AV Evasion Using Cloaked Malware/Exploits

Discussion in 'other anti-virus software' started by itman, Aug 13, 2015.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    For those who have said conventional AVs don't protect you anymore, here's another justification.

    Ref.: http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/

    Summary

    Here is a summary of the results:

    http://www.securitysift.com/wp-content/uploads/2015/03/pecloak5.jpg

    As you can see, a green check mark indicates successful evasion, a red X indicates peCloak could not successfully bypass AV evasion, and N/A indicates the AV product did not even detect the original uncloaked version so additional encoding was unnecessary. It should be noted that several products did not detect any of the uncloaked malicious executables (McAfee, Spybot, and TrendMicro) despite updated virus definitions. There were no apparent configuration problems or errors indicated by the product so the reason for detection failure is unknown. Regardless, these products were disqualified from further testing as a result. That left a total of 12 AV products that were tested.
     
  2. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Were they seriously declaring a pass/fail by right click scanning files only? Seems so. Are they not acquainted with the fact that most AV's have on-execution technologies that only work when you actually execute the file?
     
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,727
    Location:
    localhost
    Yes, they did run them.... text from the comments section

     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    For me, this test clearly illustrates the problem with current heuristic/behavior blocking AV techniques. They only scan startup behavior and do not constantly monitor the app. Just force the malware into a loop doing nothing as the author did, or put it to sleep for so many CPU cycles or many months as a recent ransomware did. Plus the problem is getting worse with the trend to trust signed apps and not monitor any further once the initial startup check is done.
     
  5. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I wonder how they tested Comodo. Most testers get it entirely wrong with its sandboxing part and declare things to "bypass" even though they actually don't bypass...
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
This pretty much sums up the testing:

A quick glance at the table will demonstrate that despite a few of the products detecting some of the executables, the best method of evading AV detection is by cloaking a backdoored executable (as I did with strings.exe). In fact, as you’ll see below, one of the products actually automatically whitelisted my backdoored executable without any action on my part!

    Backdoors have always been the "Achilles heel" of AVs. I strongly suspect that the Locker ransomware that was circulating a few months ago utilized a cloaked backdoor which allowed it to be activated on demand.
     
  7. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I still don't understand what's so special about this evasion "technique". And backdoors aren't some special magic thing that is especially problematic...
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Old news, AV's are never enough if you're paranoid. That's why I decided to mostly rely on HIPS and sandboxing, back in 2004.
     
  9. Yash Khan

    Yash Khan Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    1,837
    I too wonder how they tested Comodo?

    Is there any test details for individual products?
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Already mentioned in reply #3 above.
     
  11. Yash Khan

    Yash Khan Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    1,837
I am not an expert.
I don't know what those samples do.

I meant: did CIS sandbox those samples?
And what happened after resetting the sandbox?
     
  12. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
It explains nothing. I've seen so many so-called testers who don't even understand the basics of how Comodo works and when something is a pass and when it's a fail. Just because a thing runs on a system with CIS installed, that doesn't mean it has been compromised...
     
  13. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    975
    Location:
    Paris
    RejZoR- Note that the author stated that "This product did not detect the unencoded version of vdmallowed.exe file but did detect the other three as malicious." Nothing was said of any system changes if the file was run. And backdooring of malware is certainly nothing new; it is actually the same technique I used the other day to expose a flaw in Sandboxie (which Invincea patched within 72 hours, much to their credit).

    The real issue is actually the inability of most AV and HIPS based products to recognize and stop Script based malware of diverse types. Scripts have been the prime vectors in the majority of Corporate breaches recently, and have also been the main reason for the Enterprise Space moving from traditional security solutions to virtualization solutions from FireEye and Palo Alto.

    The author could have saved himself the trouble of using Metasploit executables by just coding malware in Python (much more elegant). I did an overly long video series on a Scriptor that I wrote (it deleted documents, bypassed UAC and wiped System files), and although the script and its malicious actions were ignored by the traditional security products, it was contained quite nicely in the sandboxes of Comodo and Sandboxie.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I think people are missing the point of the article. Cloaked malware is designed to remain hidden. Whether the sandbox is obvious such as Sandboxie's or Comodo's or transparent such as that used in many heuristics/behavior blocker products is not the issue. Unless software remains in the physical or virtual sandbox always, cloaked malware can do its thing. Sandboxing for the most part is designed to be a transitional protection measure to restrict start up behavior and allow a determination by the heuristic/behavior blocker if the software is safe enough to discontinue monitoring.

    HIPS rules on the other hand are a continuous method of monitoring app behavior.

And as Cruelsister pointed out, scripts, notably ones that use PowerShell, are extremely difficult to monitor since the processes they invoke are often legitimate. Again, HIPS rules that monitor registry access and the like would at least alert the user of the activity. However, in most cases technical knowledge is required to assess if the activity is malicious or not.

What is needed by the security industry is intelligent deterministic protection that can record software usage over time and alert for abnormal behavior. There was a movement towards this a few years back. The HIPS used in PrivateFirewall is an example of such software. Threatfire was another example. I also believe Webroot employs some of this technology through its prior acquisition of Prevx.
     
    Last edited: Aug 15, 2015
  15. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    The whole point of sandbox is to contain and isolate the offending sample. Not detecting it doesn't mean anything. So, them saying it wasn't detected means nothing. Was the sandbox isolation breached? Was it?
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
I believe what the author means by not detected was that the process was allowed to execute and perform the stated activities, i.e. Windows privilege escalation. Anything else would mean the process was detected.

    vdmallowed.exe – local Windows privilege escalation exploit
     
  17. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    But does it actually mean that?
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Verify with the author. I believe the web page is still accepting comments.
     
  19. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    You're mostly right.

While COMODO's Sandbox is a wonderful thing, sometimes a program will behave as if it's not malware and COMODO won't tell a thing... but after running the program outside the sandbox and rebooting, your PC will be "nuked". I'm on my way out but once I get back I'll provide the YouTube video test showing that.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
Also please make a note of the products tested. He tested Comodo Antivirus, not Internet Security. Defense+, especially if running in Paranoid mode, would have caught most of these tests.
     
  21. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    975
    Location:
    Paris
Once again, he never said that the system was infected when the undetected malware was run on the CAV-protected machine, just that the cloaked malware was undetected. There is a big difference between Detection and Protection (also, I believe at default settings with CAV the Sandbox is Enabled and HIPS disabled).

    As to Webroot, I had no difficulty at all infecting a computer so protected with my Scriptor.
     
  22. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    So the inclusion of Comodo is absolutely pointless then if they only tested the antivirus (which is essentially just a dumb file scanner). I wonder what else is excluded then for other vendors...
     
  23. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    975
    Location:
    Paris
    A well crafted Scriptor will infect systems protected by traditional AV/HIPS. Even something as simple as a system actively infected by a vbs coded Worm will be ignored by things like MB and HMP.

    And the Paranoid Mode of Comodo HIPS is not a viable option unless the user wants an alert after each mouse-click. But no matter as proper setting of the sandbox contains these things well and silently.
     
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    Hi, I have one question. Would properly configured SRP (blacklisted .vbs...) and disabled script engines prevent such infections?
     
  25. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    975
    Location:
    Paris
    Yeah- if you block vbs you will be protected from them. Sadly vbs scripts are really rather low-class. Python is the scripting language of choice lately (keyloggers, diverse data-stealers, up to my Doomsday thingy). Blocking vbs won't help you here.
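Minimalist's question about disabled script engines, and cruelsister's reply that blocking VBS does nothing against a Python payload, can both be made concrete with a small PowerShell snippet. This is an added example, not code from the thread or from peCloak: it disables Windows Script Host machine-wide through the documented `Enabled` policy value under `HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings`, then audits which other interpreters remain reachable on the PATH. The function names and the list of interpreters checked are the example's own choices; SRP path rules (the other half of the question) are not configured here.

```powershell
# Added example (not from the thread): disable Windows Script Host and audit what
# other script interpreters are still reachable. Run from an elevated PowerShell prompt.
# Assumption: this only addresses WSH (wscript.exe / cscript.exe); as noted in the
# thread, it does nothing about a Python interpreter that is already installed.

$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Disable-WindowsScriptHost {
    if (-not (Test-Path $WshKey)) {
        New-Item -Path $WshKey -Force | Out-Null
    }
    # Enabled = 0 makes wscript.exe and cscript.exe refuse to run any script
    # (.vbs, .vbe, .js, .jse, .wsf, .wsh), regardless of the file extension used.
    New-ItemProperty -Path $WshKey -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-ScriptEngineStatus {
    # Report whether WSH is still enabled; absence of the value means "enabled".
    $wshEnabled = $true
    if (Test-Path $WshKey) {
        $prop = Get-ItemProperty -Path $WshKey -Name 'Enabled' -ErrorAction SilentlyContinue
        if ($null -ne $prop -and $prop.Enabled -eq 0) { $wshEnabled = $false }
    }

    # Interpreters the WSH policy does not cover. Their presence is exactly the gap
    # cruelsister describes: a Python "Scriptor" runs regardless of the WSH setting.
    $uncovered = @('python.exe', 'pythonw.exe', 'py.exe', 'powershell.exe', 'pwsh.exe')
    $present = foreach ($exe in $uncovered) {
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd) { $cmd.Source }
    }

    [pscustomobject]@{
        WindowsScriptHostEnabled  = $wshEnabled
        UncoveredInterpretersOnPath = @($present)
    }
}

Disable-WindowsScriptHost
Get-ScriptEngineStatus | Format-List
```

The audit output is the point: a host with `WindowsScriptHostEnabled = False` but `python.exe` in the interpreter list has closed the VBS vector the question asked about while leaving the one cruelsister says matters, which is why script control has to be done per interpreter (SRP or AppLocker rules on the interpreter binaries) rather than per file extension.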
     