Every day we are hearing different attacks, vulnerabilities, breaches, and so on. It’s difficult to fight when you have no idea who the enemy is. Our organizations will build a strong antivirus wall to detect all those attacks. But in most cases, it fails to detect it. As every new breed of virus is conceived, created, and released into the wild, another small change is made to the anti-virus software to combat the new threat. If Antivirus works, then there will be no jobs for the defense team. You can’t just have an Antivirus program and be more secure.
Antivirus software is designed to detect and prevent malicious files and processes from spreading across the operating system, thereby protecting the endpoint from executing them. Antivirus engines have developed over time, becoming smarter and more sophisticated, but the base remains the same in most solutions. The majority of today’s antivirus programs are built on just a few engines, each with its own set of goals, as follows:
- Static engine
- Dynamic engine (includes the sandbox engine)
- Heuristic engine
- Unpacking engine
As its name says, the static engine is exceedingly simple. The static engine of the antivirus software conducts comparisons of existing files within the operating system to a database of signatures, and in this way can identify malware. It is impossible to identify all malware that exists using static signatures because any change to a particular malware file may bypass a particular static signature, and perhaps even completely bypass the static engine. Its purpose is to use static signatures, such as the YARA signature, to identify threats. These signatures are written from time to time and updated by antivirus security analysts on an almost daily basis.
The dynamic engine is a level up from the static engine, and its job is to examine the file at runtime using a variety of ways.
- First method – API monitoring: The purpose of API monitoring is to intercept and detect malicious API requests in the operating system. System hooks are used to monitor APIs.
- Second method – sandboxing: A sandbox is a virtual environment separate from the physical host computer’s memory. This allows malicious software to be detected and analyzed by running it in a virtual environment rather than directly on the physical computer’s memory.
- Running malware in a sandboxed environment is effective against it, especially if it is not signed and identified by the antivirus software’s static engine.
One of the major limitations of a sandbox engine like this is that malware is only executed for a short period of time. Security researchers and threat actors can figure out how long the malware is running in a sandbox, pause malicious activity for that time, and then run the designated malicious functionality.
Heuristic-based detection is a method that based on pre-defined behavioral rules can detect potentially malicious behavior of running processes. Using a heuristic engine, antivirus software becomes even more advanced. This type of engine determines a score for each file by conducting a statistical analysis that combines the static and dynamic engine methodologies. A few example rules are:
- If a process tries to interact with the LSASS.exe process that contains users’ NTLM hashes, Kerberos tickets, and more
- If a process that is not signed by a reputable vendor tries to write itself into a persistent location
- If a process opens a listening port and waits to receive commands from a Command and Control (C2) server
The main disadvantage of the heuristic engine is that it can result in a huge number of false-positive detections, but it is also easy to learn how the engine works and bypass it through a series of basic tests using trial and error.
Antivirus bypass techniques:
The following are some of the most prevalent methods used by hackers to avoid antivirus detection:
- Obfuscation simply distorts the malware while keeping its form. A simple example would be randomizing the case of the characters in a PowerShell script.
- The function is the same, PowerShell doesn’t care about the case of the characters, but it may fool simple signature-based scanning.
- They reorganise and modify code in such a way that it’s practically hard to reverse engineer it and figure out what it’s doing on disks. They can either introduce dead code or modify the semantics of existing instructions with equally dangerous code.
Encryption effectively eliminates the ability for antivirus to detect malware through signature alone. Malware authors commonly use ‘crypters’ in order to encrypt their malicious payloads. Crypters encrypt a file and attach a ‘Stub’, a program that will decrypt the contents and then execute them. There are two types of crypters:
- ”Scantime crypters” are the most naïve and simply decrypt the payload, drop it onto the disk and execute it.
- “Runtime crypters” use various process injection techniques to decrypt the malicious payload and execute it in memory, never touching the disk.
- ‘Process Hollowing’ is one of the most common process injection methods used by runtime crypters. The stub first creates a new process in a suspended state using a completely legitimate executable such as explorer.exe. It then ‘hollows’ this process by unmapping the legitimate process memory and replacing it with the malicious payload before resuming the process.
- While there are numerous techniques of process injection, the primary goal of runtime crypters remains the same: decrypt a malicious payload and execute it without allowing it to touch the disk and thus give the antivirus time to look at the file in-depth.
- We create a subroutine kind of route, in which we add some code and change the flow of execution so that our malicious code is executed somewhere in between normal function execution and the function completes its work normally, without the user realising it has done something evil.
- Packers are used to reduce the size of the payload. Malicious codes were previously zipped using winRAR. However, nowadays, packers reduce executable size by creating an entirely new binary structure for the file on disk.
- The protectors were created to prevent any code from being reversed, debugged, or tested via the virtual machine emulation method. However, by constructing payload behind protection and sending to the victim, we may use this functionality to trick Anti-Virus solutions.
Also Read: Latest Cyber Security News – Hacker News !
Malicious PowerShell Process with Obfuscation Techniques:
Description: This search looks for PowerShell processes launched with arguments that have characters indicative of obfuscation on the command line.
search: ‘| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| eval num_obfuscation = (mvcount(split(process,”`”))-1) + (mvcount(split(process, “^”))-1) + (mvcount(split(process, “””))-1) | `malicious_powershell_process_with_obfuscation_techniques_filter` | search num_obfuscation > 10 ‘
The above techniques are used to evade AV and the most often used technique is obfuscation. Deploying a rule-based on it in your environment will help to detect obfuscation-related attacks.