Hack Demo Videos:

Bypassing Antivirus To Deliver Malware With Code Packers

18 Oct 2013

Mainstream antivirus vendors generally do a pretty good job.

…but they aren’t so great at dealing with packed malware. Here’s why.

What we’re looking at is how malware gets around being snaffled by antivirus. We’re going to show you a few examples and some live demonstrations of how malware packers can be used to modify or encrypt the contents of a piece of malware so that it is not picked up by the major antivirus vendors.

What I’ve done here is to use the VirusTotal API and a little Python script that’s been published to do this. I’m going to be uploading a series of malware files to show you how easy it is to bypass antivirus. The first one we have is a Metasploit reverse shell. It’s really straightforward, it’s been out for donkey’s years and every vendor should know about it. We’re going to connect to the VirusTotal API and get quite a bit of output, but I’ll clean that up now with a cleaner that dumps the information into a database and summarises it here for me.

As you can see, our straightforward Metasploit reverse shell has been picked up by 33 of the 46 main vendors, but 13 of them are missing it. A bit worrying really, as you’d expect this reverse shell to get picked up; it’s not exactly complex stuff.

I’m going to make it a bit more difficult now by looking at using a malware packer. This one is called MPRESS. It’s freely available on the internet, so go and find it for yourselves, but be a little bit careful about where you download it from.

We’re now going to pack our sample, that reverse shell, and send it. Let’s have a look at the database entry now. We clean it up again and what do we see? Instead of 33 detections, 10 more antivirus products now miss our malware, simply because we packed it with a freeware tool. It’s now detected by only 23, so the detection rate is down to 50%. That’s good if we’re trying to get malware into an organisation; we’ve got a much better chance.

Now let’s try harder and make it tougher for the antivirus. I’m going to show you a different packer, this one called Hyperion, a very cool packer which was published last year (2012). When we go back to our database output we can see that, having packed it with Hyperion, our detection rate is down to 19 out of the 46 vendors that are registered with VirusTotal, which is quite concerning. Let’s go further though and make it even tougher. We are going to use a product called MoleBox. It’s a commercial packer typically used to protect games software from piracy, but it’s also a really good malware packing engine.

When we use MoleBox and go back and look at our database output, we are now down to just 10 of the 46 vendors detecting our malware. We haven’t spent any significant money (a few bucks on a licence for MoleBox) and we’re now past most of the mainstream antivirus vendors. There are a lot of big names there who really should be doing a bit better.
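For a defender who wants to measure how much a packer erodes their own detection coverage, here is an added example (not the script from the video) that does what the presenter’s cleaner does: it loads VirusTotal scan results into a SQLite database, reports each sample’s detection count, and lists which vendors flagged the unpacked sample but miss the packed variant. It assumes the report shape of the VirusTotal v2 file-report JSON; the sample reports and engine names are constructed, not real results.

```python
import sqlite3

# Constructed sample reports in the shape of the VirusTotal v2 file-report JSON
# ("scans": {vendor: {"detected": bool, "result": str|None}}); engine names are
# placeholders and only five engines appear, not the 46 from the video.
SAMPLE_REPORTS = {
    "shell_plain.exe": {"scans": {
        "EngineA": {"detected": True, "result": "Trojan.Meterpreter"},
        "EngineB": {"detected": True, "result": "Backdoor.Shell"},
        "EngineC": {"detected": True, "result": "Win32.RevShell"},
        "EngineD": {"detected": False, "result": None},
        "EngineE": {"detected": True, "result": "Gen.Shell"}}},
    "shell_mpress.exe": {"scans": {
        "EngineA": {"detected": True, "result": "Trojan.Meterpreter"},
        "EngineB": {"detected": False, "result": None},
        "EngineC": {"detected": True, "result": "Packed.Generic"},
        "EngineD": {"detected": False, "result": None},
        "EngineE": {"detected": False, "result": None}}},
}


def load_reports(conn, reports):
    """Flatten each report into one row per (sample, vendor)."""
    conn.execute("CREATE TABLE IF NOT EXISTS results (sample TEXT, vendor TEXT, "
                 "detected INTEGER, result TEXT, PRIMARY KEY (sample, vendor))")
    for sample, report in reports.items():
        for vendor, scan in report["scans"].items():
            conn.execute("INSERT OR REPLACE INTO results VALUES (?, ?, ?, ?)",
                         (sample, vendor, int(bool(scan.get("detected"))), scan.get("result")))
    conn.commit()


def detection_rate(conn, sample):
    """(detected, total) for one sample, the figure quoted as e.g. 33 of 46."""
    row = conn.execute("SELECT SUM(detected), COUNT(*) FROM results WHERE sample = ?",
                       (sample,)).fetchone()
    return (row[0] or 0, row[1])


def lost_detections(conn, baseline, variant):
    """Vendors that flag the baseline but miss the packed variant."""
    rows = conn.execute(
        "SELECT b.vendor FROM results b JOIN results v ON b.vendor = v.vendor "
        "WHERE b.sample = ? AND v.sample = ? AND b.detected = 1 AND v.detected = 0 "
        "ORDER BY b.vendor", (baseline, variant)).fetchall()
    return [r[0] for r in rows]


def summarise(reports=SAMPLE_REPORTS, baseline="shell_plain.exe"):
    """Load everything into an in-memory database and summarise each sample."""
    conn = sqlite3.connect(":memory:")
    load_reports(conn, reports)
    return {s: {"rate": "%d/%d" % detection_rate(conn, s),
                "lost": lost_detections(conn, baseline, s)} for s in reports}
```

Pointing the same comparison at results from your own gateway and endpoint engines, rather than VirusTotal, shows which of your layers a given packer actually defeats.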