Evading AV

I came across this and I remembered that a couple of years ago I did a dropper like the one described there, but more malicious.

Anyway, on to techniques for evading AV software.

The most classic thing is… Packers.

Packers are executables that usually compress your executable. When you run the packed file, the original is decompressed in memory and then executed. Now, there are way more advanced things, and this is where the fun starts: packers that not only compress your executable but also encrypt it, and packers that decrypt only the parts of the code that are about to be executed. That’s nice actually.

Another thing is… Obfuscators

Usually you keep your code clean. Forget that. Fill your executable with tons of junk: loops that do nothing but look complicated, and instructions that do nothing, such as

MOV EAX, EAX

Just add inside your executable TONS OF YOUR JUNK. YOUR JUNK IS GOOD. KEEP IT.

Another cool trick is… Messing with the original source code.
Some time ago I wanted to use NetCat on my own computer. Well, the AV wouldn’t allow me to. It said that netcat is a known backdoor. Truth is, netcat can be used as a backdoor, but usually I don’t use it that way. The problem was that I had a reverse TCP shell inside a target (exploit-me challenges) that I couldn’t use. I had to figure out a way, other than quitting my AV software, to avoid the detection. How did I own it? EASY. I opened the source code, changed every variable’s name to something else and compiled. Detection? What is that? I don’t know any detection.

Finally, as is common knowledge among malware writers and malware analysts, you can put your executable inside a .dll 😛
