Bypass All Anti-virus

Posted by xedlg ubaid December 06, 2011

Bypass All Anti-virus

Introduction

as you may read in @abysssec in twitter actually in past a few months we did a cool research on bypassing anti-viruses and got really great result .
Bypassing anti-viruses is not a new topic and it’s still about encrypting / decrypting of a program to being hide from AV eyes. In past it was really, really easy task to do but AV’s getting smarter and bypassing all anti-viruses with some really unique methods that each of them use is not funny and neither easy to do.
before i go feature i like to have a simple glossary for unfamiliar readers.

Glossary

Crypter : the program (mostly GUI) will crypt the malware / bot to make it hide from anti-viruses
Stub : the Decryptor of crypted program
FUD : Fully Un Detectable (FUD = no AV detect)
RUNPE : run the PE without headers in memory
USG : unique stub generator. (make unique stubs)
Binder: will join two file will drop in hdd or mem
Pumper: will increase size of tool
EOF : end of file(in crypter it need to preserve)
Cloner : will clone the file (Decryptor like in HDD)
Icon Changer: will change the final exe icon
well there are two also different kind of crypters scan time and run time. The good crypter is run time one because as it name says the scan time crypter is just FUD at scan time and when you run it and after real malware decrypted it will be detect so not that useful. And the real crypter is the runtime one.

How it works ?

if we remove all complex technical info for bypassing all 35 anti-virus around the world it works really sample.

it simply encrypt program, decrypt, and then run it in memory. encryption algorithm is not important and sample ideas are enough to make a crypter fud
but some of mostly used alghortims are :

I. RC4

II. AES

III.DES

IV. TEA

V. XOR

VI. CryptoAPI

VII. blowfish

note that there is important part in your job and that is run the malware safely in memory after decrypting it , and this is done by RunPE . the idea of RunPE comes from great PoC by Tan Chew Keong called dynamic forking of win32 exe : http://www.security.org.sg/code/loadexe.html

steps and idea are really sample :
CreateProcess
Find Base address
Virtualalloc
Align sections
Fix thread context
Resume thread
but this is not easy to hide this kind of API chaining from anti-viruses .
so we finished our research by writing a new fud crypter and our crypter is unique and different with public ones .
our crypter is unique and can bypass all 35 exist av right now .
here is list of AV we fully tested our crypters on them .

- Ad-Aware
 - AhnLab V3 Internet Security
 - ArcaVir
 - Avast
 - Avast 5
 - AVG Free
 - AntiVir (Avira)
 - BitDefender
 - BullGuard
 - VirusBuster Internet Security
 - Clam Antivirus
 - COMODO Internet Security
 - Dr.Web
 - eTrust-Vet
 - F-PROT Antivirus
 - F-Secure Internet Security
 - G Data
 - IKARUS Security
 - Kaspersky Antivirus
 - McAfee
 - MS Security Essentials
 - ESET NOD32
 - Norman
 - Norton Antivirus
 - Panda Security
 - A-Squared
 - Quick Heal Antivirus
 - Rising Antivirus
 - Solo Antivirus
 - Sophos
 - Trend Micro Internet Security
 - VBA32 Antivirus
 - Vexira Antivirus
 - Webroot Internet Security
 - Zoner AntiVirus

we even tested 10 year ago malware and our crypter can hide them from any anti-virus system .
our crypter comes with some unique features here is some of them

- FUD 0 / 35 detection

- EOF support

- Coded in C/ASM Stub and GUI In C#
 - Compatible with Win 2k/XP/7 x32 and x64
 - Ability of bypassing heuristic and emulators (Kaspersky pro-acvtive defense , Nod32 advanced heuristic , Norton Sonar, Avira heuristic)
 - Command line support
 - Unicode support (chines , russian and so on)
 - Right-to-Left Exploit after crypting you can have .mp3 , doc , pdf , avi or anything as output !!!
 - inbuilt scanner and scanning with 35 anti-virus after cryptring
 - advanced file binder with drop in disk and memory
 - Anti-debug
 - Anti-sandbox
 - advanced encryption : Double XOR , RC4, AES256
 - Advanced resource storage : unique method

here is some screen shot of GUI :

and finally you can see the actual work in a demo here :
http://abysssec.com/files/VampCrypt.rar
as we don’t want harm anyone if you are :
- penetration testing company
- anti virus / IDS company
- any legit company who needs it
” please note that WE DON”T give tool / technology to PERSON . ONLY VERIFIED COMPANY ”
contact : info [at] abysssec.com
and as always you can follow @abysssec in twitter
happy fudding .

Search This Blog

Cyber Security Coding Diy