Outsmarted - Why Malware Works in face of Antivirus Software
Matthias Deeg, Sebastian Nerz, Daniel Sauder Outsmarted – Why Malware Works in face of Antivirus Software
For many years, different types of malware rank among the biggest IT security threats both in the business and the private domain. In order to protect one- self from the dangers of malware, numerous software manufacturers offer IT security products like antivirus and endpoint protection software. But these products alone offer no sufficient protection from malware that knows some tricks, as the results of our recent research with the topic antivirus evasion show.
n the recent past, there were several com- from antivirus software. Thereby, current results puter-based attacks against IT networks that of our recent research are presented and recom- became public and raised a lot of media at- mendations are given for dealing with threats and Itention. Especially the attacks against the New security risks caused by malware. York Times [1] and the Washington Post [2] at the beginning of 2013 had a world-wide media How Antivirus Software Works coverage and also heated the debate about such Current antivirus software, no matter if a stand- cyber threats with manufacturers of IT security alone software product or a component of a soft- products like antivirus and endpoint protection ware suite (host intrusion detection/prevention software. In both mentioned cases, attackers were software, endpoint protection software, etc.), uses able to install malware on computer systems of different methods to detect known and unknown employees in order to literally spy on the affect- threats by means of malware. ed companies – and this probably undetected for In general, these methods used for protecting several months. computer systems from unwanted, malicious Once more, incidences like these have pointed software can be assigned to the following two out that in spite of the use of IT security prod- strategies: ucts like antivirus software or host intrusion de- tection/prevention software (HIDS/HIPS) such 1. Blacklisting attacks cannot be entirely prevented. This kind 2. Whitelisting of threat illustrates that enterprises and also gov- ernment agencies require a master plan with a In the context of antivirus software, the two working information security management and terms blacklisting and whitelisting simply mean security awareness of all employees. that the execution of a program is either explic- itly forbidden (being on a black list) or explicitly This paper discusses how developers of malware allowed (being on a white list). Thus, by following like trojan horses (in short trojans), viruses, and the blacklisting approach antivirus software worms proceed to hide their malicious intentions will prevent the execution of programs that are
SySS GmbH | August 2014 Page 1|8 Outsmarted - Why Malware Works in face of Antivirus Software
software and are added to their signature data- Exploiting base. Hence, with this method it is only possible Antivirus software does not offer any pro- to detect malware for which at least one corre- tection against attacks of vulnerable network sponding signature exists. services, for example, an outdated web server. The manner in which manufacturers of antivirus Because in such attacks, malicious code, so- software create signatures for malware and search called shellcode, is directly loaded into the for the specific patterns of course influences the main memory of the affected system and ex- error rate of signature-based malware detection ecuted there, for example by exploiting a buf- (error type 1 [false positive], error type 2 [false fer overflow vulnerability. Thus, there is no negative]). file containing the malicious code within the file system of the target system that could be Malware authors and users exploit this situa- found by the usual malware detection mecha- tion by developing and modifying malware in nisms of antivirus software. such a way that it does not contain any known signatures that are sufficient for classifying it as malware. Thus, this kind of malware cannot be not found on a black list. In contrast, using the detected by solely signature-based malware de- whitelisting approach antivirus software will only tection mechanisms. For bypassing some sig- allow the execution of programs found on a white nature-based malware detections it is sufficient list. These two strategies help to pursue the goal to compile the malware with different compiler allowing only desired, expected, and benign be- settings or with a different compiler (malware havior and preventing unwanted, unexpected, source code is available), or to compress and/or and malicious behavior. encrypt the executable file (malware source code The adminstration of black and white lists can is not available) using so-called EXE packers or either be the responsibility of the antivirus soft- EXE cryptors. In this way, the original function- ware, which is the default case for the blacklisting ality of known malware can be preserved but its strategy, or it can be the responsibility of the end form has changed. users or administrators, which is primarily the Thus, polymorphism is a big challenge for signa- case for the whitelisting strategy. ture-based detection mechanisms and is used by The majority of used antivirus software only fol- malware for a long time. lows the blacklisting strategy and thus tries to detect whether software is malicious and should Behavior-Based Malware Detection therefore not be executed. Behavior-based malware detection tries to deter- For malware detection there are generally the fol- mine the behavior of software and to classify it lowing two methods which are described in more according to defined criteria as benign or mali- detail in the following sections: cious. For this, usually rule-based techniques are used in combination with a scoring system and 1. Signature-based specified thresholds for calculated scores. This 2. Behavior-based detection method, also known as heuristic pro- cedure, is capable of detecting unknown malware Signature-Based Malware Detection due to its behavior. The used scoring system and By using signature-based malware detection, an- threshold values have a major influence on the tivirus software is searching for known patterns error rate of this generic method (error type I in the form of byte sequences (also called signa- [false positive], error type II [false negative]). The tures) in files that allow to identify specific mal- analysis of a software program can be performed ware. A disadvantage of this methodology is that only statically at which the code of the executable only known patterns can be searched for. These file is analyzed in a so-called static code analysis patterns are created by the manufacturers of an- and corresponding software behavior is deter- tivirus software based on analyses of malicious mined by means of the presence of specific fea-
SySS GmbH | August 2014 Page 2|8 Outsmarted - Why Malware Works in face of Antivirus Software tures. However, a disadvantage of this approach Research Project: Antivirus Evasion is that only program code can be analyzed that is In the course of our research project with the top- directly accessible to the antivirus software. Thus, ic antivirus evasion, the authors have tested dif- program code that is only available during run- ferent antivirus evasion techniques with several time respectively detectable as code, for example well-known and widely used antivirus software due to compression, encryption or self-modi- products that follow the blacklisting strategy. fying code, is not considered for the static code The applied techniques are not new, they have analysis. been used by malware for years and exploit the abovementioned weaknesses in signature- and For this reason, most of the antivirus software behavior-based detection methods of antivirus uses a so-called sandbox environment besides a software. static code analysis. In the context of antivirus software, a sandbox means a secure and control- lable execution environment in which the behav- Characteristics of Antivirus Software: Up- ior of an executable file can be analyzed during dates and Scan Engines runtime and be classified as benign or malicious During the conducted antivirus evasion tests due to defined criteria. In this way, the effective- of this research project and during penetra- ness of some malware obfuscation methods, for tion tests, the SySS GmbH noticed on several instance based on compression or encryption, occasions that the behavior of scan engines can be reduced. Furthermore, another goal of of tested antivirus software products varied antivirus sandbox environments is to hide their in different environments. For example, if a presence and not to be detectable by malware. malicious file is not detected by the locally in- This prevents malware from adjusting its behav- stalled antivirus software, nevertheless, it can ior according to the discovered execution envi- be rated as malicious by the assumed identical ronment and thus malicious code is not executed scan engine when uploaded to VirusTotal. The within a sandbox. In general, the emulation of an reason for this different behavior one should execution environment is a very tough problem be aware of is that antivirus companies often and far from being perfectly implemented con- parametrize their scan engines specifically for sidering antivirus software sandboxes. There- VirusTotal (stronger heuristics, cloud interac- fore, there are different ways to detect sandbox tion, inclusion of beta signatures, etc.) [3]. environments and to manipulate behavior-based Furthermore, it has to be considered that analyses by adjusting the software behavior ac- besides false-positive results there are also cordingly. false-negative results now and again, for ex- Moreover, the classification of programs by an- ample in the case of known malware that is tivirus software into the two categories benign not correctly detected although it has been and malicious is also subject to time constraints. known for several months or even years. Because it is not acceptable to an end user if the In general, it is recommended to have short analysis of a program lasts a longer period of time update intervals for antivirus signature data- and he or she is thus prevented from carrying out bases as already a few hours can make a dif- her work, the manufacturers of antivirus software ference regarding malware that spreads via have to consider the needs of users and should e-mail. accept compromises for all their malware detec- tion methods, no matter whether signature- or behavior-based. Methodology Behavior-based malware detection as it is imple- The SySS GmbH developed two software tools mented in current antivirus software using differ- named Avet and ShCoLo that could be used to ent methods has several weaknesses that can be create executable files containing malware for exploited by malware developers. Windows operating systems. Both software tools supported different antivirus evasion techniques
SySS GmbH | August 2014 Page 3|8 Outsmarted - Why Malware Works in face of Antivirus Software
Listing 1: Generating and encoding a Meterpreter shellcode with msfpayload and msfencode
$ msfpayload windows/meterpreter/reverse_https LHOST=192.168.23.1 LPORT=443 R | msfencode -e x86/shikata_ga_nai -t raw > meterpreter_reverse_https.bin [*] x86/shikata_ga_nai succeeded with size 377 (iteration=1) exploiting weaknesses in signature- and behav- the following antivirus evasion techniques that ior-based detection methods. Using these soft- were used in different combinations: ware tools, it should be possible to successfully execute malware in the face of antivirus software • Polymorphism on a target system. • Encryption As malware, a well-known Meterpreter shell- • Sandbox detection code (windows/meterpreter/reverse_https) of the • Process injection free open source Metasploit Framework [4] was used that was created and encoded with the two With regard to the German Criminal Code (§ Metasploit tools msfpayload and msfencode (List- 202c StGB), technical details of all the used anti- ing 1). virus evasion techniques and their implementa- tion are not further discussed in this paper. Remote access to computer systems using a Me- The created executable files containing malicious terpreter shell is very popular among penetration code were copied to the respective target systems testers as well as attackers who operate without an with installed antivirus software and then exe- official permission. Therefore, suchMeterpreter a cuted. The result of each test case was measured shell is a desirable objective and an interesting and documented according to the following three test vector for our research. TheMeterpreter shell possible outcomes: supports functions like extracting sensitive pass- word information, key logging, taking screen- • Shellcode was not detected and executed suc- shots, and of course remote shell access to an cessfully (green) affected target system. The chosenMeterpreter • Shellcode was detected and not executed shellcode windows/meterpreter/reverse_https (red) also uses a secure, encrypted communication • Shellcode was not detected but not executed channel (HTTPS connection) between the target successfully (blue) system and the system of the attacker. This con- nection is established from the target system to Results the attacker‘s system and thus is a so-called re- The results of our antivirus evasion tests with verse shell or connect back shell that works with twelve antivirus software products are shown in a high probability even if firewall or web proxy table 1. systems are in use, provided that network access to the attacker‘s system is given. Antivirus Evasion in IT Forensics and Incident In the course of our research, the TCP port 443, Response that is usually used for HTTPS connections, was The described strategies for malware detection selected as the communication endpoint on the also affect the retrospective forensic analysis of attacker‘s system. infected computer systems. Occasionally, de- tecting malware is cumbersome. But sometimes The two software toolsAvet and ShCoLo are so- malware can be identified by simple persistence called shellcode loaders with extended function- vectors because it somehow wants to be restarted ality concerning antivirus evasion techniques. after a system reboot. A straightforward way for During our tests, all executable files were created accomplishing this, for instance, is to use one of with the developed software toolShCoLo (Listing the many autorun mechanisms of the Windows 2). The used ShCoLo software version supported operating system. Thus, by analyzing automati-
SySS GmbH | August 2014 Page 4|8 Outsmarted - Why Malware Works in face of Antivirus Software cally started software, many types of malware can to this fact and they use different techniques in simply be found without much effort. order to tamper with timestamps, for instance, concerning file systems. However, this task becomes more difficult when it comes to malware that hides itself in a better For this reason, methods for rapidly detecting way. For example, there is malware that modifies malware were established that use techniques existing executable files like EXEs or DLLs so that which are conceptually similar to black- and it is also executed when the manipulated software whitelisting. By using databases of known mal- is started. If such a modification affects a device ware and software tools for automatically scan- driver or another operating system component, ning files for malicious code with scan engines of this can be sufficient for achieving an automat- different antivirus software products, infections ic restart of the malware after a system reboot. with known malware can be identified. Heuris- Modifications of frequently used software like tic signature-based methods are used for find- web browsers, e-mail software or office applica- ing known EXE packers, known strings, specific tions can also be promising anomalies in program code like NOP slides (se- to accomplish this task. Such modifications are quence of NOP opcodes [no operation]), or for far more difficult to identify by means of a -fo finding seemingly random and thus potentially rensic analysis. If the point in time of a malware encrypted code sections. infection is known, for example, changes of the file system can be analyzed. However, malware These techniques are also used in a modified developers are also active and creative in regard form in antivirus software, but regarding foren- sic analyses, they are allowed to produce many more false-positive results as these are (hopeful- Metasploit Shellcode Loader ly) checked afterwards. Nevertheless, these de- With the use of the two software toolsmsfpay - scribed techniques will only have a little chance load and msfencode of the Metasploit frame- of success if malware authors have analyzed work, executable files with chosen payloads them. Therefore, another method for detecting (shellcode) can be created and encoded for malware is used that is based on databases with different target platforms. Executable files, known files. For instance, a Windows system however, generated in this way are identified mainly contains files that do not differ from files as malware by the majority of antivirus soft- of other Windows installations. Dependent on ware products even if they do not contain any the software version, patch level, and installed malicious code. This fact can be demonstrat- software, there are different numbers of files with ed very easily with an executable file for Win- the same characteristics. These file characteristics dows created by msfpayload (Listing 3) that is can be used to build databases that serve the pur- scanned afterwards using the online service pose of finding all those files that deviate from VirusTotal [4] (see Figure 1). those characteristics. However, malware infec- In many cases, it is possible to achieve that tions in uncommon software, macro viruses in less antivirus software detects the malicious office documents or attachments to e-mails can- file as malware by simply using a self-made not be identified in this way. But as mentioned shellcode loader. above, malware often wants to persist itself on the A further encoding of the malware using the target system and most of the malware tries to ac- software tool msfencode does not guarantee complish this by modifying popular software via a lower detection rate as the publicly known autorun mechanisms. And precisely these meth- encoders are either detected due to signature- ods can be detected in the described way with a or behavior based methods. In order to coun- little bit of luck. teract this fact and to decrease the detection Specifically adjusted or exclusively developed rate, one can build her/his own encoder. malware for attacking individual systems – so- called targeted malware – will elude this kind of
SySS GmbH | August 2014 Page 5|8 Outsmarted - Why Malware Works in face of Antivirus Software detection. Anyhow, a method for identifying it IT administrators and other personnel responsi- successfully is a detailed analysis of the file sys- ble for information security can support IT foren- tem, log files, and file system changes. Fortunate- sic experts and incident responders significantly. ly, such cases are not the norm as they are very For instance, a network monitoring system that time-consuming and labor-intensive. was installed at the right time can be used for The last and also frequently used method for baselining purposes. Thus, the rule can be iden- finding malware during forensic analyses are be- tified by means of network data traffic, number havior-based techniques. Thereby, running pro- and type of network connections, and so on. Fur- cesses can be identified, log files can be analyzed thermore, managed lists of installed software, fre- for anomalies, or the network can be monitored. quent comparisons of the current and the target In doing so, a good IDS will not only search for state, and maybe even databases with hash values known command & control servers (C2 servers), or other characteristics suitable for identification but it will also report other anomalies. For in- purposes of files, centralized logging and net- stance, if a server suddenly accesses foreign sys- work monitoring are a first step. tems, this could and should cause distrust. Peri- To make it clear: Logging and the identification odically visited web sites, network data traffic on of the rule may later help to prevent time-con- unknown ports, incoming network connections, suming analyses or to raise initial suspicion in the encrypted connections, or other deviations from first place. the rule could indicate a malware infection. As stated before, deviations from the rule are Conclusion suspicious. But what if there is no rule? A net- In the course of the research project with the work monitoring system that was installed after topic antivirus evasion, the SySS GmbH could a malware infection may identify it in some cases demonstrate that the malware detection mech- as the rule and not as anomaly. Exactly the same anisms of current antivirus software can be by- problem exists, as mentioned above, by analyzing passed and that malware can be executed in this way. file systems: What is legitimate and what is not? Thereby, the applied antivirus evasion techniques are How can we decide retrospectively what software not new, they have been used by malware for years has been modified? And how can we accomplish and exploit described weaknesses in signature- and this task efficiently and within an acceptable time behavior-based detection methods of antivirus soft- frame? ware. The majority of the used antivirus techniques
Listing 2: Creating a Windows executable file with ShCoLo
$ python shcolomaker.py -f win32 -e meterpreter_reverse_https.bin _/_/_/ _/ _/_/_/ _/ _/ _/_/_/ _/ _/_/ _/ _/_/ _/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/ _/ _/ _/_/_/ _/_/ _/_/_/_/ _/_/ Shellcode Loader Maker v0.7 by Matthias Deeg
SySS GmbH | August 2014 Page 6|8 Outsmarted - Why Malware Works in face of Antivirus Software
Listing 3: Generating an msfencoded executable file without a valid payload (shellcode) $ echo test | msfencode -e genric/none -t exe > test.exe [*] generic/none succeeded with size 5 (iteration=1) is rather simple and can be leveraged by less skilled control should not be the only countermeasure attackers and their malware. Furthermore, for many against malware threats. A defense-in-depth years now there have been numerous antivirus eva- strategy should be followed as part of an en- sion tools or frameworks freely available on the In- terprise-wide IT security management system. ternet that also support more advanced and more Thereby, identified risks are not only avoided or complex antivirus evasion methods that can be used mitigated with a single security control but with by anyone without expert knowledge. A popular several security controls that ideally fall into one example for such an antivirus evasion framework of the three different categories preventive, detec- is Veil [5]. tive, and corrective. In IT networks, antivirus software is the last line In the opinion of the SySS GmbH, the following of defense against malware, especially on end security measures have been proven effective as user client systems. Because of the demonstrat- part of a defense-in-depth strategy in order to ed weaknesses of antivirus software, this security increase the security level of IT networks, par-
Figure 1: VirusTotal scan results for a Windows executable file created with msfpayload
ticularly concerning malware protection, and to disaster recovery management) reduce the impact of security incidents: • Baselining of the IT infrastructure
• Security awareness training of employees According to estimations of the SySS GmbH, • Implementation of a working patch manage- the situation for IT networks regarding malware ment threats will not ease in the near future – on the • Use of current antivirus software with regu- contrary – it will get worse. Reasons for this are lar updates steadily increasing professionalism and increas- • Implementation of the principle of least ing resources of malware developers – a trend privilege (least-privileged user accounts that that has been observable for several years now. only have the privileges actually needed for Besides targeted attacks that are usually per- fulfilling required tasks) formed by highly skilled attackers with the use • Antivirus detection at different locations of specifically adjusted or exclusively developed within the IT network (mail server, file serv- malware, mass computer-based attacks with mal- er, proxy server, client systems, etc.) ware generated by widely-used malware con- • Conduct of frequent IT security assessments struction or exploit kits are a growing threat for • Incident readiness (business continuity and enterprises and government agencies.
SySS GmbH | August 2014 Page 7|8 Outsmarted - Why Malware Works in face of Antivirus Software
Table 1: Results of antivirus evasion tests
Product Name Version Date of Signa- Operating System of the ture File Target System avast! Endpoint Protection 8.0.1603 2014/07/03 Windows 7 SP 1 (64 Bit) AVG AntiVirus Free 2014.0.4714 2014/06/30 Windows 7 SP 1 (64 Bit) Avira Professional Security 14.0.5.450 2014/07/02 Windows 7 SP 1 (64 Bit) ESET NOD32 Antivirus 7.0.317.4 2014/07/02 Windows 7 SP 1 (64 Bit) Kaspersky Anti-Virus 14.0.0.4651(g) 2014/07/02 Windows 7 SP 1 (64 Bit) McAfee VirusScan Enterprise 8.8.5400.1158 2014/07/02 Windows 7 SP 1 (64 Bit) Microsoft Security Essentials 1.177.1250.0 2014/06/30 Windows 7 SP 1 (64 Bit) Panda Antivirus Pro 2014 13.01.01 2014/06/30 Windows 7 SP 1 (64 Bit) Panda Cloud Antivirus 3.0.1 2014/07/03 Windows 7 SP 1 (64 Bit) Sophos Anti-Virus 10.3.7.527 2014/06/19 Windows 7 SP 1 (64 Bit) Symantec Endpoint Protection 12.1.4013.4013 2014/07/02 Windows 7 SP 1 (64 Bit) Trend Micro Titanium Antivirus+ 7.0.1255 2014/07/01 Windows 7 SP 1 (64 Bit)
A change of strategy away from blacklisting to References whitelisting has been observable for quite some [1] http://www.heise.de/security/meldung/ time. In the opinion of the SySS GmbH, this is a New-York-Times-Hack-Symantec-wehrt- step in the right direction. But there is also a need sich-1795358.html for further clarification, especially in finding the [2] http://www.heise.de/security/meldung/ right balance between usability and security and Auch-Washington-Post-gehackt-1796535.html considering cost-benefit ratios, particularly in re- [3] https://www.virustotal.com/en/faq/ gard to possibly increased administrative expens- [4] http://www.rapid7.com/products/metasploit/ es. [5] https://www.veil-framework.com/
SySS GmbH | August 2014 Page 8|8