Presented at
DeepSec 2013 „Secrets, Failures, and Visions“,
All IT security professionals know that antivirus systems can be avoided.
But few of them know how very easy it is to elude them - and if it is easy, the impact is big. In this presentation I am going to fully bypass many antivirus systems live,
using basic techniques:
- Bypass signatures
- Bypass emulation/virtualization
- Bypass sandboxing
- Bypass firewalls
How much time and money do I need for this result?
Not more than 15 hours of time, not 1 cent of investment!
If I can do this, anyone can do it - I think we are in trouble.
In this presentation I will test only Windows systems and AV for Windows systems, but
I think that the techniques I'll introduce can easily be applied to any other system.
For my demonstration I'll only use techniques AVs are already aware of:
- plain text signature
- virtualization and emulation
- behaviour analysis and process separation
- sandboxing
The code I'll hide is a shell_reverse_tcp. It is well known to AVs and it is
the cheapest code for an attacker, because it is in Metasploit and anyone can use it.
The techniques I use are well documented, just google "antivirus bypass"...
I use VirusTotal.com to speed up my research. Code testing is a time-consuming process: if you would like to test/scan each version of your code with multiple AVs, the time you need for your research will multiply as well...
The VirusTotal.com test is not the same as a real test, but it is good enough to discover a
good way of bypassing. If the detection rate is low, we are on the right track ;)
Once I reach a detection result that is low enough to satisfy me, I will test the code with virtual machines to verify the VirusTotal.com result.
After that I'll show the attendees that fully patched and trusted AVs
cannot detect the code and therefore cannot protect us completely.
Presenters:
- Attila Marosi - GovCERT-Hungary
Attila Marosi has been working in the information security field since he started working. As a lieutenant on active duty he worked for years on special information security tasks occurring within the SSNS. Recently he was transferred to the newly established GovCERT-Hungary, which is an additional national level in the internationally known system of CERT offices. He holds several international certificates such as CEH, ECSA, OSCP and OSCE. In his free time he does some teaching on different levels, including lessons for white hat hackers. Lately he gave a talk at the yearly organized national-level conference dealing with ethical hacking - a presentation concerning the vulnerability of the best-selling antivirus and firewall software.