
How Anti Malware works – identifies malware

Hello aspiring ethical hackers. In this article, you will learn how Anti Malware works. In our July 2020 Issue of Hackercool Magazine, our readers saw a scenario in which a malicious payload we created bypassed an Antivirus and successfully got a meterpreter session on the OMEGA target.

In this article, our readers will learn more about Antivirus and Anti Malware and how they work to detect malware. It is very important to understand how Anti Malware works in order to devise methods to bypass it in penetration testing. Anti Malware is software, just like malware. Different Anti Malware products use different methods to detect malware. Let's see each one of them.

Signature Based Detection

This type of Antivirus detects malware by comparing its code with known malware samples. The samples the Anti Malware uses for comparison are known as signatures. These signatures are regularly updated (in most cases, daily) by the Anti Malware vendor in order to stay one step ahead of malware. This is the reason why Anti Malware needs regular updates.

Heuristic Detection

The problem with signature based detection is that it can only detect known malware, or malware that has been around for some time. To overcome this problem, many Antivirus products nowadays detect malware using heuristic analysis. In this type of analysis, the Antivirus tries to identify malware by examining the code of a program and analyzing its structure.
By doing this, the Antivirus effectively simulates running the code to see what it actually does. If it finds any malicious intention in the code, such as the program replicating itself or trying to rewrite itself, it classifies the program as malware. As already mentioned, this is used by almost all modern Antivirus or Anti Malware products.

Behavioral Detection

In behavioral detection, the Antivirus detects suspicious activity in the operating system. If the Antivirus notices that a new program is trying to make changes to the system, such as altering files or running code to communicate with external systems, it flags the program as a virus and blocks it. So instead of scanning the code of the malware, it scans for suspicious activity.

Sandbox Detection

In Sandbox detection, the Antivirus classifies a program as malware after executing the program in a contained environment separated from the operating system. This contained environment is known as a sandbox. If the program performs any suspicious or malicious activity in the sandbox, the Antivirus classifies the program as malware. This method of detection takes a heavy toll on system resources.

These are the ways in which antivirus can detect malware or payloads we create in penetration testing. There are a few other concepts you need to understand about antivirus.

Real Time Protection

Nowadays most Antivirus products use not just one but a combination of the above mentioned methods. Also, many Antivirus products run in Real Time Protection mode, i.e. providing protection and continuous scanning of the system. In this mode, the Antivirus detects and blocks the malware as soon as it enters the system. This is because it is much easier to detect malware as soon as it enters than after it has already infected the system.

False Positive

When an Antivirus classifies a genuine program as malware, it is known as a false positive. When this happens, the Antivirus may remove or block the genuine program, thus affecting operations.

False Negative

When an Antivirus fails to detect malware or a malicious file for what it is, or classifies it as a harmless file, it is known as a false negative. False negatives pose a bigger danger because the malware goes undetected and stays on the system.
In PART 1 of our Bypassing Antivirus feature, our readers saw that the OMEGA target system failed to detect our batch payload. This is a case of a FALSE NEGATIVE.
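To make the detection methods and the false positive / false negative concepts above concrete, here is an added Python example (not code from the original article or from any Antivirus product). It implements a toy signature engine (exact SHA-256 hash plus byte-pattern signatures) and a toy heuristic rule, runs both over a handful of constructed sample "files" with known labels, and counts the true and false positives and negatives; all sample contents, signatures and detection names are constructed for the demo.

```python
import hashlib
import re
from collections import Counter

# Constructed sample "files" for the demo: (name, content, truly malicious?)
SAMPLES = [
    ("notes.txt", b"meeting at 10, bring the quarterly report", False),
    ("dropper.bin", b"MZ\x90\x00 EVIL_MARKER_7f copy self to Startup", True),
    ("dropper_v2.bin", b"MZ\x90\x00 EVIL_MARKER_7f copy self to Startup!!", True),
    ("packed.bin", b"MZ\x90\x00 \x8a\x11\xf3\xc2 unknown packed stub", True),
    ("installer.exe", b"MZ\x90\x00 SETUP copy self to Startup for autostart", False),
]

# Signature database (constructed): exact SHA-256 hashes plus byte patterns.
HASH_SIGS = {hashlib.sha256(SAMPLES[1][1]).hexdigest(): "Dropper.A"}
PATTERN_SIGS = [(re.compile(rb"EVIL_MARKER_[0-9a-f]{2}"), "Dropper.gen")]

def signature_scan(content):
    """Signature-based detection: exact hash first, then byte patterns. The hash
    only matches the identical sample; the pattern also catches dropper_v2."""
    digest = hashlib.sha256(content).hexdigest()
    if digest in HASH_SIGS:
        return HASH_SIGS[digest]
    for regex, name in PATTERN_SIGS:
        if regex.search(content):
            return name
    return None

def heuristic_scan(content):
    """Heuristic detection as the article describes it: an executable that
    copies itself to the Startup folder is flagged without any signature."""
    looks_like_pe = content.startswith(b"MZ")
    self_replicates = b"copy self" in content and b"Startup" in content
    return "Heur.SelfCopy" if looks_like_pe and self_replicates else None

def classify(content):
    """Combine both engines, as modern products do; any hit is a detection."""
    return signature_scan(content) or heuristic_scan(content)

def evaluate(samples):
    """Count true/false positives and negatives against the labelled truth."""
    counts = Counter()
    for _name, content, malicious in samples:
        detected = classify(content) is not None
        if detected:
            counts["TP" if malicious else "FP"] += 1
        else:
            counts["FN" if malicious else "TN"] += 1
    return dict(counts)   # packed.bin is the FN, installer.exe the FP
```

Running `evaluate(SAMPLES)` shows both failure modes at once: the unknown packed sample slips through every engine (a false negative), while the legitimate installer that copies itself to Startup trips the heuristic (a false positive).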

As already stressed in PART 1 of this feature, the battle between malware and Anti Malware is ever evolving. There is no perfect Antivirus that can detect 100% of malware, and there are always false negatives that help hackers beat Antivirus. Payloads which go undetected by Antivirus are known as Frequently UnDetected (FUD) payloads. The best example of a FUD payload is Stuxnet.

That's all, fellows. I hope you got a basic understanding of how Anti Malware works. In future Issues of Hackercool Magazine you will learn more advanced methods used by black hats to bypass Anti Malware.


Bypass Antivirus with AV | ATOR

Hello aspiring Ethical Hackers. In this article you will see how to bypass Antivirus with AV | ATOR. AV | Ator is a backdoor generator utility that uses cryptographic and injection techniques to bypass AV detection. The AV in AV | Ator stands for Anti Virus. Ator is a character from the Italian film series "Ator": a swordsman, alchemist, scientist, magician, scholar and engineer with the ability to sometimes produce objects out of thin air.

ATOR takes C# shellcode as input, encrypts it with AES encryption and generates an executable file. ATOR uses various methods to bypass Anti Virus. Some of them are:

Portable executable injection: In portable executable injection, malicious code is written directly into a process (without a file on disk). Then, this code is executed either by invoking additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references.

Reflective DLL Injection: DLL injection is a technique used for running code within the address space of another process by forcing it to load a dynamic-link library. This overcomes the address relocation issue.

Thread Execution Hijacking: Thread execution hijacking is a process in which malicious code is injected into a thread of an existing process.

ATOR also has an RTLO option that spoofs an executable file to look like it has an "innocent" extension like 'pdf', 'txt' etc. E.g. the file "testcod.exe" will be interpreted as "tesexe.doc", and of course we can set a custom icon. ATOR can be run on both Windows and Linux. We need Mono to run ATOR on Linux.
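From the defender's side, the RTLO trick described above is straightforward to catch: the displayed name is reordered by a Unicode bidirectional control character, but the operating system still opens the file by its real extension. The following is an added Python example (not part of the original article or of ATOR) that flags file names containing such control characters and reports the actual extension; the sample names and the `flag_attachments` gateway check are constructed for the demo.

```python
import os
import unicodedata

# Unicode bidirectional-control characters that can reorder how a name is displayed.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}

def inspect_filename(name):
    """Return (is_spoofed, actual_extension, controls_found) for a file name.
    The actual extension is taken from the raw string, which is what the
    operating system uses to decide how to open the file, regardless of
    how a file manager or mail client renders the name."""
    found = sorted(unicodedata.name(c) for c in name if c in BIDI_CONTROLS)
    _, ext = os.path.splitext(name)
    return (bool(found), ext.lower(), found)

# Constructed samples: a plain document and a name containing U+202E (RLO).
# The second one is displayed roughly as "reportexe.pdf" but ends in ".exe".
SAMPLE_NAMES = [
    "quarterly_report.pdf",
    "report\u202efdp.exe",
]

def flag_attachments(names):
    """Hypothetical mail-gateway check: return the names that should be quarantined."""
    return [n for n in names if inspect_filename(n)[0]]
```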

Let’s see how to install ATOR in Kali Linux. Clone the ATOR repository from Github as shown below.

Then unzip the zip archive.

Then, install Mono as shown below.

After moving into the extracted directory, there will be an AVIATOR executable. We just need to run it with Mono.

If you want to run ATOR on Windows, you can just download the compiled binaries from Github. When you run the executable, the ATOR GUI opens.

Let’s see all the options in detail.
1. It contains the encryption key that is used to encrypt the shellcode. Keep it default if you want.
2. It contains the IV used for AES encryption. Keep it default too.
3. Shellcode in C# format.
4. It will show the encrypted payload.
5. The location to which the generated executable is to be saved.
6. Various Injection techniques.
7. Set a Custom Icon to the executable.

Let’s create the shellcode using msfvenom.

Copy the shellcode generated above and paste it in the payload column. Click on "Encrypt" to see the encrypted payload in (4). Click on (7) to set a custom icon (we are using a pdf icon). Select the path of the executable (5), select the injection technique (6) and click on the "Generate EXE" button. Here's the payload.

Before executing it on the target, start a listener on the attacker machine.

As soon as the payload is executed on the target, we will have a shell as shown below.

See how to bypass antivirus with