Hello aspiring ethical hackers. In this article, you will learn how Antivirus works. In our July 2020 Issue of Hackercool Magazine, our readers have seen one scenario where a malicious payload we created bypassed one of the Antivirus and successfully got a meterpreter session on the OMEGA target.
In this article, our readers will learn about more about Antivirus and Anti malware and how Antivirus works to detect malware. It is very important to understand how Anti Malware works in order to devise methods to bypass them in penetration testing. Anti Malware is a software just like malware. Different Anti malware use different methods to detect malware. Lets see each one of them.
Signature Based Detection
This type of Antivirus detects malware by comparing its code with known malware samples. This samples the Anti Malware uses for comparison are known as signatures. These signatures are regularly updated (in most cases, daily) by the anti malware in order to stay one step ahead of malware. This is the reason why antimalware needs regular updates.
The problem with signature based detection is that it can only detect known malware or malware that is around more. To overcome this problem, many of the antivirus nowadays detect malware using heuristic analysis. In this type of analysis, the Antivirus tries to identify malware by examining the code in a virus and analyzing the structure of malware.
By doing this, the antivirus actually tries to simulate running the code and see what it actually does. If it finds any malicious intention in the code like the malware replicating itself or trying to rewrite itself, it classifies the code program as malware. As already mentioned, this is used by almost all modern antivirus or antimalware.
In behavioral detection, the antivirus detects suspicious activity in the operating system. If the antivirus notices that any new program is trying to modify or make changes to system like altering files or running a code to communicate with external systems, then it flags the program as virus and blocks it. So instead of scanning the code of -the malware, it just scans for any suspicious activity.
In Sandbox detection, the Antivirus classifies a program as malware after executing the program in a contained environment separated from the operating system. This contained environment is known as sandbox. If the program performs any suspicious or malicious activity in the sandbox, the antivirus classifies the program as malware. This method of detection takes a heavy toll on the system resources.
These are the ways in which antivirus can detect malware or payloads we create in penetration testing. There are a few other concepts you need to understand about antivirus.
Real Time Protection
Nowadays most antivirus use not just one but a combination of the above mentioned methods. Also, many antivirus nowadays are in Real Time Protection mode, i.e providing protection and on screen scanning of the system. In this, the antivirus detects and blocks the malware as soon as it enters the system. This is because it is more easier to detect malware as soon as it enters than after it has already infected the system.
When an antivirus classifies a genuine program as malware, it is known as false positive. When this happens, the antivirus may classify genuine programs as malware and either remove them or block them, thus affecting operations.
When an antivirus fails to detect malware or a malicious file as what it is or classifies it as a harmless file, it is known as false negative. False negatives pose a bigger dangerous problem because malware has gone undetected and stays on the system.
In PART 1 of our Bypassing Antivirus, our readers have seen the OMEGA target system failed to detect our batch payload. This is a case of FALSE NEGATIVE.
As already stressed in the PART 1 of this feature, the battle between malware and anti malware is ever evolving. There is no perfect anti virus that can detect 100% malware an d there are always false negatives that help hackers beat antivirus. This payloads which go undetected by antivirus are known as Frequently UnDetected (FUD) payloads. The best example of a FUD payload is Stuxnet.
That’s all fellows. I hope you got a basic understanding as to how Antivirus works . In our future Issues of Hackercool Magazine you will learn more advanced methods used by black hats to bypass anti malware.