Malware Testing Results

I decided to test a few systems to see if they could detect the malware I created. The first test, as mentioned in a previous post, was email clients to determine if they would detect the malware in an attempt to send it. I tested both Google’s Inbox and Gmail clients as well as Microsoft’s browser based Outlook client. Both of Google’s clients did not allow me to attach, send, or download the unobfuscated document, whether it was by itself or compressed a zip folder. However, neither was able to detect my obfuscated malware and allowed the uploading, sending, and downloading of the obfuscated malware. The outlook client was unable to detect either the unobfuscated or the obfuscated malware, and allowed the sending and downloading of the malware.

I next moved on to test a barebone Windows 10 OS that had no antivirus system. I was able to download the both versions of malware with no issues. I was also able to run both version of the malware, successfully connecting a reverse shell to my Kali Linux virtual machine. The only hiccup was that you needed to enable macros upon the opening of the the document, which is the default for Microsoft Office.

Next I decided to test out a Window 10 system that was running Windows Defender as an antivirus system. Windows Defender did was not able to detect either piece of malware upon their download. Defender was also not able to detect either file during a scan. I attempted to perform both a quick scan and a full scan both before I ran the files and after. However, Windows Defender was able to stop the malware’s execution after opening the word document, detecting at this point that the word document contained a virus. I decided to test turn off the ‘Real-time protection’ and test the malware again. As expected the malware was able to run perfectly, demonstrating that the ‘Real-time protection’ was the most effective part of the antivirus system.

After finishing my tests with Windows Defender I decided to try out the  Avast antivirus system as well. I set Avast up on a windows 10 system as well and attempted to download both the obfuscated and unobfuscated pieces of malware. Avast’s real time system was able to detect both upon an attempted download and stopped the download part way. I temporarily halted the web based system that avast implements in order to download the documents. I then reactivated. Upon running a scan with Avast, I learned that it too was not able to detect either file and determine that it was malware. I then tried to open the documents in an attempt to execute the malware, Avast was able to successfully detect the reverse shell attempt and was able to stop the execution. I once again tried the scan of Avast after it had stopped the execution of the malware once and it once again was not able to detect the malware.

I finally decided to try one last scan by using Malwarebytes. It was also not able to detect either of the documents, and it does not come with real time protection so I refrained from testing the execution of the malware on this system.

While the antivirus real-time protection systems seemed effective and stopping the malware’s execution, their scanner’s seemed less effective at detecting the malware. My best guess as to the reason of this is that the antivirus scans were not able to detect a malware based signature associated with the malware files that I created based on the fact that I created them and they had not been found on other systems. However, based on the simplicity of the malware, I would have imagined that a heuristic based approach would have allowed the malware to be detected by the antivirus systems. Without knowledge of how these particular antivirus systems work, I may not ever be able to determine the exact reason as to why they were not able to detect the malware I created.

Obfuscating Strings

While I was able to create a Word document macros to setup a reverse shell, I did have difficulty transferring it to the test virtual machines. I originally planned to setup an email account and email the document to the vms. However, I was unable to attach the document to the email, as Gmail and Inbox both detected that the document “contained a virus.” In order to get around this I setup a Dropbox account to upload the document. I then logged into the Dropbox account from the test virtual machines and downloaded the document successfully bypassing my email problem. I did want this project to be able to be transferred through email, however so I did a little bit of research. After searching through a few articles and tutorials online, I found several mentions or recommendations to obfuscate the strings that were found within the macros. These strings made up a majority of the malicious code found within macros as it was the command that was passed along to a cmd session from the document. I decided to about by transferring all of the characters to the ascii decimal values, in addition to adding more variables to the macro. This is annoying to do, however, especially as strings that need to obfuscated grow in length. So I created a python script to obfuscate it for me! This script will have the user enter a string. The program will then divide the string into ten character chunks, and make that many randomly named variables. Each of these variables will be assigned a chunk of ascii encoded characters that look like ChrW(89) from the string that user entered. The program will then randomly print out these randomized strings in a format read by Visual Basic before having a final line that compiles the strings together to be read as the string that the user input. After running the command string of the Macro through this obfuscation program, I transferred the output to the macro. This obfuscated macro was able to be uploaded to and sent through both Gmail and Inbox, successfully passing through whatever check Google would perform upon attachments.

Macro Based Malware

Upon starting to work with Microsoft word macros, it became pretty obvious why malware hidden within macros have become so popular. It was incredibly easy to setup a macro to perform a function. These macros are primarily written within visual basic. Within the macro you can setup a function called Auto_Open to have it automatically run upon the document being opened. From there I was able to easily setup the macro to run PowerShell commands. From there I was able to set the macro up to download a file from online once the file is opened.  

However, I didn’t want to stop at just just downloading a file from online. So I started up a Kali Linux virtual machine and proceeded to setup a reverse tcp shell connection. To begin I used the Social Engineering Toolkit (SET) to create a payload. In order to do this I opted for a “powershell alphanumeric shellcode injector.” I provided SET my VM’s local Ip address and a port number. SET then created a custom payload for me which I loaded up onto an apache webserver hosted upon the vm. Next I needed to set up the Metasploit framework to act as a listener for when someone would download and execute the payload. Upon starting up Metasploit, I set the proper ip and port to set up as a listener as well as directing the payload for a reverse_tcp connection. I then started up the listener within Metasploit. From here I updated the word document’s macros to download the payload, transferred the completed document to a test vm and opened it. I needed to allow Word access to macros, as you typically do with a fresh install of Microsoft Office, but then it executed the macros, and my Kali Linux vm had a shell setup within the test vm.

C/C++ Based Malware

The next portion of my research revolved around trying my hand at creating some malware in an attempt to run it against antivirus systems to see if it would be detected or not. For my initial test I decided to make a c/c++ program that would download and run a file from an online repository or web server and then execute the file. My goal was to make an exe file through this method that could be run on Windows machines. Since I currently have a better understanding of the Linux operating systems compared to Windows, I decided I would originally create it for Linux and then port it over to Windows. I started my implementing the libcurl library which allows a c/c++ program to make http requests. I would then make a request to my git lab repository to download an executable file raw code. This code would then be written to a file on the local machine and that file would be updated to a runnable file. Finally, the program would run the downloaded code before deleting the downloaded file from the system. After the Linux version was error free, I moved onto the Windows port. I re-implemented it to download a file and then save it to a file on the Windows file system instead. However, I had a conversation with my adviser at this point, and we discussed distribution of the program. We had discussed at one point how we would like to setup my project from last semester, a framework that would simulate a phishing campaign, to be able to send files as well. This brings up a problem as many email clients do not let you, or at least provide multiple warnings about, downloading exe files from emails. Due to this problem, I decide to switch over to attempt to implement a Microsoft word macro based malware solution instead.

How does Malware Attempt to Hide itself from Antivirus Systems

The second part of my project revolved around researching how malware attempt to disguise itself from antivirus systems. I once again completed this by reading through articles and blog posts. While antivirus systems always strive to detect and stop malware, malware creators seem to be one step ahead. This results in new malware constantly being deployed using new methods to hide itself from antivirus systems. In my research I found numerous methods currently being used and I will discuss the top few that has consistently come up.

One of the major ways that malware attempts to hide itself is through the method of self-encryption. This takes place when a virus will be delivered while it encrypted so that antivirus systems cannot detect what it does through scanning as well as hiding any signature detection. Typically, this type of malware will also either include its key within the actual program or it will be encrypted with a weak key, such as a single character that can quickly be broken in order to unlock and execute the malicious code. This method can still be detected by antivirus systems during runtime but it still will occasionally buy enough time from the antivirus to complete its objective.

Another method that malware has heavily implemented is polymorphic viruses. This is a method that is typically implemented with viruses that self replicate and attempt to affect other machines beyond the that was initially infected. This method of obfuscation is performed by implementing a piece of code that will replicate virus while changing small portions that still implement the same functions. This will allow the malware to appear to be different from the originally virus and will therefore have a different signature as well that will make it harder to detect by antivirus systems. The existence and implementation of polymorphic malware has contributed to and encouraged antivirus systems to implement heuristic-based detection. In a similar method to polymorphic obfuscation, some malware will make attempts to hide itself by modifying its own code. This self modifying code can be used at various levels from modifying itself at the memory level when in execution to modify the compiled code in an attempt to change it’s own signature.

Another method which malware will use to attempt to hide itself is by only running when executed upon the operating system. This method is used to attempt to avoid running on virtual machines is implemented for two primary reasons. The first is that it attempts to hide from antivirus systems that would sandbox it. This way when it detects that it within a virtual machine it will stop execution so the antivirus system does not believe that it performing any malicious operation. The second reason is that it makes it difficult to be run through a debugger which makes reverse engineering much more difficult. This added difficulty makes it harder for a malware analyst  to determine the purpose of the malware. The method of determining how malware determines if it is with a virtual machine varies, but can attempt methods such as checking drivers, ports, available hardware, or operating system registries.

Another method that malware creator will use to hide malware from antivirus systems is hiding code within other files. One popular method for this is by implementing malware within Microsoft word documents. This malware is hidden within macros of the word document, and would typically be written in visual basic. The macros are setup to automatically run upon the document being opened, and execute what payload has been set up. This method of malware distribution and hiding has become more popular because transferring a word document is typically easier than transferring an executable file.

How do Antivirus Systems Detect Malware.

I started this project by researching antivirus systems and how they detect malware. In order to accomplish this, I read through several online articles, forums, and blog posts. Many modern operating antivirus systems run multiple layers of defense against malware.

These layers each attempt to detect malware but usually at different points. One of the most common points at which antivirus systems detect malware is known as access scanning. This occurs when the antivirus system waits until the code in question attempts to run. The antivirus will then scan the code in order to determine if the program is malicious or not. Some access scanning systems also extend to scan files as they are being downloaded to a system, not just upon execution. Many antivirus systems also include an option to perform system scans. These scan will attempt to look at programs and files that exist within the computer’s hard drive. This is commonly used when antivirus systems are first installed, on systems where it is already known malware exists, and used on a semi regular basis in an attempt to catch dormant viruses. While these examples show times at which viruses and other malware are detected, it doesn’t show how exactly antivirus systems detect malicious software.

The first primary method that antivirus systems use to detect malware is signature-based detection. This method is when antivirus systems scan malware and compare it to other known viruses that exist and have already been catalogued. However, this method ineffective against new types of malware that have not yet been detected. In order to combat this new malware, many antivirus systems also implement heuristic-based detection in conjunction with signature-based detection. Heuristic-based detection will scan files in order to determine if it is similar to an existing piece of malware. This is used because often times malware will be created from a previous piece of malware, resulting in it acting and looking extremely similar to already known malware. This allows the antivirus systems to detect new types of malware and update existing definitions of malware to improve signature-based detection in the future. The next major tool that antivirus systems use to detect malware is known as behavior-based detection. Using this method, the antivirus systems will examine what the code will attempt to do at run time. The malware may attempt to unpack, or download other malicious code. It could attempt to read keystrokes from the user or install other software. None of these methods on their own definitively mean the code is malware, but it can set off red flags that indicate its possibility. Finally, some antivirus systems also implement what is known as a sandbox testing of the malware. This is when the antivirus systems attempts to completely run the software within a virtual environment and checks what results from the codes execution. It will check to see if any malicious result stems from the actions of the code in order to determine if the code is malicious or not. While these are not the only methods that are used to detect malware, they are the most common ones. However, this is field that continues to improve itself in order to protect people from malware.

A look at the Relationship of Malware and Antivirus Systems

Over this past semester, I have been examining the relationship between antivirus systems and malware. In this research, I have primarily looked at how the antivirus systems look detect and prevent the execution of malware.  In addition, I have also looked at steps that malware creators have been implementing in an effort to bypass antivirus systems. In order to accomplish this I read numerous online articles over the subject. In the later half of the semester, I also attempted to create some basic malware to test against a few antivirus systems.