I decided to test a few systems to see if they could detect the malware I created. The first test, as mentioned in a previous post, was email clients, to determine if they would detect the malware in an attempt to send it. I tested both Google’s Inbox and Gmail clients as well as Microsoft’s browser-based Outlook client. Neither of Google’s clients allowed me to attach, send, or download the unobfuscated document, whether it was by itself or compressed in a zip folder. However, neither was able to detect my obfuscated malware, and both allowed the uploading, sending, and downloading of the obfuscated malware. The Outlook client was unable to detect either the unobfuscated or the obfuscated malware, and allowed the sending and downloading of both.
I next moved on to test a bare-bones Windows 10 OS that had no antivirus system. I was able to download both versions of the malware with no issues. I was also able to run both versions of the malware, successfully connecting a reverse shell to my Kali Linux virtual machine. The only hiccup was that you needed to enable macros upon opening the document, which is the default for Microsoft Office.
Next I decided to test out a Windows 10 system that was running Windows Defender as an antivirus system. Windows Defender was not able to detect either piece of malware upon download. Defender was also not able to detect either file during a scan. I attempted to perform both a quick scan and a full scan, both before I ran the files and after. However, Windows Defender was able to stop the malware’s execution after the Word document was opened, detecting at this point that the Word document contained a virus. I decided to turn off ‘Real-time protection’ and test the malware again. As expected, the malware was able to run perfectly, demonstrating that ‘Real-time protection’ was the most effective part of the antivirus system.
After finishing my tests with Windows Defender I decided to try out the Avast antivirus system as well. I set Avast up on a Windows 10 system and attempted to download both the obfuscated and unobfuscated pieces of malware. Avast’s real-time system was able to detect both upon an attempted download and stopped the download partway. I temporarily halted the web-based system that Avast implements in order to download the documents, and then reactivated it. Upon running a scan with Avast, I learned that it, too, was not able to detect either file as malware. I then tried to open the documents in an attempt to execute the malware. Avast was able to successfully detect the reverse shell attempt and stop the execution. I ran the Avast scan once more after it had stopped the malware’s execution, and it was still not able to detect the malware.
I finally decided to try one last scan using Malwarebytes. It was also not able to detect either of the documents, and since it does not come with real-time protection, I refrained from testing the execution of the malware on this system.
While the antivirus real-time protection systems seemed effective at stopping the malware’s execution, their scanners seemed less effective at detecting the malware. My best guess as to the reason is that the antivirus scanners had no signature associated with the malware files I created, since I created them myself and they had not been seen on other systems. However, given the simplicity of the malware, I would have imagined that a heuristic-based approach would have allowed the antivirus systems to detect it. Without knowledge of how these particular antivirus systems work, I may never be able to determine the exact reason why they were not able to detect the malware I created.
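As an added illustration of the kind of structural heuristic that does not depend on a known signature (this is example code written for this post, not the author's malware or any vendor's scanner), the check below inspects a Word OOXML container for a VBA project stream and a macro-enabled content type, and flags a macro-bearing file that carries a plain .docx extension. The sample documents it builds are constructed in memory and contain no real macro code.

```python
import io
import zipfile

MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container (not a real document) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = MACRO_CT if with_macro else PLAIN_CT
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    f'ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()

def inspect_office_doc(data: bytes, filename: str) -> dict:
    """Static check based on container structure rather than a signature:
    does this OOXML document carry a VBA project at all?"""
    findings = {"is_ooxml": False, "has_vba_project": False,
                "macro_enabled_content_type": False, "extension_mismatch": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an OOXML zip container; nothing to inspect here
    names = set(zf.namelist())
    findings["is_ooxml"] = "[Content_Types].xml" in names
    findings["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    if findings["is_ooxml"]:
        ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        findings["macro_enabled_content_type"] = "macroEnabled" in ct
    # A VBA project inside a file named .docx is itself worth a closer look.
    findings["extension_mismatch"] = (findings["has_vba_project"]
                                      and filename.lower().endswith(".docx"))
    return findings

def is_suspicious(findings: dict) -> bool:
    """Flag any document that carries macros, regardless of what they do."""
    return findings["has_vba_project"] or findings["macro_enabled_content_type"]
```

Obfuscating the macro body does not change these container-level indicators, which is why a check like this complements signature scanning for documents like the ones tested above.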