New Viruses may Bypass Anti-Virus Programs

Hackers know that most users will be running some type of anti-virus program. Yes, many times the anti-virus is not up to date, but what if it is? The bad guys will take a piece of known malware and modify it to fit their needs. Then, knowing that an anti-virus signature scan may pick it up, they obfuscate the code by running it through a special program.

They now have an obfuscated binary file. But did it work? Will it bypass anti-virus detection? Many times, the evil hacker will take this file and upload it to a website that checks for viruses. Sites like VirusTotal check uploaded files against about 40 current anti-virus programs. If the file comes back undetected or with a low detection rate, they release it.

Pretty scary, but this tactic has been known for years. Even ethical penetration testers use this technique when trying to inject a remote shell into a network for security testing. Unfortunately, it is possible to get infected with a virus even though your anti-virus is running and up to date.

But it looks like this obfuscation step may no longer be needed. According to an article on The Register, security researchers from Matousec.com have found that most current anti-virus programs are vulnerable to a System Service Descriptor Table attack.

Basically what this means is that when a malicious file is being scanned, it can offer garbage code up to the scanner, then switch it with the malicious code:

The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it’s executed, swaps it out with a malicious payload.
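
The check-then-swap gap described above, reduced to a user-mode toy model. This is an added example, not code from the original post or from matousec.com; every function name and path in it is constructed, and preemption is simulated by a callback so the outcome is deterministic:

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy model; every name here is hypothetical, not from any AV product. */
#define ARG_LEN 64
typedef void (*preempt_fn)(char *shared_arg);  /* models another thread getting the CPU */
static char last_used[ARG_LEN];                /* what the "real service" acted on */

static int scan_is_clean(const char *path) {   /* stand-in for the signature check */
    return strstr(path, "malicious") == NULL;
}
static void real_service(const char *path) {   /* stand-in for the original system call */
    snprintf(last_used, sizeof last_used, "%s", path);
}

/* Weak hook: checks caller-owned memory, then passes the SAME memory on. */
int hook_weak(char *user_arg, preempt_fn preempt) {
    if (!scan_is_clean(user_arg)) return -1;   /* time of check */
    if (preempt) preempt(user_arg);            /* hook thread is preempted here */
    real_service(user_arg);                    /* time of use: memory is read again */
    return 0;
}

/* Hardened hook: capture the argument once; check and use only the private copy. */
int hook_hardened(char *user_arg, preempt_fn preempt) {
    char captured[ARG_LEN];
    snprintf(captured, sizeof captured, "%s", user_arg);
    if (!scan_is_clean(captured)) return -1;
    if (preempt) preempt(user_arg);            /* a later change no longer matters */
    real_service(captured);
    return 0;
}

/* Models a second thread rewriting the shared argument after the check. */
static void swap_argument(char *shared_arg) {
    snprintf(shared_arg, ARG_LEN, "%s", "C:\\tmp\\malicious.exe");
}

/* Returns 1 if the service ended up acting on a value the scan never saw. */
int check_bypassed(int (*hook)(char *, preempt_fn)) {
    char arg[ARG_LEN] = "C:\\tmp\\benign.exe";
    hook(arg, swap_argument);
    return !scan_is_clean(last_used);
}

int main(void) {
    printf("weak hook bypassed:     %d\n", check_bypassed(hook_weak));
    printf("hardened hook bypassed: %d\n", check_bypassed(hook_hardened));
    return 0;
}
```

The weak hook lets the swapped value through because it reads the caller's memory twice; the hardened hook reads it once and both checks and uses its own copy.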

How effective could this be in a real attack? H D Moore, CSO and Chief Architect of the Metasploit project, told The Register in an instant message:

“Realistic scenario: someone uses McAfee or another affected product to secure their desktops, a malware developer abuses this race condition to bypass the system call hooks, allowing the malware to install itself and remove McAfee. In that case, all of the ‘protection’ offered by the product is basically moot.”

This is why it is imperative to keep your operating system security updates current, to use intrusion detection systems and network system monitoring, and not to rely on anti-virus protection alone to protect your network. For more information see The Register.

~ by D. Dieterle on May 11, 2010.

12 Responses to “New Viruses may Bypass Anti-Virus Programs”

  1. Is this different from the “polymorphic” virus in that it offers up “junk” code to the AV for authentication, as opposed to changing its coding to evade the AV overall? Or is it the same basic concept?

    • Excellent question Philo. From my understanding, a polymorphic virus changes its signature each time it infects a new file, making it hard to detect. I found this on Symantec’s website:

      However, a polymorphic virus adds to these two components a third — a mutation engine that generates randomized decryption routines that change each time a virus infects a new program.

      In a polymorphic virus, the mutation engine and virus body are both encrypted. When a user runs a program infected with a polymorphic virus, the decryption routine first gains control of the computer, then decrypts both the virus body and the mutation engine. Next, the decryption routine transfers control of the computer to the virus, which locates a new program to infect.

      At this point, the virus makes a copy of both itself and the mutation engine in random access memory (RAM). The virus then invokes the mutation engine, which randomly generates a new decryption routine that is capable of decrypting the virus, yet bears little or no resemblance to any prior decryption routine. Next, the virus encrypts this new copy of the virus body and mutation engine. Finally, the virus appends this new decryption routine, along with the newly encrypted virus and mutation engine, onto a new program. – http://www.symantec.com/avcenter/reference/striker.pdf

      So, in this case, the virus code is altered for each file and physically looks different than the previously infected file.

      This new technique actually attacks a programming weakness that is inherent in anti-virus programs and how Microsoft Windows handles program thread execution. From what I understand, due to limitations of anti-virus programs communicating with the kernel mode operating system, programmers had to write their own drivers or hooks to talk to the kernel mode or protected mode of the OS.

      As the process of scanning is performed, it runs as a thread. Because it runs as a thread, it can be preempted at any time. If it is preempted after it has performed the scan, the name of the process to run after a successful scan can be altered, because the variable exists in alterable memory.
      It’s kind of like a bait and switch technique. The operating system runs the thread for the scan. Say it is a ten line program. Line 9 says, “OK if the scan is successful, go to line 10”. Then line 10 lists a file or service to run. But, before it can get to line 10 the thread is interrupted, and the name of an infected file or service is placed into line 10. Line 10 can be changed because it is just a variable name. Then when the thread continues execution, it takes off at line 10 in ignorant bliss, executing the infected service.

      Kind of scary stuff. More information can be found at Matousec.com.

      I could be wrong, but this is how I think it works. Sorry about the long reply Philo, I’m trying to wrap my head around this too. 🙂

  2. Unbelievable! It’s like SQL injection into a running program in real time. I’m going to guess that the AVs will address this by adding code that quickly checks each thread prior to initiation to verify no recent changes? If the AVs keep record of their own threads, the program should be able to recognize that something has been altered.
    Of course any new code will open even more vulnerabilities up in the end.
    Thanks for the explanation, I’m mostly a n00b to this stuff. I will keep an eye on this one for sure.

    • Exactly! I’m not a programmer, but this reverse engineering stuff is pretty fascinating. These guys have some real talent.

      It is amazing what they can find when they look at a program at code level. A while back I took an Ubuntu Linux class. The instructor said that when they wanted to add NTFS support to Linux, Microsoft would not allow them to see the source code for NTFS. So, the programmers took a Windows machine and had to analyze the code on a low level, watching what each command did, what bytes were changed, how the file structures on the drive were manipulated.

      Over time they figured it all out, put the support into Linux, and had a thorough understanding of how NTFS worked. These guys that are able to do this find many loopholes and flaws in the code itself.

  3. LOL That’s awesome. I went over this with my professor in class. He’s a NetSec guy for a big bank out here. I wish I had a camera ready to capture how far his eyes bugged out of his head! LOL I think your article ruined his Friday. 🙂

    • Thanks Philo, that’s my job, LOL. 🙂

      I think that’s the real reason why I started this blog. I was an MCSE and thought I had this network security stuff down pretty good. I ran Metasploit against a patched 2003 server once, thinking it was a waste of time, and within a few moments I had a remote command prompt. I was stunned. It grabbed my interest and I have been hooked ever since.

      So, I’ve kinda started a mini-quest on trying to get some of this information out to the good guys.

  4. In my experience I have yet to find a computer that has all of the latest Windows updates be vulnerable to any of the Metasploit injections.

    San Antonio Computer Repair

    • Yup, currently the security patches are a bit ahead of the stock Metasploit exploits. Microsoft is getting much better at pushing out updates and listening to white hat security groups that are finding the exploits. Metasploit also allows you to use custom exploits created by third parties that are not included with the Metasploit package.

      Many of the viruses/botnets that are active today are just rehashes of older malware that has been slightly changed or obfuscated to bypass anti-viruses. The Kneber botnet infected many machines that had current anti-virus/patches. The best way to catch these types of advanced threats is through packet analysis and network system monitoring.

  5. Intrusion detection systems and network system monitoring may not be enough if a hacker knows how to hide their activity over a covert channel.

    • Excellent point Mister Reiner. Covert channels are very stealthy and will bypass most firewalls and IDS systems because they use standard ports (like 80), look like a random packet, but carry extra data in the control fields of the packet. This extra data, when pieced together from several packets, contains strings of text or commands. A very good article on this can be found at the SANS website.

      Though stealthier than most other types of communication, covert channels still create a signature that can be detected by analyzing the traffic with tcpdump captures. An excellent book on capturing, monitoring and analyzing large amounts of data is The Tao of Network Security Monitoring: Beyond Intrusion Detection by Richard Bejtlich.

  6. Thank you very much.
