Bypassing antivirus detection with encryption
Τασιόπουλος, Βασίλειος Γ.
Subject: Computer security; Computer hackers; Computer viruses; Malware; Data encryption (Computer science)
During security evaluations it is common to have to convince someone that antivirus software does not offer complete security. A penetration tester also frequently encounters antivirus software. For these and several other reasons, a variety of ways to bypass antivirus systems has been invented. In this thesis we deal with the use of encryption for bypassing antivirus detection. The idea of using encryption as an anti-detection technique is not new: it has been introduced previously by researchers, together with implementations of programs called "crypters", which are the means to accomplish it. These programs encrypt a malware sample and store it inside a legitimate file without affecting that file's original functionality. The resulting file is able to bypass detection and then decrypt the malware and either store it in a specific part of the disk or load it directly into the computer's memory and execute it. Even though the general functionality of a crypter has remained the same over time, it is essential to create an architecture that is compatible with current systems and able to avoid detection by constantly evolving antivirus systems. In this master's thesis we do not invent a new way to bypass antivirus detection. On the contrary, we rely on previous research in order to introduce a new crypter architecture that offers a unique output every time it is used. The implementation follows the same principle as the previous ones, namely encrypting the malware, but it also injects into another process. The injection is performed by a DLL that is also stored encrypted inside the legitimate file. The encrypted DLL is decrypted and loaded into memory; the DLL then injects the decrypted malware into a legitimate process. The crypter is designed to offer a unique output every time someone uses it.
The encryption key, together with the function names, DLL names, variables and strings, is random and therefore different every time. Several tests have been conducted with this implementation, and it has successfully bypassed detection by over forty antivirus products.