Book Image

Antivirus Bypass Techniques

By : Nir Yehoshua, Uriel Kosayev
Book Image

Antivirus Bypass Techniques

By: Nir Yehoshua, Uriel Kosayev

Overview of this book

Antivirus software is built to detect, prevent, and remove malware from systems, but this does not guarantee the security of your antivirus solution as certain changes can trick the antivirus and pose a risk for users. This book will help you to gain a basic understanding of antivirus software and take you through a series of antivirus bypass techniques that will enable you to bypass antivirus solutions. The book starts by introducing you to the cybersecurity landscape, focusing on cyber threats, malware, and more. You will learn how to collect leads to research antivirus and explore the two common bypass approaches used by the authors. Once you’ve covered the essentials of antivirus research and bypassing, you'll get hands-on with bypassing antivirus software using obfuscation, encryption, packing, PowerShell, and more. Toward the end, the book covers security improvement recommendations, useful for both antivirus vendors as well as for developers to help strengthen the security and malware detection capabilities of antivirus software. By the end of this security book, you'll have a better understanding of antivirus software and be able to confidently bypass antivirus software.

Related Content you might be interested in

Current Title:

Small book image
Antivirus Bypass Techniques
Nir Yehoshua | Uriel Kosayev
Jul, 2021 | 242 pages
Small book image
Malware Analysis Techniques
Dylan Barker
Jun, 2021 | 282 pages
Small book image
Mastering Reverse Engineering
Reginald Wong
Oct, 2018 | 436 pages
Small book image
Mastering Malware Analysis
Alexey Kleymenov | Amr Thabet
Sep, 2022 | 572 pages
Table of Contents (13 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Code in Action
Download the color images
Conventions used
Disclaimer
Get in touch
Reviews
1
Section 1: Know the Antivirus – the Basics Behind Your Security Solution
Section 1: Know the Antivirus – the Basics Behind Your Security Solution
Free Chapter
2
Chapter 1: Introduction to the Security Landscape
Chapter 1: Introduction to the Security Landscape
Understanding the security landscape
Defining malware
Exploring protection systems
Antivirus – the basics
Antivirus bypass in a nutshell
Summary
3
Chapter 2: Before Research Begins
Chapter 2: Before Research Begins
Technical requirements
Getting started with the research
The work environment and lead gathering
Defining a lead
Working with Process Explorer
Working with Process Monitor
Working with Autoruns
Working with Regshot
Third-party engines
Summary
4
Chapter 3: Antivirus Research Approaches
Chapter 3: Antivirus Research Approaches
Understanding the approaches to antivirus research
Introducing the Windows operating system
Understanding protection rings
Protection rings in the Windows operating system
Windows access control list
Permission problems in antivirus software
Unquoted Service Path
DLL hijacking
Buffer overflow
Summary
5
Section 2: Bypass the Antivirus – Practical Techniques to Evade Antivirus Software
Section 2: Bypass the Antivirus – Practical Techniques to Evade Antivirus Software
6
Chapter 4: Bypassing the Dynamic Engine
Chapter 4: Bypassing the Dynamic Engine
Technical requirements
The preparation
VirusTotal
VirusTotal alternatives
Antivirus bypass using process injection
Antivirus bypass using a DLL
Antivirus bypass using timing-based techniques
Summary
Further reading
7
Chapter 5: Bypassing the Static Engine
Chapter 5: Bypassing the Static Engine
Technical requirements
Antivirus bypass using obfuscation
Antivirus bypass using encryption
Antivirus bypass using packing
Summary
8
Chapter 6: Other Antivirus Bypass Techniques
Chapter 6: Other Antivirus Bypass Techniques
Technical requirements
Antivirus bypass using binary patching
Antivirus bypass using junk code
Antivirus bypass using PowerShell
Antivirus bypass using a single malicious functionality
The power of combining several antivirus bypass techniques
Antivirus engines that we have bypassed in our research
Summary
Further reading
9
Section 3: Using Bypass Techniques in the Real World
Section 3: Using Bypass Techniques in the Real World
10
Chapter 7: Antivirus Bypass Techniques in Red Team Operations
Chapter 7: Antivirus Bypass Techniques in Red Team Operations
Technical requirements
What is a red team operation?
Bypassing antivirus software in red team operations
Fingerprinting antivirus software
Summary
11
Chapter 8: Best Practices and Recommendations
Chapter 8: Best Practices and Recommendations
Technical requirements
Avoiding antivirus bypass dedicated vulnerabilities
Improving antivirus detection
Secure coding recommendations
Summary
Why subscribe?
12
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Leave a review - let other readers know what you think

Defining malware

Malware is a portmanteau of malicious software. It refers to code, a payload, or a file whose purpose is to infiltrate and cause damage to the endpoint in a few different ways, such as the following:

  • Receive complete access to the endpoint
  • Steal sensitive information such as passwords and the like
  • Encrypt files and demand a ransom
  • Ruin the user experience
  • Perform user tracking and sell the information
  • Show ads to the user
  • Attack third-party endpoints in a botnet attack

Over the years, many companies have developed antivirus software that aims to combat all types of malware threats, which have multiplied over the years, with the potential for harm also growing every single day.

Types of malware

To understand how to bypass antivirus software, it's best to map out the different kinds of malware out there. This helps us get into the heads of the people writing antivirus signatures and other engines. It will help us recognize what they're looking for, and when they find a malicious file, to understand how they classify the malware file:

  • Virus: A malware type that replicates itself in the system.
  • Worm: A type of malware whose purpose is to spread throughout a network and infect endpoints connected to that network in order to carry out some future malicious action. A worm can be integrated as a component of various types of malware.
  • Rootkit: A type of malware that is found in lower levels of the operating system that tend to be highly privileged. Many times, its purpose is to hide other malicious files.
  • Downloader: A type of malware whose function is to download and run from the internet some other malicious file whose purpose is to harm the user.
  • Ransomware: A type of malware whose purpose is to encrypt the endpoint and demand financial ransom from the user before they can access their files.
  • Botnet: Botnet malware causes the user to be a small part of a large network of infected computers. Botnet victims receive the same commands simultaneously from the attacker's server and may even be part of some future attack.
  • Backdoor: A type of malware whose purpose is – as the name suggests – to leave open a "back door", providing the attacker with ongoing access to the user's endpoint.
  • PUP: An acronym that stands for potentially unwanted program, a name that includes malware whose purpose is to present undesirable content to the user, for instance, ads.
  • Dropper: A type of malware whose purpose is to "drop" a component of itself into the hard drive.
  • Scareware: A type of malware that presents false data about the endpoint it is installed on, so as to frighten the user into performing actions that could be malicious, such as installing fake antivirus software or even paying money for it.
  • Trojan: A type of malware that performs as if it were a legitimate, innocent application within the operating system (for example, antivirus, free games, or Windows/Office activation) and contains malicious functionality.
  • Spyware: A type of malware whose purpose is to spy on the user and steal their information to sell it for financial gain.

    Important Note

    Malware variants and families are classified based not only on the main purpose or goal of the malware but also on its capabilities. For example, the WannaCry ransomware is classified as such because its main goal is to encrypt the victim's files and demand ransom, but WannaCry is also considered and classified as Trojan malware, as it impersonates a legitimate disk partition utility, and is also classified and detected as a worm because of its ability to laterally move and infect other computers in the network by exploiting the notorious EternalBlue SMB vulnerability.

Now that we have understood malware and its varieties, we should take a look at the systems created to guard against these intrusions.

Previous Section
End of Section 3
Next Section