Anti Virus Techniques Ideas

ebrizzlez
Kage
Posts: 732
Joined: 31 Mar 2007, 16:00
Location: Hidden in a Buffer Protection.


Post by ebrizzlez »

I don't know what I have been doing lately, but I sprained my ankle skateboarding, so I was home from school all week and had time to think about things. I looked at my computer and wiped the dust off of it...

Most anti-virus companies have a signature scanner that scans your entire computer for viruses. This can be cumbersome and slow the more files you have, so I thought of a few cool ideas.

I. Execution Debugging
When reversing code, I came up with this idea. Most viruses I've seen/reversed have the same structures and calls. Most would XOR the registers they're about to use to flush them out, then make a specific call to a certain function or move the file contents and bytes into memory. When an executable is bound, I noticed two kinds of binders are popular.

Ones like AIO files, where the binder extracts the original file and the virus into the /temp folder. The AIO then executes the original file, then the virus, and deletes the files from the /temp folder after execution. The user notices nothing...

Another type of binder was far more complex. It would add the virus mainly at the end of the file, or could sometimes inject the virus in the middle of the code, but it always had the virus in some sort of function with a call to that function.

Code:

Call 0040301F ;execution of original file
Call 00403022 ;execution of bound virus

Most anti-virus software would just quarantine an infection if it cannot heal it, and most anti-virus software just renames the file or completely deletes it. An infected file would be renamed to VIRUS.VXE or so, but what if you really needed this file?

Most beginning crackers use NOP as their answer to most cracks and crackmes. NOP stands for No Operation. If a call such as a JMP to an error message is made, the JMP is an unconditional jump which is forced. You would replace it with NOP, which would force the continuation and execution of the code.

Code:

JMP SHORT 0040102F

...commands go here.

MessageBoxA, "Error" ;0040102F address <- error

...commands go here.

MessageBoxA, "Success" ;where we want to be.

Would turn into:

Code:

NOP

...commands go here.

MessageBoxA, "Error" ; we avoid jumping here.

MessageBoxA, "Success" ; you end up here somehow.

If anti-virus software offered a "NOP malicious address" feature, you would still be able to use the infected executable and avoid executing the bound infection.

Cons
Debugging a 100 MB or larger executable would take too long. Too much code would be flagged as virus functions and thus be NOP'd over. Only works for certain binders and maybe advanced malware.


II. Byte By Byte Checking
I got this idea from a rootkit program I used in SuSE Linux... :wink:

The idea is to map out all executables on the hard drive; each directory would get a new text file listing all the executables in that directory. The executables are mapped into a text file where their byte sizes are recorded.

Code:

Program.exe = 55kb
InfectedFile.exe = 1.2mb
Noninfectedfile.exe = 0kb

When a parasitic virus is on the loose, it starts infecting all the files it can. The first mapping of the hard disk would obviously scan all files [using signature scanning]; scanned files that are not infected are mapped into a text file, with a new text file for each directory scanned. When a virus infects another file, file mapping would first check all the files in that directory to see if any new files were added. Then it would check each file's total byte size to see if it was modified. If it was modified, the file would be scanned; if not, the file is left alone. For example, if our InfectedFile infected all files in that directory, the text would look like this:

Code:

Program.exe = 1.2mb
InfectedFile.exe = 1.2mb
Noninfectedfile.exe = 1.2mb

The byte-by-byte checker would compare the results of the mapped file it saved from the first scan with its current mapped file. It would notice that these programs' bytes were modified, so it would perform a normal scan.

The byte-by-byte checker would only need to map the hard drive once, because mapping the hard drive constantly would take forever.

Cons
Rootkits can modify their total bytes to stay the same, and so does advanced malware, but this would most likely affect the original infected executable, so it would be slightly noticeable, though only obvious during full execution.

III. Emulated Kernel
An operating system made virtual with all virtual functions... the future. ^^

All executables could be run under a special kernel-mode operation. Just like a sandbox, but it prevents any modification to system files. It would flag any operation trying to edit system files, set a breakpoint at that operation, and ask the user if it's okay, or just completely prevent it and stop execution. To modify system settings, a user would have to modify them manually under a root account.

Cons
Would take forever to code such software, and the system would run twice as slow. And most programs that REQUIRE modification wouldn't execute properly.

IV. API Hooker
An API hooker that listens to all API functions. When an API that looks suspicious is executed, it is monitored and the user is asked if it's okay. Most viruses use the same API hook for keyloggers, so this would most likely prevent mainly keyloggers. Also, most skiddies make use of API functions in viruses to hide the system tray and open the CD-ROM; these APIs could be stopped and prevented by setting breakpoints at that point, allowing the user to determine if execution should continue.

Cons
Not all keyloggers and malware use API functions. In fact, advanced malware makes use of its own keylogging functions. I know some reverse engineers have managed to reverse a few APIs and write alternative assembly code which is far more dangerous and stealthy than the default APIs.

V. End
In conclusion, viruses are just artificial intelligence. They're programs as well, but they artificially possess their own mindset. So no matter how well an anti-virus software is constructed, there is always a new virus bypassing it that is stealthier than the last virus shown on the AV's top infection list.

And remember kids, support the scene, don't destroy it. :wink:
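Section I above proposes patching the CALL to the bound payload out of an infected executable. The following Python is an added example and not code from the post: it sweeps an x86 byte string for CALL rel32 instructions (opcode E8), resolves each target from the displacement, and replaces every call to a chosen address with five single-byte NOPs. The byte string, the image base of 0x00401000 and the displacements are constructed so that the two targets match the post's listing; a linear byte sweep is used in place of a real disassembler, and that choice is exactly what makes it over-match on data bytes, the false-positive problem the post lists under Cons.

```python
import struct

NOP = 0x90          # x86 single-byte no-op
CALL_REL32 = 0xE8   # CALL rel32: E8 + signed 32-bit displacement from the next instruction


def find_calls(code: bytes, base: int):
    """Yield (offset, target_va) for every byte pattern that decodes as CALL rel32.

    This is a linear byte sweep, not a disassembly: any 0xE8 that lives in data
    or inside another instruction's immediate is reported too. That over-matching
    is the reason the post warns that too much code would be NOP'd over.
    """
    for off in range(len(code) - 4):
        if code[off] != CALL_REL32:
            continue
        rel, = struct.unpack_from("<i", code, off + 1)
        next_ip = base + off + 5            # displacement is relative to the next instruction
        yield off, (next_ip + rel) & 0xFFFFFFFF


def nop_calls_to(code: bytes, base: int, target_va: int):
    """Return (patched_code, n_patched) with each CALL to target_va replaced by 5 NOPs."""
    patched = bytearray(code)
    n = 0
    for off, tgt in find_calls(code, base):
        if tgt == target_va:
            patched[off:off + 5] = bytes([NOP] * 5)
            n += 1
    return bytes(patched), n


# Constructed sample (not taken from a real binary): two CALLs as in the post,
# laid out at an assumed image base of 0x00401000. The rel32 values are chosen
# so that the targets resolve to 0x0040301F and 0x00403022.
BASE = 0x00401000
SAMPLE = (
    b"\xE8\x1A\x20\x00\x00"   # 00401000: CALL 0040301F  ; original program
    b"\xE8\x18\x20\x00\x00"   # 00401005: CALL 00403022  ; bound payload
    b"\xC3"                   # 0040100A: RET
)

if __name__ == "__main__":
    for off, tgt in find_calls(SAMPLE, BASE):
        print(f"{BASE + off:08X}: CALL {tgt:08X}")
    patched, n = nop_calls_to(SAMPLE, BASE, 0x00403022)
    print(f"patched {n} call(s): {patched.hex(' ')}")
```

Running it lists both resolved calls and then shows the second one replaced by 90 90 90 90 90. Two caveats worth keeping in mind: the payload bytes are still present in the file after the patch, so a signature scanner will keep flagging it, and on a real binary this kind of patch has to be done on a proper disassembly rather than a byte sweep, or legitimate calls that merely share an immediate byte with E8 get hit.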

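Section II above describes a per-directory map of executable sizes that later scans are compared against, so that only new or changed files go to the signature scanner. The Python below is an added example, not the post's own tool: it builds such a map for one directory, diffs a saved baseline against a fresh map, and lists what needs rescanning. It records a SHA-256 alongside the size, which goes beyond the post's size-only scheme, so that the same-size modification the post's Cons describe still shows up. The temporary directory, file names and "infection" bytes in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed set of extensions treated as executables; the post does not specify one.
EXECUTABLE_EXTS = {".exe", ".dll", ".com"}


def map_directory(directory, exts=EXECUTABLE_EXTS):
    """Record (size, sha256) for every executable in one directory.

    One map per directory, as the post proposes; only direct children are read.
    """
    entry = {}
    for p in sorted(Path(directory).iterdir()):
        if p.is_file() and p.suffix.lower() in exts:
            data = p.read_bytes()
            entry[p.name] = (len(data), hashlib.sha256(data).hexdigest())
    return entry


def compare_maps(baseline, current):
    """Classify every difference between a stored map and a freshly built one."""
    report = {"added": [], "removed": [], "size_changed": [], "same_size_changed": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        else:
            (bsize, bhash), (csize, chash) = baseline[name], current[name]
            if bsize != csize:
                report["size_changed"].append(name)       # what the size-only map catches
            elif bhash != chash:
                report["same_size_changed"].append(name)  # what only the hash catches
    return report


def files_to_rescan(report):
    """Only new or modified files are handed to the signature scanner."""
    return sorted(report["added"] + report["size_changed"] + report["same_size_changed"])


def demo():
    """Constructed scenario: an appending infection, an in-place patch and a dropped file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Program.exe").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "Noninfectedfile.exe").write_bytes(b"MZ" + b"\x00" * 50)
        (root / "readme.txt").write_bytes(b"not an executable, never mapped")
        baseline = map_directory(root)

        # Parasitic append: the size grows, so the size map alone would flag it.
        with (root / "Program.exe").open("ab") as f:
            f.write(b"VIRUSBODY")
        # Size-preserving overwrite: the post's Cons case; same length, different bytes.
        data = bytearray((root / "Noninfectedfile.exe").read_bytes())
        data[2:7] = b"VIRUS"
        (root / "Noninfectedfile.exe").write_bytes(bytes(data))
        # A newly dropped executable.
        (root / "InfectedFile.exe").write_bytes(b"MZ" + b"\x90" * 20)

        return compare_maps(baseline, map_directory(root))


if __name__ == "__main__":
    report = demo()
    for kind, names in report.items():
        print(f"{kind:18} {names}")
    print("rescan:", files_to_rescan(report))
```

The size check is cheap because it comes from directory metadata, while the hash needs a full read; a practical layout does the size compare first and hashes only when the size matches, which is still far less work than signature-scanning every file. The baseline itself has to be stored where the malware cannot rewrite it, otherwise an infector that updates the map after infecting defeats the whole scheme.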
Nerdz
The Architect
Posts: 1127
Joined: 15 Jun 2005, 16:00
Location: #db_error in: select usr.location from sucko_member where usr.id=63;

Post by Nerdz »

Nice post, that was a good read.

Most AVs use proactive defense... because let's face reality, an AV based on signatures is not good anymore. So yeah, you get notified when a file tries to inject something into a DLL, when the registry is changed, etc.

BUT the most important thing is that regular users simply deactivate these, because when the AV is in "learning mode" there are too many false positives to exclude from the list.

Of course, you can't rely only on an antivirus. And I'm not talking about other anti-malware... I'm thinking about an aware user.
Give a man a fish, you feed him for one day.
Teach a man to fish, you feed him for life.


Post by ebrizzlez »

Yeah, I know.

Recently I was coding a copy of the Mini-44 virus in TASM with a few of my tweaks. All the virus is, is a simple COM infector. AVG did not actually detect the virus until after execution, when the infector tried writing itself into another file.

If AV companies boosted up their security maybe I would feel more secure about my files.

But no user is actually "aware" of what's really going on during execution. If OSes came equipped with system monitoring tools, I think it would provide sort of a red light for malware. At least 50% of viruses would be noticed, or programs trying to make unwanted modifications to your computer. I know Sysinternals put out some great tools, but they are often quite hard to handle and juggle around, and you would honestly only use them if you became extremely suspicious.

One really neat way to bypass most AVs is layered encryption. A virus can throw each segment into a function, and the virus can either encrypt the function directly or the segment it's thrown into. When the virus needs that function, it decrypts it and uses it. The AV's only chance of catching the virus is if it happens to be scanning the file while it's executing its functions. Most AVs just scan the file once during execution and not afterward! Another virus I was amazed by in the scene was a brute-forcing one. It uses MD5 or a homebrew algorithm and encrypts itself with a password it doesn't know. But then it brute-forces itself at each level of encryption to use a function.
