Circumventing Antivirus via Transmutation
Well, it seems you can. A good example of this is Holy Father's Morphine. Morphine works by including its own PE loader. This enables it to put the whole source image into the .text section of a new PE file. It also contains a polymorphic engine which creates a completely different decryptor for the new PE file each time Morphine is run. Morphine was released in March of 2004, and the major Antivirus companies did not have a method of generically detecting "Morphined" executables until Q4 2005. The private version of Morphine still creates versions of binaries that are undetectable to every Antivirus maker on the market.
Other ideas are simply to rearrange the executable so that it does essentially "the same thing", but with different underlying instructions. An example would be copying the value in the eax register into the edx register. Typically, the program would do a mov edx, eax instruction (Intel syntax) to accomplish this. Well, a push eax followed by a pop edx will do effectively the same thing as a mov edx, eax: take the value in eax and put it into edx. You see where I am going here: we can totally modify the static signature of the binary in this process. But does it work....
....Well, not really. If I take a 3 byte instruction (mov edx, eax) and replace it with two 2 byte instructions (push eax and pop edx), I have changed the offset within the program by one byte. This means that every jump and every call in the program will be off by one byte, so the program will no longer work. Three possible solutions to this problem:
1. Only substitute equal size instructions
2. Recalculate all jumps and calls to account for the total number of bytes inserted or deleted.
3. Write our own trojan/virus, or whatever we are trying to accomplish (not the focus of this article though)
Ok, well if we do some googling, someone has already attempted #1. A guy named z0mbie already wrote a program called code pervertor that did this. Unfortunately, it didn't work very well, as the heuristic engine in most AVs can catch these simple modifications. For #3, go ahead and create your own trojan or virus. But this is not an option if you aren't a trojan writer or programmer, or don't have the time to learn.
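To make the two points above concrete (why a substitution that changes instruction size breaks jump displacements, and why a heuristic engine that normalizes instructions still catches the simple push/pop trick), here is an added Python example. It is not code from this post, from z0mbie's code pervertor or from tibbar's CodeCrypter. It decodes a handful of real x86-32 encodings (taken from the Intel manual), checks that every short jump lands on an instruction boundary, and compares a raw byte signature against a signature over a normalized instruction stream. It goes a little beyond the post's push/pop example by also folding the xor eax, eax and mov eax, 0 zeroing idioms into one canonical form, so that the second sample can show a real size change. The sample byte strings are constructed for the demonstration and are not taken from any real program.

```python
"""Added example (not code from the post, z0mbie's code pervertor, or tibbar's
CodeCrypter): byte signatures versus a normalized instruction-stream signature.

Decoded subset (real x86-32 encodings, Intel manual): push r32 (0x50+r),
pop r32 (0x58+r), mov r32, imm32 (0xB8+r), mov r32, r32 (0x89 + register-direct
ModRM), xor r32, r32 (0x31 + register-direct ModRM), jmp rel8 (0xEB), nop, ret.
"""
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode(code):
    """Linear-sweep decoder; returns a list of (offset, mnemonic, operands, length).
    A jmp operand is stored as the absolute target offset, not the displacement."""
    insns, i = [], 0
    while i < len(code):
        op = code[i]
        if 0x50 <= op <= 0x57:
            insns.append((i, "push", (REGS[op - 0x50],), 1))
        elif 0x58 <= op <= 0x5F:
            insns.append((i, "pop", (REGS[op - 0x58],), 1))
        elif 0xB8 <= op <= 0xBF:
            imm = struct.unpack_from("<I", code, i + 1)[0]
            insns.append((i, "mov", (REGS[op - 0xB8], imm), 5))
        elif op in (0x89, 0x31):
            modrm = code[i + 1]
            if modrm >> 6 != 3:
                raise ValueError("only register-direct ModRM forms are decoded")
            src, dst = REGS[(modrm >> 3) & 7], REGS[modrm & 7]  # reg = source, r/m = destination
            insns.append((i, "mov" if op == 0x89 else "xor", (dst, src), 2))
        elif op == 0xEB:
            disp = struct.unpack_from("<b", code, i + 1)[0]
            insns.append((i, "jmp", (i + 2 + disp,), 2))  # rel8 counts from the next instruction
        elif op == 0x90:
            insns.append((i, "nop", (), 1))
        elif op == 0xC3:
            insns.append((i, "ret", (), 1))
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at offset {i}")
        i += insns[-1][3]
    return insns


def branch_targets_valid(code):
    """False when a jmp lands inside an instruction, which is what happens when a
    substituted instruction changes size and the displacement is copied unchanged."""
    insns = decode(code)
    starts = {off for off, _, _, _ in insns}
    return all(ops[0] in starts for _, mn, ops, _ in insns if mn == "jmp")


def normalize(code):
    """Canonical stream: push X; pop Y becomes mov Y, X; xor R, R and mov R, 0 become
    ('zero', R); jmp targets become instruction indices instead of byte offsets, so
    the result no longer depends on how large each encoding is."""
    insns = decode(code)
    targets = {ops[0] for _, mn, ops, _ in insns if mn == "jmp"}
    canon, k = [], 0
    while k < len(insns):
        off, mn, ops, _ = insns[k]
        nxt = insns[k + 1] if k + 1 < len(insns) else None
        if mn == "push" and nxt and nxt[1] == "pop" and nxt[0] not in targets:
            canon.append((off, ("mov", nxt[2][0], ops[0])))  # only if no jump splits the pair
            k += 2
            continue
        if (mn == "xor" and ops[0] == ops[1]) or (mn == "mov" and ops[1] == 0):
            canon.append((off, ("zero", ops[0])))
        else:
            canon.append((off, (mn,) + ops))
        k += 1
    index_of = {off: idx for idx, (off, _) in enumerate(canon)}
    out = []
    for _, insn in canon:
        if insn[0] == "jmp":
            if insn[1] not in index_of:
                raise ValueError(f"jmp into the middle of an instruction at offset {insn[1]}")
            insn = ("jmp", index_of[insn[1]])
        out.append(insn)
    return tuple(out)


def raw_signature_hit(code, sig):
    """The classic check: a fixed byte pattern anywhere in the code."""
    return sig in code


def normalized_signature_hit(code, sig):
    """Match a sequence of canonical instructions anywhere in the normalized stream."""
    norm, n = normalize(code), len(sig)
    return any(norm[i:i + n] == sig for i in range(len(norm) - n + 1))


# Constructed samples (not from any real program); Intel-syntax listing in the comments.
ORIGINAL = bytes.fromhex("EB02" "31C0" "89C2" "90" "C3")
#   0: jmp short 4 | 2: xor eax, eax | 4: mov edx, eax | 6: nop | 7: ret
VARIANT_FIXED = bytes.fromhex("EB05" "B800000000" "50" "5A" "90" "C3")
#   0: jmp short 7 | 2: mov eax, 0 | 7: push eax | 8: pop edx | 9: nop | 10: ret
VARIANT_BROKEN = bytes.fromhex("EB02" "B800000000" "50" "5A" "90" "C3")
#   same substitution, but the displacement was copied, so the jmp lands at offset 4,
#   inside the imm32 of mov eax, 0
RAW_SIG = bytes.fromhex("31C0" "89C2")  # xor eax, eax; mov edx, eax
NORM_SIG = (("zero", "eax"), ("mov", "edx", "eax"))

if __name__ == "__main__":
    for name, code in [("original", ORIGINAL), ("fixed variant", VARIANT_FIXED)]:
        print(name, "raw:", raw_signature_hit(code, RAW_SIG),
              "normalized:", normalized_signature_hit(code, NORM_SIG))
    print("broken variant has valid branches:", branch_targets_valid(VARIANT_BROKEN))
```

The raw signature matches only the original, while the normalized signature matches both the original and the correctly relocated variant, because the normalized stream records jump targets as instruction indices rather than byte offsets. The naively copied variant fails the branch check outright, which is the "off by one byte" failure the list above describes. A production heuristic engine normalizes far more than these few idioms, but the principle is the same.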
For #2, we actually find that another guy, tibbar, has created a very cool program to do just this. He calls his program CodeCrypter. He was nice enough to email me a version with source to play with. You can see the result of tibbar's CodeCrypter here. In the first column is the address of the instruction, in the next the original instruction, and in the last the new instruction(s). Well, how does it work? Pretty well; most AV will be defeated by it. If you take a standard program you know AV will freak out over (Hacker Defender) and send it to one of the many sites that will check a binary against all 20 AV companies (I use virustotal.com), you will get a report similar to this:
This is a report processed by VirusTotal on 04/05/2006 at 00:03:33 (CET) after scanning the file "hxdef100.exe" file.
| Antivirus | Version | Update | Result |
| --- | --- | --- | --- |
| AntiVir | 6.34.0.14 | 04.04.2006 | BDS/HacDef.073.B.1 |
| Avast | 4.6.695.0 | 04.03.2006 | Win32:Hacdef-G |
| AVG | 386 | 04.04.2006 | BackDoor.Generic.XPG |
| Avira | 6.34.0.54 | 04.04.2006 | BDS/HacDef.073.B.1 |
| BitDefender | 7.2 | 04.04.2006 | Backdoor.Hacdef.AE |
| CAT-QuickHeal | 8.00 | 04.04.2006 | Backdoor.HacDef.ae |
| ClamAV | devel-20060202 | 04.04.2006 | Trojan.HacDef.073.B |
| DrWeb | 4.33 | 04.04.2006 | BackDoor.HackDef.134 |
| eTrust-InoculateIT | 23.71.119 | 04.04.2006 | no virus found |
| eTrust-Vet | 12.4.2148 | 04.04.2006 | Win32/HacDef.E |
| Ewido | 3.5 | 04.04.2006 | Backdoor.HacDef.ae |
| Fortinet | 2.71.0.0 | 04.04.2006 | W32/HacDef.AE!tr |
| F-Prot | 3.16c | 04.04.2006 | security risk named W32/Hackdef.FI |
| Ikarus | 0.2.59.0 | 04.04.2006 | Backdoor.Win32.HacDef.084 |
| Kaspersky | 4.0.2.24 | 04.04.2006 | Backdoor.Win32.HacDef.073.b |
| McAfee | 4733 | 04.04.2006 | HackerDefender.gen.c |
| NOD32v2 | 1.1471 | 04.04.2006 | Win32/HacDef |
| Norman | 5.90.15 | 04.04.2006 | W32/Hacdef.CM |
| Panda | 9.0.0.4 | 04.04.2006 | Bck/Hacdef.ED |
| Sophos | 4.04.0 | 04.04.2006 | Troj/HacDef-Fam |
| Symantec | 8.0 | 04.04.2006 | Backdoor.HackDefender |
| TheHacker | 5.9.7.124 | 04.03.2006 | Trojan/hackdef.d3 |
| UNA | 1.83 | 04.04.2006 | Backdoor.Hacdef |
| VBA32 | 3.10.5 | 04.04.2006 | Backdoor.Win32.HacDef.ae |
Note: The only Antivirus that doesn't find Hacker Defender is CA's eTrust. I can't believe anyone would attempt to sell something even called "Antivirus" if it didn't at least find Hacker Defender. If you have eTrust installed, it is just wasting processor cycles; you are better off virtually folding proteins or something.
Anyway, if we run the binary through tibbar's CodeCrypter, we get much better results:
This is a report processed by VirusTotal on 04/05/2006 at 00:20:29 (CET) after scanning the file "hxdef100.exe" file.
| Antivirus | Version | Update | Result |
| --- | --- | --- | --- |
| AntiVir | 6.34.0.14 | 04.04.2006 | no virus found |
| Avast | 4.6.695.0 | 04.03.2006 | no virus found |
| AVG | 386 | 04.04.2006 | no virus found |
| Avira | 6.34.0.54 | 04.04.2006 | no virus found |
| BitDefender | 7.2 | 04.04.2006 | MemScan:Backdoor.Hacdef.AE |
| CAT-QuickHeal | 8.00 | 04.04.2006 | (Suspicious) - DNAScan |
| ClamAV | devel-20060202 | 04.04.2006 | no virus found |
| DrWeb | 4.33 | 04.04.2006 | no virus found |
| eTrust-InoculateIT | 23.71.119 | 04.04.2006 | no virus found |
| eTrust-Vet | 12.4.2148 | 04.04.2006 | no virus found |
| Ewido | 3.5 | 04.04.2006 | no virus found |
| Fortinet | 2.71.0.0 | 04.04.2006 | suspicious |
| F-Prot | 3.16c | 04.04.2006 | no virus found |
| Ikarus | 0.2.59.0 | 04.04.2006 | Backdoor.Win32.HacDef.084 |
| Kaspersky | 4.0.2.24 | 04.04.2006 | Backdoor.Win32.HacDef.073.b |
| McAfee | 4733 | 04.04.2006 | no virus found |
| NOD32v2 | 1.1471 | 04.04.2006 | a variant of Win32/HacDef |
| Norman | 5.90.15 | 04.04.2006 | no virus found |
| Panda | 9.0.0.4 | 04.04.2006 | Suspicious file |
| Sophos | 4.04.0 | 04.04.2006 | no virus found |
| Symantec | 8.0 | 04.04.2006 | no virus found |
| TheHacker | 5.9.7.124 | 04.03.2006 | no virus found |
| UNA | 1.83 | 04.04.2006 | no virus found |
| VBA32 | 3.10.5 | 04.04.2006 | Backdoor.Win32.HacDef.ae |
The only "big name" Antivirus to discover the modified program is Kaspersky. All of the big guns, Symantec, McAfee, Sophos, ClamAV, are circumvented! Of course eTrust likely thinks this new version of the binary is winword.exe or something. ;)
So, why is it detected at all? Well, the version of CodeCrypter that I used retained the same OEP (original entry point). I suspect that if this were randomized, all AV would be circumvented.
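As an added illustration of that point, and not code from this post or from CodeCrypter: one cheap feature a scanner can key on is a fingerprint over the first bytes at AddressOfEntryPoint, and such a feature keeps firing as long as the entry-point bytes are unchanged, however much the rest of the code has been rewritten. The Python below builds a minimal, constructed PE32 image (one .text section, just enough header for the parser; not a loadable program), walks the DOS header, optional header and section table to translate the entry-point RVA to a file offset, and hashes the bytes found there. The prologue bytes and the three samples are constructed for the example; that the scanners in the report used entry-point fingerprinting is an assumption, since the post only says the OEP was retained.

```python
"""Added example (not code from the post or from CodeCrypter): an entry-point
fingerprint as a detection feature, and why an unchanged OEP keeps it firing."""
import hashlib
import struct


def build_min_pe(code, entry_offset=0):
    """Constructed, minimal PE32 image with one .text section. It has just enough
    header for the parser below and is not a loadable program. The entry point is
    code[entry_offset]."""
    file_align, sect_align = 0x200, 0x1000
    raw_size = -(-len(code) // file_align) * file_align             # round up to file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, one section
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 0, 0, raw_size, 0, 0,
                      sect_align + entry_offset,                     # AddressOfEntryPoint (RVA)
                      sect_align, 0, 0x400000, sect_align, file_align,
                      4, 0, 0, 0, 4, 0, 0, sect_align * 2, file_align, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                               # 16 empty data directories
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), sect_align, raw_size,
                       file_align, 0, 0, 0, 0, 0x60000020)           # code | execute | read
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers.ljust(file_align, b"\0") + code.ljust(raw_size, b"\0")


def entry_point_bytes(pe, n=16):
    """Walk DOS header -> PE header -> section table and return the first n bytes
    at AddressOfEntryPoint, translating the RVA to a file offset."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    ep_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sect = opt + opt_size
    for _ in range(nsec):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, sect + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, raw_size):
            off = raw_ptr + (ep_rva - vaddr)
            return pe[off:off + n]
        sect += 40
    raise ValueError("entry point is not inside any section")


def ep_fingerprint(pe, n=16):
    """Hash of the first n entry-point bytes: a cheap feature a scanner can key on."""
    return hashlib.sha256(entry_point_bytes(pe, n)).hexdigest()


# Constructed samples. The prologue is a common function entry sequence
# (push ebp / mov ebp, esp / sub esp, 0x10); nothing here comes from a real sample.
PROLOGUE = bytes.fromhex("558BEC83EC10")
SAMPLE_A = build_min_pe(PROLOGUE + b"\x90" * 10 + bytes.fromhex("31C0C9C3"))
SAMPLE_B = build_min_pe(PROLOGUE + b"\x90" * 10 + bytes.fromhex("33C0C9C3"))  # body differs after byte 16
SAMPLE_C = build_min_pe(b"\x90" * 4 + PROLOGUE + b"\x90" * 10 + bytes.fromhex("31C0C9C3"))  # new bytes at EP

if __name__ == "__main__":
    for name, pe in [("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)]:
        print(name, entry_point_bytes(pe).hex(), ep_fingerprint(pe)[:16])
```

Samples A and B differ in their body but share the same entry-point bytes, so they produce the same fingerprint; sample C has different bytes at the entry point and does not. This is exactly the blind spot the paragraph above describes, which is why an entry-point fingerprint is only one feature among several in a real scanner and is combined with checks over the rest of the code.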
Comments? Suggestions?
~jack koziol~
