Features scanning antivirus executable files and trust the results of VirusTotal

Hello. Below is a lot of stupid text, nostalgic memories and school code. In addition, the effectiveness of the VirusTotal service, as well as the antivirus engines for executable files, will be reviewed.

Part 1. Delusional nostalgic introduction

In my life a lot has changed. My current work became interesting to me (in places - to lack of sleep), in my region there is a war going on for the fourth year, much has changed and has been rethought in my personal life.

Many views and opinions have changed.
')
About 15-20 years ago, I was interested in the topic of hacking and writing malicious code, then interests changed to just the opposite - protection from this case, and then I realized that money and personal interests rule everything, and not altruism and the desire to help.

But that is. In any case, IT turned out to be part of even my current job, although it does not at all relate to the initial specialization.

About 10 years ago I wrote in a very narrow circle about the possibility of removing antivirus detection using self-extracting archives. Then it was, it seems, on Virusinfo, then some people reposted it under their nickname on DrWeb - so to speak, without copyrights and with their authorship, then there was even a scandal - but that was also not true for a long time.

And recently I remembered the old. Much has passed, many things have been updated and to keep up with the progress, without bothering with the topic, it turned out to be difficult.

But the essence remains the same: sensations, money and personal interests. And the game on ignorance - which sometimes comes to the point that the vulnerabilities of Meltdown / Specter are sought in televisions and on-board computers of cars)))

But enough of this uninteresting nonsense. So, I decided to remember the old, and since I remembered a little, I decided to remove detections from several viruses in the old manner.

We will need:

1. Knowledge of Windows command bat scripts at the student level.
2. Quick Batch File Compiler (hereinafter - QBC)
3. 7za.exe from the 7z1800-extra.7z package (hereinafter - 7Z)
4. upx.exe from the package upx394w.zip (hereinafter referred to as UPX)
5. file eicar.com, you can download, for example, here (hereinafter - Eicar)
6. The most basic computer with Internet access running any Windows OS

Part 2. Quite a bit of theory.

In order to move on, let's find out what will be discussed. At the moment, as, however, and earlier, the subject of antiviruses is actively promoted. Say, antiviruses help to prevent the loss of important data, antiviruses save from vulnerabilities, antiviruses - that, antiviruses - that and so on.

At the same time, an ordinary user does not even understand that an antivirus is not just a scanner, it is both resident protection, and heuristics, and often - proactive protection, firewall and sandbox.

We can devote to each of these components not only an article - a book, but we will dwell on the most basic one: a scanner.

This component will not prevent connections to malicious sites, it will not catch the malicious code on the fly, but it allows you to check the file and give an answer: whether to store it - or better to delete it immediately and permanently.

Below we will test different antivirus engines and see how well they cope with this task.

Separately, I would like to mention the VirusTotal resource - it allows you not only to check the file with various antivirus engines, but also represents a kind of sandbox for testing malicious (and generally any) code. Plus platforms are free of charge, minus - all samples that are sent to VirusTotal are subsequently transferred to all anti-virus laboratories.

It is for this reason that below I will not provide links to pages with scan results, but will provide screenshots of these results obtained during the course of work. Obviously (and I want to believe it!) After this article, the results will improve.

Malicious code authors extremely often use packers and protectors, which not only compress a malicious file, but also make it difficult for it to be detected by signatures, as well as its subsequent analysis. When using stolen licenses of protectors such as WinLicense and Themida, usually antivirus laboratories do not make it difficult to unpack, but simply add protector signatures with a stolen key to the detector (the famous Trojan detectors: W32 / Black.A). This leads to the appearance of false positives - the authors of key generators, patchers, and some programs that are not malicious in nature, but are nevertheless protected from reversing, use similar stolen licenses.

Since everything described in this article will be presented below to the reader for review, I did not work with real malicious code (although I’ll provide his scan results below), but used the Eicar file, which is popular when testing anti-viruses: this is a kind of stub for which any Antivirus should give a persistent detect.

So let's get started.

Part 3. Practice

Frankly, I was somewhat struck by what I saw, because two anti-virus engines, Comodo and Malwarebytes, for some reason decided not to follow common standards and ignore the detection. Nevertheless, the result is obvious - the file has a detector close to 100%.

As we agreed at the very beginning, we are a complete shkolota, and therefore we will not invent our own packaging methods, but simply package the file into the archive using 7Z:

7za a eicar.7z eicar.com 

Yes, there are fewer detections, because not all anti-virus engines include the 7Z archive unpacker (well, or this setting is not included in VirusTotal by default) - but the detection is still high.

Complicate the task: pack the file in the archive with a password. Let the password be fun:

 7za a -mhe=on -pfun eicar-fun.7z eicar.com 

The file is clean, because even with the unpacking procedure, the antivirus does not know the password to the file.

Detect removed - but we did not receive the executable file.

In real packers, the solution is quite complicated and we will not go into these details. Let's use the QBC services and write the simplest script:

 7za e -pfun eicar-fun.7z start eicar.com 

The script simply unpacks the archive and runs the resulting file. QBC allows not only to create the simplest executable file based on this script, but also to include in this file the necessary (7za.exe and eicar-fun.7z archive), which is accessed through the variable% myfiles%.

The resulting executable file can be without opening a terminal window (the so-called "Ghost"), and this is what we need:



The final code looks like this:

 cd %myfiles% 7za e -pfun eicar-fun.7z start eicar.com 

After compiling, the resulting file dumb_bat.exe unpacks Eicar and launches it.


Funny, the detection has decreased from 60 for unpacked file and 41 for archive to 17 - while none of the anti-virus engines detected Eicar, the detections obviously have a heuristic character, and in some cases they resemble a false positive (DrWeb, Baidu, etc.)

Let's go further - we will add protection from execution in our script to the test environment — the simplest test that the file is executed in a real system. To do this, run the unpacking only if there is a D drive in the system and there is at least one file on it:

 cd %myfiles% if exist d:/* (7za e -pfun eicar-fun.7z) start eicar.com 

So, the D check “broke off” the detections of the Chinese, Russians and Ukrainians: Baidu, DrWeb, Zillya. At the same time, these engines, like a number of others, were stopped by a timeout (!)


However, in this case, the experiment cannot be considered “pure”, since a considerable time has passed since the first check.

I found this situation curious - and I changed the line in the code to the following:

 ... if <b>not</b> exist d:/* (7za e -pfun eicar-fun.7z) ... 

There is a difference in the heuristics of a number of antiviruses (for some reason, AegisLab and Baidu did not find anything in the second case), and there is also a scanning problem in case of checking for a disk D. However, this may be a coincidence, although I’ve never seen anything else during the whole study. I have never seen the "dump" of so many engines at once.

Moving on, we add interactivity to our file, which we definitely won't have in any test environment. Modify the script - let's make it a full console (not “Ghost”), and also add the pause command:

 @cd %myfiles% @pause @if exist d:/* (7za e -pfun eicar-fun.7z) > nul @start eicar.com 

Here is the result of the execution of such a file:



I do not want to slander users, but it seems to me that almost everyone will press a key in this case :) In any case, we have a simple example, which can be turned into a brighter wrapper of social engineering.


6 of 67 detects. Six, Karl! All are heuristic. And most likely the unsuspecting user will find the file safe.

I got an interesting result after compressing the final file with the UPX command:

 upx --best --ultra-brute --8086 --backup --compress-icons=3 dumb_bat3.exe 

Detectors added Chinese, but Ukrainian Zillya successfully failed the test.

Part 4. Conclusions

Is it possible without them? ;) Okay.

Of course, the above is primitive, simple, and everything in life is not so. If only because in reality the execution of our file will first trigger the activation of the pro-activation, and then it will be blocked by the resident module, which will see the final Eicar file.

But the point is not that.

The fact is that modern antivirus scanners have remained junk, which were a dozen or two years ago, absolutely grazing before the simplest types of code packaging. Solutions in the form of test environments - sandboxes, heuristic analyzers, etc. only added confusions, false positives, but in fact do not protect against a real threat. With the old, open and chewed up giblets, UPX as it was a mess - so it remained. But I could easily pack not the file causing the malicious activity, but the code itself, work not with files on the disk in% temp%, but in memory, use not freely available utilities, but own or closed development - and thus circumvent the resident triggering protection. I could easily add interesting elements of the interface or copy one of the common program - and bypass the proactivate from an inexperienced user who will simply agree with any requests, trusting what he launched.

What we have done above is a primitive way to deceive an antivirus that almost anyone can understand and implement. And it worked. What to say about sophisticated professionals!



The archive with files, scripts and results can be downloaded here .

The following was not included in the archive (it will not be included and will not be provided at any request for obvious reasons): files processed according to the above mechanism and containing:

• File Infector Sality.aa
  
  
  The results of the scan of the infector itself

  
  
  
  
  Shame on the jungle

  
  
  
  
  'Packing' scan results

  
  
• Quite loudly most recently hit Petya locker
  
  
  The results of the scan of the infector itself

  
  
  
  
  Twice the shame of the jungle

  
  
  
  
  'Packing' scan results