About antivirus bypass in practice

The other day a link to a news item about a "universal antivirus bypass" was posted on this blog. However, the substance of the report had been distorted by a chain of English- and Russian-language copy-paste journalists into such nonsense, so incompatible with reason and reality, that I, as a specialist in (anti)virus technology, had to read the text twice before I understood what it was about. I therefore recommend reading the original source .

I will not comment on the proposed concept; antivirus vendors will cope with that task successfully. The point is different: bypassing antivirus protection is not rocket science requiring a conceptual breakthrough, it is quite routine. To illustrate this, I will give a few technical examples from real life.

The examples will be drawn from our favourite little creature, the TDSS bot rootkit, which has been talked about a lot lately. That is no surprise: it is one of the most widespread, technically advanced and actively developed bots.

[Chart: "Antivirus losers" (image not reproduced)]

The chart shows statistics on the antivirus protection that was installed on users' computers at the time of their infection with TDSS.


Notes to the chart:
  1. Baseline data: statistics from users of the TDSS Remover utility for the first quarter of 2010.
  2. A total of about a thousand infected machines were processed.
  3. A known antivirus product was installed on 12% of them.
  4. The chart omits antivirus products that failed to cure the infection but do not block or hide their own files. Only blocking or hiding of files registers in the statistics, as an anomaly significant to the anti-rootkit.

A few words about the beast


Having appeared about two years ago, the TDSS bot rootkit (also known as Alureon, Tidserv, TDL/TDL2/TDL3+) quietly and steadily multiplied to alarming numbers.

Namely:

The fundamental factor in such a rapid and, at the same time, silent victory is the bet on antivirus bypass and advanced technology. That task has been solved successfully from the bot's first days to the present: as the antiviruses are updated, so are the bypass techniques in the TDSS code, invariably delighting researchers and "delighting" the developers of protection with the originality of the innovations.

In fact, throughout its lifetime TDSS has remained continuously out of reach of all existing protection tools, including the most popular antiviruses and professional anti-rootkits. Moreover, until recently the bot developed quietly under cover of its own effectiveness, since antivirus vendors had no interest in publicising a threat they could not handle.

Over the past six months the situation has improved slightly. The confrontation continues and the "big" antiviruses still fail to cope, but specialised cleaning utilities have begun to appear (Norman TDSS Cleaner, Kaspersky TDSSKiller).

Antivirus bypass: technical information


From the point of view of survival, the malware has two major tasks:
  1. At the installation stage: bypassing behavioural protection (HIPS, proactive defence, sandbox).
    Methods: using legitimate system mechanisms that the protection developers did not anticipate, and the protection's own "white lists"; less commonly, exploiting vulnerabilities in the antivirus code or the operating system.
  2. At the stage of active infection: protecting its own code from detection and removal.
    Methods: from blocking antivirus updates and access to files, to hiding files (rootkit techniques) and having no files at all (more on that below).

Examples of protection bypass techniques


The techniques are listed in the order in which we encountered them in the evolving TDSS. None of them is as effective today as it was when it first appeared.

Example number 1. The system cache of dynamic libraries

The essence of the technique: the malicious code is placed in the system cache of frequently used libraries, \KnownDlls, from where it is loaded by a legitimate system application the next time that application uses one of those libraries.

Profit: two birds with one stone: bypassing behavioural protection and bypassing a personal firewall. The latter works because the malicious code executes in the context of a system process that is "trusted" by default.

Pseudo-code:

// 1. Create a section for the malicious library in \KnownDlls
NtCreateSection("\KnownDlls\dll.dll")
// 2. Make a patched copy of msi.dll that pulls in dll.dll
CopyFile("msi.dll", "patched_msi.dll")
WriteFile("patched_msi.dll", <... dll.dll>)
// 3. Replace the original msi.dll section with one backed by the patched copy
NtOpenSection("\KnownDlls\msi.dll")
NtMakeTemporaryObject(...) // the permanent section becomes temporary...
CloseHandle(...)           // ...and is gone once the last handle is closed
NtCreateSection("patched_msi.dll")
// 4. Start a service that uses msi.dll => dll.dll is loaded along with it
StartService("Windows Installer (msiexec.exe)")

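
The defender's counterpart to this technique is a consistency check of the \KnownDlls object directory. The following script is an added example, not code from the original post or from any vendor tool. It relies on two facts: the session manager populates \KnownDlls at boot from the registry value list under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs, and each section is backed by the file of the same name in the DllDirectory (System32). A section with no registry entry (the extra dll.dll) or a section whose backing file is not the System32 copy (msi.dll re-created from patched_msi.dll) is an anomaly. The registry list, DllDirectory path and section-to-file mapping below are constructed stand-ins for what a live tool would read with RegQueryValueEx, NtQueryDirectoryObject and GetMappedFileName; a production version must also account for the static imports of listed DLLs, which Windows adds to \KnownDlls without their own registry entries.

```python
"""Offline consistency check for \\KnownDlls (added example, not the post's code)."""
from typing import Dict, List, Tuple

# Constructed: DLL names from the KnownDLLs registry key (hypothetical subset).
REGISTRY_KNOWN_DLLS = ["kernel32.dll", "user32.dll", "advapi32.dll", "msi.dll"]
# Constructed: the DllDirectory value, as a device path (hypothetical volume).
DLL_DIRECTORY = r"\Device\HarddiskVolume1\Windows\System32"

# Constructed: section name -> backing file, as GetMappedFileName would report
# for a view of each section. The last two entries model the infected state.
LIVE_SECTIONS: Dict[str, str] = {
    "kernel32.dll": DLL_DIRECTORY + r"\kernel32.dll",
    "user32.dll": DLL_DIRECTORY + r"\user32.dll",
    "advapi32.dll": DLL_DIRECTORY + r"\advapi32.dll",
    # msi.dll section deleted and re-created from a patched copy elsewhere
    "msi.dll": r"\Device\HarddiskVolume1\Users\bob\AppData\Local\Temp\patched_msi.dll",
    # a section that no registry entry accounts for
    "dll.dll": r"\Device\HarddiskVolume1\Users\bob\AppData\Local\Temp\dll.dll",
}


def audit_known_dlls(registry_names: List[str], dll_directory: str,
                     live_sections: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (section_name, finding) pairs; an empty list means consistent."""
    expected = {n.lower() for n in registry_names}
    findings: List[Tuple[str, str]] = []
    for name, backing in live_sections.items():
        if name.lower() not in expected:
            findings.append((name, "section not listed in the KnownDLLs registry key"))
            continue
        expected_path = (dll_directory + "\\" + name).lower()
        if backing.lower() != expected_path:
            findings.append((name, f"section backed by {backing!r}, expected {expected_path!r}"))
    # Registry entries with no section at all are also worth a look.
    missing = sorted(expected - {n.lower() for n in live_sections})
    findings.extend((n, "listed in registry but no section in \\KnownDlls") for n in missing)
    return findings


if __name__ == "__main__":
    for section, why in audit_known_dlls(REGISTRY_KNOWN_DLLS, DLL_DIRECTORY, LIVE_SECTIONS):
        print(f"{section}: {why}")
```

On the constructed input the audit reports msi.dll (backed by a file in a user's temp directory) and dll.dll (no registry entry). Comparing backing paths rather than file contents is deliberate: a mapped image is not byte-identical to the file on disk, but the object it was created from is unambiguous.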

Example number 2. The print spooler

The essence of the technique is the same as in the previous example: passive injection into a system process. The mechanism differs somewhat: the malicious code is handed to the print spooler service under the guise of a print processor library.

Pseudo-code:

// 1. Copy itself into the print processor directory under a temporary name
GetPrintProcessorDirectory(...)
GetTempFileName(...)
CopyFile(<self>, <tempname>)
// 2. Make sure the spooler is running
StartService("spooler")
// 3. Register the copy as a print processor; the spooler loads it
AddPrintProcessor(<tempname>)


Example number 3. Infecting a legitimate driver

The previous examples illustrated bypassing behavioural protection. Now let us consider how TDSS avoids detection and removal.

The essence of the approach: minimise changes to the system, plus powerful low-level masking of the remaining "tails".

Since the end of last year, TDSS has had practically no files of its own and no references to them in startup lists. The power of the "tails" masking comes from the rootkit's filters sitting below the level of all existing anti-rootkit technologies.

  1. The disk miniport driver (atapi.sys for IDE disks, iastor.sys for all others) is micro-infected. The driver's size does not change, and the infection code is minimal: it only loads the main body of the rootkit.
    Profit: autostart together with the miniport driver.
  2. The rootkit's code and configuration file are stored in the last sectors of the disk, in its own file system.
    Profit: the rootkit's files "do not exist" for the operating system, but remain available to applications that know the secret path to them.
  3. Both the infection of the system driver and the last sectors of the disk are masked by filtering data at the miniport level.
    Profit: invisibility to all existing protection mechanisms (see the chart).
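
Because the miniport-level filter hides the infected driver and the tail of the disk from anything running on the live system, the practical check for item 2 is an offline one: image the disk from clean boot media and look at the sectors past the end of the last partition. The script below is an added example, not the post's or any vendor's code. It parses an MBR partition table (GPT disks are not handled), finds the first LBA beyond the last partition, and flags every non-zero trailing sector together with its byte entropy, so an analyst can tell structured leftovers from random-looking content. The disk image it scans is constructed in the block itself; the three sectors of hash-derived filler stand in for whatever a rootkit might keep there.

```python
"""Offline scan of the sectors past the last partition of a disk image (added example)."""
import collections
import hashlib
import math
import struct
from typing import List, Tuple

SECTOR = 512


def parse_mbr_partitions(mbr: bytes) -> List[Tuple[int, int]]:
    """Return [(start_lba, sector_count)] for the used primary partition entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]                                  # partition type byte
        start, count = struct.unpack_from("<II", entry, 8)  # LBA start, sector count
        if ptype != 0 and count:
            parts.append((start, count))
    return parts


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input, close to 8.0 for random data."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = collections.Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_trailing_sectors(image: bytes) -> Tuple[int, int, List[Tuple[int, float]]]:
    """Return (first_free_lba, total_sectors, [(lba, entropy), ...]) where the
    list holds every non-zero sector located after the end of the last partition."""
    total = len(image) // SECTOR
    parts = parse_mbr_partitions(image[:SECTOR])
    first_free = max((s + c for s, c in parts), default=1)
    flagged = []
    for lba in range(first_free, total):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if any(sec):
            flagged.append((lba, round(shannon_entropy(sec), 2)))
    return first_free, total, flagged


def build_test_image(total_sectors: int = 64, part_start: int = 1, part_count: int = 50,
                     hidden: Tuple[int, ...] = (60, 61, 62)) -> bytes:
    """Constructed image: one partition, then filler in a few sectors past its end."""
    img = bytearray(total_sectors * SECTOR)
    # status=bootable, CHS fields zero, type=0x07, then LBA start and count
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", part_start, part_count)
    img[446:446 + 16] = entry
    img[510:512] = b"\x55\xaa"
    for lba in hidden:
        # deterministic high-entropy filler (16 chained SHA-256 digests = 512 bytes)
        blob = b"".join(hashlib.sha256(b"filler-%d-%d" % (lba, i)).digest() for i in range(16))
        img[lba * SECTOR:(lba + 1) * SECTOR] = blob
    return bytes(img)


if __name__ == "__main__":
    first_free, total, flagged = scan_trailing_sectors(build_test_image())
    print(f"partitions end at LBA {first_free}; disk has {total} sectors")
    for lba, h in flagged:
        print(f"  non-zero sector at LBA {lba}, entropy {h:.2f} bits/byte")
```

Run against a real image, the same function works on any file opened in binary mode, but read it in chunks rather than loading a whole disk into memory. A handful of non-zero tail sectors is not proof of anything by itself (vendor tools and installers leave residue there too); it is the starting point for carving what was found.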

Example number 4. "Odnoshagovka" (the one-step bypass)

At the end of April the bot was updated once again.

version= 3.273
builddate= 20.4.2010 16:17:53


This time the task of bypassing defences is solved by minimal modification of techniques from the existing arsenal. Namely:
  1. atapi.sys / iastor.sys are under the watchful eye of protection? The new version infects a random driver instead.
  2. Behavioural defences learned to notice calls to AddPrintProcessor? It was replaced with a call to the similar function AddPrintProvidor. (!)
  3. Some cleaning tools reached the rootkit's protected areas on disk via the SCSI Pass Through interface? The new version filters the corresponding IRPs.
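
Item 2 above, together with Example 2, shows exactly why a behavioural rule keyed to one API name has such a short life. The following script is an added example, not the post's code nor any vendor's rule: it runs two rules over a constructed API trace, a narrow one that matches only AddPrintProcessor and a family rule that matches every documented spooler API which makes spoolsv.exe load a caller-supplied DLL (AddPrintProcessor, AddPrintProvidor, which is the SDK's real spelling, and AddMonitor). The "key=value" trace format and the process names are hypothetical; a real sensor would supply its own.

```python
"""Behavioural rule over an API trace for print spooler abuse (added example)."""
import re
from typing import List, Tuple

# Constructed trace: one API call per line as a hypothetical sensor might log it.
TRACE = """\
pid=1180 image=C:\\Windows\\System32\\spoolsv.exe api=OpenPrinterW
pid=3312 image=C:\\Users\\bob\\AppData\\Local\\Temp\\tmp8F2.exe api=GetPrintProcessorDirectoryW
pid=3312 image=C:\\Users\\bob\\AppData\\Local\\Temp\\tmp8F2.exe api=AddPrintProcessorW
pid=4021 image=C:\\Users\\bob\\AppData\\Local\\Temp\\tmpB1C.exe api=AddPrintProvidorW
pid=2204 image=C:\\Program Files\\PrinterVendor\\setup.exe api=AddMonitorW
"""

# The narrow rule: only the API the first detections were written for.
NARROW = re.compile(r"^AddPrintProcessor[AW]?$")
# The family rule: every spooler API that registers a DLL for spoolsv.exe to load.
FAMILY = re.compile(r"^(AddPrintProcessor|AddPrintProvidor|AddMonitor)[AW]?$")
# Caller running from a user-writable temp directory raises the severity.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

# The image path may contain spaces, so the line is split on the fixed " api=" token.
LINE = re.compile(r"^pid=(\d+) image=(.+?) api=(\S+)$")


def parse_line(line: str) -> dict:
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable trace line: {line!r}")
    return {"pid": int(m.group(1)), "image": m.group(2), "api": m.group(3)}


def detect(trace: str, rule) -> List[Tuple[int, str, str]]:
    """Return (pid, api, severity) for every call whose API name matches `rule`.
    Severity is 'high' for callers in a user temp directory, otherwise 'medium'
    (a printer installer under Program Files legitimately uses these APIs)."""
    hits = []
    for line in trace.splitlines():
        ev = parse_line(line)
        if rule.match(ev["api"]):
            sev = "high" if USER_WRITABLE.search(ev["image"]) else "medium"
            hits.append((ev["pid"], ev["api"], sev))
    return hits


if __name__ == "__main__":
    print("narrow rule:", detect(TRACE, NARROW))
    print("family rule:", detect(TRACE, FAMILY))
```

The narrow rule sees only the AddPrintProcessor call and misses the AddPrintProvidor one entirely; the family rule catches both from the temp-directory processes as high severity and leaves the vendor installer as a medium-severity item for triage. Keying the rule to the effect (a new DLL registered for the spooler to load) rather than to one function name is what removes the one-step bypass.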

Note that, exactly as in this last example, the primitive one-step bypass scheme is found at every turn in mass malware. Such a solution requires neither special genius from the developer nor special vulnerabilities in the protection, and it has an extremely short lifespan.

Techniques as complex (Example 3) or as cunning (Examples 1 and 2) are more characteristic of well-funded targeted rootkits. Whether the TDSS team has lost its best developer, or whether the funding is still substantial, remains an open question...

Source: https://habr.com/ru/post/93027/