Bypassing Antivirus with Ten Lines of Code

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
This[1] was on Hacker News[2] the other day. It's a slightly more technical article which shows certain weaknesses that antivirus products can have. To be fair, a point was raised about VirusTotal not representing actual A/V detection rates, so I'm not sure we can draw any actual conclusions out of this, but it's still interesting nevertheless.

tl;dr: If you take shellcode which has a high detection rate and just XOR it with a single letter (that is, your shellcode must be pre-XORed with the letter so that when it gets read back in, the original code results), it becomes undetectable.

[1] http://www.attactics.org/2016/03/bypassing-antivirus-with-10-lines-of.html
[2] https://news.ycombinator.com/item?id=11324792
 
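The single-byte XOR trick in the linked article only defeats a scanner that looks for the cleartext pattern. As an added example (not from the article or this thread), the following Python scanner checks a buffer for a known pattern under all 256 possible keys without decoding the file, which is the idea behind YARA's xor string modifier; the signature and file bytes are constructed placeholders, not real shellcode or a vendor signature.

```python
from __future__ import annotations

# Single-byte XOR is its own inverse, so a pattern P is present in (buf ^ k)
# exactly when (P ^ k) is present in buf.  A scanner can therefore probe for
# all 256 encoded variants of P directly, without decoding the whole file.


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the single byte `key` (0..255)."""
    return bytes(b ^ key for b in data)


def find_xor_key(buf: bytes, signature: bytes) -> list[tuple[int, int]]:
    """Return every (key, offset) at which `signature`, encoded with a
    single-byte XOR key, occurs in `buf`.  Key 0 is the plaintext case."""
    hits = []
    for key in range(256):
        probe = xor_bytes(signature, key)
        start = 0
        while (idx := buf.find(probe, start)) != -1:
            hits.append((key, idx))
            start = idx + 1
    return hits


def scan(buf: bytes, signatures: dict[str, bytes],
         min_len: int = 8) -> dict[str, list[tuple[int, int]]]:
    """Scan `buf` against named signatures under all 256 keys.  Signatures
    shorter than `min_len` are skipped: a short probe tried with 256 keys
    will match random data far too often to be useful."""
    report = {}
    for name, sig in signatures.items():
        if len(sig) < min_len:
            continue
        hits = find_xor_key(buf, sig)
        if hits:
            report[name] = hits
    return report


# --- constructed demo data (placeholders, not real shellcode or a real signature) ---
SAMPLE_SIG = b"CONSTRUCTED-SIGNATURE-BYTES"
FILLER = bytes(range(256)) * 2  # 512 bytes of padding on either side


def build_sample(key: int) -> bytes:
    """Constructed 'file': filler, then the signature XORed with `key`, then filler."""
    return FILLER + xor_bytes(SAMPLE_SIG, key) + FILLER


if __name__ == "__main__":
    # The article's case: pattern XORed with a single letter ('A' = 0x41).
    print(scan(build_sample(ord("A")), {"sample": SAMPLE_SIG}))
```

Because the scan is linear in the number of keys, a 256-way probe costs the same as 256 plain signatures; the real limitation is that a multi-byte or rolling key defeats it, which is why behaviour-based detection still matters.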

mikeymikec

Lifer
May 19, 2011
20,378
15,070
136
One should consider AV software to be about 50% effective at detecting malware. The best line of defence is a knowledgeable/cautious user.
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
One should consider AV software to be about 50% effective at detecting malware. The best line of defence is a knowledgeable/cautious user.
Yup, these people are the weakest link.

(image: Computer-user-support-specialist.jpg)
 

Elixer

Lifer
May 7, 2002
10,371
762
126
One should consider AV software to be about 50% effective at detecting malware. The best line of defence is a knowledgeable/cautious user.

I don't think it is even that high... AV software is only OK for older, known stuff, not 0-day malware.
Right before they launch an attack, you know they run malware through all detectors they have locally, and if nothing trips, they send it out.
 

balloonshark

Diamond Member
Jun 5, 2008
7,018
3,511
136
Sandboxie

/Thread.
I force my internet-facing applications and download folder to run sandboxed. Everything I download is from the vendor or reputable download sites. The download gets scanned with VirusTotal, HitmanPro, MBAM on-demand and my resident AV. If none of those detect a bad file then I could be screwed when I run the file if my resident AV/behavior blocker doesn't stop the malware. Or hopefully the standard user account can limit the damage. Yes, I could run the file sandboxed, but that's even more work and there comes a point where you have to say enough's enough.

Unfortunately Sandboxie is not enough if you download anything at all. There comes a point where you have to run the program outside the sandbox. When that happens you have to rely on some kind of a detection-based program, unless of course you can forensically analyze your downloads yourself.

And not updating is not an option. Why would anyone run a vulnerable program in a sandbox or run Sandbox on a vulnerable OS? Doing either is taking an unnecessary and easily fixable risk.

Like it or not, we have to rely on detection-based security programs. The trick is only making it one part of many layers in your security setup instead of the only layer.
 

mikeymikec

Lifer
May 19, 2011
20,378
15,070
136

With a smile like that, I wouldn't cross that guy (though he may be the sort who'd go for poisoning my water supply or putting ground glass into food products, rather than a more direct approach to conflict resolution). However the woman on the right could be putting on a fake smile because that's the fiftieth time that he's shown her a porny image and she's about ready to snap.