I'm not sure how antivirus software works exactly, but from what I understand it just checks the hashes against its database of known viruses (how it decides that something is a virus is a different story).

So is it possible that a malicious site would add some random useless code to its virus so that when it compiles the code into an executable it'll always have a unique hash, thus the antivirus would not have a hash reference for it?

If so, why isn't it done, and what's the point of antivirus software that works using only hash comparison?

kat
    While not exactly a duplicate, it tells you about metamorphic and polymorphic viruses, which answers your question of whether such things exist: [Where does mutation engine resides in Metamorphic/polymorphic viruses?](http://security.stackexchange.com/questions/26197/where-does-mutation-engine-resides-in-metamorphic-polymorphic-viruses). And [What is the precise difference between a signature based vs behavior based antivirus?](http://security.stackexchange.com/questions/95186/) tells you about antivirus which does not only check a signature. – Steffen Ullrich Aug 28 '16 at 12:40

3 Answers

3

Antivirus is only ever going to catch broad attacks, or default payloads from commonly used tools.

A skilled attacker will be able to modify, encode, or obfuscate his payload to avoid this type of detection.

That being said, most antivirus will also search the executable file for strings known to only be found in the malware. For example, here is a snippet from Invoke-Mimikatz.ps1:

$e_res2Field = $TypeBuilder.DefineField('e_res2', [UInt16[]], 'Public, HasFieldMarshal')

Antivirus can search for strings like this within the file, and then flag it if it detects a match. This can also be defeated fairly easily. One example would be to take the file and break it up into small strings. Like this:

"$e_res2Fi" + "eld = $TypeBui" + "lder.DefineField('e_res2'," + " [UInt16[]], 'Public, HasFieldMarshal')"

(not trying to be syntactically correct here, but you get the idea)

And then use a wrapper script to piece the strings together in memory and execute the original code. Another more common example would be encrypting the primary payload and then have a stub decrypt and execute the payload in memory.

Some antivirus will also conduct dynamic analysis, where the file is run in a virtualized or simulated environment to detect the actions that the executable would perform, or to analyze post-decryption memory.

This type of antivirus can usually be bypassed simply by consuming enough of either time or memory before decrypting the primary payload.

Lighty
  • So essentially the time of antivirus software is over, it's more of an infection prevention now - i.e. don't do stuff that might get you infected, because once you do - you might not become aware of it for quite some time? – kat Aug 30 '16 at 17:23
0

Binary editing involves finding virus signatures and altering them. Once the signature is changed, the antivirus will no longer recognize the signature. This can be done using a hex editor. Some antivirus does "heuristic" checking of programs for types of bad behavior that may indicate a new, unknown virus.

0

Yes. Virus and malware creators use what's called crypting services to modify their payloads in a way that avoids detection by current antivirus software.

When the new signature is added to the databases the creators run their malware through the crypting service again and the cycle restarts.

There are other heuristic techniques to stop some malware (for instance, there are operations that no legitimate software would need to perform) that could prevent certain classes of malware no matter how obfuscated, but in general antivirus should only be seen as one of many layers in a security architecture.

GnP