Anti-Virus Protections and Common Bypasses
Types of protections
Anti-Virus has evolved since the early days of computers. Originally they just checked files against a database of known malware, this was called static analysis and was good at stopping known malware and is still used today. However, if a new malware came along there was nothing it could do to detect it.
This is when what we call Endpoint Detection and Response (EDR) expanded upon this basic Anti-Virus idea. This was effectively a combination of lots of different types of protections as well as the initial idea of original anti-viruses in static analysis.
Security researchers commonly use EDR and AV to mean the same thing but they often just mean the collection of techniques that are used together to protect systems.
These systems all together then are used to give each program a probability of being malware or benign. If for example, a file is doing things that are commonly used by malware the probability of it being a malware is increased. The EDR will then combine these scores and try to tag whether it is a dangerous program or not. This is a fine balance as normal programs often use the same ideas as malware to do things that they should be allowed to do. Therefore, inherently malware has an advantage as the EDR has to detect as many dangerous programs and with as few possible false possibles. This is effectively a balancing act and due to this; there will always be some malware that will get through as its score is similar to normal programs. This is the goal of the malware developer.
Goal
The goal of malware creation is to combine multiple techniques so that the current EDR protections are useless against the malware. Examples of this are plentiful however all of them are now detected as when they are released publicly they are then tagged by EDR manufactures so that they will no longer work
Researching past examples of malware that worked well is a good start to begin thinking in the mindset of someone who develops malware.
Examples of Protections
-
Static Analysis
-
Sandboxing
-
Import Table Analysis
-
Event Tracing for Windows
-
Removing Hooks
-
In-Memory Detection
This is effectively a on disk attempt at comparing programs to a massive database of known malware. If a new malware is created from scratch it will bypass this easily however often there is a part of the malware that is used by multiple different malware. This is called a stub. New Static Analysis techniques do not need most of the file to be the same but can tag just small sections of the code and then block/quarantine them
Bypass
To get around Static Analysis the parts of the code that are dangerous are encoded so that they look completely different and only when the program is run is it actually decoded into the harmful code.
This works well however this gives the file an appearance of being random bits. Another part of the EDR often then will trigger watches the entropy(randomness) of the program. This will increase the score that EDR gives it and could push the file over the threshold that is said to be dangerous
Entropy Bypass
This entropy score can be artificially reduced by adding low entropy data such as photos to the binary. Then the malware will appear to have a similar score as normal programs. This is a example of the arm race between malware detectors and malware developers
This is where a program is run initially in a environment where it is monitored very heavily. This is used by EDR's to understand what the program wants to do when it is run. However, due to the competition of different EDR's this usually only lasts the first 0.25seconds (first million instructions)
The reason it is only run for a short period is because running in this sandbox significantly slows down the program. If a user installs a EDR and all of a sudden everything is much slower they will not be happy.
Bypass
Often a sleep function is used to delay the main malicious code from running during this time. However, this is now a bad idea as the EDR will realise that it is being bypassed and increase the score also. Often doing calculations that take time to do is used such as large prime numbers or hash generation is used to delay this.
This can be combined with the encryption/encoding and the result of this calculation is used as key to decrypt the encoded payload of the malware
Each program has a list of functions it imports/uses inside it. Certain functions are used maliciously in malware. Thus, EDR monitors what the program imports and uses, if these are suspicious then the score of the malware will be increased. The photo shows some suspicious imports from basic malware.
Bypass
Instead of calling these functions through the Windows API we call them directly using pointers to the memory area that the function is. However, This uses code that is very similar each time, this leads it to being caught by the Static Analysis of the EDR
This is a good place to mention that the protection of the EDR is effectively a mesh. Each protection is to make it harder to do whatever you want and often the bypass to one protection can be detected by another protection. This shows the great work that ethical hackers have done to combine methods together to get around each one of these.
Developing malware can be very difficult as often when the malware is detected the developer doesn't actually know what set the program over the threshold of being a dangerous program. This means that a lot of trial and error is needed to create a undetectable malware.
This is one of the many types of behavior analysis used by EDR's to understand what a program does. The idea is that each action that the program does is then logged and can be seen by the EDR. The EDR then can decide depending on rules whether what the program is doing should be allowed or whether it is suspicious.
Effectively every time our program does any thing it is sent to the EDR so it can understand what it is doing
Bypass
This can be bypassed by patching the function that sends the message to the EDR. This is done by simply changing what the first instruction of the function that sends messages to the EDR (called EtwEventWrite). This instruction is set to return 0 and therefore the rest of the function is not completed so the EDR gets no information about what the program does.
This can still be detected by the EDR as often if a program that is running does not send back messages to the EDR every so often it is suspicious. Even this can be gotten around by sending completely fake logs to the EDR however this is a lot harder.
As discussed all programs use other functions of the operating system to do things. These are stored in what are called DLL's but this is not that important. These DLL's are loaded into the program when it is ran. However, the EDR then patches the loaded DLL's with its own code. This effectively makes every function first go through the EDR and then if it is safe then it is ran. This is called hooking.
Bypass
The idea is to bypass the red arrows in diagram so EDR can't see what we do.
This can be bypassed by reloading the DLL's from disk after the program has been loaded. This will overwrite the patch the EDR has and will then allow functions to be called without the EDR monitoring them
Again sandboxing and Import Table Analysis are used by the EDR to stop this. Each part of the EDR makes another part of the EDR harder to be bypassed. Each part is simple to bypass on its own but its the combination of them that makes it difficult
When we have an Implant (malware that controls PC) 99% of the time the program is doing nothing. When it is sleeping the implant is vulnerable to memory scanning techniques. When sleeping the implant has a pointer to it sitting in the thread stack. This can easily be detected by the EDR due to it sitting in thread stack.
Bypass
Our malware wants to distance itself from this return address. Often we hook the sleep function and then call the hook instead of the actual sleep function
Another technique is before we sleep we set our implant in memory to what is called NO_ACCESS. This does what you expect and makes the memory unreadable to anything. However when sleep function finished and tries to run the NO_ACCESS code it causes an error. The real bypass is to then add some code that handles this error. This is called Vectored Exception Handling, this code should then set the implant memory to READ_EXECUTABLE and then tries to run it again
We can combine encryption to this method as well and before setting NO_ACCESS we encrypt and after we set it back to READ_EXECUTABLE we decrypt it before running again.
Summary
EDR solutions protect endpoint devices from malware and other cyber threats. It's important for those in the cybersecurity field to understand EDR and malware, and stay informed about the latest threats and solutions. This knowledge will help them defend against malware and contribute to the overall security of organizations and their endpoint devices.
Conclussion
EDR and malware are crucial in modern cybersecurity. A strong understanding of EDR and malware is important for those starting a career in cybersecurity, as they need to be informed and proactive in the face of evolving threats. By staying informed, they can defend against malware and improve endpoint security.