Antivirus Evasion

A few weekends back i was wondering how do malware evade antivirus solutions, is it really that easy ?

With that in mind i started looking at some known malware piece and randomly pick a anti malware solutions to my surprise AVs can still be tricked with old technique such as string substitution method, so today we will explore this very well known technique. For testing purpose i choose ncx as a test malware which binds itself on port 99 and when someone connects to ncx it gives command prompt of the system.

First let’s scan the default malware to check if it’s detected or not.

 

 

 

 

 

 

 

 

 

 

 

 

As it can be seen in below screenshot that ncx is detected by our antivirus

 

Let’s split file into small chunks, after a bit of trial and error i found that splitting into 17 bytes does not break any signature of av, the trick here is we have to keep splitting files as long as the av keeps flagging those files

 

On scanning split chunks two detection were made by our av i.e chunk 1 and 4 were identified as malicious

 

 

Change lower case ‘cmd’ to upper case ‘CMD’ and save it

 

 

Yes no more detection !

 

 

In sixth line of split chunk number 1 let’s change upper case ‘S’ to lower case ‘s’ and save it

 

 

Scan it again, and av no longer detects this chunk.

 

 

Finally join files back

 

 

Rename the joined file

 

 

Scan shows no more detection 🙂

 

 

And we can see on execution it is indeed listening on port 99

 

 

POC Video:-

 

Leave a Reply

Your email address will not be published. Required fields are marked *