Bypassing Antivirus using De-Obfuscation

• 2010-02-23
• antivirus  

About six months ago I was working on an idea for a new executable packer. Before I started coding, I performed some tests to see how easy current Antivirus products can be bypassed.

I chose the tool PwDump3 for testing as I did not want to handle real malware for the small test and this was sufficient as most AV products detect it as malicious software.

Two of my tests were quite simple:

Test1:

• pack the program with upx

 Test2:

• pack the program with upx
• rename sections
• add a time consuming loop to the programm, hoping that an AV scanner using generic unpacking will fail
  

The second test was somewhat successful - the detection rate dropped by 50%, whereas the first one did not really help bypass detection.

Now I wanted to take up the project again - checking what I did 6 months ago I also re-uploaded the testfiles to virustotal. To my surprise, these two testfiles led to almost identical results: ³¹⁄₄₁ compared to ²⁸⁄₄₁.
As we all know and Kaspersky showed again recently, AV vendors often add detection for programs that are detected by other vendors, so one question arises: did they just add a static signature detecting my obfuscated version of the program or did the generic detection really improve?

The time consuming loop was really trivial, this is the code:

pushad  
mov eax, 5  
outer:  
mov ecx, -1  
inner:  
xor ebx, ebx  
loop inner  
dec eax  
jnz outer  
popad  

It should be fairly easy to detect something like that. I modified the executable so that it jumps to the end of the code section, executes the loop and then returns to the original entry point of the program.

After renaming the sections back to their original names set by UPX and replacing the loop with NOPs, I uploaded the program again. Surprisingly, only 16 of 39 scanners still detect that one, so now I bypassed 12 AV products by removing the obfuscation originally implemented…