ResearchSpace

Practical application of open source frameworks to achieve anti-virus avoidance


dc.contributor.author Swart, I
dc.date.accessioned 2013-03-19T07:23:20Z
dc.date.available 2013-03-19T07:23:20Z
dc.date.issued 2012-07
dc.identifier.citation Swart, I. 2012. Practical application of open source frameworks to achieve anti-virus avoidance. In: 11th European Conference on Information Warfare and Security (ECIW 2012), Laval, France, 5-6 July 2012 en_US
dc.identifier.uri http://academic-conferences.org/pdfs/BU_2012-13-Nov/ECIW_2012-Abstract-booklet.pdf
dc.identifier.uri http://hdl.handle.net/10204/6574
dc.description 11th European Conference on Information Warfare and Security (ECIW 2012), Laval, France, 5-6 July 2012. Published in Academic conferences. en_US
dc.description.abstract A common aim of malware creators is to have the ability to spread their software undetected through various networks until the required goal is completed. In response to this, anti-virus vendors have implemented various strategies to detect viruses as they attempt to execute and propagate from one target to the next. Some of the anti-virus vendors claim to achieve impressive success rates as high as 98.7%, which indicates that the problem of spreading viruses and malware is well taken care of. Yet, despite the impressive detection rates, a proliferation of open source tools, frameworks and utilities is being introduced that claim to have the ability to avoid anti-virus detection. As an example, the very popular Metasploit framework has several encoders available that can alter the virus signature in such a way that it will avoid the anti-virus engine and allow the malicious code to be executed. This approach has been implemented and simplified in the Social Engineering Toolkit (SET) as part of a menu-driven approach that is accessible to people with a relatively low skill level. The SET framework, implemented in Metasploit, is only one such framework, and several more specialised open source tools exist that focus not only on encoding but also on other common anti-virus avoidance techniques such as binary editing, packing and encryption. Open source packages such as UPX compress the data in the selected virus executable to such an extent that it will most likely completely circumvent the anti-virus, and similarly for a program that is encrypted with a common encryption product such as TrueCrypt. Should the anti-virus still detect the offending executable after either packing or encryption, a combination of the two applications might yield superior results. The aim of this paper is to experiment on a common executable that is classified as malware, e.g. the meterpreter module of Metasploit, and to make use of the various open source frameworks and utilities to document the techniques and success rate of anti-virus avoidance. By presenting the results of this research, it will contribute to the understanding of security personnel and researchers of what can be achieved with open source frameworks and how to better protect against the virus threat. en_US
dc.language.iso en en_US
dc.publisher Academic Conferences International Ltd en_US
dc.relation.ispartofseries Workflow;10284
dc.subject Anti-virus avoidance en_US
dc.subject Virus threats en_US
dc.subject Open source packer en_US
dc.subject Metasploit frameworks en_US
dc.title Practical application of open source frameworks to achieve anti-virus avoidance en_US
dc.type Conference Presentation en_US
dc.identifier.apacitation Swart, I. (2012). Practical application of open source frameworks to achieve anti-virus avoidance. Academic Conferences International Ltd. http://hdl.handle.net/10204/6574 en_ZA
dc.identifier.chicagocitation Swart, I. "Practical application of open source frameworks to achieve anti-virus avoidance." (2012): http://hdl.handle.net/10204/6574 en_ZA
dc.identifier.vancouvercitation Swart I, Practical application of open source frameworks to achieve anti-virus avoidance; Academic Conferences International Ltd; 2012. http://hdl.handle.net/10204/6574. en_ZA
dc.identifier.ris TY - Conference Presentation AU - Swart, I AB - A common aim of malware creators is to have the ability to spread their software undetected through various networks until the required goal is completed. In response to this, anti-virus vendors have implemented various strategies to detect viruses as they attempt to execute and propagate from one target to the next. Some of the anti-virus vendors claim to achieve impressive success rates as high as 98.7% that indicates the problem of spreading viruses and malware is well taken care of. Yet, despite the impressive detection rates, a proliferation of open source tools, frameworks and utilities are being introduced that claim to have the ability to avoid anti-virus detection. As an example, the very popular Metasploit framework has several encoders available that can alter the virus signature in such a way that it will avoid the anti-virus engine and allow the malicious code to be executed. This approach has been implemented and simplified in the Social Engineering Toolkit (SET) as part of a menu driven approach that is accessible to people with a relatively low skill level. The SET framework, implemented in Metasploit, is only one such framework and several more specialised open source tools exist, that does not only focus on encoding but on other common anti-virus avoidance techniques such as binary editing, packing and encryption. Open source packages such as UPX compress the data in the selected virus executable to such an extent that it will most likely completely circumvent the anti-virus and similarly so for a program that is encrypted with a common encryption product such as TrueCrypt. Should the anti-virus still detect the offending executable after either packing or encryption a combination of the two applications might yield superior results. The aim of this paper is to experiment on a common executable that is classified as malware e.g. the meterpreter module of Metasploit, and make use of the various open source frameworks and utilities to document the techniques and success rate of anti-virus avoidance. By presenting the results of this research, it will contribute to the understanding of security personnel / researchers on what can be achieved with open source frameworks and how to better protect against the virus threat. DA - 2012-07 DB - ResearchSpace DP - CSIR KW - Anti-virus avoidance KW - Virus threats KW - Open source packer KW - Metasploit frameworks LK - https://researchspace.csir.co.za PY - 2012 T1 - Practical application of open source frameworks to achieve anti-virus avoidance TI - Practical application of open source frameworks to achieve anti-virus avoidance UR - http://hdl.handle.net/10204/6574 ER - en_ZA