« Antivirus are easy to bypass », « Antivirus are mandatory in defense in depth », « This cryptor is FUD »
are some of the sentences you hear when doing research on antivirus security. I asked myself,
hey, is it really that simple to bypass AV? After some research I came (like others) to the conclusion that
bypassing antivirus consists of two big steps:

1. Hide the code which may be recognized as malicious. This is generally done using encryption.
2. Code the decryption stub in such a way that it is neither detected as a virus nor bypassed by
emulation/sandboxing.

In this paper I will mainly focus on the last one: how to fool antivirus emulation/sandboxing systems.
I set myself a challenge to find half a dozen ways to make a fully undetectable decryption stub (in
fact I found way more than that). Here is a collection of methods. Some of those are very complex (and
most "FUD cryptor" sellers use one of these). Others are so simple I don't understand why I've never
seen them before. I am pretty sure underground and official virus writers are fully aware of these
methods, so I wanted to share them with the public.
More here: http://sevagas.com/IMG/pdf/BypassAVDynamics.pdf