0

One Packer to Rule Them All: Empirical Identification, Comparison and Circumvention of Current Antivirus Detection Techniques

Abstract: Lately, many popular antivirus solutions claim to be the most effective against unknown and obfuscated malware. Most of these solutions are rather vague about how they supposedly achieve this goal, making it hard for end-users to evaluate and compare the effectiveness of the different products on the market. This presentation presents empirically discovered results on the various implementations of these methods per solution, which reveal that some antivirus solutions have more mature methods to detect x86 malware than others, but all of them are lagging behind when it comes to x64 malware. In general, at most three stages were identified in the detection process: Static detection, Code Emulation detection (before execution), and Runtime detection (during execution). New generic evasion techniques are presented for each of these stages. These techniques were implemented by an advanced, dedicated packer, which is an approach commonly taken by malware developers to evade detection of their malicious toolset. Two brand new packing methods were developed for this cause. By combining several evasion techniques, real-world malicious executables with a high detection rate were rendered completely undetected to the prying eyes of antivirus products.

Conferences: Black Hat USA 2014, BruCON 2014, InfoSecurity Belgium 2015

Slides: Black Hat USA 2014 (25min), BruCON 2014 (1h), InfoSecurity Belgium 2015 (45 min)

Videos: Black Hat USA 2014 (25min), BruCON 2014 (1h) 

Paper: PDF

1

ProtoLeaks: A Reliable and Protocol-Independent Network Covert Channel

Abstract: We propose a theoretical framework for a network covert channel based on enumerative combinatorics. It offers protocol independence and avoids detection by using a mimicry defense. Using a network monitoring phase, traffic is analyzed to detect which application-layer protocols are allowed through the firewalls. Using these results, a covert channel is built based on permutations of benign network objects, such as FTP commands and HTTP requests to different web servers. Any protocol that offers reliability guarantees can be plugged into the framework. This includes any protocol that is built on top of the TCP protocol. The framework closely mimics the behavioral statistics of the legitimate traffic, making the covert channel very hard to detect.

Conference: International Conference on Information System Security 2012

Paper: PDF