How I bypass malware detection using Obfuscation
Every day thousands of malware are released online malware wants to stay hidden during infection and operation to prevent removal and analysis, this Malware achieves this using many techniques to bypass detection one of the method is obfuscation this method can be used to cover filename/signature, changing the malware attributes or other methods, it can also be defined as a practice of making something difficult to understand.
Lets Start!
An attacker will typically employ file-less Malware like Shellcode(a piece of binary data that is meant to be executed by a process) to avoid detection but modern Anti-virus engines are much smarter at detecting potential threats, they also respond much quicker. As soon as your code behavior is something too malicious-looking its either blocked or tossed out from your system.
Let’s see an examples of practical obfuscation used in various malware today.
Generating a Payload
shellcode can be generated from the various frameworks.
Step1:- Run Kali Linux os and download OWASP-ZSC, OWASP-ZSC is not built-in Kali Linux so it needs to be downloaded externally from github.com
root@kali:~# git clone https://github.com/zscproject/OWASP-ZSC
Step 2:- Move the terminal to the OWASP-ZSC folder
root@kali: > cd OWASP-ZSC
Step 3:- Now run the following command in the terminal
root@kali:# ./installer.py
Step 4:- The below command allows running the tool easily by typing zsc on the terminal
root@kali:#zsc
Step 5:-Now, let’s generate some shellcode.
zsc> shellcode
zsc/shellcode> generate
OWASP-ZSC uses the TAB key to show options for any command, so now we use the TAB to show the shellcode options.
As you can see below, OWASP_ZSC has three OS shellcode options, linux_x86, osx_x86 and windows_x86. Since most of us use windows operating system
zsc/shellcode/generate>windows_x86
Step 6:- Now to generate shellcode for windows_x86 so we press tab and select shellcode from the option
zsc/shellcode/generate>windows_x86>add_admin
Step 7:-you can also search for various shellcode from the www.shell-storm.org and shell-storm.org to increase the shellcode spectrum
zsc/shellcode/generate/windows_x86/add_admin> username&&password
enter username and password
Step 8:- Now select the type of method you want to chose to encode with random XOR (xor_random). The random encodes produce shellcode that is different each time making it more likely to be undetected by AV.
zsc/shellcode/generate/windows_x86/add_admin/encode_type> xor_random
step 9:- OWASP-ZSC prompts whether you want to output the assembly code and whether I want to output my shellcode to the screen.
Step 10:- The process of obfuscation is an attempt to hide the real purpose of the code and making it hard to read or reverse engineer the file-less malware. (obfuscation)
next, we start the obfuscation process
zsc > obfuscate
javascript, Perl, PHP, python, ruby are the available options
Step 11:- Now to generate an encoded shellcode we select the type of encoding from the options
below you can see the Assembly code generated after the xor_random obfuscation
its time to test our shellcode whether it is detected by any antivirus to test the shellcode you can visit www.virustotal.com and upload the shellcode and scan
Wanna connect:
Linkedin: https://www.linkedin.com/in/akshay-jain-533a79111/
Twitter: https://twitter.com/Akshayjain890
Email: Akshayjain5@protonmail.com
you can also visit my GitHub account: https://github.com/akshay1729
