How I bypass malware detection using Obfuscation
Every day thousands of malware are released online malware wants to stay hidden during infection and operation to prevent removal and analysis, this Malware achieves this using many techniques to bypass detection one of the method is obfuscation this method can be used to cover filename/signature, changing the malware attributes or other methods, it can also be defined as a practice of making something difficult to understand.
An attacker will typically employ file-less Malware like Shellcode(a piece of binary data that is meant to be executed by a process) to avoid detection but modern Anti-virus engines are much smarter at detecting potential threats, they also respond much quicker. As soon as your code behavior is something too malicious-looking its either blocked or tossed out from your system.
Let’s see an examples of practical obfuscation used in various malware today.
Generating a Payload
shellcode can be generated from the various frameworks.
Step1:- Run Kali Linux os and download OWASP-ZSC, OWASP-ZSC is not built-in Kali Linux so it needs to be downloaded externally from github.com
Step 2:- Move the terminal to the OWASP-ZSC folder
root@kali: > cd OWASP-ZSC
Step 3:- Now run the following command in the terminal
Step 4:- The below command allows running the tool easily by typing zsc on the terminal
Step 5:-Now, let’s generate some shellcode.
OWASP-ZSC uses the TAB key to show options for any command, so now we use the TAB to show the shellcode options.
As you can see below, OWASP_ZSC has three OS shellcode options, linux_x86, osx_x86 and windows_x86. Since most of us use windows operating system
Step 6:- Now to generate shellcode for windows_x86 so we press tab and select shellcode from the option
enter username and password
Step 8:- Now select the type of method you want to chose to encode with random XOR (xor_random). The random encodes produce shellcode that is different each time making it more likely to be undetected by AV.
step 9:- OWASP-ZSC prompts whether you want to output the assembly code and whether I want to output my shellcode to the screen.
Step 10:- The process of obfuscation is an attempt to hide the real purpose of the code and making it hard to read or reverse engineer the file-less malware. (obfuscation)
next, we start the obfuscation process
zsc > obfuscate
Step 11:- Now to generate an encoded shellcode we select the type of encoding from the options
below you can see the Assembly code generated after the xor_random obfuscation
its time to test our shellcode whether it is detected by any antivirus to test the shellcode you can visit www.virustotal.com and upload the shellcode and scan
you can also visit my GitHub account: https://github.com/akshay1729