Home Introduction to Antivirus
Post
Cancel

Introduction to Antivirus

Understand how antivirus software works and what detection techniques are used to bypass malicious file checks.

THM Room https://tryhackme.com/room/introtoav

TASK 1 : Introduction

Let’s get started!

No Answer

TASK 2 : Antivirus Software

What was the virus name that infected John McAfee’s PC?

“McAfee Associates, Inc. started the first AV software implementation in 1987. It was called “VirusScan,” and its main goal at that time was to remove a virus named “Brain” that infected John McAfee’s computer. Later, other companies joined in the battle against viruses. AV software was called scanners, and they were command-line software that searched for malicious patterns in files.”

Answer : Brain

Which PC Antivirus vendor implemented the first AV software on the market?

From previous question : McAfee.

Answer : McAfee

Antivirus software is a _____-based security solution.

“What is AV software?

Antivirus (AV) software is an extra layer of security that aims to detect and prevent the execution and spread of malicious files in a target operating system.

It is a host-based application that runs in real-time (in the background) to monitor and check the current and newly downloaded files. The AV software inspects and decides whether files are malicious using different techniques, which will be covered later in this room.”

Answer : Host

TASK 3 : Antivirus Features

Which AV feature analyzes malware in a safe and isolated environment?

“An emulator is an Antivirus feature that does further analysis on suspicious files. Once an emulator receives a request, the emulator runs the suspect (exe, DLL, PDF, etc.) files in a virtualized and controlled environment. It monitors the executable files’ behavior during the execution, including the Windows APIs calls, Registry, and other Windows files. The following are examples of the artifact that the emulator may collect:

API calls Memory dumps Filesystem modifications Log events Running processes Web requests

An emulator stops the execution of a file when enough artifacts are collected to detect malware.”

Answer : Emulator

An ___ feature is a process of restoring or decrypting the compressed executable files to the original.

“PE (Portable Executable) Parsing and Unpackers

Malware hides and packs its malicious code by compressing and encrypting it within a payload. It decompresses and decrypts itself during runtime to make it harder to perform static analysis. Thus, AV software must be able to detect and unpack most of the known packers (UPX, Armadillo, ASPack, etc.) before the runtime for static analysis.

Malware developers use various techniques, such as Packing, to shrink the size and change the malicious file’s structure. Packing compresses the original executable file to make it harder to analyze. Therefore, AV software must have an unpacker feature to unpack protected or compressed executable files into the original code.

Another feature that AV software must have is Windows Portable Executable (PE) header parser. Parsing PE of executable files helps distinguish malicious and legitimate software (.exe files). The PE file format in Windows (32 and 64 bits) contains various information and resources, such as object code, DLLs, icon files, font files, and core dumps.”

Answer : unpacker

Read the above to proceed to the next task, where we discuss the AV detection techniques.

No Answer.

TASK 4 : Deploy the VM

Once you’ve deployed the VM, it will take a few minutes to boot up. Then, progress to the next task!

No Answer.

TASK 5 : AV Static Detection

What is the sigtool tool output to generate an MD5 of the AV-Check.exe binary?

By using “sigtool.exe” in the ClamAV directory, we can find the md5 of the AV-Check.exe sample :

1
2
C:\Users\thm\Desktop\Samples>"C:\Program Files\ClamAV\sigtool.exe" --md5 AV-Check.exe
f4a974b0cf25dca7fbce8701b7ab3a88:6144:AV-Check.exe

Answer : f4a974b0cf25dca7fbce8701b7ab3a88:6144:AV-Check.exe

Use the strings tool to list all human-readable strings of the AV-Check binary. What is the flag?

To answer this question, we can use the “Strings” command to retreive all human-readable strings in a binary. Let’s first check if it’s already installed :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
C:\Users\thm\Desktop\Samples>Strings

Strings v2.54 - Search for ANSI and Unicode strings in binary images.
Copyright (C) 1999-2021 Mark Russinovich
Sysinternals - www.sysinternals.com

usage: Strings [-a] [-f offset] [-b bytes] [-n length] [-o] [-s] [-u] <file or directory>
-a     Ascii-only search (Unicode and Ascii is default)
-b     Bytes of file to scan
-f     File offset at which to start scanning.
-o     Print offset in file string was located
-n     Minimum string length (default is 3)
-s     Recurse subdirectories
-u     Unicode-only search (Unicode and Ascii is default)
-nobanner
       Do not display the startup banner and copyright message.

It’s OK, so we can now specify our binary :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
C:\Users\thm\Desktop\Samples>Strings AV-Check.exe

Strings v2.54 - Search for ANSI and Unicode strings in binary images.
Copyright (C) 1999-2021 Mark Russinovich
Sysinternals - www.sysinternals.com

!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
[...]
--AV Found: {0}
--AV software is not found!
THM{Y0uC4nC-5tr16s}
z\V
WrapNonExceptionThrows
AV-Check
Copyright
[...]

We can simplify the search in the result by piping the “findstr” command :

1
2
C:\Users\thm\Desktop\Samples>Strings AV-Check.exe | findstr "THM"
THM{Y0uC4nC-5tr16s}

Answer : THM{Y0uC4nC-5tr16s}

TASK 6 : Other Detection Techniques

Which detection method is used to analyze malicious software inside virtual environments?

“Another method for dynamic detection is Sandboxing. A sandbox is a virtualized environment used to run malicious files separated from the host computer. This is usually done in an isolated environment, and the primary goal is to analyze how the malicious software acts in the system. Once the malicious software is confirmed, a unique signature and rule will be created based on the characteristic of the binary. Finally, a new update will be pushed into the cloud database for future use.”

Answer : Dynamic Detection

TASK 7 : AV Testing and Fingerprinting

For the C# AV fingerprint, try to rewrite the code in a different language, such as Python, and check whether VirusTotal flag it as malicious.

I write an example AV check in python, based on a process listing example https://thispointer.com/python-get-list-of-all-running-processes-and-sort-by-highest-memory-usage/ using “psutil” tool :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
import psutil
# Iterate over all running process
AV_Check = { 
    "MsMpEng.exe", "AdAwareService.exe", "afwServ.exe", "avguard.exe", "AVGSvc.exe", 
    "bdagent.exe", "BullGuardCore.exe", "ekrn.exe", "fshoster32.exe", "GDScan.exe", 
    "avp.exe", "K7CrvSvc.exe", "McAPExe.exe", "NortonSecurity.exe", "PavFnSvr.exe", 
    "SavService.exe", "EnterpriseService.exe", "WRSA.exe", "ZAPrivacyService.exe"}
print("[+] Begin scanning for host AV")
for proc in psutil.process_iter():
    try:
        # Get process name & pid from process object.
        processName = proc.name()
        processID = proc.pid
        if processName in AV_Check:
            print("[!] AV FOUND : " + processName , ' ::: ', processID)
            exit("[-] End scanning for host AV")
    except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
        pass

I tested this in a Windows VM running Eset Security :

1
2
3
4
C:\Users\test\Desktop>python3 scan_av.py
[+] Begin scanning for host AV
[!] AV FOUND : ekrn.exe  :::  2208
[-] End scanning for host AV

I submit my python script in VirusTotal https://www.virustotal.com/gui/file/a632c1fe575e8678651756d0f6816fe8c69c01c06da7e9ca81ab749c2e520dfc/details and it doesn’t flag it as malicious :

VirusTotal VirusTotal

VirusTotal VirusTotal

No Answer.

Read the Above!

No Answer.

TASK 8 : Conclusion

Congrats on completing the room, and keep learning!

No Answer.

This post is licensed under CC BY 4.0 by the author.