Open in app

Sign up

Sign in

Write

Sign up

Sign in

TryHackMe — Antivirus

Adithya Thatipalli
InfoSec Write-ups
Published in
10 min readJul 21, 2022

--

Hello All,

Every computer-familiar person from noob to geek hears about antivirus at some point in time. Antivirus is a concept that evolved from the early stages of portable computers. From Windows 95 to Windows 11, Antivirus was part of computer evolution.

An anti-virus is software that protects the machine from various types of malware, virus, and cyberattacks and helps us to keep our machines secure.

Traditional Antivirus solutions like Kaspersky, AVG, Norton to Malware bytes, and Windows Defender, Antivirus serves the exact cause of securing the machine.

But we know very few things about how it works. We are not going to go deep into history but let’s understand how it works.

Antivirus comes as a package consisting of scanners, engines, a database, and a sandbox environment. Each component has its own purpose

Antivirus updates its database with signatures on a real-time basis of the latest malware and scans the files against the signatures to match. Once it identifies it takes the action accordingly.

Let’s dive into different types of scanning and how it works on machines.

There are 3 types of scanning and detection. 1. Static Detections 2. Dynamic Detections 3. Behavioral based Detections

Static Detection:

Static Detection is the simplest and most basic way to detect. It scans the files with the existing database of malware files. It checks the hash value, checksum, and other relevant information which proves the integrity of the file.

In this task, we will scan a file on a machine with an antivirus that has static detection capabilities.

We are provided with a windows 10 machine running with an antivirus named “clamscam” and a bunch of different types of malware samples.

The Malware samples folder contains the following files:

  1. EICAR is a test file containing ASCII strings used to test AV software’s effectiveness instead of real malware that could damage your machine. Any virus scanning software can be tested using this file
  2. Backdoor 1 is a C# program that uses a well-known technique to establish a reverse connection, including creating a process and executing a Metasploit Framework shellcode.
  3. Backdoor 2 is a C# program that uses process injection and encryption to establish a reverse connection, including injecting a Metasploit shellcode into an existing and running process.
  4. AV-Check is a C# program that enumerates AV software in a target machine. Note that this file is not malicious. We will discuss this tool in more detail in task 6.
  5. notes.txt is a text file

I have logged into the machine and using cmd tool I have instructed the AV to scan the samples on the host desktop.

AV scanned the files with their database and shared the results. We got 2 malwares detected. However, it incorrectly identified the backdoor2 as non-malicious while it does.

You can run clamscan.exe — debug <file_to_scan>, and you will see all modules loaded and used during the scanning. For example, it uses the unpacking method to split the files and look for a predefined malicious sequence of bytecode values, and that is how it was able to detect the C# backdoor 1.

If you remember, Backdoor 1 and 2 are same code but backdoor 2 was encrypted. The bytecode value of the Metasploit shellcode used in backdoor 1 was previously identified and added to ClamAV’s database.

However, backdoor 2 uses an encryption technique (XOR) for the Metasploit shellcode, resulting in different sequences of bytecode values that it doesn’t find in the ClamAV database.

While the ClamAV was able to detect the EICAR.COM test file as malicious using the md5 signature-based technique.

Many times AV software cannot able to update their signatures for all the AV’s. Since the hackers always try new methods to create malware, sometimes it requires a manual effort to add signatures to the AV database. Majority of antivirus provides reporting new signatures or adding directly to their database.

In our case, since we were not able to identify the malware sample, now we will add the hash value of Backdoor 2 to our signature database.

Above steps described the way signature was added.The following are the required steps:

  1. Generate an MD5 signature for the file.
  2. Add the generated signature into a database with the extension “.hdb”.
  3. Re-scan the ClamAV against the file using our new database.

Additionally, we can identify the patterns in the different process and create a rule by adding all the parameters in the rule to detect a malware. This can be done by YARA Rule.

Yara is a tool that allows malware engineers to classify and detect malware. Yara uses rule-based detection, so in order to detect new malware, we need to create a new rule.

To write a rule in YARA, we should analyze the file and list all human-readable strings in the binary using the strings tool. As a result, we will see all functions, variables, and nonsense strings.

But, if you look closely, we can use some of the unique strings in our rules to detect this file in the future. The AV-Check uses a program database (.pdb), which contains a type and symbolic debugging information of the program during the compiling.

What is a program database (PDB)?

By default, when /DEBUG is specified, the linker creates a program database (PDB) which holds debugging information. The default file name for the PDB has the base name of the program and the extension .pdb.

We will use the path in the previous command’s output as our unique string example in the Yara rule that we will create. The signature could be Registry keys, commands, etc. The following is Yara’s rule that we will use in our detection:

rule thm_demo_rule {
	meta:
		author = "THM: Intro-to-AV-Room"
		description = "Look at how the Yara rule works with ClamAV"
	strings:
		$a = "C:\\Users\\thm\\source\\repos\\AV-Check\\AV-Check\\obj\\Debug\\AV-Check.pdb"
	condition:
		$a
}

Let’s explain this Yara’s rule a bit more.

  • The name of rule starts with rule thm_demo_rule. ClamAV uses this name if a rule matches.
  • The metadata section, which is general information, contains the author and description.
  • The strings section contains the strings or bytecode that we are looking for. We are using the C# program’s database path in this case which we got in the previous command execution .
  • Notice that we add an extra \ in that path to escape the special character, so it does not break the rule.
  • In the condition section, we specify if the defined string is found in the string section, then flag the file.

Note that Yara rules must store in a .yara extension file for ClamAV to deal with it.

Let’s re-scan the c:\Users\thm\Desktop\Samples folder again using the Yara rule we created. We have saved a copy of the Yara rule on the desktop at c:\Users\thm\Desktop\Files\thm-demo-1.yara.

Output result showed that the text file also flagged as malicious since the file contains the same string which we added in YARA rule.

To avoid the false-positiveness, We will be specifying the file type in our rule. Often, the types of a file can be identified using magic numbers, which are the first two bytes of the binary. For example, executable files (.exe) always start with the ASCII “MZ” value or “4D 5A” in hex.

To confirm this, let’s use the HxD application, which is a freeware Hex Editor, to examine the AV-Check.exe binary and see the first two bytes. Note that the HxD is already available in the provided VM.

let’s include this in our Yara rule to flag only the .exe files that contain our signature string as malicious. The following is the improved Yara rule:


rule thm_demo_rule {
	meta:
		author = "THM: Intro-to-AV-Room"
		description = "Look at how the Yara rule works with ClamAV"
	strings:
		$a = "C:\\Users\\thm\\source\\repos\\AV-Check\\AV-Check\\obj\\Debug\\AV-Check.pdb"
		$b = "MZ"
	condition:
		$b at 0 and $a
}

In the new Yara rule, we defined a unique string ($b) equal to the MZ as an identifier for the .exe file type. We also updated the condition section, which now includes the following conditions:

  1. If the string "MZ" is found at the 0 location, the file's beginning.
  2. If the unique string (the path) occurs within the binary.
  3. In the condition section, we used the AND operator for both definitions in 1 and 2 are found, then we have a match.

You can find the updated rule in Desktop\Files\thm-demo-2.yara. Now that we have our updated Yara rule, now let's try it again.

The output shows we improved our Yara rule to reduce the false-positive results. That was a simple example of how AV software works. Thus, AV software vendors work hard to fight against malware and improve their products and database to enhance the performance and accuracy of results.

The drawback of the signature-based detection is that files will have a different hash value if the binary is modified. Therefore, it is easy for someone to bypass signature-based detection techniques if they know what AV software looks for and how to analyze binaries, as shown in later rooms.

Now comes the task. We have given two questions to complete.

  1. We need to get the hash value of AV-Check.exe using sigtool of ClamAV.

2. We should get a flag by going through the binary of AV-Check.exe using strings command.

Dynamic Detection

In Dynamic Detection, we monitor the behaviour of file in real-time to identify the malicious process.

Dynamic detection is focused more on checking files at runtime using different methods.The following diagram shows the dynamic detection scanning flow:

Windows System files are one of the most exploited tools to execute malware. These AV softwares monitor the API calls of these files to detect malware. Once the process gets executed, they will monitor the Windows hooks

A hook is a mechanism by which an application can intercept events, such as messages, mouse actions, and keystrokes. A function that intercepts a particular type of event is known as a hook procedure. A hook procedure can act on each event it receives, and then modify or discard the event.

Another method for dynamic detection is Sandboxing.

A sandbox is a virtualized environment used to run malicious files separated from the host computer. This is usually done in an isolated environment, and the primary goal is to analyze how the malicious software acts in the system. Once the malicious software is confirmed, a unique signature and rule will be created based on the characteristic of the binary.

Heuristic and Behavioral Detection

Heuristic and behavioral detection have become essential in today’s modern AV products. Modern AV software relies on this type of detection to detect malicious software. The heuristic analysis uses various techniques, including static and dynamic heuristic methods:

  1. Static Heuristic Analysis is a process of extracting the source code of the malicious software. Then, the extracted source code is compared to other well-known virus source codes. These source codes are previously known and predefined in a heuristic database. If a match meets or exceeds a threshold percentage, the code is flagged as malicious.
  2. Dynamic Heuristic Analysis is based on predefined behavioral rules. Security researchers analyzed suspicious software in isolated and secured environments. Based on their findings, they flagged the software as malicious. Then, behavioral rules are created to match the software’s malicious activities within a target machine.

The following are examples of behavioral rules:

  • If a process tries to interact with the LSASS.exe process that contains users’ NTLM hashes, Kerberos tickets, and more
  • If a process opens a listening port and waits to receive commands from a Command and Control (C2) server

Summary of Detections:

In the diagram, you can see a suspicious Foobar.zip file is passed to AV software to scan.

  • AV software recognizes that it is a compressed file (.zip).
  • Software Identify and applies an unzipping feature to extract the files (Foobar.exe).
  • Next, it identifies the file type to know which module to work with and then performs a PE parsing operation to pull the binary’s information and other characteristic features.
  • Next, it checks whether the file is packed; if it is, it unpacks the code.
  • Finally, it passes the collected information and the binary to the AV engine, where it tries to detect if it is malicious and gives us the result.

As a security professional, you need to be updated with the way Antivirus products getting updated with new type of virus attacks.

Thanks for reading :)

From Infosec Writeups: A lot is coming up in the Infosec every day that it’s hard to keep up with. Join our weekly newsletter to get all the latest Infosec trends in the form of 5 articles, 4 Threads, 3 videos, 2 Github Repos and tools, and 1 job alert for FREE! https://weekly.infosecwriteups.com/

--

--

Adithya Thatipalli
InfoSec Write-ups
Follow

Written by Adithya Thatipalli

115 Followers

Security Engineer by Day, Cloud and Blockchain Learner during Night

Follow

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams