Jump to content

Python Delay Makes Anti Virus Softwares Obsolete


VelocityTek
 Share

Recommended Posts

I had recently (finally) gotten a reply from my favourite Anti Virus software developers ESET on their Twitter Page:

@TOPNOTCHPClol if you haven't already, please post this issue with as much info as you can share via https://forum.eset.com  - Thanks!

 

(I am new here, so I apologize if I did not post in the correct area) I will basically be copying and pasting my original post on the Linus Tech Tips Forum

 

(Before starting a description, this is not exactly news and I am not much of a writer, however I am posting it here including my sources. This issue, as-well as the IPv6 Router Advertisement flood needs to be resolved. This won't be the easiest to read however, anyone with some technical knowledge should be able to get the just of what I am saying)
 
Sam Bowne teaches Ethical Hacking at the City College San Francisco1. Sam Bowne has done many talks at Defcon which can all be found on You Tube2. Most recently Sam Bowne had his students modify & compile malware in Python into Windows executables3, thus making Virus Total.com unable to detect it(Virus Total does not use heuristics, as normal Anti Virus engines would) making the code effective against Anti Virus softwares with Behavioral Analysis options disabled(Which they very rarely are)4 After having published his findings a Twitter follower by the name of Bobby 'Tablessuggested to Sam Bowne that Behavioral Analysis really only watches the process for "a minute or two", suggesting that a simple delay in combination with Sam's original method could make both definitions obsolete by modifying the malicious code, compiling in Python, then switching it over to a Windows executable, leaving heuristics or "behavioral analysis" the only thing left to pick up the malicious code. To get around heuristics Sam simply used a delay after starting the process to in essence wait until the guards pass to do something malicious. 


The delay issue in itself actually worries me a fair bit more than, a slight modification of malicious code in Python. My suggestion for Anti Virus manufacturers is to offer users the flexibility on both how long heuristics will watch certain processes, and maybe even the intervals in which the Anti Virus software re-checks processes. Anti Virus Software such as ESET Nod32/Smart Security is already so light weight and efficient that, I could see myself having it watch processes for about an hour long still with minimal performance hits. If you are interested in watching a video on Sam Bowne demonstrating these concepts the link has been provided in the sources, as-well as a link to a video on IPv6 Router Advertisement Floods. 
 
 
 
 
 
 
Sources: (To see video demonstrations follow this link to my original post please: hxxp://linustechtips.com/main/topic/199011-python-delay-makes-anti-virus-softwares-obsolete/)
1: https://twitter.com/sambowne
 
2: https://www.youtube....am Bowne Defcon

 

3: hxxp://samsclass.inf...roj14/p8-av.htm

 

4: hxxp://samsclass.inf...oj14/norton.htm

5: https://twitter.com/info_dox

 

6: 

 

RA flood Videos:
RA flood hitting fortigate: 

RA flood discussion: 

 

 

 
Link to comment
Share on other sites

  • ESET Moderators

Hello,

Here's the VirusTotal report for the first URL from Prof. Brown's site: www.virustotal.com/en/file/5c5c0e866e583f0c84a5d91e368eb6dba364c8f97f17b6ea9f5fc3d2c0578934/analysis/

As for the second one, without knowing the the build and module versions involved, along with a copy of the file in question, it's rather difficult to know what was detected. The ESET Smart Security 8 beta version might do better with its botnet detection technology, but that's just a guess on my part.

It is generally understood, though, that new malware is created on a daily basis. This is why anti-malware software is frequently updated to detect it. 

Regards,

Aryeh Goretsky

[Copy of your original post below, which I've stripped some of the formatting, in order to make it a little easier to read.  AG]
 

I had recently (finally) gotten a reply from my favourite Anti Virus software developers ESET on their Twitter Page:

ESET‏@ESET 2h

@TOPNOTCHPClol if you haven't already, please post this issue with as much info as you can share via https://forum.eset.com - Thanks!

(I am new here, so I apologize if I did not post in the correct area) I will basically be copying and pasting my original post on the Linus Tech Tips Forum

(Before starting a description, this is not exactly news and I am not much of a writer, however I am posting it here including my sources. This issue, as-well as the IPv6 Router Advertisement flood needs to be resolved. This won't be the easiest to read however, anyone with some technical knowledge should be able to get the just of what I am saying)

Sam Bowne teaches Ethical Hacking at the City College San Francisco1. Sam Bowne has done many talks at Defcon which can all be found on You Tube2. Most recently Sam Bowne had his students modify & compile malware in Python into Windows executables3, thus making Virus Total.com unable to detect it( Virus Total does not use heuristics, as normal Anti Virus engines would) making the code effective against Anti Virus softwares with Behavioral Analysis options disabled(Which they very rarely are)4. After having published his findings a Twitter follower by the name of Bobby 'Tables5 suggested to Sam Bowne that Behavioral Analysis really only watches the process for "a minute or two", suggesting that a simple delay in combination with Sam's original method could make both definitions obsolete by modifying the malicious code, compiling in Python, then switching it over to a Windows executable, leaving heuristics or "behavioral analysis" the only thing left to pick up the malicious code. To get around heuristics Sam simply used a delay after starting the process to in essence wait until the guards pass to do something malicious.

The delay issue in itself actually worries me a fair bit more than, a slight modification of malicious code in Python. My suggestion for Anti Virus manufacturers is to offer users the flexibility on both how long heuristics will watch certain processes, and maybe even the intervals in which the Anti Virus software re-checks processes. Anti Virus Software such as ESET Nod32/Smart Security is already so light weight and efficient that, I could see myself having it watch processes for about an hour long still with minimal performance hits. If you are interested in watching a video on Sam Bowne demonstrating these concepts the link has been provided in the sources, as-well as a link to a video on IPv6 Router Advertisement Floods.

Sources: (To see video demonstrations follow this link to my original post please: hxxp://linustechtips.com/main/topic/199011-python-delay-makes-anti-virus-softwares-obsolete/)
1: https://twitter.com/sambowne

2: www.youtube.com/results?search_query=Sam+Bowne+Defcon

3: samsclass.info/124/proj14/p8-av.htm

4: samsclass.info/124/proj14/norton.htm

5: https://twitter.com/info_dox

6:

RA flood Videos:
RA flood hitting fortigate:
RA flood discussion:

 

 

Link to comment
Share on other sites

  • Administrators

I don't see how Python delays are different from anti-emulation techniques used in executable to prevent emulators from reaching the actual malicious code or other anti-detection techniques in terms of the purpose. If malware writers start to abuse a new technique, antivirus vendors are usually able to adapt reasonably quickly.

Link to comment
Share on other sites

 

Hello,

Here's the VirusTotal report for the first URL from Prof. Brown's site: www.virustotal.com/en/file/5c5c0e866e583f0c84a5d91e368eb6dba364c8f97f17b6ea9f5fc3d2c0578934/analysis/

As for the second one, without knowing the the build and module versions involved, along with a copy of the file in question, it's rather difficult to know what was detected. The ESET Smart Security 8 beta version might do better with its botnet detection technology, but that's just a guess on my part.

It is generally understood, though, that new malware is created on a daily basis. This is why anti-malware software is frequently updated to detect it. 

Regards,

Aryeh Goretsky

[Copy of your original post below, which I've stripped some of the formatting, in order to make it a little easier to read.  AG]

 

I had recently (finally) gotten a reply from my favourite Anti Virus software developers ESET on their Twitter Page:

ESET‏@ESET 2h

@TOPNOTCHPClol if you haven't already, please post this issue with as much info as you can share via https://forum.eset.com - Thanks!

(I am new here, so I apologize if I did not post in the correct area) I will basically be copying and pasting my original post on the Linus Tech Tips Forum

(Before starting a description, this is not exactly news and I am not much of a writer, however I am posting it here including my sources. This issue, as-well as the IPv6 Router Advertisement flood needs to be resolved. This won't be the easiest to read however, anyone with some technical knowledge should be able to get the just of what I am saying)

Sam Bowne teaches Ethical Hacking at the City College San Francisco1. Sam Bowne has done many talks at Defcon which can all be found on You Tube2. Most recently Sam Bowne had his students modify & compile malware in Python into Windows executables3, thus making Virus Total.com unable to detect it( Virus Total does not use heuristics, as normal Anti Virus engines would) making the code effective against Anti Virus softwares with Behavioral Analysis options disabled(Which they very rarely are)4. After having published his findings a Twitter follower by the name of Bobby 'Tables5 suggested to Sam Bowne that Behavioral Analysis really only watches the process for "a minute or two", suggesting that a simple delay in combination with Sam's original method could make both definitions obsolete by modifying the malicious code, compiling in Python, then switching it over to a Windows executable, leaving heuristics or "behavioral analysis" the only thing left to pick up the malicious code. To get around heuristics Sam simply used a delay after starting the process to in essence wait until the guards pass to do something malicious.

The delay issue in itself actually worries me a fair bit more than, a slight modification of malicious code in Python. My suggestion for Anti Virus manufacturers is to offer users the flexibility on both how long heuristics will watch certain processes, and maybe even the intervals in which the Anti Virus software re-checks processes. Anti Virus Software such as ESET Nod32/Smart Security is already so light weight and efficient that, I could see myself having it watch processes for about an hour long still with minimal performance hits. If you are interested in watching a video on Sam Bowne demonstrating these concepts the link has been provided in the sources, as-well as a link to a video on IPv6 Router Advertisement Floods.

Sources: (To see video demonstrations follow this link to my original post please: hxxp://linustechtips.com/main/topic/199011-python-delay-makes-anti-virus-softwares-obsolete/)

1: https://twitter.com/sambowne

2: www.youtube.com/results?search_query=Sam+Bowne+Defcon

3: samsclass.info/124/proj14/p8-av.htm

4: samsclass.info/124/proj14/norton.htm

5: https://twitter.com/info_dox

6:

RA flood Videos:

RA flood hitting fortigate:

RA flood discussion:

 

 

The delay though is more concerning than simply modifying the codebase of different exploits. I guess I am making a feature request, seeing as all I would have to do is increase heuristics scan times for processes. (If that isn't already an option)

 

I don't see how Python delays are different from anti-emulation techniques used in executable to prevent emulators from reaching the actual malicious code or other anti-detection techniques in terms of the purpose. If malware writers start to abuse a new technique, antivirus vendors are usually able to adapt reasonably quickly.

And they haven't adapted quickly whatsoever to the little delay trick that Sam Bowne brought to light. That is the issue. And it can be fixed (relatively, you still have to add it into the program) easily by allowing users to control Heuristics scan times...

Link to comment
Share on other sites

  • Administrators

And they haven't adapted quickly whatsoever to the little delay trick that Sam Bowne brought to light. That is the issue. And it can be fixed (relatively, you still have to add it into the program) easily by allowing users to control Heuristics scan times...

Hm, so there's still undetected malware exploiting this trick? If so, please report it to samples[at]eset.com and we'll definitely look into it.
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...