Malicious Symbolic Links: Part 2 Antivirus Evasion
First of all, as most of you already know, there is no algorithm that can perfectly detect all possible threats. Among the malware detection methods, two are the most common:
- Signature Based Detection: examining files without executing them and comparing the results against a huge database of signatures of already known malware.
- Behavioral Based Detection: allowing applications to execute while monitoring them for suspicious activity (changing registry keys, adding applications to system start-up, downloading executable files from the internet, etc.).
Figure 1 - Components of an antivirus engine
As you can see in figure 2, at the time of this writing (13th October 2015) the malicious symbolic link is detected by only two antivirus products. I suppose that this scan is signature based only, with no execution or behavioral analysis.
This is not surprising, since the antivirus engines have no signatures in their databases for the malicious symbolic link: it has not been public for long. However, two of them do detect it, so they have some signatures. After some trial and error I figured out that one of them was detecting only the icon image and the other only the batch/vbs code the symbolic link contains.
To make detection harder, we have to obfuscate the vbs code by converting it to vbe (VBScript Encoded). This can be achieved with a vbs encoder/decoder like VBScriptCoders, a GUI application: simply select a vbs file and it outputs the encoded vbe file.
It is crucial to enable Delayed Expansion in the batch code, which causes variables to be expanded at execution time rather than at parse time, so we do not have to escape all the characters of the encoded vbe file. It is also important to split the string at every double quote in order to assign the variables properly. The final result is shown in figure 3.
Figure 3 - Obfuscated symbolic link opened with notepad++
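A detection-side counterpart to the evasion just described, added here as an example that is not part of the original post: it scores a command line recovered from a shortcut (assumed to have been extracted already with a .lnk parser) for the traits the loader relies on, namely the fixed header/trailer the Microsoft Script Encoder puts around VBE output and batch delayed expansion, plus two weaker heuristics. The sample command lines are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# (indicator name, case-insensitive regex). "#@~^" and "^#~@" are the constant
# header and trailer of Script Encoder (.vbe) output; "/V:ON", EnableDelayedExpansion
# and "!var!" are the cmd.exe delayed-expansion forms the post's batch code needs.
INDICATORS: List[Tuple[str, str]] = [
    ("vbe_encoded_script", r"#@~\^|\^#~@"),
    ("delayed_expansion", r"/v:on\b|enabledelayedexpansion|![a-z0-9_]+!"),
    ("script_host_runs_vbe", r"\b[wc]script(?:\.exe)?\b[^&|]*\.vbe\b"),
    ("drops_to_temp", r'(?:>|>>)\s*"?%temp%'),
]


def scan_command_line(cmdline: str) -> List[str]:
    """Return the names of all indicators matched in one shortcut command line."""
    return [name for name, pat in INDICATORS if re.search(pat, cmdline, re.IGNORECASE)]


def is_suspicious(cmdline: str) -> bool:
    """A VBE marker alone is enough; otherwise require two weaker indicators."""
    hits = scan_command_line(cmdline)
    return "vbe_encoded_script" in hits or len(hits) >= 2


# Constructed samples (not the post's files): a benign shortcut and a sketch of
# the batch-drops-VBE pattern, with a meaningless stand-in for the encoded body.
SAMPLES: Dict[str, str] = {
    "benign": r'C:\Windows\System32\cmd.exe /c dir "C:\Users\Public"',
    "loader": r'C:\Windows\System32\cmd.exe /V:ON /c "set "p=#@~^AQAAAA==" & echo !p!>"%TEMP%\s.vbe" & wscript //B "%TEMP%\s.vbe""',
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(f"{label:8} suspicious={is_suspicious(cmd)} hits={scan_command_line(cmd)}")
```

In practice the same checks belong in the scanner's .lnk parser, since a signature on the icon or on one encoded string is exactly what the post shows to be brittle.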
For the icon signature there are two options:
- Change the icon image to a similar one.
- Edit the icon with an icon editor and change one pixel, which changes the icon's hash/checksum value.
After all the appropriate changes, the metascan-online results show zero detections (figure 4).
As I said earlier, this was just a signature based scan; I am going to test the symbolic link with behavioral analysis in the future and update the post. As always, you can download the obfuscated proof of concept to run your own tests if you wish.
There are two versions:
Windows 7, 8, 10: Windows7plus_poc_evasion.zip
MD5: 09c88830b3fe46f40a79692e9b976733
Windows XP: WindowsXP_poc_evasion.zip
MD5: 7d4da825227920520cb0a159c6efb311
Feedback and comments are always welcome.