The document provides an overview of how anti-virus software works and techniques used to bypass antivirus detection. It discusses how antiviruses use signature-based, heuristic-based, behavioral, and sandboxing techniques to detect malware. It also explains common techniques used to evade detection like packers, splitters, code obfuscation, and injection. The document concludes that while antivirus has improved, virus creators continually develop new methods to bypass protections and that additional security measures are still needed.
This is my presentation at the JWC 4th Event Computer and Network Security Forum at Binus International University. I talk about how to set up your own malware lab for malware analysis purposes.
Malware varies mostly in the visible payloads that it manifests. We can see it infecting files, uninstalling anti-malware applications, stealing important documents, controlling our computers remotely, and performing other malicious activities.
What we don't see is how they are implemented within the malware code. Modern malware uses different techniques to protect itself from detection, analysis, and eradication. Some malware even uses layers to obfuscate the way it uses these protections. Layers in malware are defense mechanisms against deep analysis. Within these layers, different malware tricks are also deployed.
In this presentation, we are going to look into Scieron and Vawtrak, two different malware families that implement layers differently. We will see some video demos of how some of the malware code is executed within the context of a debugger.
Finally, we are going to leverage Volatility, a memory forensic tool, to detect the presence of layers in an infected system.
There has been a ransomware explosion in the last 6 years, and very little has been done to stop infections aside from deprecated signature scans and classic malware scanners. Weston will go over a couple of proof of concepts that work on even the most current versions of the malware and stop it from fully infecting machines that would otherwise be infected with malware demanding thousands of dollars in some instances. Weston will go over several methods of making your system immune to attacks from ransomware, many of them discovered by actually reverse engineering the malware early this year. Weston will also go over several open source tools to test your environment's exposure to malware such as Cryptowall, and several tools, both software and hardware, that can protect your systems from malware infection, including methods of abusing the payment gateway system to get more than one file unlocked for free. Weston will also go into the research on breaking the encryption based on the outputted encrypted files.
Watchtowers of the Internet - Source Boston 2012 (Stephan Chenette)
Watchtowers of the Internet: Analysis of Outbound Malware Communication, Stephan Chenette, Principal Security Researcher, (@StephanChenette) & Armin Buescher, Security Researcher
With advanced malware, targeted attacks, and advanced persistent threats, it's not IF but WHEN a persistent attacker will penetrate your network and install malware on your company's network and desktop computers. To get the full picture of the threat landscape created by malware, our malware sandbox lab runs over 30,000 malware samples a day. Network traffic is subsequently analyzed using heuristics and machine learning techniques to statistically score any outbound communication and identify command & control, back-channel, worm-like and other types of traffic used by malware.
Our talk will focus on the setup of the lab, major malware families as well as outlier malware, and the statistics we have generated to give our audience an exposure like never before into the details of malicious outbound communication. We will provide several tips, based on our analysis to help you create a safer and more secure network.
Stephan Chenette is a principal security researcher at Websense Security Labs, specializing in research tools and next generation emerging threats. In this role, he identifies and implements exploit and malcode detection techniques.
Armin Buescher is a Security Researcher and Software Engineer experienced in the strategic development of detection/prevention technologies and analysis tools. He graduated as Dipl.-Inf. (MSc) with a thesis on client honeypot systems. He is interested in academic research work and is a published author of security research papers.
SANS London April, SANS at Night - Tearing apart a fileless malware sample (Michel Coene)
This presentation was created based on a sample we found. At first sight this looked to be a standard fileless cryptocurrency mining malware, however, when looking a bit further, we noted that this malware had some other tricks up its sleeve.
This presentation starts with an introduction to how fileless malware works and how to detect it, a short introduction to cryptocurrency mining and, of course, the analysis of the sample itself.
Assessing the security posture of a web application is a common project for a penetration tester and a good skill for developers to know. In this talk, we'll go over the different stages of a web application pen test, from start to finish. We'll start with tools used during the discovery phase to utilize OSINT sources such as search engines, sub-domain brute-forcing and other methods to help you get a good idea of the target's "footprint", then automated scanners and their use, all the way to manual testing and tools used for fuzzing parameters to find potential SQL injection vulnerabilities. We'll also discuss pro tips and tricks that we use while conducting a full application penetration assessment. After this talk, you should have a good understanding of what is needed as well as where to start on your journey to hacking web apps.
Threat actors are increasing their use of fileless malware for one simple reason: most organizations aren't prepared to detect it. Education is the first step in determining what threat these new attacks pose and what you can do to detect and stop fileless malware attacks. Learn more at: https://www.bluvector.io
Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas (Shawn Tuma)
This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, to ISACA CSXNA 2016 in Las Vegas on October 18, 2016.
https://www.isaca.org/cyber-conference/index.html
This presentation was significantly updated from past presentations and included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies.
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great of a threat as regulatory enforcement by agencies such as the FTC and SEC, or the shareholder derivative claims for officer and director liability; and
(5) The odds are that every company will be breached, but preparation and diligence can help minimize the likelihood of such a breach becoming a catastrophic event.
This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk businesses have of being the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. It then turns to the need, because of this crisis environment, for leadership in helping keep the parties calm, rational, and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events and legal counsel is the natural leader that should fulfill this role and how they can do so. It will then discuss the process legal counsel will take, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from such an incident and failing to properly respond to the incident. This section includes a discussion of the cybersecurity lawsuit landscape, cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
These are the slides from a talk "Analysis of mass SQL injection attacks" held at FSec 2012 conference (Croatia / Varazdin 21st September 2012) by Miroslav Stampar
This example-laden talk will show how common tools available in today's enterprise environments can be harnessed to enhance and transform an appsec program. The talk will include example attacks and simple config changes that could make all the difference. Devs, infrastructure sec, CISOs: come one, come all.
PoS Malware and Other Threats to the Retail Industry (Invincea, Inc.)
This presentation covers:
- Why today’s Retail POS systems are at risk
- How using relatively simple techniques, cyber criminals get onto retailer networks and POS machines
- How POS malware works in capturing credit card data
- How antiquated security architectures and technology put retailers and customers at risk
- How good security architecture and advanced threat protection tools can defeat these attacks before data is breached.
- How to recognize outdated vulnerable POS endpoints that might expose you to credit card fraud
WatchGuard - Cryptolocker and the fight against IT's greatest enemy - Orbid ... (Orbid)
Cybercriminals are working in an increasingly targeted way and no longer focus only on the multinationals of this world. Your company too can be the target of data loss and theft. IT security is therefore climbing ever higher on the priority list of CEOs and CIOs. And rightly so. To inform companies about the most important security risks and protective measures, Orbid, Proximus, Veeam and WatchGuard organized a free lunch & learn, "Cybercrime and the continuity of your company", on 2 June in the recording studios of RTV in Westerlo.
This webinar is focused on the comparison between traditional and next-generation security solutions. It covers the following:
• Traditional Antivirus vs. Next-Gen Security Products
• Busting Security Myths
• VirusTotal & Next-Gen AVs
• Comparison of Next-Gen Security Products
From the demise of conventional signature-based endpoint technologies have risen next generation solutions. These technologies have cluttered the marketplace introducing a conundrum for endpoint selection. This session will focus on the key requirements for effective security prevention, detection, and remediation. It will introduce a real-world framework for categorizing endpoint capabilities, and enable selection of solutions matching the unmet needs of security programs. The following topics will be covered:
• What do I actually need?
• Real-world framework to categorize endpoint capabilities
• Map vendors into buckets within the framework
• Housekeeping, what's needed before you even start?
• Cheat sheet of probing questions to ask vendors
• Best practices of deploying best of breed solutions
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr... (PaloAltoNetworks)
Palo Alto Networks Live Community Senior Engineers Tom and Joe present best security practices at the Fuel Spark event in London. For more details, please visit: https://live.paloaltonetworks.com/t5/Community-Blog/Live-Community-team-at-Spark-User-Summit-London/ba-p/153182
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
Slides by me and Rik Marselis at the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally, we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
UiPath Test Automation using UiPath Test Suite series, part 3 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
JMeter webinar - integration with InfluxDB and Grafana (RTTS)
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... (Jeffrey Haguewood)
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
"Impact of front-end architecture on development cost", Viktor Turskyi (Fwdays)
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Connector Corner: Automate dynamic content and events by pushing a button (DianaGray10)
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
2. Agenda
+ Introduction
+ Anti-virus: how does it actually work?
+ Anti-virus detection techniques
+ PE (Portable Executable) simplified
+ !%##$*@@$ Where are the signatures stored?
+ Anti-virus bypassing techniques
+ Conclusion
3. Introduction
• Anti-virus software has, in the true sense, evolved a lot over the last decade.
• The time when AVs only supported "string based detection" is gone.
6. Introduction
• If our AVs detect and eliminate newly discovered viruses, why do we see such a great number of new viruses each year?
• Are the virus coders so stupid?
7. Some really smart people (hackers/crackers) already know how to bypass AV protection.
10. Anti-virus: how it actually works
• Nowadays the AV scans our system in real time.
• Information is analyzed based on its origin, i.e. the source of the information.
• The AV operates differently depending on the source of the information.
11. Anti-virus working from a top-level view.
If the file is found to be malicious, the information will not be copied to the destination location. (Here the destination in our case is the HD.)
12. One of two possibilities takes place
• When the data is found to be legitimate, the scanner forwards that data to the destination location.
• When a virus is detected, a warning is sent to the UI for the user's action. The interface may vary.
13. Process flow of the working of the AV.
(Figure: AV scanner scanning information in real time.)
14. AV detection techniques (scan engines)
• Signature-based detection (also sometimes called "string-based" detection)
• The AV maintains a dictionary of the signatures of known viruses, malware, spyware etc.
• This dictionary is stored on the client side and is usually in binary form.
• Next-generation signature-based detection
• Disadvantage?
16. Heuristic-based detection
• Used to detect new, unknown viruses in your system that have not yet been identified.
• Based on a piece-by-piece examination of a virus.
• Looks for the sequences of instructions that differentiate the virus from "normal programs".
17. Behavior-based detection
• Observes how the program actually executes, rather than merely emulating its execution.
• Identifies malware by looking for suspicious behavior.
• Works similarly to a behavioral HIDS.
• Disadvantage?
18. Sandboxing-based detection
• What is a "sandbox"?
• Isolates the files which are to be scanned and monitors their activity.
19. PE (Portable Executable) simplified
• Do you think that an executable file is one single file?
• PE, or Portable Executable, is the file format for executables, object code and DLLs used in 32-bit and 64-bit versions of the Windows operating system.
21. Where can you find the PE?
• When you explore your executable in a debugger like OllyDbg, or open it in a hex editor, you can view it.
23. Where are the signatures stored?
• When we examine any executable with a hex editor or a debugger, we can get the file signature.
• Malicious file signatures are not necessarily found only in the MZ header; they may be present in any of the sections just explained.
25. Caution!! AV bypassing techniques
These are the techniques that hackers and crackers already know. These are:
• Binders and packers
• Using a splitter
• Code conversion from EXE to client-side script
• Code obfuscation
• Using the Metasploit framework
• Code or DLL injection
27. • Packers: similar to binders, with just one difference.
Popular binders and packers are Infector v2, Exe Maker, Exe Joiner, EliteWrap, UPX etc., widely available on the internet.
Note: These techniques are not effective nowadays.
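To make slides 19 to 23 (a PE is made of headers and sections, and a signature can sit in any of them) and slide 27 (why packers are no longer effective) concrete, here is an added example of mine, not code from the deck: it parses the MZ/PE headers and section table, signature-matches every region, and flags a packed-looking section by its byte entropy. The sample PE, the signature bytes and the 7.0 bits/byte threshold are all constructed for the example.

```python
import math
import random
import struct

# Constructed demo signature standing in for one entry of a scanner's
# signature dictionary. It is not a real anti-virus signature.
DEMO_SIGNATURE = b"\xde\xad\xbe\xef\x13\x37"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk MZ header -> e_lfanew -> PE signature -> COFF header -> section table.

    Returns a list of (name, raw_offset, raw_size), one entry per section.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                              # 20-byte COFF file header
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size                     # section table follows the optional header
    sections = []
    for i in range(num_sections):
        entry = table + i * 40                       # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", pe, entry + 16)
        sections.append((name, raw_off, raw_size))
    return sections


def scan(pe: bytes, signatures=(DEMO_SIGNATURE,), entropy_threshold=7.0):
    """Signature-match every region of the file, plus a packer heuristic.

    The headers and each section are searched separately, so a pattern placed
    in any section (not only near the MZ header) is still found. A section whose
    entropy is close to 8 bits/byte is flagged as probably packed or encrypted,
    which is the simplest reason a plain packer no longer hides anything.
    """
    sections = parse_sections(pe)
    first_raw = min((off for _, off, size in sections if size), default=len(pe))
    regions = [("<headers>", 0, first_raw)] + sections
    findings = []
    for name, off, size in regions:
        chunk = pe[off:off + size]
        for sig in signatures:
            if sig in chunk:
                findings.append((name, "signature", sig.hex()))
        ent = shannon_entropy(chunk)
        if size >= 64 and ent >= entropy_threshold:
            findings.append((name, "high-entropy", round(ent, 2)))
    return findings


def build_demo_pe(sections):
    """Constructed minimal PE32 image: valid headers and section table, not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = b"\x0b\x01" + b"\0" * (opt_size - 2)       # Magic 0x10B (PE32), rest zeroed
    raw_start = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    table, body = b"", b""
    for name, payload in sections:
        offset = raw_start + len(body)
        table += name.encode().ljust(8, b"\0")
        table += struct.pack("<IIII", len(payload), 0x1000, len(payload), offset) + b"\0" * 16
        body += payload
    return dos + b"PE\0\0" + coff + opt + table + body


def demo():
    """Scan a constructed sample: a signature hidden in .text and a packed-looking section."""
    rng = random.Random(1337)
    packed = bytes(rng.randrange(256) for _ in range(1024))  # stands in for compressed code
    sample = build_demo_pe([
        (".text", b"\x55\x8b\xec" * 40 + DEMO_SIGNATURE + b"\xc3" * 10),
        (".rdata", b"Hello from a benign program. " * 8),
        ("UPX1", packed),
    ])
    return scan(sample)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```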
28. Splitting the file
• These are programs that split a single file into a number of small files.
29. • One may change some code in a small chunked file to evade AV detection, join the chunks again and scan the result to check whether the AV flags it as malicious or not. A trial-and-error method.
• POC
30. Code conversion from EXE to client-side scripts
One may convert the file to client-side scripts, which are also executable.
But again, needless to say, this technique is also not foolproof.
31. Code obfuscation
• This simply means transforming the code into some other form.
• There are many ways of obfuscating code; the major ones are:
1. Polymorphism
2. Metamorphism etc.
32. Using the Metasploit framework
• Using the Metasploit framework, one can also easily bypass AV.
• Here the code is encoded and a decoding routine is added to the code itself. Upon execution the code is first decoded and then run.
• Note: Encoding and decoding are different.
33. • Msfencode: a useful tool that alters the code in an executable so that it looks different to antivirus software but still runs the same way.
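The encode-then-decode-at-run-time step above defeats a byte-for-byte signature lookup because the known pattern is no longer present in the file as stored. The following added example (mine, not code from the deck or from Metasploit) shows the scanner-side answer for the simplest such scheme, a single-byte XOR: rather than decoding the file, it transforms the signature under each of the 256 possible keys and searches the untouched bytes. The signature string and the sample with its stand-in decoder stub are constructed.

```python
# Constructed stand-in for a scanner signature; not a real anti-virus signature.
SIGNATURE = b"MALICIOUS_PATTERN"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def raw_scan(blob: bytes, signature: bytes) -> bool:
    """Plain byte-for-byte lookup: what a naive signature scanner does."""
    return blob.find(signature) != -1


def find_xored_signature(blob: bytes, signature: bytes):
    """Report every (key, offset) where `signature` appears under a single-byte XOR key.

    Only the 17-byte signature is transformed per key, so the cost is 256
    substring searches over the unmodified file. Key 0 is the plain case, so a
    signature stored in the clear is reported too.
    """
    hits = []
    for key in range(256):
        needle = xor_bytes(signature, key)
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            hits.append((key, idx))
            start = idx + 1
    return hits


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed sample in the shape the slide describes: a small decoding
    routine up front (here a 6-byte stand-in tag carrying the key) followed by
    the encoded body that contains the signature."""
    stub = b"STUB:" + bytes([key])
    body = b"\x90" * 8 + SIGNATURE + b"\xc3" * 4
    return stub + xor_bytes(body, key)


def demo():
    """Raw lookup misses the encoded signature; the keyed search recovers key and offset."""
    sample = build_sample()
    return {
        "raw_scan": raw_scan(sample, SIGNATURE),
        "xor_hits": find_xored_signature(sample, SIGNATURE),
    }


if __name__ == "__main__":
    print(demo())
```

Real encoders use longer or rolling keys, which is why production scanners pair this kind of search with emulation of the decoder stub rather than relying on it alone.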
35. Code or DLL injection
• What the heck is code or DLL injection?
• The most stealthy method so far for the post-exploitation phase in pentesting.
36. Conclusion
• As mentioned before, AV has really evolved a lot, but at the same time the techniques to bypass detection have also evolved.
• Installing an AV and thinking that you are safe would be nothing more than stupidity.
• Virus coders will always look for different ways or means to evade any anti-virus product and infect systems.
37. Conclusion
• One may install a real-time port monitor to identify any malicious virus that may have bypassed AV detection.
• One may also implement strict policies, maintain update routines and look for existing vulnerabilities in the system which may be exploited.
38. References
1) Real time virus reporting: http://bitdefender.com/resourcecenter/real-time-reporting
2) Online malware and spyware scanning portal, VirusTotal: http://www.virustotal.com
3) Two ways to prevent viruses entering your computer: http://www.netsecurity.org/article.php?id=485&p=1
4) A whitepaper on Injector Mask or a Tool, 2010, by Amit Malik
5) Signature based scanning: http://blogs.avg.com/business/signature-based-detection/
6) Heuristic based scanning: http://techinicalplanet.blogspot.in/2013/02/antivirus-mechanism.html and http://www.pandasecurity.com/usa/homeusers/support/card/?Id=7&idIdioma=2&Ref=TechPortal
7) Sandbox: http://searchsecurity.techtarget.com/definition/sandbox
8) PE file format: http://win32assembly.programminghorizon.com/pe-tut1.html
9) PE sections: http://www.csn.ul.ie/~caolan/publink/winresdump/winresdump/doc/pefile2.html
10) Olly Debugger (OllyDbg): www.ollydbg.de/version2.html
10.1) White paper on Bypassing Anti-virus Scanners by Internet Security Team
11) UPX: The ultimate packer: http://upx.sourceforge.net/
12) Black Hat USA presentation, 0wning Anti-virus, by Alex Wheeler and Neel Mehta
13) http://upx.sourceforge.net/
14) Audit results of famous AVs by Alex Wheeler and Neel Mehta
15) 4 types of vulnerabilities in anti-viruses: whitepaper on Attacking Anti-virus by Feng Xue, Technical Lead, Nevis Labs.