EVADING ANTIVIRUS SOFTWARE
FOR FUN AND PROFIT
Presented by
Mohammed Adam
AGENDA
Looking into different types of viruses
Common AV detection mechanisms
How AMSI (Antimalware Scan Interface) works
Bypassing some of the popular antivirus software
Better Approach
Q & A Session
References
LOOKING INTO DIFFERENT TYPES OF VIRUSES
1) Malware - Malicious activities - It destroys content on the hardware or disables network capability
2) Spyware - Gathers information - Software that aims to gather information about a person or organization in order to learn the victim's behaviour
3) Adware - Intrusive advertisements - Ads pop up and run on the computer without your permission - it may generate revenue for the hacker
4) Ransomware - Disables use of the machine until payment is made - locks the victim out of the system - it is unlocked only after monetary compensation is paid
5) Worms - Self-replicating - highly destructive
6) Trojan - Backdoor access - most intrusions require exploiting a vulnerability - provides the initial foothold
7) Rootkits - Kernel-level obfuscation - software designed to hide the fact that an OS has been compromised; rootkits let viruses and malware hide in plain sight by feeding the antivirus software false data so that they are overlooked
COMMON AV DETECTION MECHANISMS
• Signature based detection
• Anomaly or behavioural based detection
SIGNATURE BASED DETECTION
- After installing the antivirus, the user needs to stay connected to the internet in order to receive updates from the antivirus vendor; these updates are called signatures
- Malware detectors look for the exact binary sequence of the code
- For example, when a user downloads a file, all of its content (as hexadecimal bytes) is compared against the list of known virus signatures
- Once detected, the file is removed or quarantined from the computer to ensure that the computer keeps functioning normally.
ANOMALY OR BEHAVIOURAL BASED DETECTION
• It checks the running program for patterns of behaviour: it gathers information about the inspected process to work out what it does.
• If a user downloads a malicious file, instead of checking the file against the list of known viruses it checks what the attachment actually does to the computer
• Automatically deleting operating system files or any other malicious activity stands out and results in quarantine.
• All of these techniques result in a yes/no decision using a badness score
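A toy behaviour-based scorer, added here as an illustration (not code from the deck): each observed action of a process adds to a badness score and the verdict is a yes/no decision against a threshold, as the slide describes. The action names, weights, threshold and sample events are all constructed for the example.

```python
"""Toy behaviour-based detector: each observed action of a process adds to a
badness score and the verdict is a yes/no decision against a threshold.
Added illustration, not code from the deck; actions, weights, threshold and
sample events are constructed."""
from collections import defaultdict
from dataclasses import dataclass

THRESHOLD = 60  # assumed cut-off: score >= THRESHOLD means "malicious"

# Assumed weights per action; the deck gives no numbers.
ACTION_WEIGHTS = {
    "write_file": 1,
    "network_connect": 5,
    "delete_file": 2,               # ordinary delete; OS files are handled in score_event
    "modify_run_key": 25,           # autostart persistence
    "open_process": 3,              # ordinary process handle
    "disable_security_service": 50,
}
OS_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


@dataclass
class Event:
    pid: int
    action: str
    target: str = ""


def score_event(ev: Event) -> int:
    """Badness contributed by one observed action."""
    target = ev.target.lower()
    # Deleting operating-system files is the slide's example of obvious badness.
    if ev.action == "delete_file" and target.startswith(OS_DIRS):
        return 40
    # A handle to the credential store (lsass) is far worse than a normal handle.
    if ev.action == "open_process" and target.endswith("\\lsass.exe"):
        return 45
    return ACTION_WEIGHTS.get(ev.action, 0)


def score_processes(events):
    """Accumulate badness per pid; returns {pid: (score, is_malicious)}."""
    totals = defaultdict(int)
    for ev in events:
        totals[ev.pid] += score_event(ev)
    return {pid: (s, s >= THRESHOLD) for pid, s in totals.items()}


# Constructed sample telemetry for three processes (203.0.113.10 is a documentation IP).
SAMPLE_EVENTS = [
    Event(100, "write_file", "C:\\Users\\alice\\report.docx"),
    Event(100, "network_connect", "203.0.113.10:443"),
    Event(100, "delete_file", "C:\\Users\\alice\\AppData\\Local\\Temp\\~tmp1.tmp"),
    Event(200, "delete_file", "C:\\Windows\\System32\\drivers\\etc\\hosts"),
    Event(200, "modify_run_key", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"),
    Event(300, "open_process", "C:\\Windows\\System32\\lsass.exe"),
    Event(300, "write_file", "C:\\Users\\bob\\AppData\\Local\\Temp\\out.bin"),
]

if __name__ == "__main__":
    for pid, (score, bad) in score_processes(SAMPLE_EVENTS).items():
        print(f"pid {pid}: score={score} verdict={'MALICIOUS' if bad else 'clean'}")
```

Process 200 crosses the threshold (OS file deletion plus a Run key), while process 300 opens a handle to lsass.exe and still stays below it on its own. That is the tuning problem behind every badness score: set the threshold too low and analysts drown in alerts, too high and a single high-signal action slips through.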
HOW AMSI WORKS?
• The Antimalware Scan Interface lets AV vendors see PowerShell, JavaScript, VBScript, Office macros and a few other scripting formats after deobfuscation and before execution.
• The AV then gets to make the yes/no decision
• Not all AV vendors support AMSI
• Which vendors support AMSI - github.com/subat0mik/whoamsi
• If your AV vendor doesn't support AMSI, nothing is scanned on their end
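The signature-based detection slide and the AMSI slide in one added example (not code from the deck): a byte-sequence and hash scanner, and a toy script engine that hands decoded content to that scanner before executing it, which is exactly the hook point AMSI provides. The signatures are the published EICAR and Microsoft AMSI test strings (harmless by design) plus one constructed hash entry; the "b64:" script format is invented for the example.

```python
"""Toy signature scanner plus an AMSI-style pre-execution hook.
Added illustration, not code from the deck. Signatures: the EICAR test
string and Microsoft's AMSI test string (both published, harmless test
strings) plus one constructed hash; the script engine is a toy that only
understands base64-wrapped lines."""
import base64
import hashlib

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
AMSI_TEST = b"AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386"

# Exact byte-sequence signatures (the "exact binary sequence" of the slide).
BYTE_SIGNATURES = {"EICAR-Test-File": EICAR, "AMSI-Test-Sample": AMSI_TEST}
# Whole-file hash signatures; this entry is constructed from a made-up sample.
HASH_SIGNATURES = {
    hashlib.sha256(b"constructed known-bad sample").hexdigest(): "Constructed.Sample.A",
}


def scan_bytes(data: bytes):
    """Return the name of the matching signature, or None if nothing matches."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return HASH_SIGNATURES[digest]
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def run_script(script: str, amsi_enabled: bool):
    """Toy script engine: every 'b64:<payload>' line is decoded and then
    executed. With amsi_enabled the decoded content goes to the scanner
    first, i.e. after deobfuscation and before execution, like AMSI.
    Returns a list of ('blocked', signature) or ('executed', text) tuples."""
    results = []
    for line in script.splitlines():
        if not line.startswith("b64:"):
            continue
        decoded = base64.b64decode(line[4:])
        if amsi_enabled:
            hit = scan_bytes(decoded)
            if hit is not None:
                results.append(("blocked", hit))
                continue
        results.append(("executed", decoded.decode()))
    return results


def demo():
    """The three comparisons worth seeing side by side."""
    # 1. Exact byte-sequence matching fires on the raw test file ...
    plain = scan_bytes(EICAR)
    # ... but a single changed byte already misses the exact sequence.
    tampered = scan_bytes(EICAR[:-1] + b"+")
    # 2. A base64-wrapped copy contains neither signature, so the on-disk scan sees nothing.
    script = "b64:" + base64.b64encode(AMSI_TEST).decode()
    on_disk = scan_bytes(script.encode())
    # 3. The AMSI-style hook scans the decoded content before it runs.
    return {
        "plain": plain,
        "tampered": tampered,
        "on_disk": on_disk,
        "without_amsi": run_script(script, amsi_enabled=False),
        "with_amsi": run_script(script, amsi_enabled=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

demo() shows the three things to remember from these slides: an exact byte match fires on the raw test file, one changed byte is enough to miss it, and the base64-wrapped copy passes the on-disk scan but is caught by the AMSI-style hook because the scan happens after decoding and before execution. An engine that has no such hook (the "vendor doesn't support AMSI" case) only ever sees the wrapped form.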
BYPASSING SOME OF THE POPULAR ANTIVIRUS SOFTWARE
• AVIRA Free Antivirus Software and Windows Defender enabled
PAYLOADSALLTHETHINGS/POWERSHELL
INVOKE-OBFUSCATION
AVIRA AV BYPASSED!
BYPASSING SOME OF THE POPULAR ANTIVIRUS SOFTWARE (CONTD.)
• Kaspersky Total Security
MSFVENOM & SHIKATA_GA_NAI
KASPERSKY AV BYPASSED!
BETTER APPROACH
1) Use of non-malicious software in malicious ways
• Instead of Metasploit psexec - use PsExec.exe from Microsoft
• Instead of mimikatz.exe - dump LSASS memory with Task Manager and extract the passwords
Open taskmgr -> right-click lsass.exe -> Create dump file
• Instead of a hash dump, save the registry hives and extract the hashes from them
> reg.exe save HKLM\SAM C:\windows\Temp\SAM.hive
> reg.exe save HKLM\SYSTEM C:\windows\Temp\SYSTEM.hive
• Instead of meterpreter, use RDP, TeamViewer etc.
BETTER APPROACH (CONTD.)
• Run PowerShell version 2, which doesn't support AMSI, on Windows 10
• Unhook API calls so that the antivirus doesn't have any visibility
• Encrypt the payload and decrypt it at runtime (Hyperion; bypasses static signatures and emulation)
• Add extra strings to increase the goodness score
• Add extra data to go above certain thresholds
• Allowing only Microsoft-signed binaries
• LOLBINS - Living Off the Land Binaries And Scripts (https://lolbas-project.github.io) - verified AppLocker bypasses for default rules
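From the defender's side, the "non-malicious software used in malicious ways" items on these two slides leave telemetry that is straightforward to alert on. Below is an added example (not code from the deck) with detection rules for reg.exe hive saves, Task Manager LSASS dump files, non-allowlisted handles to lsass.exe and the PowerShell version-2 downgrade, run over constructed events that use Sysmon's real event IDs (1 process create, 10 process access, 11 file create) and field names. The sample paths, the allowlist and the event layout as a list of dicts are assumptions.

```python
"""Detection rules for the living-off-the-land credential-access tricks on
the previous slides, run over constructed Sysmon-like events. Added
illustration, not code from the deck; events are made up but use Sysmon's
real event IDs (1 process create, 10 process access, 11 file create) and
field names (Image, CommandLine, TargetFilename, SourceImage, TargetImage,
GrantedAccess)."""
import re

# Constructed telemetry, shaped the way a SIEM would hold Sysmon events.
SAMPLE_EVENTS = [
    {"event_id": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save HKLM\SAM C:\windows\Temp\SAM.hive"},
    {"event_id": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion"},
    {"event_id": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\lsass.DMP"},
    {"event_id": 10, "SourceImage": r"C:\Users\bob\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"event_id": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"event_id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Version 2 -NoProfile -File C:\\Users\\bob\\run.ps1"},
    {"event_id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"},
]

# reg.exe saving the SAM/SYSTEM/SECURITY hives (the deck's own commands).
HIVE_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)
# Task Manager's "Create dump file" writes <process name>.DMP under %TEMP%.
LSASS_DUMP_FILE = re.compile(r"\\lsass[^\\]*\.dmp$", re.I)
# PowerShell engine downgrade: -Version 2 / -v 2 / -Version 2.0.
PS_V2 = re.compile(r"(?:^|\s)-v(?:ersion)?\s+2(?:\.0)?\b", re.I)
# Processes that legitimately open lsass (assumption; tune per environment).
LSASS_ACCESS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read lsass memory


def detect(event):
    """Return the list of rule names one event triggers (empty if none)."""
    hits = []
    eid = event.get("event_id")
    if eid == 1:
        cmd = event.get("CommandLine", "")
        if HIVE_SAVE.search(cmd):
            hits.append("registry_hive_save")
        if event.get("Image", "").lower().endswith("\\powershell.exe") and PS_V2.search(cmd):
            hits.append("powershell_v2_downgrade")
    elif eid == 10:
        target = event.get("TargetImage", "").lower()
        source = event.get("SourceImage", "").lower()
        granted = int(event.get("GrantedAccess", "0"), 16)
        if target.endswith("\\lsass.exe") and source not in LSASS_ACCESS_ALLOWLIST \
                and granted & PROCESS_VM_READ:
            hits.append("lsass_process_access")
    elif eid == 11:
        if LSASS_DUMP_FILE.search(event.get("TargetFilename", "")):
            hits.append("lsass_dump_file")
    return hits


def run_rules(events):
    """(event index, rule name) for every hit across the event list."""
    return [(i, hit) for i, ev in enumerate(events) for hit in detect(ev)]


if __name__ == "__main__":
    for index, rule in run_rules(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The point of running signed Microsoft tools instead of Metasploit modules is that the file on disk matches no signature; the command line, the file it writes and the handle it opens still do, which is why behavioural and telemetry-based rules like these catch what a signature scanner misses. The allowlist for lsass access and the dump-file pattern are the parts that need tuning per environment (backup agents and EDR sensors open lsass legitimately).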
Q & A Session
REFERENCES
• https://www.lmgsecurity.com/common-antivirus-bypass-techniques/
• https://www.blackhillsinfosec.com/bypass-anti-virus-run-mimikatz/
• https://www.hackingarticles.in/a-detailed-guide-on-amsi-bypass/
• https://redsiege.com/tools-techniques/2021/08/bypass-sig-av/
Thank you team &
Happy weekend!
