Malware Analysis – Bypass Static Heuristic Antivirus – All things in moderation

Malware Analysis – Bypass Static Heuristic Antivirus

In the previous post you got the basic knowledge of the two cores of an antivirus, the disassembler and the emulator, and how they work. Today I'm going to show you how to bypass the static heuristic of an antivirus.

To be honest, there is no single best way to bypass the heuristic mechanism of an antivirus, because the vendors have well-paid engineers working all day long to make their products better and better. So in this post I will use my working experience to help you see how we could deal with it. 🙂

First of all, you need to know what a heuristic mechanism is. There are two kinds of heuristic mechanism. The first is static heuristic: here the antivirus tries to analyze the suspicious software to find static information, by disassembling or analyzing each component of the file. Dynamic heuristic detects malicious files based on the behavior of the file or program, for example by hooking API calls or executing the program under an emulation framework. In this post I will focus on static heuristic.

To illustrate my point, let me take one antivirus as an example. I chose Comodo Internet Security Premium. You could download it from here to test: Download Comodo Antivirus. It costs at least $49.99.


Update it to the latest version. Then follow along with me, for education purposes. 🙂


  • Find the Comodo directory on your computer. In C:\Program Files\COMODO\COMODO Internet Security\scanners I found some interesting files.


  • I chose pe32.cav as an example. Opening it in IDA, we can see all of the functions in this DLL.


  • In the screenshot I marked ValidateImageBase in red. This function is the interesting one for us, so let's check it out.


For anyone who doesn't know, 5A4Dh means “MZ” and 4550h means “PE” (little endian). These are the two signatures of a PE file, so the function checks whether a file is a valid PE by these signatures. We could easily bypass it if we write a file without MZ, because the only reason a PE binary contains an MZ header is backwards compatibility. 🙂

  • Another function is FindPESection. Here is an overview of it:


In this function, they load the number of PE sections into r11d, and if it is equal to zero the function returns 0. With this return value, Comodo Antivirus thinks our PE is invalid and skips it. But they are wrong: we could create a file with ZERO sections that still runs as usual. 🙂
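The weakness in both ValidateImageBase and FindPESection described above is that an unexpected header value makes the scanner answer "not a PE" and move on. The scanner-side fix is to separate "not a PE at all" from "PE with an anomalous header" and treat the second case as suspicious rather than skipping it. The following is an added example of that distinction, not Comodo's code; the header offsets (e_lfanew at 0x3C, NumberOfSections as the second field of the COFF header) come from the PE format, and the sample headers are constructed inline.

```python
import struct

MZ_MAGIC = b"MZ"          # 5A4Dh, the constant checked in ValidateImageBase
PE_MAGIC = b"PE\0\0"      # 4550h followed by two zero bytes
E_LFANEW_OFFSET = 0x3C    # DOS header field holding the offset of the PE header
COFF_HEADER_SIZE = 20     # IMAGE_FILE_HEADER, directly after the 4-byte PE signature

def classify_pe(data: bytes):
    """Return (verdict, findings).

    A file is 'not a PE' only when neither signature is present. If either
    signature is there but the header is inconsistent, the file is reported
    as 'malformed PE' with the anomalies listed, so a scanner can treat it
    as suspicious instead of skipping it as non-PE."""
    if len(data) < E_LFANEW_OFFSET + 4:
        return "not a PE", []
    has_mz = data[:2] == MZ_MAGIC
    e_lfanew, = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    has_pe = (e_lfanew + 4 + COFF_HEADER_SIZE <= len(data)
              and data[e_lfanew:e_lfanew + 4] == PE_MAGIC)
    if not has_mz and not has_pe:
        return "not a PE", []
    findings = []
    if not has_mz:
        findings.append("missing MZ signature")
    if not has_pe:
        # MZ present but no PE header in range: DOS program or truncated file
        findings.append("missing PE signature")
    else:
        # NumberOfSections follows the 2-byte Machine field of IMAGE_FILE_HEADER
        num_sections, = struct.unpack_from("<H", data, e_lfanew + 4 + 2)
        if num_sections == 0:
            findings.append("zero sections")
    return ("well-formed PE" if not findings else "malformed PE"), findings

def build_header(e_magic: bytes = MZ_MAGIC, num_sections: int = 1) -> bytes:
    """Constructed sample: 64-byte DOS header, then PE signature and COFF header."""
    dos = bytearray(0x40)
    dos[:2] = e_magic
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)   # PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, num_sections, 0, 0, 0, 0xF0, 0x22)
    return bytes(dos) + PE_MAGIC + coff

if __name__ == "__main__":
    for name, sample in [("normal", build_header()),
                         ("no MZ", build_header(e_magic=b"\0\0")),
                         ("zero sections", build_header(num_sections=0)),
                         ("text file", b"hello world" * 10)]:
        print(f"{name:14s} -> {classify_pe(sample)}")
```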

  • Or we could look at the heur.cav file in the same directory and find out how the antivirus processes a file to detect malicious content. Then we could bypass it based on that knowledge.


As you can see, if we want to bypass the static heuristic of an antivirus, we must know something about reverse engineering. It is not too hard, believe me, but it will take you a lot of time. In this post I only showed you some weaknesses of an antivirus (Kaspersky, Bitdefender and other antivirus products are the same), without showing how to deal with them, for security reasons. But I am always ready to reply to your mail if you have something to ask, for education purposes. 🙂
