Evaluation of Methods to Bypass Recent Antivirus Systems in Windows Environments
Supervisor(s): Fabian Kilger
Status: finished
Topic: Others
Author: David Maul
Submission: 2021-09-15
Type of Thesis: Bachelor thesis
Description

There is an increasing amount of complex malware emerging. This forces antivirus (AV) vendors to constantly improve and adapt their systems. Consequently, it is essential to evaluate how effective these adaptations are in order to improve them further. To assess the effectiveness of the defense, we demonstrate multiple evasion techniques against the defense methods. Each method is implemented on real-world malware files and evaluated on 13 AVs for Windows 10. Additionally, we provide possible mitigations against each evasion technique. For signature-based evasion, we present XOR and ROT encryption. In addition, we also show packing as a technique to evade signatures. We want to determine what possibly causes detection and which defense strategies the antivirus systems implement. Therefore, we also evaluate packing followed by XORing, and XORing followed by packing. This helps us determine which AVs can break the encryption or unpack the files. After the signature evasion techniques, we present two methods to evade emulators. The first technique is code stalling, and the second one is evasion with fingerprints. In the second part of the thesis, we present two evasion methods against dynamic detection. We first demonstrate injecting a portable executable into another process. The second technique we show is executing malware in Windows safe mode. We evaluate both methods and present possible mitigations.