Exploit vs. Antivirus: It’s No Contest

In a recent blog, we talked about the recent Java vulnerability and how it was still kicking around.  The flaw has been identified as CVE-2012-0507 in the Common Vulnerabilities and Exposures database.  You might be thinking that you are still safe, as you have antivirus.  Let’s find out how well it protects you.

As of the time of this writing, the information  and patching were rather poor.  So, there is no shortage of potential victims.  It’s also no leap of faith to assume loads of people rely solely on their antivirus. So, let’s pit a Java exploit against McAfee.

For my experiments, I picked an exploit from Metasploit, a penetration tester’s tool.  It lets you deploy a rogue Web site that will push an exploit out to any visiting browser.  If successful, Metasploit will get a notification and gain control of the victim.  Below we see what it looks like when a victim visits the site from the perspective of Metasploit.

Metasploit attacking a client using the Java vulnerability CVE-2012-0507.
The attacker is able to get command prompt and issue a command on the client-victim.

The victim connected, Metasploit fed it the Java exploit, the attacker was able to get a command prompt and then perform the ver[sion] command.  This demonstrates access and control.  OK, that is the baseline.

So, what would happen if we had antivirus to protect us?  To test this, we’ll rely on Virustotal.com.  It is a site where you can submit a file and they give you the scan results using over 40 antivirus products with the latest signatures.

Main page at Virustotal.com.

This particular exploit is based upon a compressed executable, called a jar (Java archive).  The file was submitted to Virustotal.com and showed a positive result.

Virustotal detection showing 20 of 42 vendors detected an exploit

Virustotal scan results for McAfee

In this test, 20 out of 42 AV products detected it (which is not good) and McAfee did flag it.  So, out of the gate, this exploit gets stopped by about half the antivirus products, including McAfee.  Happy days for McAfee users? No, we’re just starting.

Did you ever wonder why virus detection tools have so many signatures? The bad guys update and obfuscate their code. Exploit updates change the code significantly and the result will likely evade the detection with an old signature. As well, an attacker can keep the same functionality, but change or move things around. This is obfuscation and it is done specifically for the purpose of bypassing detection.  Signatures are often very tight. Vendors are terrified of quarantining a good file, so they make the detection very specific. Alter just the right parts of a file and evasion may occur.

Obfuscation can be done in many ways.  Let’s outline some of them:

  1. Rename the file.  Yup, just rename it.  Some detection just looks at the name of a file. This could be effective with Java.  Java applications must retain their original file name, unlike almost almost other executables. But, generally, it does not evade.
  2. Remove comments.  Comments are lines in the code that tell the programmer what it is doing.  It may look like this:
    // This comment is about a really evil exploit, or
    /* This a comment about more evil exploit stuff */
    String evildata  = getParameter( “Bad stuff stored in memory” );

    Well, the fact is some antivirus locks in on this for an easy signature.  You may be able to simply delete the comment lines and evasion occurs.  Sometimes it works.
  3. Rename variables and functions in the source code. Let’s say the code has a line:
    String evildata  = getParameter( “Bad stuff stored in memory” );
    Well, rename it, like this:
    String niceinfo  = getParameter( “Bad stuff stored in memory” );
    You’ll have to do this throughout the whole application.  There may be dozens or hundreds of instances.  But, it’s a very good obfuscation method.
  4. Split values.  Let’s say you suspect that the antivirus is locking in on a value in the code, like the one below.
    String evildata =getParameter( “Bad_stuff_stored_ in_memory” );
    Try splitting it into multiple pieces, as follows.
    String evildata =getParameter( “Bad”+” _stuff stored “+”_in_memory” );
    The value will end up being the same and the program will still function, but the resulting code will be jiggled around a bit.  Perhaps the signature misses it. This technique works well.
  5. Encode values. Non-programmers are used to seeing stuff written in text.  However, real nerds know that there are many ways to write the same thing.  For example, consider the following lines that all have the same meaning:
    Regular text:         I am evil
    Hex encoded:        4920616d206576696c

    Base64 encoded:   SSBhbSBldmls
    A malicious programmer can encode certain values in the written code and have the application decode them back.  The fact is that antivirus will likely identify the text, but miss the hex or Base64 encoding of the same thing.  This is a bit harder to do, but is very effective.

Round 1

The exploit file in Metasploit was called CVE-2012-0507.jar.  I renamed it to blah.jar and sent it to Virustotal.com.  It was detected by McAfee and the same 20 vendors.  No one was fooled by this simple ploy.

Time to make changes to the contents. The jar file is really a ZIP file.  There were several files within.  One that caught my attention was named Exploit.class.  Hmm.  Exploit.class seems a tad suspicious, so I deleted it from the archive and rechecked it at Virustotal.com. Bingo!  No exploit detection.  This told me that McAfee was checking that one file. Hey, wouldn’t you?

Round 2

Let’s rename Exploit.class  to blah.class and put it back in. There was a bit of code jiggling to do, but the file was renamed and submitted to Virustotal.com.  It was detected by McAfee, but someone was fooled. The total detection was down to 19 vendors.

Round 3

There were very few comments in the code. Nothing suspicious. Let’s face it, no antivirus is going to flag // Help. Let’s move on.

Round 4

It’s time to mess with names.  In Exploit.class, every variable and function got a new name.  For example:
String data  = getParameter( “Stuff” );
was changed to
String zzzdata  = getParameter( “Stuff” );
This was done for all variables and functions. But, no luck.  Virustotal.com said McAfee found it.  The force is strong with this one. Some good news: Only 17 vendors detected it this time.

Round 5

OK. Now we’ll split some values. There were about a dozen, but one looked interesting:

String as[] = { “ACED0005757200135B4… “, “6A6563743B90CE589F…”

It looks like a nice unique value, something any antivirus would love. So, let’s cut it up into a bunch of pieces.
String as[] = { “ACED0”, “00575720”, “0135B4… “, “6A6563”, “743B90C”, “E589F…”

It was sent it to Virustotal.com and: No Detection by McAfee. And only 12 of 42 vendors could detect it.  To verify functionality, the altered files were replaced into Metasploit. The attack was run and it worked.

Recommendations for Security

Get patched. Have really good backups. There is no way antivirus is going to keep up with these threats.

If you are interested in this antivirus testing and hacking, the course Penetration Testing: Tools and Techniques includes this topic.

Randy W. Williams

Type to search blog.learningtree.com

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.