It’s a cat and mouse game
Antivirus software is no panacea for protecting against cyber-attacks, but circumventing its detection is a constantly changing game for pen testers, according to researcher Daniel Sauder.
That’s one of the reasons he’s passionate about AVET, an antivirus (AV) evasion tool he created in 2017 to target predominantly Windows machines. The utility has since been developed to also work on computers running macOS.
“In general, AV evasion works most of the time,” Sauder told The Daily Swig ahead of this year’s Black Hat USA conference, where he demonstrated his multifaceted tool on the Arsenal track.
“What we take as a first engine is Microsoft Defender because, when we can get around Defender, we can get around most other products, too.”
AVET combines multiple AV evasion techniques so that executable files can bypass Microsoft Defender.
The tool can get around both signature-based and heuristic detection in order to deliver payloads, including shellcode, executables, and DLL (dynamic-link library) files.
“So, basically, three parts are needed,” Sauder explained.
“A shellcode binder, then you have to encode or encrypt the shellcode, and sandbox evasion.”
More importantly, users of the tool can decide which techniques to deploy, from the payload retrieval method to the payload generator and its source, offering flexibility depending on the type of antivirus an attacker wants to evade.
Sauder said: “The payloads [might] be delivered from the network, and also the key, which the payload is encrypted with, can have the same delivery method.”
Lack of consistency and access to AV data presents ongoing challenges when it comes to building the tool, Sauder said.
“Some of them [AV] are a little bit smarter than a couple of years ago,” he said.
“This means that a technique that works one day won’t work another, but it’s always this cat and mouse game of attackers versus defenders, and after some time, the antivirus catches up and learns the evasion techniques.”
Sauder has worked with developer Florian Saager over the last year in adding new features to AVET.
The latest version of the tool can be found on GitHub. A companion component, AVET Fabric, provides an easy-to-use interface for beginners to experiment with their builds.
While it’s difficult to determine the scope of AVET’s use, Sauder says that many samples produced by the tool have been uploaded onto VirusTotal, the Google-owned suspicious file and URL inspection service.