I have claimed a few times that antiviruses (AV) and EDR, while necessary to have, shouldn’t be relied upon because they are ultimately quite easy to bypass, especially AVs.
This might sound like an exaggeration, and as Carl Sagan said: "extraordinary claims require extraordinary proofs". So proof is due.
Antivirus
Let’s start with AV, the easier to deceive.
Antiviruses scan executables before they are run by the user. It’s important to note that they also have very limited time to do so, in order to avoid disrupting the user experience.
Once a program has been started by the user, the AV is mostly blind; all techniques to deceive an antivirus rely on this.
Modern AVs do have some runtime/behavioral monitoring (ETW/API hooks, etc.), but it’s limited in scope and often tuned to avoid false positives.
Let’s now look at the three methods AVs use to flag files as malware.
Static Analysis
This simply consists of matching a suspected file’s fingerprint against a database of previously known threats. The fingerprint can cover the whole code or just parts of it.
The countermeasure is simple: change the malware’s code by rearranging part of the logic and adding some gibberish. Now the fingerprint is new and the file won’t be flagged.
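To make the difference between a whole-file fingerprint and a partial one concrete, here is an added example (not code from the original post). It builds a constructed "known bad" byte blob, keeps two kinds of signature for it, a SHA-256 of the whole file and a byte pattern from one region, and then scans a padded variant. The blob, the signature names and the padding are all constructed for illustration; nothing here is a real sample or a real vendor signature.

```python
"""Added example: why a whole-file hash is a brittle fingerprint and why scanners
also match on parts of a file. All bytes and names below are constructed."""
import hashlib

# Constructed "known bad" sample: a harmless byte blob standing in for a binary.
KNOWN_BAD = b"MZ\x90\x00" + b"pretend-machine-code-" * 8 + b"stage2-loader-routine"

# Two kinds of database entry an engine might keep for the same sample:
#  - an exact SHA-256 of the whole file (the "whole code" fingerprint)
#  - a byte pattern from a characteristic region (the "parts of it" fingerprint)
HASH_DB = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Constructed.Sample.A"}
PATTERN_DB = {b"stage2-loader-routine": "Constructed.Sample.A (partial)"}


def sha256_lookup(data: bytes):
    """Whole-file fingerprint check: any single-byte change defeats it."""
    return HASH_DB.get(hashlib.sha256(data).hexdigest())


def pattern_lookup(data: bytes):
    """Partial-content check: survives changes outside the matched region."""
    for pattern, name in PATTERN_DB.items():
        if pattern in data:
            return name
    return None


def scan(data: bytes) -> dict:
    """Report which of the two static checks fires for a given file."""
    return {"hash": sha256_lookup(data), "pattern": pattern_lookup(data)}


# A variant with "gibberish" appended, the kind of trivial change the text
# describes. The whole-file hash no longer matches; the partial pattern still does.
VARIANT = KNOWN_BAD + b"\x00" * 64 + b"padding-junk"

if __name__ == "__main__":
    print("original:", scan(KNOWN_BAD))
    print("variant: ", scan(VARIANT))
```

The defender's lesson is the one the text implies: a signature database that only stores whole-file hashes is defeated by any byte-level change, which is why engines also keep pattern-based (YARA-style) rules on the parts of a file that are expensive for an author to rewrite.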
Dynamic Analysis
At this stage the Antivirus runs the suspected file inside a sandbox and observes its behavior and effect. A sandbox is a secure and isolated environment that doesn’t affect the real system.
The countermeasure is once again quite easy: detect the sandbox environment and behave well while inside it.
There are multiple methods, the most common being:
- Leverage the AV’s time constraint by doing useless calculations, for instance counting to 10 billion, and only running the malicious code afterwards.
- Checking the available resources: who uses only 2 GB of RAM nowadays? Sandboxes.
- Detect the presence of processes typical of virtual environments.
- Detect the lack of human activity on the machine; sandboxes are hollow.
Heuristic Analysis
This one is a bit trickier, as it tries to estimate the risk of a suspicious file by inferring what it does from the code.
It’s important to understand that all malware uses legitimate functions (syscalls) in illegitimate ways: for example, writing to (editing) a file is exactly what ransomware does, just in rapid succession.
Heuristic analysis also tries to weigh safe against unsafe syscalls. If a program uses 100 safe calls and 1 unsafe one, it is far less suspicious than one using 10 safe and 5 unsafe.
The countermeasure here consists of iterating through multiple code changes, altering the execution flow and adding perfectly legitimate code, then testing against the antivirus for feedback. Once the file is undetected, it will remain undetected (until it gets fingerprinted) and the malware is ready to use.
It’s important to note that detection and evasion are an evolving arms race, one the defenders are yet to win.
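The safe-versus-unsafe weighing above is easy to reason about with a toy scorer. The following is an added example, not code from the original post: it scores a file's imported API calls two ways, as the ratio of unsafe to total calls (the 100:1 versus 10:5 comparison in the text) and as a severity-weighted sum that ignores safe calls entirely, then shows what happens when "perfectly legitimate code" is added to the suspicious sample. The API names are real Windows functions, but the severity labels, weights, thresholds and import lists are constructed for illustration and are not any vendor's rules.

```python
"""Added example: a toy heuristic scorer over imported API calls. Severity table,
thresholds and import lists are constructed; they are not real detection rules."""

# Constructed severity table: 0 = routinely used by benign software,
# higher = rarely needed by ordinary desktop applications.
SEVERITY = {
    "CreateFileW": 0, "ReadFile": 0, "WriteFile": 0, "CloseHandle": 0,
    "GetTickCount": 0, "MessageBoxW": 0, "RegOpenKeyExW": 0,
    "OpenProcess": 2, "VirtualAllocEx": 3, "WriteProcessMemory": 4,
    "CreateRemoteThread": 5, "SetWindowsHookExW": 3,
}
SAFE_NAMES = [name for name, sev in SEVERITY.items() if sev == 0]


def safe_calls(n: int) -> list:
    """Build a list of n safe-looking imports by cycling through the safe names."""
    return [SAFE_NAMES[i % len(SAFE_NAMES)] for i in range(n)]


def ratio_score(imports) -> float:
    """Unsafe calls as a fraction of all calls (the ratio the text describes)."""
    if not imports:
        return 0.0
    unsafe = sum(1 for i in imports if SEVERITY.get(i, 0) > 0)
    return unsafe / len(imports)


def weighted_score(imports) -> int:
    """Sum of severities, each distinct call counted once. Safe calls add nothing,
    so padding a file with legitimate code cannot lower this score."""
    return sum(SEVERITY.get(i, 0) for i in set(imports))


def verdict(imports, ratio_threshold=0.1, weight_threshold=8) -> dict:
    """Return both scores and whether each crosses its (constructed) threshold."""
    r, w = ratio_score(imports), weighted_score(imports)
    return {"ratio": round(r, 3), "ratio_flag": r >= ratio_threshold,
            "weighted": w, "weighted_flag": w >= weight_threshold}


# Constructed import lists mirroring the numbers in the text.
MOSTLY_SAFE = safe_calls(100) + ["OpenProcess"]                     # 100 safe, 1 unsafe
UNSAFE_SET = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
              "CreateRemoteThread", "SetWindowsHookExW"]
SUSPICIOUS = safe_calls(10) + UNSAFE_SET                            # 10 safe, 5 unsafe
PADDED = SUSPICIOUS + safe_calls(90)                                # same, plus legitimate code

if __name__ == "__main__":
    for name, imports in [("mostly safe", MOSTLY_SAFE), ("suspicious", SUSPICIOUS),
                          ("suspicious + padding", PADDED)]:
        print(f"{name:22s} {verdict(imports)}")
```

The ratio score flags the 10:5 sample and clears the 100:1 sample, as the text describes, but the padded sample drops under the ratio threshold even though it imports exactly the same unsafe functions. The severity-weighted score is unchanged by the padding, which is why a heuristic that only looks at proportions is the one the "add perfectly legitimate code" loop defeats first.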
Endpoint Detection & Response
EDRs are another beast, and arguably harder to deceive.
The fundamental difference is that EDRs not only apply the previous analytical methods, but also continuously monitor and correlate events from every process at runtime.
I won’t dig deeper into how they do it because it gets complex really quickly, but it’s important to understand that EDRs run with the highest privilege in the system (root/NT AUTHORITY\SYSTEM) and can’t be tampered with by processes that don’t have the same level of access. And getting that privilege is near impossible while the EDR is monitoring. Or is it?
While there are ways to fly under the radar of an EDR (another complex topic), I will explain the most reliable, dangerous and widespread countermeasure used by cybercriminals: BYOVD, or Bring Your Own Vulnerable Driver.
Bring Your Own Vulnerable Driver
Let’s take a step back: what is a driver?
A driver is a program that acts as an interface between a device and the operating system, for example the code that translates the input from your mouse into instructions Windows understands.
What makes drivers interesting in this scenario is that they also run with the highest privilege, and can therefore tamper with any process on the system, including the EDR itself.
There’s a catch. Windows, rightfully so, only allows signed and authorized drivers to be installed on the system. It’s not possible to simply write a malicious driver, load it, then shut down the EDR.
Here comes the “Bring Your Own” part: attackers pack legitimate, pre-signed and authorized drivers containing known vulnerabilities into the malware.
When the malware is executed, before doing anything nasty, it loads the driver, which goes through without issue as it is signed by Microsoft itself. Then the malware exploits the vulnerability in the driver and controls it like a puppet. It now has complete access to the system and can kill the EDR at will.
You might think the EDR will catch the “exploits the vulnerability” part, but it won’t, as that is unpredictable and stealthy by nature. The only event registered is the loading of a new, legitimate driver.
EDR vendors and Microsoft detect and revoke the certificates of drivers with known vulnerabilities, but given that there are millions of drivers, finding new ones is not a problem for a dedicated individual or group.
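Since the text points out that the driver load itself is the one event that does get registered, that is where a defender can look. Below is an added example, not code from the original post, of triaging driver load events for the BYOVD pattern. A valid signature is expected in this scenario, so it is deliberately not used as a filter; instead three signals are combined: a hash blocklist (in practice Microsoft's vulnerable driver blocklist or the LOLDrivers project), whether the driver file was loaded from a user-writable path, and whether the driver has been seen on the host before. The field names follow Sysmon Event ID 6 (DriverLoad), which records ImageLoaded, Hashes and Signature for every driver load; the events, hashes, baseline and blocklist entries are constructed placeholders, not real drivers or real indicators.

```python
"""Added example: defender-side triage of driver load events for the BYOVD pattern.
Events, hashes, baseline and blocklist values are constructed placeholders."""
import re

# Constructed blocklist keyed by lowercase SHA-256 (placeholder value, not a real hash).
BLOCKLIST = {
    "0000000000000000000000000000000000000000000000000000000000000001": "PLACEHOLDER-vuln-driver",
}

# Drivers normally live under %SystemRoot%\System32\drivers; one loaded from a
# user-writable location was almost certainly dropped by a user-mode process.
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData|Downloads)\\", re.IGNORECASE)

# Constructed baseline of driver paths previously observed on this host.
BASELINE = {"c:\\windows\\system32\\drivers\\mouclass.sys"}

# Constructed events shaped like Sysmon Event ID 6 records. Note that both drivers
# are signed: a valid signature is the expected state in BYOVD and proves nothing.
EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\mouclass.sys",
     "Hashes": "SHA256=00000000000000000000000000000000000000000000000000000000000000aa",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update_helper.sys",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000001",
     "Signed": "true", "Signature": "Example Hardware Vendor Ltd"},
]


def parse_hashes(field: str) -> dict:
    """Turn Sysmon's 'SHA256=...,MD5=...' field into {'SHA256': '...', 'MD5': '...'}."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)


def triage(event: dict) -> list:
    """Return the reasons a driver load deserves attention (empty list = nothing)."""
    reasons = []
    path = event["ImageLoaded"]
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "").lower()
    if sha256 in BLOCKLIST:
        reasons.append(f"hash on vulnerable-driver blocklist ({BLOCKLIST[sha256]})")
    if USER_WRITABLE.search(path):
        reasons.append("driver loaded from a user-writable path")
    if path.lower() not in BASELINE:
        reasons.append("driver never seen on this host before")
    return reasons


def run(events) -> dict:
    """Map each flagged driver path to its list of reasons."""
    return {e["ImageLoaded"]: r for e in events if (r := triage(e))}


if __name__ == "__main__":
    for path, reasons in run(EVENTS).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The blocklist catches only drivers that are already known to be vulnerable, which is the limitation the text describes; the path and baseline checks are what give a chance against a driver nobody has flagged yet, at the cost of needing a per-host inventory of what normally loads.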
Malware As A Service
While these techniques are not hard for a decently skilled hacker, the cybercrime market has lowered the barrier to entry to the point where anyone, with no prior coding, evasion or Windows internals knowledge, can succeed.
There are multiple criminal organizations providing malware that leverages the latest evasion techniques for a reasonable fee or a cut of the profit in the ransoms. They often also handle the crypto payments.
Takeaway
Definitely use AV and EDR: they are important defensive assets and they can prevent threats. They are particularly effective against older malware (the 99.9% they claim to stop), but under no circumstances rely on them alone for your security, especially if you do not have a dedicated SOC constantly monitoring the events.
It’s good to have emergency braking in your car, but that’s no reason to stop using your foot.
Nowadays cybersecurity seems to be all about Endpoint Detection. This is not expert driven, it’s sales driven.
Endpoint solutions are software and they are extremely scalable and profitable.
Lastly, if you’re not paying for a full EDR solution (again, you should), avoid paid antiviruses and stick to Windows Defender; it’s far better than it’s given credit for.