Antivirus and .NET-ception

So I was playing around the other day with a couple of antivirus products for Windows, trying to see if I could figure out ways to evade detection (it was a slow day). I feel very ambivalent about... OK, I pretty much hate antivirus software. As an IT guy, I know that it's a necessary evil, and every once in a while it does legitimately catch something that would have infected your system, but:

  • AV software often drags down the performance of the entire system, unless you exclude so much from scanning that it practically defeats the purpose. I mean, yeah, your website probably would perform better if I excluded the entire inetpub folder, but then who's going to slow down that e-mail spam bot that you went and got yourself infected with?
  • You might as well consider the installation of AV software on your machine a permanent modification. Just try to cleanly uninstall that crap; I dare you.
  • False sense of security. Some AV products might be slightly better or worse than others, but none of them come anywhere near perfect. And none of them make up for bad habits, such as clicking on all the links in that popup window that didn't get blocked by your web browser for some reason when you went to that one website with farm animals on it... I mean... I wouldn't know anything about that.

So the European Institute for Computer Antivirus Research (EICAR) made up a string of ASCII characters that antivirus vendors and users can use to test their AV products. You can put it in a text file or in an executable file or whatever, and it is supposed to trigger the AV on your machine. Depending on your AV settings, even copying the EICAR string to your clipboard might trigger your antivirus. The "on-access" scanning in antivirus products uses a file system filter driver to intercept file I/O, typically scanning a file when an IRP_MJ_CREATE request (a create or open) is issued for it. But unless the AV product is also configured to actively scan memory and network activity, you can evade it as long as your "evil code" stays in memory and never touches the disk.
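As an added example (mine, not the post's code), here is a small PowerShell function that uses the EICAR string the way it was meant to be used: it writes the string to a file in %TEMP% and reports whether on-access scanning blocked the write, removed the file, or left it alone. The string is the public EICAR test string; the function name, the default path and the wait time are my own choices.

```powershell
# Added example, not from the original post: a check that on-access scanning
# actually reacts to the EICAR test file landing on disk.
function Test-OnAccessScan {
    param(
        [string]$Path = (Join-Path $env:TEMP 'eicar-test.txt'),  # assumed default location
        [int]$WaitSeconds = 10                                     # assumed grace period for the scanner
    )

    # Single quotes on purpose: the string contains '$', which a double-quoted
    # PowerShell string would try to expand as a variable.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

    $writeError = $null
    try {
        # Plain ASCII, no BOM, no trailing newline: the string must be the first bytes of the file.
        [System.IO.File]::WriteAllText($Path, $eicar, [System.Text.Encoding]::ASCII)
    } catch {
        # Some products refuse the write outright; that already counts as a detection.
        $writeError = $_.Exception.Message
    }

    if (-not $writeError) { Start-Sleep -Seconds $WaitSeconds }

    # Can we still open the file and read the original content back?
    $stillReadable = $false
    if (Test-Path -LiteralPath $Path) {
        try {
            $stillReadable = ([System.IO.File]::ReadAllText($Path) -eq $eicar)
        } catch {
            $stillReadable = $false   # open blocked, or quarantined between Test-Path and the read
        }
    }

    $result = [pscustomobject]@{
        Path           = $Path
        WriteBlocked   = [bool]$writeError
        FileRemoved    = -not (Test-Path -LiteralPath $Path)
        OnAccessActive = ([bool]$writeError) -or (-not $stillReadable)
    }

    # If nothing reacted, don't leave the test file lying around.
    if (Test-Path -LiteralPath $Path) {
        Remove-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    }
    $result
}

Test-OnAccessScan | Format-List
```

Because the literal is in the script, a product that scans on write may quarantine the script file itself the moment you save it; that is the same detection firing on a different file, and is itself a valid result.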

So I was playing around in PowerShell and C#, and I wrote this rather silly bit of script... er, code... or scrode? It's a PowerShell script that uses the Add-Type cmdlet to load a C# class on the fly. That C# class in turn contains code to compile some more code on the fly and turn it into an executable. (Finally the Inception reference starts to make sense.) So just for fun I download the EICAR test file from the internet (which triggers some AV products but not others, depending on how they're configured). Now that I have the evil EICAR string in memory, I compile my executable, which does not itself contain any malicious code, so it won't trigger AV. Then I run that new process and pass the EICAR data to it as a parameter. In this way I was able to get "malicious" data onto the computer and into a process that could then do whatever it wants with it, all without triggering the antivirus on the system, because the EICAR data never touched the disk.

$SourceCode = @"
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.CSharp;
using System.CodeDom.Compiler;

public class EvilClass
{
    public static void Main(string[] args)
    {
        // CodeDom C# compiler (shells out to csc.exe behind the scenes).
        var csc = new CSharpCodeProvider(new Dictionary<string, string>() { { "CompilerVersion", "v3.5" } });
        // Referenced assemblies, output path (%TEMP%\evil.exe), include debug information.
        var parameters = new CompilerParameters(new[] { "mscorlib.dll", "System.Core.dll" }, Environment.GetEnvironmentVariable("temp") + "\\evil.exe", true);
        parameters.GenerateExecutable = true;
        // The inner program just echoes whatever it was given as its first argument.
        // Doubled quotes ("") are how a literal quote is written inside a C# verbatim string.
        CompilerResults results = csc.CompileAssemblyFromSource(parameters,
        @"using System;
          using System.Reflection;
          class AnotherEvilClassInsideAnotherEvilClass
          {
              public static void Main(string[] args)
              {
                  string msg = ""Data in evil.exe Main(): "" + args[0];
                  System.Console.WriteLine(msg);
              }
          }");
        // Report any compile errors to the console.
        results.Errors.Cast<CompilerError>().ToList().ForEach(error => Console.WriteLine(error.ErrorText));
    }
}
"@

# Compile the class above into the current PowerShell session.
Add-Type -TypeDefinition $SourceCode -Language CSharp

Write-Host "Downloading some evil code from the internet and displaying it in the console..."
# Build the string byte by byte. Start from an empty string so that += concatenates
# characters; adding two [char] values would otherwise produce their numeric sum.
$evilString = ''
ForEach ($byte in $(New-Object System.Net.WebClient).DownloadData('http://eicar.org/download/eicar.com'))
{
    $evilString += [char]$byte
    Write-Host $([char]$byte) -NoNewLine -ForegroundColor Red
}
Write-Host "`nGenerating evil.exe..."
[EvilClass]::Main([String]::Empty)
Write-Host "Executing evil.exe..."
# The EICAR data reaches the new process only as a command-line argument.
& "$Env:TEMP\evil.exe" $evilString
Write-Host "Deleting evil.exe..."
Remove-Item "$Env:TEMP\evil.exe"

And here is the scrode in action:

[Screenshot: Powershell power]
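One caveat worth stating about the script above: the EICAR data stays off disk, but the code path does not. Add-Type and CSharpCodeProvider both compile by writing temporary source files to %TEMP% and launching csc.exe, and evil.exe is written there too, so the activity is visible to anything that watches process creation and file writes rather than scanning file content. The following is an added example, not part of the post: a PowerShell function that flags the two process-creation patterns this script produces (csc.exe spawned by powershell.exe, and an executable in the user's TEMP folder spawned by powershell.exe), run over a few constructed records. The field names imitate Sysmon event 1 / Security event 4688 and are my assumption, as is the sample data.

```powershell
# Added example, not from the original post. Field names (UtcTime, Image,
# ParentImage, CommandLine) imitate Sysmon event 1 and are an assumption; the
# records are constructed sample data, not real telemetry.
$records = @(
    [pscustomobject]@{
        UtcTime     = '2012-10-24 21:15:02'
        Image       = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'
        ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'csc.exe /noconfig /fullpaths @"C:\Users\alice\AppData\Local\Temp\x1y2z3.cmdline"'
    }
    [pscustomobject]@{
        UtcTime     = '2012-10-24 21:15:04'
        Image       = 'C:\Users\alice\AppData\Local\Temp\evil.exe'
        ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = '"C:\Users\alice\AppData\Local\Temp\evil.exe" <argument omitted>'
    }
    [pscustomobject]@{   # a normal build: compiler spawned by MSBuild, not flagged
        UtcTime     = '2012-10-24 21:20:11'
        Image       = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'
        ParentImage = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe'
        CommandLine = 'csc.exe /noconfig @"C:\src\app\obj\Debug\app.csproj.cmdline"'
    }
    [pscustomobject]@{   # ordinary user activity, not flagged
        UtcTime     = '2012-10-24 21:21:40'
        Image       = 'C:\Windows\System32\notepad.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'notepad.exe C:\Users\alice\notes.txt'
    }
)

function Get-InMemoryCompileIndicators {
    param([Parameter(Mandatory = $true)][object[]]$Records)

    $compilers = @('csc.exe', 'vbc.exe')
    foreach ($r in $Records) {
        $parent = (Split-Path -Leaf $r.ParentImage).ToLowerInvariant()
        $image  = (Split-Path -Leaf $r.Image).ToLowerInvariant()
        $reason = $null

        if ($parent -eq 'powershell.exe' -and $compilers -contains $image) {
            # Add-Type and CodeDom both compile by spawning the compiler from the PowerShell host.
            $reason = 'Compiler spawned by PowerShell (Add-Type / CodeDom)'
        }
        elseif ($parent -eq 'powershell.exe' -and $r.Image -like '*\AppData\Local\Temp\*.exe') {
            # A freshly built binary in the user's TEMP folder launched from the same host.
            $reason = 'Executable in user TEMP launched by PowerShell'
        }

        if ($reason) {
            [pscustomobject]@{
                UtcTime     = $r.UtcTime
                Reason      = $reason
                Image       = $r.Image
                CommandLine = $r.CommandLine
            }
        }
    }
}

# Expected: the first two records are reported, the MSBuild and notepad records are not.
Get-InMemoryCompileIndicators -Records $records | Format-Table -AutoSize -Wrap
```

A compiler spawned by PowerShell is also what every legitimate admin script that uses Add-Type looks like, so on its own it is a hunting lead rather than an alert; the combination that matters here is that compile followed within seconds by an executable launched from the same user's TEMP folder by the same PowerShell process.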

Comments (3)

Martin Marcher 10/25/2012 3:04:27 AM

I sincerely hope you do have some kind of proxy and aren't considering filtering the same content over and over again on all clients.

Why would that trigger something? A random string in itself isn't bad; it's only a problem when you try to run it. Have you tried to exec(...) or eval(...) (or whatever the similar thing in Powershell is) that piece of code? I'd be interested what your virus scanner says.

In the best case (IMHO) Windows should deny running it as it's neither signed nor on a whitelist, and the virus scanner shouldn't even get to it.

In the worst case the virus scanner sees it and lets it through (well, in the worst case you have a typo and it's actually a virus that goes undetected; it will then eat your credit card and get your cat pregnant....)

"I sincerely hope you do have some kind of proxy and aren't considering filtering the same content over and over again on all clients."

I'm not sure what you mean by this. I don't really plan on doing anything with this; I was just playing around for my own amusement.

"Why would that trigger something, a random string in itself isn't bad"

It's not a random string. It's the EICAR test string, which will trigger every major AV product as if it were a virus. Maybe you could pretend that instead of that string, the data is actually some wicked executable that was designed to wipe out your MBR.

The viruses that get my cat pregnant are the worst kind!

Thank you for commenting. :)

Martin Marcher 10/29/2012 4:16:07 PM

"It's not a random string. It's the EICAR test string, which will trigger every major AV product as if it were a virus. Maybe you could pretend that instead of that string, the data is actually some wicked executable that was designed to wipe out your MBR."

IMHO data that isn't executed cannot harm your computer, so why would an anti-virus program trigger on that. That is why I asked you to actually execute it, afaik the NX bit (http://en.wikipedia.org/wiki/NX_bit) is now common to all x86 processors so just storing the data shouldn't trigger it in any way but I'm no expert (and usually do not run stuff with Windows) so I'm happy to be corrected.

"The viruses that get my cat pregnant are the worst kind!"

Yeah, I hate those too... :)

BTW: the captcha can be cruel for non-native English speakers; sometimes the word just wouldn't come to me ;)
