Evading code emulation: Writing ridiculously obvious malware that bypasses AV

BSidesLV 2014

Presented by: Kyle Adams
Date: Tuesday August 05, 2014
Time: 11:45 - 13:00
Location: Common Ground

Code emulation, a technology capable of detecting malware for which no signature exists. It’s a powerful step in the right direction for client security, but it’s a long way from mature. This talk will demonstrate how the code emulation engine in Anti-Virus Guard (AVG) can be reverse engineered by progressively testing its features, and ultimately evading detection. The result is a Command-and-Control (C&C) bot, in a non-obfuscated windows shell script, that AVG and many other leading AV engines will not detect. I will propose solutions on how these code emulation environments can be improved, making the detection of zero day malware far more successful going forward. This is not a jab against AVG, as they get enormous credit for including such a powerful tool in a free antivirus client.

Kyle Adams

Chief Software Architect for Junos WebApp Secure, Juniper Networks Kyle Adams has been involved with security since a very early age. Self-taught, he learned the basics of hacking and security defense strategies long before entering the professional world. Early on, much of his professional focus was on web security threats like SQLi, XSS, CSRF, etc…but more recently he started researching and working on products to defend against malware based threats. Kyle helped build and design the first commercial security solution based on deception and misinformation, evolving the concept of honeypot technology from a purely academic endeavor to a realistic intrusion prevention strategy (Junos WebApp Secure, formerly Mykonos). He is now working on introducing similar deception techniques as a detection and prevention methodology into the malware space.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats