Researcher Bypasses Antivirus Code Emulation

A Juniper researcher explains how code emulation could potentially be bypassed with JavaScript.

Antivirus Code Emulation

LAS VEGAS—Antivirus tools have grown in sophistication and capabilities over the years, but there are still areas where they can potentially be bypassed. That's one of the key messages coming from Kyle Adams, chief software architect for Junos WebApp Secure at Juniper Networks. Adams is speaking at the BSides event here today in a session titled "Evading code emulation: Writing ridiculously obvious malware that bypasses AV."

In an interview with eWEEK, Adams explained the bypass mechanism he found and what it means for end-user security. AV vendors no longer rely simply on virus signatures to protect users. Many tools now include heuristic capabilities to try to detect malware that doesn't yet have a signature. One of the heuristic techniques used by AV vendors is code emulation, which runs code to see what happens.

"Code emulation is when the AV client tries to emulate the execution of a file before the user has an opportunity to run it," Adams said. "The code emulator will profile all the actions the file takes."

Specifically, Adams looked at the code emulation technology in the AVG platform and found that he was able to exploit it. Adams told eWEEK that he contacted AVG and did not receive a response. eWEEK received an email from an AVG spokesperson that indicated that they were not aware of the talk.

Overall, Adams gives AVG high marks. Adams said that multiple AV vendors also have code emulation, though in his analysis AVG has the best implementation.

"This is not necessarily a vulnerability in the AVG product," Adams said. "This is just how their code emulator works."

From a technical perspective, Adams wrote his own malware from scratch to bypass the AVG code emulator. He wrote his own because he didn't want it to look like an existing malware family, which might trigger an existing AV signature.

With his own custom malware, the source code of the malware is effectively hidden from the AVG scanner, and Adams said he could do whatever he wanted. Since the scanner didn't know about the malware, it couldn't log it either.

"Pretty much the way any AV works is it looks at the file before you run it," Adams said. "They are trying to judge whether the file itself is going to be malicious."

Adams added that by getting AVG to not classify a file as malware when it is first downloaded, the malware can do what it wants once it is run. That said, Adams noted that if the malware rewrites system registry keys and does other malicious system actions, it could get logged inside of Windows.

Although Adams is showing the techniques he used to bypass AVG, he stressed that he is not actually releasing any malware source code. He explained that he didn't use any exotic tools to build his malware either, and only used the free Microsoft utilities that come with Windows. The actual malware itself is written in JavaScript.

"Writing a virus in JavaScript is pretty trivial. It's a powerful technique and it can get through AV," he said. "I don't anticipate that there will be a new rush of JavaScript worms, but it's important for AV vendors to bolster up their technology."

Adams said that the main goal that he wants to achieve is to make security researchers and vendors aware of the risks and possible techniques of code emulation evasion.

"It's better that we all know how this is happening so we can start to think of new ways to address the problem," he said.

For end users, Adams suggests that regular Internet best practices are a solid defense. Those best practices include not clicking on suspicious or unknown links, particularly those in email attachments.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.


Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.