BSides Las Vegas

Evading code emulation: Writing ridiculously obvious malware that bypasses AV (2014x8)

Premiere date: Aug 05, 2014

Code emulation is a technology capable of detecting malware for which no signature exists. It’s a powerful step in the right direction for client security, but it’s a long way from mature. This talk will demonstrate how the code emulation engine in Anti-Virus Guard (AVG) can be reverse engineered by progressively testing its features, and ultimately evading detection. The result is a Command-and-Control (C&C) bot, in a non-obfuscated Windows shell script, that AVG and many other leading AV engines will not detect. I will propose solutions on how these code emulation environments can be improved, making the detection of zero-day malware far more successful going forward. This is not a jab against AVG, as they get enormous credit for including such a powerful tool in a free antivirus client.

  • Rating #
  • Premiered: Jul 2009
  • Episodes: 351
  • Followers: 0
  • Ended
  • Unknown
  • Unknown