[Question] - Anti-Antivirus Checks? #192

Open
recvfrom opened this issue Sep 11, 2019 · 6 comments
@recvfrom
Contributor

Does it make sense to expand al-khaser to detect the presence of known anti-virus programs as well, since some malware will check for these and not run because of it? For example, checking for known service names, running processes, uninstaller registry keys, file paths, etc.?

Right now, some of the 'DLL Exports and Loaded DLLs' check for artifacts related to AV products, but otherwise it doesn't look like this is something al-khaser has tried to tackle.

@ayoubfaouzi
Owner

Hello @recvfrom

I have seen many times the WMI one which looks for AntiVirusProduct. I really dunno if this fits here. @gsuberland @hfiref0x what do you think?

@hfiref0x
Contributor

You mean a simple check if there is any AV installed, or detect what exactly is installed? IMO it's useless as there will always be at least 1 installed on Windows 10 (WD).

@recvfrom
Contributor Author

recvfrom commented Oct 15, 2019

I was thinking it'd be useful to replicate specific antivirus checks that malware performs so that someone could use al-khaser to determine whether their analysis environment is susceptible to any of these checks (in the same way they'd use al-khaser to know whether their environment is susceptible to known VM/debugger/sandbox detection techniques). This provides a concrete way for people to identify issues with their analysis environments and be able to take corrective action.

For example:

  • Banload [1] checks for known file paths of certain AV products:
      C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportAegle64.sys
      C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys
      C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportHades64.sys
      C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportKE64.sys
      C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys
      C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
      C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe
      C:\Program Files\Trusteer\Rapport\bin\RapportAegle.sys
      C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
      C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
      C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
      C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
      C:\Program Files\AVAST Software\Avast\AvastUI.exe
      C:\Program Files\AVAST Software\Avast\AvLaunch.exe
      C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe
      C:\Program Files\AVG\Antivirus\AvEmUpdate.exe
      C:\Program Files\AVG\Antivirus\AVGUI.exe
      C:\Program Files\AVG\Antivirus\AvLaunch.exe
  • Autumn Aperture [2] looks for running processes and service names of certain AV products:
      Processes:
        Mbam.exe
        Mbamservice.exe
        Mcshield.exe
      Services:
        Mbam
        Mbamservice
        Windefend
        Mcshield
  • This [3] malware loader seems to use window name checks to look for Emsisoft anti-malware software
  • Some versions of Ursnif [4] check the registry to determine if Phishwall is installed
  • Some malware checks for loaded modules associated with certain AV products [5] (there's currently an al-khaser check for the VM / sandbox related ones in that list)

[1] https://www.sentinelone.com/blog/cybercrime-banload-banking-malware-fraud
[2] https://blog.prevailion.com/2019/09/autumn-aperture-report.html
[3] https://twitter.com/VK_Intel/status/1123867031709863937/photo/2
[4] https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features
[5] http://www.hexacorn.com/blog/2016/07/01/enter-sandbox-part-12-the-library-of-naughty-libraries/
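The checks recvfrom lists above (file paths, process names, service names) are simple enough to replay against an analysis VM without touching the AV product itself. The script below is an added example written for this thread, not al-khaser code and not a proposed patch: it reproduces only the artifacts quoted in the comment (Banload's path list [1], Autumn Aperture's process and service names [2]) and keeps the matching logic (`evaluate`) separate from the Windows-only collectors, so the logic can be tested anywhere with a constructed `Snapshot`. The collectors are read-only observations: `os.path.exists`, the `tasklist /FO CSV` listing, and a read-only open of the service's key under `HKLM\SYSTEM\CurrentControlSet\Services`. `registered_av_products` implements the WMI `AntiVirusProduct` query mentioned earlier in the thread through PowerShell's `Get-CimInstance` (`root/SecurityCenter2` is a client-Windows namespace; on Windows Server the query returns nothing). The function and variable names are my own choices.

```python
"""Read-only probe for the AV artifacts quoted in this thread.

Added example for the discussion above; not al-khaser code. The catalog
reproduces only what the thread reports: Banload's file-path list [1] and
Autumn Aperture's process and service names [2]. Every collector only
observes the system, so it cannot interfere with an installed AV product.
"""
import csv
import os
import platform
import subprocess
from dataclasses import dataclass

BANLOAD_PATHS = [
    r"C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportAegle64.sys",
    r"C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys",
    r"C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportHades64.sys",
    r"C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportKE64.sys",
    r"C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys",
    r"C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe",
    r"C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe",
    r"C:\Program Files\Trusteer\Rapport\bin\RapportAegle.sys",
    r"C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys",
    r"C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys",
    r"C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe",
    r"C:\Program Files\Trusteer\Rapport\bin\RapportService.exe",
    r"C:\Program Files\AVAST Software\Avast\AvastUI.exe",
    r"C:\Program Files\AVAST Software\Avast\AvLaunch.exe",
    r"C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe",
    r"C:\Program Files\AVG\Antivirus\AvEmUpdate.exe",
    r"C:\Program Files\AVG\Antivirus\AVGUI.exe",
    r"C:\Program Files\AVG\Antivirus\AvLaunch.exe",
]
AUTUMN_APERTURE_PROCESSES = ["Mbam.exe", "Mbamservice.exe", "Mcshield.exe"]
AUTUMN_APERTURE_SERVICES = ["Mbam", "Mbamservice", "Windefend", "Mcshield"]

# check name -> (which Snapshot field to look in, artifacts malware looks for)
CATALOG = {
    "Banload file paths": ("files", BANLOAD_PATHS),
    "Autumn Aperture processes": ("processes", AUTUMN_APERTURE_PROCESSES),
    "Autumn Aperture services": ("services", AUTUMN_APERTURE_SERVICES),
}


@dataclass
class Snapshot:
    """Observed environment: collected on Windows, or constructed for a test."""
    files: set
    processes: set
    services: set


def evaluate(snapshot):
    """Return {check name: [artifacts present]} for every check with a hit.

    Matching is case-insensitive: Windows paths, image names and service
    names are case-insensitive, and samples mix case freely.
    """
    hits = {}
    for name, (kind, artifacts) in CATALOG.items():
        present = {s.lower() for s in getattr(snapshot, kind)}
        found = [a for a in artifacts if a.lower() in present]
        if found:
            hits[name] = found
    return hits


def collect_windows():
    """Observe the live system. Windows only; every probe is read-only."""
    import winreg  # stdlib, importable on Windows only
    files = {p for p in BANLOAD_PATHS if os.path.exists(p)}
    # tasklist /FO CSV /NH: one quoted row per process, image name first.
    listing = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                             capture_output=True, text=True, check=True).stdout
    processes = {row[0] for row in csv.reader(listing.splitlines()) if row}
    # Installed services are keys under HKLM\SYSTEM\CurrentControlSet\Services.
    # A read-only open reports installed services, running or not.
    services = set()
    for svc in AUTUMN_APERTURE_SERVICES:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                 "SYSTEM\\CurrentControlSet\\Services\\" + svc)
        except OSError:
            continue
        winreg.CloseKey(key)
        services.add(svc)
    return Snapshot(files, processes, services)


def registered_av_products():
    """The WMI check from the thread: AntiVirusProduct display names.

    Windows only, read-only; returns [] where root/SecurityCenter2 does not
    exist (Windows Server has no Security Center).
    """
    cmd = ("Get-CimInstance -Namespace root/SecurityCenter2 "
           "-ClassName AntiVirusProduct | ForEach-Object { $_.displayName }")
    result = subprocess.run(["powershell", "-NoProfile", "-Command", cmd],
                            capture_output=True, text=True)
    return [ln.strip() for ln in result.stdout.splitlines() if ln.strip()]


if __name__ == "__main__":
    if platform.system() != "Windows":
        raise SystemExit("collectors are Windows-only; evaluate() runs anywhere")
    for check, found in evaluate(collect_windows()).items():
        print(f"[!] {check}: {', '.join(found)}")
    for product in registered_av_products():
        print(f"[i] WMI AntiVirusProduct: {product}")
```

On a stock Windows 10 VM the "Windefend" service entry fires on its own, which is hfiref0x's point above: a hit means "this sample's check would trigger here", not "this environment is misconfigured", so a report of this kind is only useful per artifact, never as a single yes/no.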

@hfiref0x
Contributor

@recvfrom If you can provide a comprehensive list of these artifacts for each AV, this can be done.

@recvfrom
Contributor Author

Awesome, I'll start putting these lists together

@gsuberland
Collaborator

I'm mostly ok with us checking for the existence of anti-malware products, but I'd like to suggest right now that we should never use checks that could interfere with the functionality of those products. Part of the ongoing plan for al-khaser is to make it fit into a CI pipeline environment (I'm working on some of this at the moment) and it'd be a bad idea for us to go messing with objects/files that are part of AV in case they mess up production systems.
