Malware Detection

Since the invention of the computer, there have been viruses. And since the invention of viruses, there has been the need for antivirus software: your trusty friend who protects your computer. But how does antivirus software actually detect virus files?

VirusTotal is an anti-malware website that analyzes suspicious files. It lets you check whether a file flagged as malware by the antivirus software on your computer actually is malware.

But why would someone upload a malicious file from your computer? Wouldn’t that be dangerous?

No, it is actually completely safe. In fact, VirusTotal doesn’t store actual malware files (that would be a bad idea), but instead stores the hashes of malware files. That allows users to check whether their file is a virus by comparing its hash with those in the database. In the future, if you download something you’re uncertain of, consider using VirusTotal to check it out!

DIY Malware

I have always wondered how hackers created viruses. In this lab, I explored the process of crafting viruses using the powerful MSFVenom tool in Kali Linux. By the end of this project, I gained insight into creating single and multi-payload viruses, as well as experimenting with encrypted payloads for evading anti-virus detection.

Step 0: Checking MSFVenom Installation

Before diving into the world of virus creation, I had to ensure that MSFVenom was installed on my Kali Virtual Machine. Opening a terminal, I ran the following command:

```bash
msfvenom
```

I saw the MSFVenom interface, so I was good to go!

Step 1: Creating a Simple Single-Payload Virus

To create a virus, I used MSFVenom's syntax, which includes various parameters:

```bash
msfvenom -a ARCHITECTURE --platform PLATFORM -p PAYLOAD [ARGS] -f FORMAT -o OUTPUTFILE
```

I started by crafting a basic virus that displays a message box in a Windows environment.

```bash
msfvenom -a x86 --platform windows -p windows/messagebox TEXT="Virus Executed" -f exe -o messageVirus.exe
```

This command breaks down as follows:
`-a`: Specifies the architecture (x86 in this case).
`--platform`: Chooses the target platform (windows).
`-p`: Defines the payload (windows/messagebox in this case).
`-f`: Specifies the output format (exe in this case).
`-o`: Sets the output file name (messageVirus.exe).

Now I have a single virus file, messageVirus.exe on my Kali Machine.

Step 2: Creating a Virus with Multiple Payloads

In this step, I learned how to bundle multiple payloads together. I first created a payload and then combined it with another payload using the `-c` flag.

```bash
msfvenom -a x86 --platform windows -p windows/messagebox TEXT="Virus Executed" -f raw > messageBox
```

```bash
msfvenom -c messageBox -a x86 --platform windows -p windows/speak_pwned -f exe -o pwnedVirus.exe
```

The process involves generating a raw payload file, followed by crafting a virus that includes the previously generated payload.

The payload windows/speak_pwned causes the target computer to say “You Got Pawned!” via the Windows Speech API.

Now I have a second virus file, pwnedVirus.exe on my Kali Machine.

Step 3: Creating an Encrypted Payload Virus

In this advanced step, I created a virus with an encrypted payload, aiming to bypass anti-virus detection. The following options select the encoder and the number of encoding iterations:

```bash
-e ENCODER -i NUM_EXECUTIONS
```

I then wrapped the payload in a Python file and encrypted it.

```bash
msfvenom -a x86 --platform Windows -p windows/messagebox TEXT="Encrypted Virus" -e x86/shikata_ga_nai -i 3 -f python -o messageEncrypted
```

```bash
msfvenom -c messageEncrypted -a x86 --platform windows -p windows/speak_pwned -f exe -o pyVirus.exe
```

This approach relies on an encoder such as shikata_ga_nai, applied over several iterations, for added complexity.

Now I have a third virus file, pyVirus.exe on my Kali Machine.

Checking pyVirus.exe in VirusTotal

For a deeper dive, I used the VirusTotal website to check whether the created virus files are detected by antivirus software. The file I was most curious about was pyVirus.exe. I uploaded the files to VirusTotal while staying within the Kali environment for safety.

Analysis

VirusTotal was able to detect my pyVirus.exe file as malicious. However, it went undetected by several analytic resources. I believe this occurred based on the behavior of my file and its polymorphic encryption. The encryption made the file become more complex, evading antivirus software because of the sophisticated encryption. As a result, it went undetected by some vendors and sandboxes.
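The two ideas above, hash lookup against a database of known-bad files and the way a re-encoded payload slips past it, can be shown side by side offline. This is an added example for the defender's side, not code from the lab or from VirusTotal: the two byte strings are constructed stand-ins for files (not real executables), the denylist is hypothetical, and the entropy threshold is an assumed heuristic value. An exact-hash match only fires on a byte-identical file, while a byte entropy check is one cheap static heuristic that still flags an encoded blob whose hash is new.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-ins for two files (not real executables):
# PLAIN_SAMPLE mimics an unencoded binary with long runs of padding,
# ENCODED_SAMPLE mimics an encoded payload whose bytes look random
# (built from chained SHA-256 digests so the example is deterministic).
PLAIN_SAMPLE = b"MZ" + b"\x00" * 200 + b"hello world message box" + b"\x00" * 200
ENCODED_SAMPLE = b"MZ" + b"".join(
    hashlib.sha256(bytes([i])).digest() for i in range(64)
)

# Hypothetical local denylist: SHA-256 digests of files already known to be bad.
KNOWN_BAD_SHA256 = {hashlib.sha256(PLAIN_SAMPLE).hexdigest()}


def file_hashes(data: bytes) -> dict:
    """Return the MD5, SHA-1 and SHA-256 hex digests a hash lookup would use."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def hash_lookup(data: bytes, denylist: set) -> bool:
    """Exact-match check: True only if this precise byte sequence is listed."""
    return file_hashes(data)["sha256"] in denylist


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, close to 8.0 for random-looking bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def triage(data: bytes, denylist: set, entropy_threshold: float = 7.0) -> dict:
    """Combine both checks: a hash hit is a confirmed match, high entropy is only a flag."""
    entropy = shannon_entropy(data)
    return {
        "hash_match": hash_lookup(data, denylist),
        "entropy": round(entropy, 2),
        "high_entropy": entropy >= entropy_threshold,  # assumed threshold, tune per corpus
    }


if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("encoded", ENCODED_SAMPLE)):
        print(label, triage(sample, KNOWN_BAD_SHA256))
```

The plain sample matches the denylist but has low entropy; the encoded sample has no hash match (its bytes are new) yet is flagged by the entropy heuristic, which is why a hash-only lookup like the one described for VirusTotal needs other checks beside it.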