Disclaimer: VirusTotal detections are weird, strings isn’t a next-gen AV, and I’m not normally a person who codes VBScript. I personally don’t expect this to work against all these engines in a lab setting, but we’ll see how that goes in Part 2.
VBScript has held a special place in my heart for years now. It was one of the first languages I learned as a kid, and I did so for the sole purpose of causing trouble on my school’s network. My mischief making was actually what originally taught me about group policy and Active Directory, so it’s funny that we’re back here again after all these years.
All that aside, I was curious about how detections around VBScript were built out. I know that sometimes the most trivial changes to code can dumbfound AV and EDR products, so I thought I’d try it out for myself.
Finding Dumb, Loud, Patient Zero
I wasn’t feeling particularly picky, so I went ahead and picked the first thing on the list with a fun name: Backdoor.VBS.Sheller.b. Upon further inspection, it’s loud enough (Shell.Run “netsh firewall add allowedprogram” etc.) and it’s dumb enough for our purposes.
Score: 30/57 detections
Changing the Hash: The Lowest Hanging Fruit
So how far can the absolute bare minimum take us? Pretty far. You’re not quite an APT yet, but you’re getting close. Seems like there’s at least a few people who took the extra step to incorporate string-based detections here.
Score: 8/57 Detections
Base64 Seems Like a Good Idea
When I think about the most base level of hiding something, I think about ROT13. But my very next thought is always Base64. From the look of it, I’m FAR from the only person who thought this was a good idea though.
Even when I try to decode just a begin strings, I get 11 detections. It appears that plenty of products decided that it’s just never a good idea to allow Base64 encoding/decoding, and that makes sense from a string-based detection standpoint.
Results: 13/57
The First Google Result for VBS Obfuscator
In my continued search on way to evade detections as quickly and easily as possible, I decided to see what I could find on the first page of Google. Once again, it appears that I’m late to the party and detections have been written out for the “hide every character of your stupid script” method.
Score: 7/57 detections
What is the Dumbest Workaround I Could Think of?
The dumbest thing I could think about was the letter ‘Z’ about one hundred times, followed by a string replace function. In longer scripts where ‘Z’ does appear, you could simply replace it with anything from unique two letter strings to emojis. A Python script can be made to generate this noise at random and create unique strings and hashes for every file created.
Much to my surprise, this actually worked extremely well on the detections side of things. This is especially embarrassing because ‘Execute’ is quite literally being passed the exact string that was detected by the other 29 engines.
Score: 1/57 detections
The Final Boss Battle
So now it’s just us versus Qihoo 360. The nice part about malware you don’t have to compile is how quick and easy it is to fuzz engines on VirusTotal.
I first split my script into a top and a bottom half, figuring I could best fight string or behavior detections by splitting the text into ever smaller chunks until I found what was causing Qihoo to flag this script. After a bit of fooling around, I learned that it wasn’t flagging any text, but rather the behavior of appending to the same string more than 10 times in a row.
Score: 0/57 detections
Conclusion
It’s safe to say that it’s not very hard to rework a known-bad sample to fool all the AV engines as they exist on VirusTotal.
In the next part of this series, we’ll create a Python script to obfuscate scripts for us (because it’s really annoying to do manually.) We’ll also write some malicious, obfuscated, free-range, bespoke, vegan VBScripts from scratch and see how they fare against some of the same products when they’re running in a less restricted lab environment.
