Malicious executable files encoded into Base64 format bypass Antivirus


Sripathi Srinivasan

Nov 27, 2014, 11:06:34 AM
to null-...@googlegroups.com
When I was studying the certutil tool, a thought struck me: what if I encode malicious EXEs, for example a detectable Trojan, into Base64 format (.b64)? And I was successfully able to bypass the antivirus. Not just the antivirus software on my system, but also 55 other antivirus products, according to the results on the VirusTotal website.
But when I decoded the Base64 file back to its EXE form using the same certutil tool, the file was detected even by Windows Defender.

Isn't this a loophole/vulnerability? Does anyone have any idea why no antivirus software detects Base64 files?

Abhay Yadav

Nov 27, 2014, 1:12:24 PM
to null-...@googlegroups.com

You cannot execute the Base64-encoded file directly, so AV doesn't care about it.

--
_______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

singh sapna

Nov 27, 2014, 1:30:16 PM
to null-...@googlegroups.com
Yes, you need to convert the Base64 back to an EXE to execute it, even if you are able to bypass AV.

webDEViL

Nov 27, 2014, 1:32:03 PM
to null-...@googlegroups.com

Hahaha. Best thread in a while.

On 27 Nov 2014 22:45, "Sripathi Srinivasan" <srip...@gmail.com> wrote:

Sripathi Srinivasan

Nov 28, 2014, 7:49:02 AM
to null-...@googlegroups.com
Yeah, I agree with the fact that Base64 files are not executable unless they are converted to an executable format. But there are a few cases where they have proven to be threats, as mentioned in the following links:

Abhay Yadav

Nov 28, 2014, 8:29:17 AM
to null-...@googlegroups.com

Hello,
They are using an exploit, and the eval function is called to decode the Base64 data. If you use the same technique, AV will detect it; they will also use the eval function to decode and understand what is present in the file. If you directly send a Base64-encoded EXE it will be of no use; it's just junk. You are thinking the wrong way.


Rishi Narang

Nov 28, 2014, 8:29:54 AM
to null-...@googlegroups.com
Dear Sripathi,

You can send a 'base64' lander bypassing the AV (let's assume), but there has to be a mothership on the victim's system that can decode your lander and execute it. How will that mothership reach the victim?

Step 1 - Infect your victim with your decoder mothership that understands you (and has read your links).
Step 2 - Send as much Base64-encoded data as you want, "bypassing" AV.
Step 3 - Let the mothership decode and execute the data. (Not sure if AV will be a silent spouse as soon as it feels cheated.)

Excuse me, I am on an overdose of Interstellar and Rosetta. And married!!

Be kind,
Rishi Narang


Sripathi Srinivasan

Nov 28, 2014, 8:37:33 AM
to null-...@googlegroups.com
Hmm, that's a valid point. Thanks for the explanation :)

Sripathi Srinivasan

Nov 28, 2014, 9:04:24 AM
to null-...@googlegroups.com
I thought about this too, and I made a self-extracting archive with the following script:

%windir%\system32\cmd.exe /C "copy xyz.pdf as1.b64 & exit"
%windir%\system32\cmd.exe /C "certutil -decode as1.b64 %windir%\as.exe & del as1.b64 & "%windir%\as.exe" & del %windir%\as.exe & exit"

The PDF file xyz.pdf that you see in the first command is actually obtained by merging the binaries of the Base64-encoded EXE file and a PDF file named sample.pdf, using the following commands:
certutil -encode abc.exe abc.b64
copy /b sample.pdf+abc.b64 xyz.pdf

This could help with deploying the EXE, but it can't fool the antivirus, as you said. That's where this fails. :D
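Added example, not code from this thread: a small Python scanner that does what the replies describe AV doing, decoding Base64 runs found inside a file and checking whether they decode to a PE image, run against a constructed xyz.pdf-style file. The certutil_style_encode helper only mimics certutil -encode output, and the PDF and PE bytes are constructed samples, not real files.

```python
import base64
import binascii
import re
import struct

# Runs of Base64 text, possibly wrapped over several lines as certutil -encode writes them.
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{4}\s*){16,}(?:[A-Za-z0-9+/]{2,3}=*)?")


def certutil_style_encode(data: bytes) -> bytes:
    """Mimic certutil -encode output: PEM-style header/footer and 64-column CRLF lines."""
    body = base64.b64encode(data)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (b"-----BEGIN CERTIFICATE-----\r\n" + b"\r\n".join(lines)
            + b"\r\n-----END CERTIFICATE-----\r\n")


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has a DOS 'MZ' stub whose e_lfanew field points at the 'PE' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_encoded_pe(data: bytes) -> list:
    """Return (offset, decoded_size) for every Base64 run in data that decodes to a PE image."""
    hits = []
    for m in B64_RUN.finditer(data):
        raw = re.sub(rb"\s+", b"", m.group(0))   # drop line wrapping
        raw += b"=" * (-len(raw) % 4)            # restore padding if the run was cut short
        try:
            decoded = base64.b64decode(raw)
        except binascii.Error:
            continue
        if looks_like_pe(decoded):
            hits.append((m.start(), len(decoded)))
    return hits


# Constructed sample data (not real files): a minimal PDF with a fake PE appended the way
# 'copy /b sample.pdf+abc.b64 xyz.pdf' does, plus a clean PDF as a control.
FAKE_EXE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 32
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
XYZ_PDF = SAMPLE_PDF + certutil_style_encode(FAKE_EXE)
CLEAN_PDF = SAMPLE_PDF + certutil_style_encode(b"just some harmless text payload " * 4)

if __name__ == "__main__":
    for name, doc in (("xyz.pdf", XYZ_PDF), ("clean.pdf", CLEAN_PDF)):
        print(name, find_encoded_pe(doc))   # xyz.pdf [(80, 100)] / clean.pdf []
```

A real scanner would also try other alphabets (URL-safe Base64, hex, UTF-16 text) and recurse into decoded content, since the trick works only until something decodes the blob.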

Muhammed Shameem

Dec 5, 2014, 6:24:38 AM
to null-...@googlegroups.com
Indeed the best thread LOL.

There is no point in making any app undetectable if you cannot use it. This conversion is very similar to binding and crypting, which makes an app go FUD for transfers but not for execution.

One has to write their own custom code to make execution undetectable. It is not a vulnerability; it is the way everything is designed.

But that's a great insight.


Thanks
Shameem