Mutating malware is the process of changing existing malicious software without significantly altering its functionality. This is often performed to change that piece of malware’s hash (also known as the message digest). Mutation allows malware to evade signature-based antivirus (AV) solutions as these often rely heavily upon a collection of hashes in order to identify threats.
As a security professional, learning to mutate malware will allow you to better vet endpoint protection solutions as you can create unique malware – from a hash and signature perspective – for your tests.
A number of techniques and software tools can be used to mutate files to evade AV detection, from the most basic scripts to advanced commercial offerings. In your static and on-execution tests, try mutating the malware to see what impact it has on the rate of detection.
Remember that amending a PE file will change its hash which will break any integrity checking/signing. It can also stop the PE from executing so make sure you test your mutation tools work as expected. You don’t want to break the PE, only make it evade AV detection.
Basic Hash Changing
Some AV scans are based on comparing the PE’s hash value to a list of known bad files. By modifying the file’s contents slightly the hash will change and evade this detection technique. Crucially, since the main functions of the PE haven’t changed, all non-hash based detection techniques will still continue to work.
Hash Modifier (Powershell Script) – Cycles through the executables in a directory, adds a null byte to the file, calculates a new sha256 hash and then renames the file to its new hash value.
Medium Strength Packers
Packers recraft the contents of the PE using various techniques. This makes the PE appear unique and of course changes the hash, which will evade some detection techniques. Reading the contents and behaviour of the malware becomes more difficult for scanners. The result is a simple technique to bypass many traditional AV scanners. The large majority of malware in-the-wild is packed in some way to evade AV.
Mpress – free, high-performance executable packer for PE32 / PE32+ /.NET / MAC-DARWIN executable formats.
High Strength Packers / Crypters
More complex packers and crypters offer a stronger level of AV detection through more advanced techniques such as removing decryption keys and brute forcing their recreation on execution. These tools can be more complex to use and may be a commercial offering. More advanced packing is seen more commonly in targeted attacks.
VMProtect Pro – [COMMERCIAL PRODUCT] Protects code by executing it on a virtual machine with non-standard architecture that makes it extremely difficult to analyse and crack the software. Note: The free trial version of the software utilises a much more easily detectable packer than the paid product.
Hyperion v1.2 – As an innovative AV evasion technique, this crypter creates a weak key that isn’t saved, then brute forces it at runtime. To compile on Windows install MinGW, then choose the GNU C++ compiler package. Note: you’ll need to run the compiled crypter from the root of the Hyperion directory in order for dependencies to load correctly.