Evaluating Antivirus Evasion Tools Against Bitdefender Antivirus

The document evaluates the effectiveness of 8 open source antivirus evasion tools (Veil Framework, TheFatRat, Shellter, Unicorn, Venom, Phantom-Evasion, Onelinepy and MsfMania) against Bitdefender antivirus on a virtual lab setup. Testing revealed that Phantom Evasion, Onelinepy and PayGen had the best antivirus evasion score of 50% each, while Shellter and Unicorn had the least score of 0%. In general, the research found it is a continual cat and mouse game between antivirus evasion tools and antivirus products as signatures are exposed.

Uploaded by Faisal Ali

Evaluating Antivirus Evasion Tools Against Bitdefender Antivirus

Faisal A. Garba (1), Faruk Umar Abdullahi (2), Abubakar Abba (3), Faruk Umar Yarima (4), Zahra’u Ahmad Zakari (5), Aliyu Lawan Musa (6), Kabiru Ibrahim Kunya (7), Abdulrazaq Ahmed Bello (8)

(1, 4, 5, 7) Department of Computer Science Education, Sa’adatu Rimi College of Education, Kano, Nigeria
(2) Department of ICT and Computer Science, Kano State College of Education and Preliminary Studies (KASCEPS), Kano, Nigeria
(3) Department of Computer Science, Federal College of Education, Zaria, Kaduna State, Nigeria
(6) Department of Computer Engineering, School of Technology, Kano State Polytechnic, Kano, Nigeria
(8) Department of Computer Science, Federal Polytechnic, Bauchi, Bauchi State, Nigeria

Abstract
According to International Business Machines (IBM), the average cost of a data breach as of 2021 is $4.24 million, a 6.7% increase over 2019. Over 90% of breaches were financially motivated, and organized crime groups were responsible for 80% of them. Antivirus is one of the endpoint security solutions deployed to prevent hackers from gaining access to computer systems. Hackers, however, have come up with techniques to bypass these antivirus products and gain access to these highly secured computer systems. These techniques are packaged in antivirus evasion tools that are readily available as open source software, which a novice or script-kiddie hacker can easily obtain and conveniently run to compromise a computer system with antivirus running on it. There is a need to investigate the effectiveness of these antivirus evasion tools against antivirus products. In this paper, we evaluate the effectiveness of the open source antivirus evasion tools Veil Framework, TheFatRat, Shellter, Unicorn, Venom, Phantom-Evasion, Onelinepy and MsfMania against the Bitdefender antivirus product. Bitdefender was not picked at random: antivirus solutions that emerged as the best in an online review were selected, and using a voting system based on frequency and rating, Bitdefender emerged as the best antivirus product. We set up a lab using Oracle VirtualBox on a Pop OS Linux computer as the host operating system. The lab consists of Kali Linux 2021.3 as the attacking machine, on which the antivirus evasion tools are installed, and a Windows 10 machine as the victim machine. The two machines are connected via the Bridged networking option of Oracle VirtualBox. The malicious payloads are generated on the Kali Linux attacking machine and made available to the Windows 10 machine to download via an Apache server. The Metasploit exploitation tool on Kali Linux was run and we attempted to get a remote connection using the deployed malicious payload. The free version of Bitdefender was installed on the Windows 10 victim machine and all the default Windows 10 Security features were turned off. The results reveal that Phantom Evasion, Onelinepy and PayGen have the best antivirus evasion score of 50% each. Shellter and Unicorn have the least antivirus evasion score of 0% each. This implies that antivirus evasion tools rise and fall. It is a cat and mouse game. As an antivirus evasion tool becomes popular and successful and its user base increases, there is every tendency that it will go into decline, since the signatures of its malware will be exposed to antivirus companies, who will develop a technique to combat the malware generated by that antivirus evasion tool. The continued success of an antivirus evasion tool therefore depends on a small user base and continuous maintenance and updating of the tool.

Outline
• Abstract
• Introduction
• Problem Statement
• Review of Related Works
• Method
• Results
• Discussions
• Conclusion and Future Work
• References

Introduction
• Let’s get to know what a malware is!

• What is msfvenom?

• Antivirus came to our rescue!

• Till Antivirus Evasion tools entered the scene.

• It is a cat and mouse game after all.


Introduction (cont.)
• What is the aim of this research?

Problem Statement
• Average cost of data breach as of 2021 is $4.24 million [29].

• 6.7% increase over 2019 [31].

• Over 90% of breaches were financially motivated [31];

• These systems have one or more security measures in place

• Antivirus is evaded using ...


Review of Related Works
• Evaluation of four antivirus evasion tools was carried out by [3]: AVET, peCloak.py, Shellter and Veil 3.0.
• These were evaluated against five antivirus products: Avast, Bitdefender Internet Security 2018, ESET Internet Security, McAfee Total Protection and Avira Antivirus Pro.
• AVET and Veil Evasion had the best performance.

Review of Related Works (cont.)
• Another researcher [1] evaluated antivirus evasion tools against Bitdefender (free), Kaspersky (commercial), Avast (free), AVG (free) and Avira (commercial).
• These antivirus products were tested against TheFatRat, Phantom Evasion, Hercules, Side Step and Veil Framework (version 3.1.14).
• Phantom-Evasion had the best evasion score of 65%.
• According to [1], Phantom-Evasion's success could be based on two things: it is actively developed and updated, and it is not as famous and commonly used as Veil 3.1.14.

Review of Related Works (cont.)
• The effectiveness of antivirus evasion tools was evaluated by [16].
• The evasion tools tested were: Avet, Veil 3.0, PeCloak.py, Shellter and TheFatRat.
• Avet and PeCloak.py proved to be the best antivirus evasion tools.

Review of Related Works (cont.)
• A comparison of the pyRAT and Phantom antivirus evasion tools on the Windows platform was conducted by [17].
• The study showed that pyRAT has the best antivirus evasion capability, at a rate of 67%, while Phantom has an evasion rate of 50%.
• The antivirus products tested against were: Avira, Bitdefender, Avast, Kaspersky, AVG and Panda.

Review of Related Works (cont.)

• The type of malware used for the tests in the literature …
• The core functionality of a RAT malware is to
• However, all the literature reviewed only considers the antivirus evasion capability of the RAT after it has been enhanced with an antivirus evasion tool.

Method

Figure 1: Virtual Lab Setup for the Experiments

Results: Veil Framework vs Bitdefender
| S/N | Payload | Category | Result of test with Bitdefender | Meterpreter Session | Evasion Score |
|---|---|---|---|---|---|
| 1 | autoit/shellcode_inject/flat.py | Autoit | Detected | NA | 0 |
| 2 | c/meterpreter/rev_tcp | C | Detected | NA | 0 |
| 3 | cs/meterpreter/rev_tcp | C# | Not Detected | No | 1 |
| 4 | go/shellcode_inject/virtual | Go | Detected | NA | 0 |
| 5 | lua/shellcode_inject/flat | Lua | Detected | NA | 0 |
| 6 | powershell/meterpreter/rev_tcp | Powershell | Detected | NA | 0 |
| 7 | ruby/meterpreter/rev_tcp | Ruby | Not Detected | No | 1 |
| | Total Evasion Score | | | | 2/14 |

Table 1: Results for Veil Framework vs Bitdefender

Results: TheFatRat vs Bitdefender
| S/N | Module | Payload | Detection | Meterpreter Session | Evasion Score |
|---|---|---|---|---|---|
| 1 | Create a bat file + Powershell (100% FUD) | windows/shell/reverse_tcp | Not Detected | No | 1 |
| 2 | Create a bat file + Powershell (100% FUD) | windows/meterpreter/reverse_tcp | Not Detected | No | 1 |
| 3 | Create a bat file + Powershell (100% FUD) | windows/meterpreter/reverse_http | Detected | NA | 0 |
| 4 | Create exe file with C# + Powershell (FUD 100%) | windows/shell/reverse_tcp | Detected | NA | 0 |
| 5 | Create exe file with C# + Powershell (FUD 100%) | windows/meterpreter/reverse_tcp | Detected | NA | 0 |
| 6 | Create Backdoor with C / Meterpreter_reverse_tcp (FUD 97%) | windows/meterpreter/reverse_tcp | Detected | NA | 0 |
| | Total Evasion Score | | | | 2/12 |

Table 2: Results for TheFatRat vs Bitdefender

Results: Shellter vs Bitdefender
| S/N | Payload | Detection | Meterpreter Session | Evasion Score |
|---|---|---|---|---|
| 1 | windows/meterpreter/reverse_tcp | Detected | NA | 0 |
| | Total Evasion Score | | | 0 |

Table 3: Results for Shellter vs Bitdefender

Results: Unicorn vs Bitdefender
| S/N | Payload | Detection | Meterpreter Session | Evasion Score |
|---|---|---|---|---|
| 1 | windows/meterpreter/reverse_tcp | Detected | NA | 0 |
| | Total Evasion Score | | | 0 |

Table 4: Results for Unicorn vs Bitdefender

Results: Venom vs Bitdefender
| S/N | Platform | Agent Nos. | Payload | Detection | Meterpreter Session | Evasion Score |
|---|---|---|---|---|---|---|
| 1 | Windows | 1 | windows/shell/reverse_tcp | Not Detected | No | 1 |
| 2 | Windows | 1 | windows/meterpreter/reverse_tcp_dns | Not Detected | No | 1 |
| 3 | Windows | 3 | windows/shell/reverse_tcp | Not Detected | No | 1 |
| 4 | Windows | 4 | windows/meterpreter/reverse_tcp | Detected | NA | 0 |
| 5 | Windows | 5 | windows/meterpreter/reverse_http | Detected | NA | 0 |
| 6 | Windows | 8 | windows/x64/meterpreter/reverse_tcp | Detected | NA | 0 |
| 7 | Windows | 9 | windows/x64/meterpreter/reverse_tcp | Not Detected | No | 1 |
| 8 | AMSI Powershell | 2 | Reverse OpenSSL Shell | Detected | NA | 0 |
| 9 | AMSI Powershell | 1 | Reverse TCP Shell | Detected | NA | 0 |
| | Total Evasion Score | | | | | 4/18 |

Table 5: Results for Venom vs Bitdefender


Results: Phantom-Evasion vs Bitdefender
| S/N | Module | Payload | Detection | Meterpreter Session | Evasion Score |
|---|---|---|---|---|---|
| 1 | Windows Shellcode Injection | windows/meterpreter/reverse_tcp | Not Detected | No | 1 |
| 2 | Windows Reverse Tcp Stager | windows/meterpreter/reverse_tcp | Not Detected | Yes | 2 |
| 3 | Windows Reverse Http Stager | windows/meterpreter/reverse_http | Detected | NA | 0 |
| 4 | Windows Reverse Https Stager | windows/meterpreter/reverse_https | Not Detected | No | 1 |
| | Total Evasion Score | | | | 4/8 |

Table 6: Results for Phantom-Evasion vs Bitdefender

Results: Onelinepy vs Bitdefender
| S/N | Payload | Detection | Meterpreter Session | Evasion Score |
|---|---|---|---|---|
| 1 | python/meterpreter/reverse_http | Not Detected | No | 1 |
| | Total Evasion Score | | | 1/2 |

Table 7: Results for Onelinepy vs Bitdefender

Results: MSFMania vs Bitdefender
| S/N | Payload | Injection type | Insert junk code everywhere | UPX Packer | Detection | Meterpreter Session | Evasion Score |
|---|---|---|---|---|---|---|---|
| 1 | windows/meterpreter/reverse_tcp | Local | Yes | No | Yes | NA | 0 |
| 2 | windows/meterpreter/reverse_http | Remote | Yes | Yes | No | No | 1 |
| 3 | windows/meterpreter/reverse_https | Hijack | Yes | Yes | Yes | NA | 0 |
| | Total Evasion Score | | | | | | 1/6 |

Table 8: Results for MSFMania vs Bitdefender

Results: PayGen vs Bitdefender
| S/N | Language | Payload | Detected | Meterpreter Session | Evasion Score |
|---|---|---|---|---|---|
| 1 | Python | windows/meterpreter/reverse_tcp | No | Yes | 2 |
| 2 | C# | windows/meterpreter/reverse_tcp | Yes | NA | 0 |
| | Total Evasion Score | | | | 2/4 |

Table 9: Results for PayGen vs Bitdefender

Results: Percentage Evasion Score of Selected Antivirus Evasion
Tools Against Bitdefender
| S/N | Antivirus Evasion Tool | Percentage Evasion Score |
|---|---|---|
| 1 | Veil-Framework | 14.28% |
| 2 | TheFatRat | 16.67% |
| 3 | Shellter | 0% |
| 4 | Unicorn | 0% |
| 5 | Venom | 22.22% |
| 6 | Phantom Evasion | 50% |
| 7 | Onelinepy | 50% |
| 8 | MsfMania | 16.67% |
| 9 | PayGen | 50% |

Table 10: Percentage Evasion Score of Selected Antivirus Evasion Tools Against Bitdefender

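As an added example that is not part of the slides, the following Python reproduces Table 10 from the per-payload outcomes in Tables 1 to 9. The scoring rule is inferred from those tables (the deck never states it explicitly): a detected payload scores 0, an undetected one 1, and an undetected one that also yields a Meterpreter session 2, so each payload is worth at most 2 points; the payload labels in RESULTS are abbreviated transcriptions, not tool identifiers.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Trial:
    payload: str
    detected: bool   # Bitdefender flagged the payload
    session: bool    # Meterpreter session obtained from the Windows 10 victim

def evasion_score(trial: Trial) -> int:
    # Scoring rule inferred from Tables 1-9: detected -> 0,
    # undetected -> 1, undetected with a working session -> 2.
    if trial.detected:
        return 0
    return 2 if trial.session else 1

def percentage_evasion(trials: list[Trial]) -> float:
    # Each payload is worth at most 2 points, so the denominator is 2 * n.
    if not trials:
        raise ValueError("no trials recorded")
    total = sum(evasion_score(t) for t in trials)
    return round(100 * total / (2 * len(trials)), 2)

def D(p): return Trial(p, True, False)   # detected
def U(p): return Trial(p, False, False)  # not detected, no session
def S(p): return Trial(p, False, True)   # not detected, session obtained

# Per-payload outcomes transcribed from Tables 1-9 (labels abbreviated).
RESULTS = {
    "Veil-Framework": [D("autoit flat.py"), D("c rev_tcp"), U("cs rev_tcp"), D("go virtual"),
                       D("lua flat"), D("powershell rev_tcp"), U("ruby rev_tcp")],
    "TheFatRat": [U("bat+ps shell/reverse_tcp"), U("bat+ps meterpreter/reverse_tcp"),
                  D("bat+ps meterpreter/reverse_http"), D("c# shell/reverse_tcp"),
                  D("c# meterpreter/reverse_tcp"), D("c meterpreter/reverse_tcp")],
    "Shellter": [D("windows/meterpreter/reverse_tcp")],
    "Unicorn": [D("windows/meterpreter/reverse_tcp")],
    "Venom": [U("agent1 shell/reverse_tcp"), U("agent1 reverse_tcp_dns"), U("agent3 shell/reverse_tcp"),
              D("agent4 reverse_tcp"), D("agent5 reverse_http"), D("agent8 x64/reverse_tcp"),
              U("agent9 x64/reverse_tcp"), D("AMSI OpenSSL shell"), D("AMSI TCP shell")],
    "Phantom Evasion": [U("shellcode injection"), S("reverse_tcp stager"),
                        D("reverse_http stager"), U("reverse_https stager")],
    "Onelinepy": [U("python/meterpreter/reverse_http")],
    "MsfMania": [D("local reverse_tcp"), U("remote reverse_http"), D("hijack reverse_https")],
    "PayGen": [S("python reverse_tcp"), D("c# reverse_tcp")],
}

def scoreboard() -> dict[str, float]:
    # Recomputes Table 10 from the per-payload outcomes above.
    return {tool: percentage_evasion(trials) for tool, trials in RESULTS.items()}
```

Rounding to two decimals gives 14.29% for Veil-Framework where Table 10 shows 14.28% (truncated); every other value matches the table.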
Results: Percentage Evasion Score of Selected Antivirus
Evasion Tools against Bitdefender
[Figure 2: bar chart of Percentage Evasion Score (y-axis, 0 to 60) per antivirus evasion tool (x-axis: Veil Framework, TheFatRat, Shellter, Unicorn, Venom, Phantom Evasion, Onelinepy, MSFMania, PayGen); the plotted values are those of Table 10.]

Figure 2: Percentage Evasion Score of Selected Antivirus Evasion Tools Against Bitdefender

Discussion
• … have the highest percentage evasion score of 50%.

• The antivirus evasion tools with the least evasion score ...

• Our research results agree with the work of [1] and [17].

Discussion (cont.)
• In [16] and our work, Shellter has the same evasion score of 0%.
• In [16], Veil Framework has a percentage evasion score of 0%, while in this study it has an evasion score of 14.28%, even though …
• This is not surprising, because [16] used version 3.0 while version 3.1.14 was used for this study.

Discussion (cont.)
• This agrees with the claim of [1] that regular
maintenance and update contributes to the
success factor of antivirus evasion tools.

Conclusion and Future Work
• Antivirus evasion tools rise and fall. It is a cat and mouse game.
• As an antivirus evasion tool becomes popular and successful …
• The continued success of an antivirus evasion tool therefore depends on …
• As future work, we will test the effectiveness of Windows Security features against antivirus evasion tools …
• What is the state of antivirus and antivirus evasion on Linux, Mac and Android?

References
• [1] Panagopoulos, I. (2020). Antivirus Evasion Methods. Piraeus.
• [3] Kalogranis, C. (2018). AntiVirus Software Evasion: An Evaluation of The AV Evasion. University of Piraeus.
• [16] Adam, A. S., Sufyanu, Z., Sani, T., & Idris, A. (2020). Evaluating the Effectiveness of Antivirus Evasion Tools against Windows Platform. FUDMA Journal of Sciences, 89–92.

References (cont.)
• [17] Adam, A. S., & Sufyanu, Z. (2021). Performance Comparison of PyRAT and Phantom Antivirus Software. Sule Lamido University Journal of Science and Technology, 65–72.
• [29] IBM (2021). How much does a data breach cost? Accessed: Oct. 7, 2021. https://www.ibm.com/security/data-breach
• [31] Packetlabs (Aug. 3, 2021). Cybersecurity Statistics for 2021. Accessed: Oct. 7, 2021. https://www.packetlabs.net/cybersecurity-statistics-2021/

