Implementation and Testing of Polymorphism in Malware Using Metasploit Framework Payloads as a Base (original title: Implementasi dan Pengujian Polimorfisme pada Malware Menggunakan Dasar Payload Metasploit Framework)
Luqman Muhammad Zagi

TL;DR
This paper explores implementing and testing polymorphism techniques on malware using the Metasploit Framework, evaluating detection methods like VT-notify, CTPH, and antivirus scanning for effectiveness.
Contribution
It introduces a method to incorporate polymorphic techniques into malware using Metasploit and evaluates detection effectiveness of various methods.
Findings
VT-notify detected no issues in the polymorphic malware
CTPH achieved an average value of 52.31% with mixed techniques
Antivirus detection varies, with behavioral detection showing potential
Abstract
Malware changes day by day and becomes more sophisticated. It is not only the complexity of the algorithm that generates the malware that grows, but also the camouflage methods. Formerly, camouflage needed only simple encryption. Now, camouflage is able to change the pattern of the code automatically. This property is called polymorphism, and it is usually used to create metamorphic and polymorphic malware. Although it has been around since 1990, it is still quite tricky to detect. In general, there are three obfuscation techniques used to create the polymorphic property: dead code insertion, register substitution, and instruction replacement. These techniques can be added to Metasploit Framework payloads via Ghost Writing Assembly to obtain ASM files. The detection methods used are VT-notify, Context Triggered Piecewise Hash (CTPH), and direct scanning with a selected antivirus. VTnotify…
Taxonomy
Topics: Advanced Malware Detection Techniques · Digital and Cyber Forensics · Information Retrieval and Data Mining
