Hello, welcome to the Thursday, June 10th, 2021 edition of the Sands and at Storms anders Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Jan in today's diary looked again at different simple evasion techniques for malware.

In the last diary he wrote, he compared 64-bit and 32-bit software and how differently it was

detected.

Now he looked at two different compilers, the TDM GCC compiler as well as Microsoft's own

compiler. Now he compiled three different files, a benign file,

the ACAR file, which of course just a standard pattern that should always be detected. And then,

of course, interpreter as sort of very common and not all that difficult to detect a piece of malicious code.

Turned out that actually Metterpreter was detected far more often than the ACAR pattern.

That sort of surprised me a little bit, but yes, it certainly depends on what compiler you're

using in the first test TDMGZ compiled binaries were detected much more

frequently usually than Visual C. But the two compilers were somewhat close and making some changes

to the code can easily sort of flip that balance or make it more similar.

The root of this particular behavior is likely that different compilers are optimizing

code differently. So if you're starting out with the same source code, you may end up with

different binaries. And of course, the antivirus tools, they will include signatures for very specific binaries

compiled with very specific compilers.

And then hacker by just changing some optimization settings or using a little bit an odd

compiler may be able to evade many of these signatures.

And then we got yet another interesting attack

...