I was reading a thread (http://www.ethicalhacker.net/component/option,com_smf/Itemid,49/topic,925.msg2815/) on this site asking about the best anti-virus, anti-spam, anti-spyware (anti-x) software to use for learning the fundamentals of these programs.  Someone in the post made the comment that signature based anti-virus was easily defeated and that security experts should turn to behavior or heuristic based anti-virus where appropriate.  That inspired me to try and find out if I could defeat some signature based anti-virus software.

Here is the setup.  I'm using a laptop computer running Ubuntu 6.10 fully patched and with a lot of additional software.  For this example, the only software that I'll be using that isn't "out of the box" is called hexedit.  If you're using ubuntu you can update /etc/apt/sources.list to include universe repositories and execute sudo apt-get hexedit if you don't have this already installed.  I'll also be using a fully patched Windows XP desktop running Symantec Anti-virus version 10.1.0.396 using virus definitions from 12/22/2006 (revision 9).  Since I don't want to play around with actual virus files, I've decided that I'm going to use the Windows version of Netcat, which Symantec labels as a hack tool and will not allow on your filesystem.  Netcat for windows is available here: http://www.vulnwatch.org/netcat/

I started this experiment by downloading the Windows version of Netcat, and extracting nc.exe into a folder on the linux laptop.  I then ran md5sum against the file to get a hash value of the file.  Here is the output of that command.

We need to create two folders, one of the original file and one of the file that we will modify.  Put a copy of nc.exe in each folder. Now I'm going to open the file to be modified using my hex editor.  The command is very simple, hexedit nc.exe.  The command will bring up the file in hexadecimal mode.  Off to the right side you'll see any strings that are in the executable.  The following link is a screenshot of the file on my laptop. http://mavdisk.mnsu.edu/kevin/antiv/nc-before.jpg

You'll notice on the third line in the ascii column that there is a line of text, "am cannot be run in DOS mode".  I'm going to try changing that to something else.  The rationale being that by changing this line of text I will change the hash of the file without possibly destroying some function within the program.  Scroll down to line three and type new hex characters over the old ones.  In this case I incremented each hex character by one.  Thus I have changed the third line to read
Here is a screenshot of the hexeditor after my changes. http://mavdisk.mnsu.edu/kevin/antiv/nc-after.jpg

Now I'll type CTRL+w to save the changes to the file and then CTRL-c to exit hex edit.  Run md5sum against the modified file and the result is:

As you can see the hash value of the file is now radically different.  I'm also going to change the name of the file just in case that is one of the measures that is used to identify this "hack" tool.  OK, first the control test.  I'm going to attempt to copy the original unedited nc.exe to my Windows machine.  As expected Symantec has blocked the file.  A screenshot of the error is available here.  http://mavdisk.mnsu.edu/kevin/antiv/nc-reject.jpg

Now I'll move the modified and renamed version of the file over to my machine.  The renamed version is kevin.exe.  Argh, the bitter taste of failure!  Here is a screenshot to prove that my experiment has not worked. http://mavdisk.mnsu.edu/kevin/antiv/kevin-reject.jpg

So what was the point of all of this?  Well for starters, I wanted to learn how to do this, and hopefully someone here has an answer for me.  Second, if someone else wants to know how to modify a file to get around the anti-virus signatures they can read this and know that they have to find another way.  This gives other people the ability to follow my work.  Finally, it's important for everyone to know that failure is a part of learning...don't let it get you down.

I just posted this to my blog - http://blog.cutawaysecurity.com.  I hope this helps.

Recently I noticed an entry by Kevin Thompson (mn_kthompson) on the Ethical Hacker Network (EHN).  The author talked about Bypassing Signature based anti-virus software (http://www.ethicalhacker.net/component/option,com_smf/Itemid,49/topic,940.msg2845/#new).  Although Kevin is not a malware analysis expert he outlines a few initial steps that somebody might take to accomplish anti-virus evasion.  The EHN user Kev responded (http://www.ethicalhacker.net/component/option,com_smf/Itemid,49/topic,940.msg2845#msg2845) that another method to avoid detection is to use a program Packer or Crypter to modify the program.

Well, as I am also not a malware expert I decided to follow Kevin and Kev's lead and do a little modification of my own.  I followed Kevin's original thought process and downloaded netcat for Windows (http://www.vulnwatch.org/netcat/).  Next I downloaded a hexeditor for Windows (http://www.catch22.net/software/hexedit.asp) and the UPX program packer (http://upx.sourceforge.net/).  I know that the UPX packer is very common and therefore probably very predictable but I did not want to look for a unique packer that might contain some malware itself.  Lastly I needed a Windows hashing program.  Luckily I already have one install called Karen's Hasher which I found through Karenware (http://www.karenware.com/powertools/pthasher.asp). 

To get started I modified the nc.exe program by using the hexeditor to change the word "program" to "PROGRAM".  I saved this file as nc_PROGRAM.exe.  Next I used the UPX packer to pack the nc.exe program and the nc_PROGRAM.exe.  I used the following commands to convert these files. 
   - upx.exe --brute -o nc_orig_upx.exe nc.exe
   - upx.exe --brute -o nc_PROGRAM_upx.exe nc_PROGRAM.exe
   
Once the programs were packed I got the MD5 hash for each.  Here are the results:

   - nc.exe   AB41B1E2DB77CEBD9E2779110EE3915D   
   - nc_orig_upx.exe   C94BDE8E5590B4E6987FA43BDACB83DC   
   - nc_PROGRAM.exe   23575179C749575323868E5ADDCFE94C   
   - nc_PROGRAM_upx.exe   BB7F9D5453F25158C5850CFBE5F01274   

Of course, how could I be sure that all of these programs would still work properly?  I figured that as all of these programs are executables if one thing does not work then the whole thing will not work.  So, to check functionality I decided to simply ask for the help output.  I ran each program with the help (-h) options.  Each one gave me the same output so I am going to assume that each one is as functional as the other.

As I am running AVG Free on my system I do not have a good way to determine whether I would get the same results as Kevin did with Symantec's Norton Antivirus.  What I have found in my readings of forums and other documentation is the existence of a website that will analyze an uploaded file using a plethora of antivirus software.  Although I think that they included Symantec's product at one point it currently does not seem to provide this vendor.  The service I am talking about is provided by VirusTotal (http://www.virustotal.com).  The list of antivirus programs they use can be found through their "VirusTotal" (http://www.virustotal.com/en/virustotalx.html) link but this list is outdated and should not be used for reference.  One thing I should definately point out here is the fact that even by using this service to analyze a file you should be wary of the results.  VirusTotal puts it best by stating:
   
   "VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware."

The following is the output they provide when run against each file.

nc.exe -
Antivirus   Version   Update   Result
AntiVir   7.3.0.21   12.24.2006   no virus found
Authentium   4.93.8   12.22.2006   no virus found
Avast   4.7.892.0   12.21.2006   no virus found
AVG   386   12.24.2006   no virus found
BitDefender   7.2   12.24.2006   no virus found
CAT-QuickHeal   8   12.23.2006   no virus found
ClamAV   devel-20060426   12.24.2006   no virus found
DrWeb   4.33   12.24.2006   no virus found
eSafe   7.0.14.0   12.24.2006   Win32.HackTool
eTrust-InoculateIT   23.73.97   12.23.2006   no virus found
eTrust-Vet   30.3.3271   12.23.2006   no virus found
Ewido   4   12.24.2006   Not-A-Virus.RemoteAdmin.Win32.NetCat
Fortinet   2.82.0.0   12.24.2006   HackerTool/Nt110
F-Prot   3.16f   12.22.2006   no virus found
F-Prot4   4.2.1.29   12.22.2006   no virus found
Ikarus   T3.1.0.27   12.24.2006   not-a-virus:RemoteAdmin.Win32.NetCat
Kaspersky   4.0.2.24   12.24.2006   not-a-virus:RemoteAdmin.Win32.NetCat
McAfee   4925   12.22.2006   no virus found
Microsoft   1.1904   12.24.2006   no virus found
NOD32v2   1937   12.24.2006   Win32/RemoteAdmin.NetCat
Norman   5.80.02   12.22.2006   no virus found
Panda   9.0.0.4   12.24.2006   HackTool/NetCat.A
Prevx1   V2   12.24.2006   no virus found
Sophos   4.12.0   12.24.2006   NetCat
Sunbelt   2.2.907.0   12.18.2006   no virus found
TheHacker   6.0.3.136   12.24.2006   Aplicacion/NetCat
UNA   1.83   12.22.2006   Backdoor.Delf.86C0
VBA32   3.11.1   12.24.2006   Backdoor.Win32.Rbot.bdu
VirusBuster   4.3.19:9   12.23.2006   Backdoor.NetCat32.C

         
Aditional Information         
File size: 61440 bytes         
MD5: ab41b1e2db77cebd9e2779110ee3915d         
SHA1: 4122cf816aaa01e63cfb76cd151f2851bc055481         

nc_PROGRAM.exe -
Antivirus   Version   Update   Result
AntiVir   7.3.0.21   12.24.2006   no virus found
Authentium   4.93.8   12.22.2006   no virus found
Avast   4.7.892.0   12.21.2006   no virus found
AVG   386   12.24.2006   no virus found
BitDefender   7.2   12.24.2006   no virus found
CAT-QuickHeal   8   12.23.2006   no virus found
ClamAV   devel-20060426   12.24.2006   no virus found
DrWeb   4.33   12.24.2006   no virus found
eSafe   7.0.14.0   12.24.2006   no virus found
eTrust-InoculateIT   23.73.97   12.23.2006   no virus found
eTrust-Vet   30.3.3271   12.23.2006   no virus found
Ewido   4   12.24.2006   Not-A-Virus.RemoteAdmin.Win32.NetCat
Fortinet   2.82.0.0   12.24.2006   no virus found
F-Prot   3.16f   12.22.2006   no virus found
F-Prot4   4.2.1.29   12.22.2006   no virus found
Ikarus   T3.1.0.27   12.24.2006   not-a-virus:RemoteAdmin.Win32.NetCat
Kaspersky   4.0.2.24   12.24.2006   not-a-virus:RemoteAdmin.Win32.NetCat
McAfee   4925   12.22.2006   no virus found
Microsoft   1.1904   12.24.2006   no virus found
NOD32v2   1937   12.24.2006   Win32/RemoteAdmin.NetCat
Norman   5.80.02   12.22.2006   no virus found
Panda   9.0.0.4   12.24.2006   HackTool/NetCat.A
Prevx1   V2   12.24.2006   no virus found
Sophos   4.12.0   12.24.2006   NetCat
Sunbelt   2.2.907.0   12.18.2006   no virus found
TheHacker   6.0.3.136   12.24.2006   Aplicacion/NetCat
UNA   1.83   12.22.2006   Backdoor.Delf.86C0
VBA32   3.11.1   12.24.2006   Backdoor.Win32.Rbot.bdu
VirusBuster   4.3.19:9   12.23.2006   Backdoor.NetCat32.C
         
Aditional Information         
File size: 61440 bytes         
MD5: 23575179c749575323868e5addcfe94c         
SHA1: b8a93e394d7079cea568102ce96ddf69f0032d74         


nc_orig_upx.exe -
Antivirus   Version   Update   Result
AntiVir   7.3.0.21   12.24.2006   no virus found
Authentium   4.93.8   12.22.2006   no virus found
Avast   4.7.892.0   12.21.2006   no virus found
AVG   386   12.24.2006   no virus found
BitDefender   7.2   12.24.2006   no virus found
CAT-QuickHeal   8   12.23.2006   no virus found
ClamAV   devel-20060426   12.24.2006   no virus found
DrWeb   4.33   12.24.2006   no virus found
eSafe   7.0.14.0   12.24.2006   suspicious Trojan/Worm
eTrust-InoculateIT   23.73.97   12.23.2006   no virus found
eTrust-Vet   30.3.3271   12.23.2006   no virus found
Ewido   4   12.24.2006   Not-A-Virus.RemoteAdmin.Win32.NetCat
Fortinet   2.82.0.0   12.24.2006   HackerTool/Netcat
F-Prot   3.16f   12.22.2006   no virus found
F-Prot4   4.2.1.29   12.22.2006   no virus found
Ikarus   T3.1.0.27   12.24.2006   not-a-virus:RemoteAdmin.Win32.NetCat
Kaspersky   4.0.2.24   12.24.2006   not-a-virus:RemoteAdmin.Win32.NetCat
McAfee   4925   12.22.2006   no virus found
Microsoft   1.1904   12.24.2006   no virus found
NOD32v2   1937   12.24.2006   Win32/RemoteAdmin.NetCat
Norman   5.80.02   12.22.2006   no virus found
Panda   9.0.0.4   12.24.2006   HackTool/NetCat.A
Prevx1   V2   12.24.2006   no virus found
Sophos   4.12.0   12.24.2006   NetCat
Sunbelt   2.2.907.0   12.18.2006   no virus found
TheHacker   6.0.3.136   12.24.2006   no virus found
UNA   1.83   12.22.2006   Backdoor.Delf.86C0
VBA32   3.11.1   12.24.2006   Backdoor.Win32.Rbot.bdu
VirusBuster   4.3.19:9   12.23.2006   Backdoor.NetCat32.C
         
Aditional Information         
File size: 30720 bytes         
MD5: c94bde8e5590b4e6987fa43bdacb83dc         
SHA1: 34e0985479f2fbd9f723d3863917e0d4e1b7fe4e         
packers: UPX         
packers: UPX         
packers: UPX         


nc_PROGRAM_upx.exe -
Antivirus   Version   Update   Result
AntiVir   7.3.0.21   12.24.2006   no virus found
Authentium   4.93.8   12.22.2006   no virus found
Avast   4.7.892.0   12.21.2006   no virus found
AVG   386   12.24.2006   no virus found
BitDefender   7.2   12.24.2006   no virus found
CAT-QuickHeal   8   12.23.2006   no virus found
ClamAV   devel-20060426   12.24.2006   no virus found
DrWeb   4.33   12.24.2006   no virus found
eSafe   7.0.14.0   12.24.2006   suspicious Trojan/Worm
eTrust-InoculateIT   23.73.97   12.23.2006   no virus found
eTrust-Vet   30.3.3271   12.23.2006   no virus found
Ewido   4   12.24.2006   Not-A-Virus.RemoteAdmin.Win32.NetCat
Fortinet   2.82.0.0   12.24.2006   suspicious
F-Prot   3.16f   12.22.2006   no virus found
F-Prot4   4.2.1.29   12.22.2006   no virus found
Ikarus   T3.1.0.27   12.24.2006   not-a-virus:RemoteAdmin.Win32.NetCat
Kaspersky   4.0.2.24   12.24.2006   not-a-virus:RemoteAdmin.Win32.NetCat
McAfee   4925   12.22.2006   no virus found
Microsoft   1.1904   12.24.2006   no virus found
NOD32v2   1937   12.24.2006   Win32/RemoteAdmin.NetCat
Norman   5.80.02   12.22.2006   no virus found
Panda   9.0.0.4   12.24.2006   HackTool/NetCat.A
Prevx1   V2   12.24.2006   no virus found
Sophos   4.12.0   12.24.2006   NetCat
Sunbelt   2.2.907.0   12.18.2006   no virus found
TheHacker   6.0.3.136   12.24.2006   no virus found
UNA   1.83   12.22.2006   Backdoor.Delf.86C0
VBA32   3.11.1   12.24.2006   Backdoor.Win32.Rbot.bdu
VirusBuster   4.3.19:9   12.23.2006   Backdoor.NetCat32.C
         
Aditional Information         
File size: 30720 bytes         
MD5: bb7f9d5453f25158c5850cfbe5f01274         
SHA1: c841e46de25d5adfffe4c41e074c62b2e86c0faf         
packers: UPX         
packers: UPX         
packers: UPX         

So, what are the real differences here?  Not much really.  The majority of the antivirus vendors do not consider nc.exe as a malicious program.  Of the vendors that do only “eSafe” and “Fortinet” were fooled by simply modifying a few bits in the executable.  This probably means that these vendors are identifying the program by its hash signature.  Packing the original program did apparently bypass checks by “TheHacker” although it did cause “eSafe” to reclassify the program from “Win32.HackTool” to “suspicious Trojan/Worm.”  I am not sure what this actually means other than “eSafe” is identifying the fact that the program is packed and therefore labeling it as malicious.  Finally, the packet version of the modified Netcat file only changes the response of the vendor “Fortinet” which now labels the program as “suspicious.”

So, what are my conclusions from all of this?  Well, first, simple modification and packing does not seem to affect the conclusions made by the majority of antivirus vendors.  Second, it seems that the vendors “eSafe,” “Fortinet,” and “TheHacker” are not very consistent with their analysis of programs and therefore their results should be questioned or at least confirmed.  Third, the next step is to do this with a virus in a controlled environment (which I do not have so I will not be pursuing this step) to test the conclusion of the other vendors under similar circumstances.  Lastly, Kevin and Kev’s steps for initially delving into the malware field are interesting and worth recreating.  Keep up the good work.  Y’all might not have found a way to slip flagged programs by antivirus systems yet, but y’all are definitely on the right track.

Go forth and do good things,
Cutaway

Excellent post and well presented research, Cutaway.  Remember that the key to using a crypter is that it has to be a private one. If it’s a packer or crypter that the AV vender is aware of it will not defeat it. Although I was surprised that I was able to pass a Trojan through Norton’s with a crypter that is readily available on the net. Makes me wonder what they charge all the money for?  AVG free caught it , lol!  Of course you could just write a new virus that has its own unique signature that doesn’t come close to matching any known virus.  That would be the ultimate way to pass through most anti-virus programs.  But its much easier to write a unique crypter. You don’t need a lot of programming skill to do that and that’s why its attractive to underground groups.

Cutaway, your post was awesome!  I was planning to do the same work that you did after Christmas, thanks for saving me some steps and for posting such a detailed analysis of your methods and findings. 

I haven't stopped working on this yet.  I've tried a few more tricks and I've been surprised at what has worked and what hasn't.  I'd like to pass on my findings in case anyone is curious.

Today I've been messing around with appending random garbage onto netcat for windows to see if I could slip that past my antivirus software.  First, I copied nc.exe over to my linux machine, and I created a garbage file:
Then I appended the garbage file to the end of nc.exe

The resulting file, nc2.exe, runs just fine on a Windows XP machine that is not running anti-virus.  Then I copied it to my machine that is running Symantec antivirus, and surprisingly it worked!  However, just like my experiments from yesterday it only worked one time.  Soon after the program ran Symantec identified it as netcat and quarantined it.  From that point on I couldn't duplicate my results, even using new or larger garbage files.  Incidently, this trick of appending garbage to the end of the file did fool two of the programs on virustotal.com, namely esafe and fortinet.  I also tried taking my modified nc.exe and packing it with upx, but that didn't fool Symantec on my machine.  Packing the executable with garbage on the end actually made the file more recognizable by virustotal.  Every program that cutaway listed as catching his packed netcat also caught the packed netcat with garbage appended. 

From a file copy perspective, one thing that has worked consistently is to append the garbage to the front of the executable rather than the back.  Symantec has let me copy the resulting file to my machine every time.  The problem is, of course, that the executable wont run because there is nothing but gibberish for the first 512 bytes.  This is another place where a stub would be handy.  I'd like to see something that results in a valid PE (portable executable) header that instructs the operating system to skip the next 512 bytes and pick up from there.  Then I could append the garbage to the end of that and nc.exe to the end of that.  I'm not a great programmer though, and I haven't been able to find much on the web to point me in the right direction. 

I responded to a comment posted to my blog.  Here is the comment and my response.


I thought about using Eicar but I decided against it.  As I am not a malware expert, and want to focus on other things, there is really no point in moving forward with this test as I have accomplished my goal and I think I will gain more from reading the results of other more experienced malware experts (at least at this point).  Kev from Ethical Hacker has actually already done this anyway (http://www.ethicalhacker.net/component/option,com_smf/Itemid,49/topic,821.0/) I just didn't see it until after my post.  It is obvious that most antivirus vendors use more information for their signatures than simple hashes and that the most common packerts/crypters will be included in their efforts.

I think the primary goal of this experiment (at least for me) was start thinking about ways to hide programs that might be uploaded for penetration testing.  What I get out of this is that simple modification is not enough.  I will either need to write my own programs to function in the same manner as tools like Netcat, or I will have to find an exploit (remote or local) that I can then use to have Metasploit or Core Impact subvert a process for me.  I like this better because uploads and new processes will probably be logged and then there is more work to hide it all.  If I cannot get a subverted process then I will try and use as many local programs as possible before uploading any program that I know is detected by antivirus software.  I will then also probably considers some of the other aspect of anti-virus evasion methods as described in the Ethical Hacker discussion (http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,940.0/) before doing such uploads.

Thanks for your comments.
Go forth and do good things,
Cutaway