
Please help


rok

Newbie

Posts: 39

Joined: Sun Apr 27, 2008 2:18 am

Post Sun Apr 27, 2008 2:31 am

Please help

I want to know how to make any programme undetectable from AVs?? Please help me!! As from this question you can guess that I am a noob gathering knowledge about these things!! But I am totally ethical, I don't believe in hacking things without permission like black hats!! And if you still think that I am lying then you can ban me right away! I have asked it for my interest and knowledge!! Please help!!

Thanx in advance!!
I beg your pardon for bad English!!! :)

RoleReversal


Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Sun Apr 27, 2008 3:47 am

Re: Please help

Rok,

Muts over at Offensive Security has released a video of a presentation at Shmoo-con where he demos exactly this practice: taking a well known piece of malware and, in a matter of minutes (scared the bejesus out of me when I saw it), creating something with the exact same functionality that AV missed.

http://www.offensive-security.com/cons/ ... shmoo.html

Hopefully this will answer your questions and give you plenty more to go exploring from there. Happy Hunting :D

rok

Newbie

Posts: 39

Joined: Sun Apr 27, 2008 2:18 am

Post Sun Apr 27, 2008 6:21 am

Re: Please help

Can't I have a tutorial for it, as it's taking loads of time to load!! :(

Kev

Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Sun Apr 27, 2008 9:59 am

Re: Please help

Basically he is encrypting part of the code of the malware in order to hide it from the AV. He uses a decoding stub to reference the source that needs to be encoded so it can function under the radar. This is similar to the way a packer/crypter works. He does it manually, which is a better way but more tedious. Crypters will do it for you automatically, but you will have less control. The better known crypters will be spotted by many AVs, but the more obscure ones still can fool a number of them. Usually small hacker groups have their own specially written crypter that is passed among its members, that is if they happen to have a decent coder in their ranks. This way of defeating AV is well known amongst hackers but really only works against simple AVs. I wrote something about this on this forum a while back when I was playing around with them in my lab:
http://www.ethicalhacker.net/component/ ... pic,821.0/
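A defender-side illustration of what Kev describes above, added here as an example and not taken from anyone's post in this thread: the encrypted body that a crypter hides behind a decoding stub is statistically very different from ordinary code or text, so a scanner that slides a window over a file and flags byte ranges with near-maximal Shannon entropy can point at packed or encrypted regions (this is one of the simple heuristics AV products apply). The sample bytes, the 7.2-bit threshold and the function names are all constructed for this example; the "packed" region is just seeded pseudo-random data standing in for ciphertext.

```python
import math
import random
from typing import List, Tuple

# Constructed sample file: a low-entropy region that imitates ordinary
# code/text, followed by a region that imitates an encrypted/packed body.
_rng = random.Random(1337)  # fixed seed so the example is reproducible
PLAIN_REGION = b"push ebp; mov ebp, esp; sub esp, 0x40; " * 40   # 1560 bytes
PACKED_REGION = bytes(_rng.getrandbits(8) for _ in range(2048))  # stand-in ciphertext
SAMPLE_BINARY = PLAIN_REGION + PACKED_REGION

# Assumed threshold: uniform random bytes score close to 8.0 bits/byte,
# native code and text usually land well below 7.
DEFAULT_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_windows(data: bytes, window: int = 512, step: int = 256,
                 threshold: float = DEFAULT_THRESHOLD) -> List[Tuple[int, float, bool]]:
    """Slide a window over the data and report (offset, entropy, flagged) per window."""
    results = []
    last_start = max(len(data) - window, 0)
    for off in range(0, last_start + 1, step):
        chunk = data[off:off + window]
        e = shannon_entropy(chunk)
        results.append((off, round(e, 3), e >= threshold))
    return results


def flagged_ranges(results: List[Tuple[int, float, bool]],
                   window: int = 512) -> List[Tuple[int, int]]:
    """Merge overlapping flagged windows into contiguous [start, end) byte ranges."""
    ranges: List[Tuple[int, int]] = []
    for off, _e, flagged in results:
        if not flagged:
            continue
        if ranges and off <= ranges[-1][1]:
            ranges[-1] = (ranges[-1][0], off + window)
        else:
            ranges.append((off, off + window))
    return ranges


if __name__ == "__main__":
    report = scan_windows(SAMPLE_BINARY)
    for off, e, flagged in report:
        print(f"offset {off:5d}  entropy {e:5.3f}  {'PACKED?' if flagged else ''}")
    print("suspicious ranges:", flagged_ranges(report))
```

On a real file you would run this per section rather than over the whole image, and treat a hit as a reason to look closer, not as a verdict: compressed resources, embedded images and legitimately packed installers score just as high, which is exactly the false-positive trade-off Kev mentions further down the thread.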

rok

Newbie

Posts: 39

Joined: Sun Apr 27, 2008 2:18 am

Post Mon Apr 28, 2008 1:03 am

Re: Please help

Thank you very much and I promise you next time I will use search option first!!!

And are there any good crypters out there which can fool AVs!! I have tried many in my lab, but each and every one has been detected by AVs or blocked by firewalls!!

Kev

Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Mon Apr 28, 2008 8:56 am

Re: Please help

The best solution is to write your own and it's not hard. If you can't then find someone that can do it for you.

RoleReversal


Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Mon Apr 28, 2008 10:24 am

Re: Please help

Kev,

I've just read the link you posted (nice work). One aspect that you picked up on was AV's inability to 'find' a uniquely packed virus.

As your initial post is now over a year old, from your experience is this still the case or is coverage just as poor as it was previously?

Kev

Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Mon Apr 28, 2008 10:50 am

Re: Please help

Thanks RoleReversal. It's getting harder to fool an enterprise-level AV with a crypter, but simple home versions are still an easy target. Email AVs that are used by Yahoo, etc. are the easiest to slip through. They are almost a joke, so please, no one reading this rely on them. When I refer to home versions, I am referring to AVs like AVG Free, etc... Enterprise level requires writing a completely new signature that is nothing at all like what might be found in the AV's signature base, so you better be on top of your programming skills or have a friend that is. If it is even slightly similar, it will trigger the AV, and that's why we are seeing more and more false positives popping up today. This is due to their so-called "heuristic" function, which can work well on some versions and very poorly on others. Attacking an enterprise-level AV with a simple encoding stub is a waste of time, at least that's my humble experience.

RoleReversal


Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Mon Apr 28, 2008 11:49 am

Re: Please help

Thanks Kev,

exactly the 'on-the-ground' viewpoint I was looking for, especially after Muts' presentation frightened me so much. Much appreciated.

rok

Newbie

Posts: 39

Joined: Sun Apr 27, 2008 2:18 am

Post Wed Apr 30, 2008 9:53 am

Re: Please help

I have seen all the posts but I want a little help to build crypters, and another thing: cryptovirology, can't that technique help in this case?
