
Bypassing Signature based anti-virus software

<<

mn_kthompson

Jr. Member

Posts: 58

Joined: Tue Sep 19, 2006 1:59 pm

Location: Mankato, MN

Post Fri Dec 22, 2006 5:16 pm

Bypassing Signature based anti-virus software

I was reading a thread (http://www.ethicalhacker.net/component/option,com_smf/Itemid,49/topic,925.msg2815/) on this site asking about the best anti-virus, anti-spam, anti-spyware (anti-x) software to use for learning the fundamentals of these programs.  Someone in the post made the comment that signature based anti-virus was easily defeated and that security experts should turn to behavior or heuristic based anti-virus where appropriate.  That inspired me to try and find out if I could defeat some signature based anti-virus software.

Here is the setup.  I'm using a laptop computer running Ubuntu 6.10 fully patched and with a lot of additional software.  For this example, the only software that I'll be using that isn't "out of the box" is called hexedit.  If you're using Ubuntu you can update /etc/apt/sources.list to include universe repositories and execute sudo apt-get hexedit if you don't have this already installed.  I'll also be using a fully patched Windows XP desktop running Symantec Anti-virus version 10.1.0.396 using virus definitions from 12/22/2006 (revision 9).  Since I don't want to play around with actual virus files, I've decided that I'm going to use the Windows version of Netcat, which Symantec labels as a hack tool and will not allow on your filesystem.  Netcat for Windows is available here: http://www.vulnwatch.org/netcat/

I started this experiment by downloading the Windows version of Netcat, and extracting nc.exe into a folder on the linux laptop.  I then ran md5sum against the file to get a hash value of the file.  Here is the output of that command.
  Code:
kevin@kevin-laptop:~$ md5sum nc.exe
ab41b1e2db77cebd9e2779110ee3915d  nc.exe
kevin@kevin-laptop:~$


We need to create two folders, one for the original file and one for the file that we will modify.  Put a copy of nc.exe in each folder. Now I'm going to open the file to be modified using my hex editor.  The command is very simple, hexedit nc.exe.  The command will bring up the file in hexadecimal mode.  Off to the right side you'll see any strings that are in the executable.  The following link is a screenshot of the file on my laptop. http://mavdisk.mnsu.edu/kevin/antiv/nc-before.jpg

You'll notice on the third line in the ascii column that there is a line of text, "am cannot be run in DOS mode".  I'm going to try changing that to something else.  The rationale being that by changing this line of text I will change the hash of the file without possibly destroying some function within the program.  Scroll down to line three and type new hex characters over the old ones.  In this case I incremented each hex character by one.  Thus I have changed the third line to read
  Code:
62 6E 20 64  62 6F 6F 70  75 20 63 66  20 73 76 6F  20 6A 6F 20  45 50 54 20  6E 70 65 66

Here is a screenshot of the hexeditor after my changes. http://mavdisk.mnsu.edu/kevin/antiv/nc-after.jpg

Now I'll type CTRL+w to save the changes to the file and then CTRL-c to exit hexedit.  Run md5sum against the modified file and the result is:
  Code:
kevin@kevin-laptop:~$ md5sum nc.exe
84fd027be431b9b2109feeb23252e180  nc.exe
kevin@kevin-laptop:~$


As you can see the hash value of the file is now radically different.  I'm also going to change the name of the file just in case that is one of the measures that is used to identify this "hack" tool.  OK, first the control test.  I'm going to attempt to copy the original unedited nc.exe to my Windows machine.  As expected Symantec has blocked the file.  A screenshot of the error is available here.  http://mavdisk.mnsu.edu/kevin/antiv/nc-reject.jpg

Now I'll move the modified and renamed version of the file over to my machine.  The renamed version is kevin.exe.  Argh, the bitter taste of failure!  Here is a screenshot to prove that my experiment has not worked. http://mavdisk.mnsu.edu/kevin/antiv/kevin-reject.jpg

So what was the point of all of this?  Well for starters, I wanted to learn how to do this, and hopefully someone here has an answer for me.  Second, if someone else wants to know how to modify a file to get around the anti-virus signatures they can read this and know that they have to find another way.  This gives other people the ability to follow my work.  Finally, it's important for everyone to know that failure is a part of learning...don't let it get you down.
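Why the stub edit above changed the hash but not the verdict, as an added example that is not code from this thread (the sample bytes, the pattern and the names SAMPLE_EXE and NETCAT_LIKE_SIG are constructed here): an MD5 of the whole file moves with any byte, while a byte-pattern signature with wildcards over the program's own code, which is what scanners use instead of plain hashes, still fires after the DOS-stub letters are bumped.

```python
import hashlib
import re

# Constructed stand-in for the front of a small Win32 executable: an MZ header,
# the DOS stub text every PE carries, and a few made-up x86 bytes standing in
# for the program's own code. A labelled sample only, not nc.exe or any real file.
DOS_STUB = b"This program cannot be run in DOS mode.\r\r\n$"
CODE = bytes.fromhex("558bec83ec106800004000e81234567833c0c9c3")
SAMPLE_EXE = (b"MZ" + b"\x90" * 62 + bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")
              + DOS_STUB + b"\x00" * 8 + b"PE\x00\x00" + b"\x00" * 16 + CODE)

# A YARA-style hex pattern over the code bytes. The ?? wildcards cover the
# frame size, the pushed address and the call displacement, which legitimately
# differ between builds, so the signature keys on the opcode skeleton only.
NETCAT_LIKE_SIG = "55 8b ec 83 ec ?? 68 ?? ?? ?? ?? e8 ?? ?? ?? ?? 33 c0 c9 c3"


def md5_hex(blob):
    return hashlib.md5(blob).hexdigest()


def increment_letters(blob, start, length):
    """Mirror the hexedit change from the post: each ASCII letter in the run is
    bumped by one (a->b, D->E); spaces and other bytes are left alone."""
    edited = bytearray(blob)
    for i in range(start, start + length):
        if edited[i:i + 1].isalpha():
            edited[i] += 1
    return bytes(edited)


def compile_signature(pattern):
    """Turn a hex string with ?? wildcards into a regex over bytes."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(blob, pattern=NETCAT_LIKE_SIG):
    """Return (md5 hex digest, True if the pattern signature fires)."""
    return md5_hex(blob), compile_signature(pattern).search(blob) is not None


def build_variants():
    """The original image, the post's DOS-stub edit, and a rebuilt image whose
    pushed address differs (the kind of variation a wildcard has to absorb)."""
    stub_at = SAMPLE_EXE.index(b"am cannot be run in DOS mode")
    edited = increment_letters(SAMPLE_EXE, stub_at, 28)
    rebuilt = SAMPLE_EXE.replace(bytes.fromhex("6800004000"), bytes.fromhex("6800104000"))
    return {"original": SAMPLE_EXE, "stub_edited": edited, "rebuilt": rebuilt}


def compare():
    """Every variant gets a new md5, yet the pattern signature fires on all three."""
    return {name: scan(blob) for name, blob in build_variants().items()}


if __name__ == "__main__":
    for name, (digest, hit) in compare().items():
        print(f"{name:12s} md5={digest} signature_hit={hit}")
```

The stub_edited variant reproduces the post's hex line exactly ("bn dboopu cf svo jo EPT npef"), so renaming or re-hashing the file is irrelevant to an engine that looks at the code bytes.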
<<

Kev

Post Fri Dec 22, 2006 7:43 pm

Re: Bypassing Signature based anti-virus software

Good post and it's important to always try stuff out on your lab. Actually, I made a post concerning defeating anti-virus using my lab also:
http://www.ethicalhacker.net/component/ ... pic,821.0/

For me, changing hex values is not nearly as fruitful as using packer / crypter.  If it’s a crypter you have written yourself, or pay someone to, you will defeat virtually every anti-virus out there.  Unfortunately, "heuristic" scanning is just the Anti-virus making alerts on what it sees as a near or possible match to the signature.  This really is not much better and can be a pain when it gives false positives. The best method would be to run a real memory scan and determine what a particular executable's behavior is. No major anti-virus vendor does that at this point in time.
<<

Cutaway

Jr. Member

Posts: 96

Joined: Mon Nov 20, 2006 5:02 pm

Post Sun Dec 24, 2006 3:07 pm

Re: Bypassing Signature based anti-virus software

I just posted this to my blog - http://blog.cutawaysecurity.com. I hope this helps.

Recently I noticed an entry by Kevin Thompson (mn_kthompson) on the Ethical Hacker Network (EHN).  The author talked about Bypassing Signature based anti-virus software (http://www.ethicalhacker.net/component/ ... g2845/#new).  Although Kevin is not a malware analysis expert he outlines a few initial steps that somebody might take to accomplish anti-virus evasion.  The EHN user Kev responded (http://www.ethicalhacker.net/component/ ... 45#msg2845) that another method to avoid detection is to use a program Packer or Crypter to modify the program.

Well, as I am also not a malware expert I decided to follow Kevin and Kev's lead and do a little modification of my own.  I followed Kevin's original thought process and downloaded netcat for Windows (http://www.vulnwatch.org/netcat/).  Next I downloaded a hexeditor for Windows (http://www.catch22.net/software/hexedit.asp) and the UPX program packer (http://upx.sourceforge.net/).  I know that the UPX packer is very common and therefore probably very predictable but I did not want to look for a unique packer that might contain some malware itself.  Lastly I needed a Windows hashing program.  Luckily I already have one installed called Karen's Hasher which I found through Karenware (http://www.karenware.com/powertools/pthasher.asp).

To get started I modified the nc.exe program by using the hexeditor to change the word "program" to "PROGRAM".  I saved this file as nc_PROGRAM.exe.  Next I used the UPX packer to pack the nc.exe program and the nc_PROGRAM.exe.  I used the following commands to convert these files. 
  - upx.exe --brute -o nc_orig_upx.exe nc.exe
  - upx.exe --brute -o nc_PROGRAM_upx.exe nc_PROGRAM.exe
 
Once the programs were packed I got the MD5 hash for each.  Here are the results:

  - nc.exe AB41B1E2DB77CEBD9E2779110EE3915D
  - nc_orig_upx.exe C94BDE8E5590B4E6987FA43BDACB83DC
  - nc_PROGRAM.exe 23575179C749575323868E5ADDCFE94C
  - nc_PROGRAM_upx.exe BB7F9D5453F25158C5850CFBE5F01274

Of course, how could I be sure that all of these programs would still work properly?  I figured that as all of these programs are executables if one thing does not work then the whole thing will not work.  So, to check functionality I decided to simply ask for the help output.  I ran each program with the help (-h) options.  Each one gave me the same output so I am going to assume that each one is as functional as the other.

As I am running AVG Free on my system I do not have a good way to determine whether I would get the same results as Kevin did with Symantec's Norton Antivirus.  What I have found in my readings of forums and other documentation is the existence of a website that will analyze an uploaded file using a plethora of antivirus software.  Although I think that they included Symantec's product at one point it currently does not seem to provide this vendor.  The service I am talking about is provided by VirusTotal (http://www.virustotal.com).  The list of antivirus programs they use can be found through their "VirusTotal" (http://www.virustotal.com/en/virustotalx.html) link but this list is outdated and should not be used for reference.  One thing I should definitely point out here is the fact that even by using this service to analyze a file you should be wary of the results.  VirusTotal puts it best by stating:
 
  "VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware."

The following is the output they provide when run against each file.

nc.exe -
Antivirus Version Update Result
AntiVir 7.3.0.21 12.24.2006 no virus found
Authentium 4.93.8 12.22.2006 no virus found
Avast 4.7.892.0 12.21.2006 no virus found
AVG 386 12.24.2006 no virus found
BitDefender 7.2 12.24.2006 no virus found
CAT-QuickHeal 8 12.23.2006 no virus found
ClamAV devel-20060426 12.24.2006 no virus found
DrWeb 4.33 12.24.2006 no virus found
eSafe 7.0.14.0 12.24.2006 Win32.HackTool
eTrust-InoculateIT 23.73.97 12.23.2006 no virus found
eTrust-Vet 30.3.3271 12.23.2006 no virus found
Ewido 4 12.24.2006 Not-A-Virus.RemoteAdmin.Win32.NetCat
Fortinet 2.82.0.0 12.24.2006 HackerTool/Nt110
F-Prot 3.16f 12.22.2006 no virus found
F-Prot4 4.2.1.29 12.22.2006 no virus found
Ikarus T3.1.0.27 12.24.2006 not-a-virus:RemoteAdmin.Win32.NetCat
Kaspersky 4.0.2.24 12.24.2006 not-a-virus:RemoteAdmin.Win32.NetCat
McAfee 4925 12.22.2006 no virus found
Microsoft 1.1904 12.24.2006 no virus found
NOD32v2 1937 12.24.2006 Win32/RemoteAdmin.NetCat
Norman 5.80.02 12.22.2006 no virus found
Panda 9.0.0.4 12.24.2006 HackTool/NetCat.A
Prevx1 V2 12.24.2006 no virus found
Sophos 4.12.0 12.24.2006 NetCat
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.136 12.24.2006 Aplicacion/NetCat
UNA 1.83 12.22.2006 Backdoor.Delf.86C0
VBA32 3.11.1 12.24.2006 Backdoor.Win32.Rbot.bdu
VirusBuster 4.3.19:9 12.23.2006 Backdoor.NetCat32.C


Additional Information
File size: 61440 bytes
MD5: ab41b1e2db77cebd9e2779110ee3915d
SHA1: 4122cf816aaa01e63cfb76cd151f2851bc055481

nc_PROGRAM.exe -
Antivirus Version Update Result
AntiVir 7.3.0.21 12.24.2006 no virus found
Authentium 4.93.8 12.22.2006 no virus found
Avast 4.7.892.0 12.21.2006 no virus found
AVG 386 12.24.2006 no virus found
BitDefender 7.2 12.24.2006 no virus found
CAT-QuickHeal 8 12.23.2006 no virus found
ClamAV devel-20060426 12.24.2006 no virus found
DrWeb 4.33 12.24.2006 no virus found
eSafe 7.0.14.0 12.24.2006 no virus found
eTrust-InoculateIT 23.73.97 12.23.2006 no virus found
eTrust-Vet 30.3.3271 12.23.2006 no virus found
Ewido 4 12.24.2006 Not-A-Virus.RemoteAdmin.Win32.NetCat
Fortinet 2.82.0.0 12.24.2006 no virus found
F-Prot 3.16f 12.22.2006 no virus found
F-Prot4 4.2.1.29 12.22.2006 no virus found
Ikarus T3.1.0.27 12.24.2006 not-a-virus:RemoteAdmin.Win32.NetCat
Kaspersky 4.0.2.24 12.24.2006 not-a-virus:RemoteAdmin.Win32.NetCat
McAfee 4925 12.22.2006 no virus found
Microsoft 1.1904 12.24.2006 no virus found
NOD32v2 1937 12.24.2006 Win32/RemoteAdmin.NetCat
Norman 5.80.02 12.22.2006 no virus found
Panda 9.0.0.4 12.24.2006 HackTool/NetCat.A
Prevx1 V2 12.24.2006 no virus found
Sophos 4.12.0 12.24.2006 NetCat
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.136 12.24.2006 Aplicacion/NetCat
UNA 1.83 12.22.2006 Backdoor.Delf.86C0
VBA32 3.11.1 12.24.2006 Backdoor.Win32.Rbot.bdu
VirusBuster 4.3.19:9 12.23.2006 Backdoor.NetCat32.C

Additional Information
File size: 61440 bytes
MD5: 23575179c749575323868e5addcfe94c
SHA1: b8a93e394d7079cea568102ce96ddf69f0032d74


nc_orig_upx.exe -
Antivirus Version Update Result
AntiVir 7.3.0.21 12.24.2006 no virus found
Authentium 4.93.8 12.22.2006 no virus found
Avast 4.7.892.0 12.21.2006 no virus found
AVG 386 12.24.2006 no virus found
BitDefender 7.2 12.24.2006 no virus found
CAT-QuickHeal 8 12.23.2006 no virus found
ClamAV devel-20060426 12.24.2006 no virus found
DrWeb 4.33 12.24.2006 no virus found
eSafe 7.0.14.0 12.24.2006 suspicious Trojan/Worm
eTrust-InoculateIT 23.73.97 12.23.2006 no virus found
eTrust-Vet 30.3.3271 12.23.2006 no virus found
Ewido 4 12.24.2006 Not-A-Virus.RemoteAdmin.Win32.NetCat
Fortinet 2.82.0.0 12.24.2006 HackerTool/Netcat
F-Prot 3.16f 12.22.2006 no virus found
F-Prot4 4.2.1.29 12.22.2006 no virus found
Ikarus T3.1.0.27 12.24.2006 not-a-virus:RemoteAdmin.Win32.NetCat
Kaspersky 4.0.2.24 12.24.2006 not-a-virus:RemoteAdmin.Win32.NetCat
McAfee 4925 12.22.2006 no virus found
Microsoft 1.1904 12.24.2006 no virus found
NOD32v2 1937 12.24.2006 Win32/RemoteAdmin.NetCat
Norman 5.80.02 12.22.2006 no virus found
Panda 9.0.0.4 12.24.2006 HackTool/NetCat.A
Prevx1 V2 12.24.2006 no virus found
Sophos 4.12.0 12.24.2006 NetCat
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.136 12.24.2006 no virus found
UNA 1.83 12.22.2006 Backdoor.Delf.86C0
VBA32 3.11.1 12.24.2006 Backdoor.Win32.Rbot.bdu
VirusBuster 4.3.19:9 12.23.2006 Backdoor.NetCat32.C

Additional Information
File size: 30720 bytes
MD5: c94bde8e5590b4e6987fa43bdacb83dc
SHA1: 34e0985479f2fbd9f723d3863917e0d4e1b7fe4e
packers: UPX


nc_PROGRAM_upx.exe -
Antivirus Version Update Result
AntiVir 7.3.0.21 12.24.2006 no virus found
Authentium 4.93.8 12.22.2006 no virus found
Avast 4.7.892.0 12.21.2006 no virus found
AVG 386 12.24.2006 no virus found
BitDefender 7.2 12.24.2006 no virus found
CAT-QuickHeal 8 12.23.2006 no virus found
ClamAV devel-20060426 12.24.2006 no virus found
DrWeb 4.33 12.24.2006 no virus found
eSafe 7.0.14.0 12.24.2006 suspicious Trojan/Worm
eTrust-InoculateIT 23.73.97 12.23.2006 no virus found
eTrust-Vet 30.3.3271 12.23.2006 no virus found
Ewido 4 12.24.2006 Not-A-Virus.RemoteAdmin.Win32.NetCat
Fortinet 2.82.0.0 12.24.2006 suspicious
F-Prot 3.16f 12.22.2006 no virus found
F-Prot4 4.2.1.29 12.22.2006 no virus found
Ikarus T3.1.0.27 12.24.2006 not-a-virus:RemoteAdmin.Win32.NetCat
Kaspersky 4.0.2.24 12.24.2006 not-a-virus:RemoteAdmin.Win32.NetCat
McAfee 4925 12.22.2006 no virus found
Microsoft 1.1904 12.24.2006 no virus found
NOD32v2 1937 12.24.2006 Win32/RemoteAdmin.NetCat
Norman 5.80.02 12.22.2006 no virus found
Panda 9.0.0.4 12.24.2006 HackTool/NetCat.A
Prevx1 V2 12.24.2006 no virus found
Sophos 4.12.0 12.24.2006 NetCat
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.136 12.24.2006 no virus found
UNA 1.83 12.22.2006 Backdoor.Delf.86C0
VBA32 3.11.1 12.24.2006 Backdoor.Win32.Rbot.bdu
VirusBuster 4.3.19:9 12.23.2006 Backdoor.NetCat32.C

Additional Information
File size: 30720 bytes
MD5: bb7f9d5453f25158c5850cfbe5f01274
SHA1: c841e46de25d5adfffe4c41e074c62b2e86c0faf
packers: UPX

So, what are the real differences here?  Not much really.  The majority of the antivirus vendors do not consider nc.exe as a malicious program.  Of the vendors that do, only “eSafe” and “Fortinet” were fooled by simply modifying a few bits in the executable.  This probably means that these vendors are identifying the program by its hash signature.  Packing the original program did apparently bypass checks by “TheHacker” although it did cause “eSafe” to reclassify the program from “Win32.HackTool” to “suspicious Trojan/Worm.”  I am not sure what this actually means other than “eSafe” is identifying the fact that the program is packed and therefore labeling it as malicious.  Finally, the packed version of the modified Netcat file only changes the response of the vendor “Fortinet” which now labels the program as “suspicious.”

So, what are my conclusions from all of this?  Well, first, simple modification and packing does not seem to affect the conclusions made by the majority of antivirus vendors.  Second, it seems that the vendors “eSafe,” “Fortinet,” and “TheHacker” are not very consistent with their analysis of programs and therefore their results should be questioned or at least confirmed.  Third, the next step is to do this with a virus in a controlled environment (which I do not have so I will not be pursuing this step) to test the conclusion of the other vendors under similar circumstances.  Lastly, Kevin and Kev’s steps for initially delving into the malware field are interesting and worth recreating.  Keep up the good work.  Y’all might not have found a way to slip flagged programs by antivirus systems yet, but y’all are definitely on the right track.

Go forth and do good things,
Cutaway
<<

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Sun Dec 24, 2006 3:49 pm

Re: Bypassing Signature based anti-virus software

Thought this discussion was worth submitting to digg:

http://www.digg.com/security/Bypassing_ ... s_Software

Don
CISSP, MCSE, CSTA, Security+ SME
<<

Kev

Post Sun Dec 24, 2006 6:15 pm

Re: Bypassing Signature based anti-virus software

Excellent post and well presented research, Cutaway.  Remember that the key to using a crypter is that it has to be a private one. If it’s a packer or crypter that the AV vendor is aware of it will not defeat it. Although I was surprised that I was able to pass a Trojan through Norton’s with a crypter that is readily available on the net. Makes me wonder what they charge all the money for?  AVG free caught it, lol!  Of course you could just write a new virus that has its own unique signature that doesn’t come close to matching any known virus.  That would be the ultimate way to pass through most anti-virus programs.  But it's much easier to write a unique crypter. You don’t need a lot of programming skill to do that and that’s why it's attractive to underground groups.
<<

oleDB

Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Tue Dec 26, 2006 12:03 pm

Re: Bypassing Signature based anti-virus software

As a side note, anybody familiar with McAfee's EPO? Well with that, it essentially creates a nice low tech way to bypass McAfee's AV. I ran into this feature when I loaded the corporate version of the software and it went ahead and deleted and/or quarantined a bunch of "security" tools that I use like Cain and LC. I noticed that even if I created a folder and told McAfee not to scan it, the EPO overwrote it. Well when browsing I found the Service folder that keeps sanctioned corporate tools like pskill that would normally be removed by McAfee. So I loaded a bunch of tools into the directory and voila they weren't removed by full scans or the on demand scanner. What's even more interesting is that even malware that I've copied over from other machines seems to make it through the scans. I think this same method probably would work with all the top AV vendors in a corporate environment. Assuming the machine was already compromised, an attacker could pull info out the registry automatically and tell them where the AV was instructed not to scan. It would require a little more coding effort to find out where all this info is stored for the most popular AV products, but how difficult would it be to handle something like this. If the EPO admin wanted to clean the malware from the directory, they would risk removing all the legitimate tools stored there as well.
<<

mn_kthompson

Jr. Member

Posts: 58

Joined: Tue Sep 19, 2006 1:59 pm

Location: Mankato, MN

Post Wed Dec 27, 2006 8:54 am

Re: Bypassing Signature based anti-virus software

Cutaway, your post was awesome!  I was planning to do the same work that you did after Christmas, thanks for saving me some steps and for posting such a detailed analysis of your methods and findings. 
<<

mn_kthompson

Jr. Member

Posts: 58

Joined: Tue Sep 19, 2006 1:59 pm

Location: Mankato, MN

Post Wed Dec 27, 2006 5:30 pm

Re: Bypassing Signature based anti-virus software

You know what would be awesome?  It would be awesome if this were easier to do.  I mean, awesome from the perspective of the person trying to slip malware under the anti-virus software's radar.  From the perspective of being the security guy for a University, it would be un-awesome.

Anyway, I have had moderate success sneaking netcat past my Symantec Anti-virus by using brute force packing and encrypting.  By Brute Force, I mean running the executable through multiple packers/encrypters, and by moderate success I mean that it worked one time, and I wasn't able to duplicate the results.  Here is how I got the moderate success:  I edited the hex like I described above, and then I packed it with upx the way cutaway described.  Then I used morphine v2.7 to crypt the file that was packed with upx.  One time I was able to copy the resulting file to my PC and run it.  Strangely, though, even though the file ran properly, when I exited netcat and tried to delete the crypted file, THEN Symantec came up and detected it as being bad.  From that point on, the same technique hasn't worked on my machine.

Anyway, as Kev was saying, using any of the commonly available packers/crypters will probably not sneak something past the AV software because the AV software looks for those packers.  You'll probably have to write your own stuff.  However, for those of you that are noobish like me and aren't very experienced programmers, you'll find that the source code that is available can be tough to follow, and so we run into that wall that separates the people who are 1337 from the noobz.  I'll keep researching ways to slip past the AV, but I'm not very confident in what I'm going to find.
<<

mn_kthompson

Jr. Member

Posts: 58

Joined: Tue Sep 19, 2006 1:59 pm

Location: Mankato, MN

Post Thu Dec 28, 2006 3:52 pm

Re: Bypassing Signature based anti-virus software

I haven't stopped working on this yet.  I've tried a few more tricks and I've been surprised at what has worked and what hasn't.  I'd like to pass on my findings in case anyone is curious.

Today I've been messing around with appending random garbage onto netcat for windows to see if I could slip that past my antivirus software.  First, I copied nc.exe over to my linux machine, and I created a garbage file:
  Code:
dd if=/dev/urandom of=garbage bs=1 count=512

Then I appended the garbage file to the end of nc.exe
  Code:
cat nc.exe garbage > nc2.exe


The resulting file, nc2.exe, runs just fine on a Windows XP machine that is not running anti-virus.  Then I copied it to my machine that is running Symantec antivirus, and surprisingly it worked!  However, just like my experiments from yesterday it only worked one time.  Soon after the program ran Symantec identified it as netcat and quarantined it.  From that point on I couldn't duplicate my results, even using new or larger garbage files.  Incidentally, this trick of appending garbage to the end of the file did fool two of the programs on virustotal.com, namely eSafe and Fortinet.  I also tried taking my modified nc.exe and packing it with upx, but that didn't fool Symantec on my machine.  Packing the executable with garbage on the end actually made the file more recognizable by virustotal.  Every program that cutaway listed as catching his packed netcat also caught the packed netcat with garbage appended.

From a file copy perspective, one thing that has worked consistently is to append the garbage to the front of the executable rather than the back.  Symantec has let me copy the resulting file to my machine every time.  The problem is, of course, that the executable won't run because there is nothing but gibberish for the first 512 bytes.  This is another place where a stub would be handy.  I'd like to see something that results in a valid PE (portable executable) header that instructs the operating system to skip the next 512 bytes and pick up from there.  Then I could append the garbage to the end of that and nc.exe to the end of that.  I'm not a great programmer though, and I haven't been able to find much on the web to point me in the right direction.
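What a scanner sees after the UPX packing in Cutaway's post and the appended garbage in this one, as an added example that is not code from either poster: a small PE section-table parser reports packer section names, high-entropy sections and an overlay of bytes past the last section. The builder and the three sample images (PLAIN_EXE, APPENDED_EXE, PACKED_EXE) are constructed here and stand in for no real binary.

```python
import math
import struct
from collections import Counter
from random import Random

# Section header layout from the PE/COFF spec: 8-byte name, six DWORDs
# (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, two more
# pointers), two WORD counts and a DWORD of characteristics: 40 bytes.
SECTION_FMT = "<8sIIIIIIHHI"
OPT_HDR_SIZE = 224      # SizeOfOptionalHeader for a PE32 image
FILE_ALIGN = 0x200

def shannon_entropy(blob):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    n = len(blob)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())

def build_sample_pe(sections, overlay=b""):
    """Construct a minimal PE-shaped byte string for the demo. It is not a
    runnable executable and not nc.exe: only the fields the parser reads
    are meaningful and the optional header is zero-filled."""
    e_lfanew, nsec = 0x40, len(sections)
    hdr_len = e_lfanew + 4 + 20 + OPT_HDR_SIZE + 40 * nsec
    first_raw = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN          # round up
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)    # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, OPT_HDR_SIZE, 0x0102)
    table, body = b"", b""
    for i, (name, raw) in enumerate(sections):
        table += struct.pack(SECTION_FMT, name[:8].ljust(8, b"\x00"), len(raw),
                             0x1000 * (i + 1), len(raw), first_raw + len(body),
                             0, 0, 0, 0, 0x60000020)
        body += raw
    headers = dos + b"PE\x00\x00" + coff + b"\x00" * OPT_HDR_SIZE + table
    return headers.ljust(first_raw, b"\x00") + body + overlay

def parse_sections(data):
    """Walk the section table; raise ValueError on malformed headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    offset, sections = e_lfanew + 24 + opt_size, []
    for _ in range(nsec):
        if offset + 40 > len(data):
            raise ValueError("section table runs past end of file")
        f = struct.unpack_from(SECTION_FMT, data, offset)
        name, raw_size, raw_ptr = f[0].rstrip(b"\x00").decode("latin-1"), f[3], f[4]
        if raw_ptr + raw_size > len(data):
            raise ValueError("section %s points past end of file" % name)
        sections.append({"name": name, "raw_ptr": raw_ptr, "raw_size": raw_size,
                         "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size])})
        offset += 40
    return sections

def analyze(data):
    """Three cheap static signals: packer section names, high-entropy
    (compressed or encrypted) sections, and an overlay past the last section."""
    sections = parse_sections(data)
    end = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    overlay = data[end:]
    return {
        "sections": [s["name"] for s in sections],
        "packer_hint": any(s["name"].upper().startswith("UPX") for s in sections),
        "high_entropy_section": any(s["entropy"] > 7.0 for s in sections),
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
    }

# Constructed inputs: GARBAGE stands in for the 512 bytes of /dev/urandom from
# the post, CODE for 512 bytes of real machine code (low variety, entropy 6.0).
_rng = Random(20061228)
GARBAGE = bytes(_rng.randrange(256) for _ in range(512))
CODE = bytes(range(0, 256, 4)) * 8
PLAIN_EXE = build_sample_pe([(b".text", CODE), (b".data", b"\x00" * 256)])
APPENDED_EXE = PLAIN_EXE + GARBAGE                                  # cat nc.exe garbage > nc2.exe
PACKED_EXE = build_sample_pe([(b"UPX0", b""), (b"UPX1", GARBAGE)])  # packed body is noise-like
```

Prepending the garbage instead, as the post describes, makes parse_sections raise on the missing MZ signature, which is the same first check the Windows loader fails on.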
<<

Kev

Post Fri Dec 29, 2006 2:30 pm

Re: Bypassing Signature based anti-virus software

I noticed you used the crypter morphine. Fortunately or unfortunately, depending on your point of view, it is now picked up by most anti-virus vendors.  The interesting thing about it was how it beat most anti-virus software for many months before vendors decided to include it in their detection.  What’s really amazing is, if I remember correctly, that it was publicly available on the net for most of that time!
<<

Cutaway

Jr. Member

Posts: 96

Joined: Mon Nov 20, 2006 5:02 pm

Post Sun Jan 07, 2007 11:47 am

Re: Bypassing Signature based anti-virus software

I responded to a comment posted to my blog.  Here is the comment and my response.

kurt wismer
Comment @ 01/07/07 at 7:19 am

instead of using a virus (which you do not have) to continue experimenting with, why not use the eicar standard anti-virus test file? after all, if you’re just testing how well you can hide an arbitrary program from an anti-virus scanner all that should really matter is that you use something the scanner would normally detect - and just about everything detects the eicar standard anti-virus test file…


I thought about using Eicar but I decided against it.  As I am not a malware expert, and want to focus on other things, there is really no point in moving forward with this test as I have accomplished my goal and I think I will gain more from reading the results of other more experienced malware experts (at least at this point).  Kev from Ethical Hacker has actually already done this anyway (http://www.ethicalhacker.net/component/ ... pic,821.0/); I just didn't see it until after my post.  It is obvious that most antivirus vendors use more information for their signatures than simple hashes and that the most common packers/crypters will be included in their efforts.

I think the primary goal of this experiment (at least for me) was to start thinking about ways to hide programs that might be uploaded for penetration testing.  What I get out of this is that simple modification is not enough.  I will either need to write my own programs to function in the same manner as tools like Netcat, or I will have to find an exploit (remote or local) that I can then use to have Metasploit or Core Impact subvert a process for me.  I like this better because uploads and new processes will probably be logged and then there is more work to hide it all.  If I cannot get a subverted process then I will try and use as many local programs as possible before uploading any program that I know is detected by antivirus software.  I will then also probably consider some of the other aspects of anti-virus evasion methods as described in the Ethical Hacker discussion (http://www.ethicalhacker.net/component/ ... pic,940.0/) before doing such uploads.

Thanks for your comments.
Go forth and do good things,
Cutaway
