How to defeat anti-virus software

  All hackers worth anything know how easy it is to defeat anti-virus. What worries me is the number of security professionals I encounter who are not aware of this and put too much trust in it as a major part of their line of defense. Now don't get me wrong, I do believe you should be running it, but I feel it's foolish to think that just because a file passed a simple AV scan, all is OK.
  To understand how to defeat anti-virus programs, you first need to understand how they work. Classic AV scanners recognize malware by signature: the vendor extracts a distinctive byte sequence from a sample's code, and the scanner checks each file on the hard drive against that database of "signatures". If there is a match, the scanner treats the file as malware; if not, it lets the file go on its merry way. Matching bytes is much more efficient than trying to understand what each program does, and that efficiency is exactly what makes the approach easy to evade.

  To broaden the scope of the scan, many scanners also do what they call "heuristic" scanning. Despite the name, this often means little more than alerting on files that are a near or partial match to a known signature, or that show traits the vendor associates with malware, such as an encrypted or packed section. It can be more of a nuisance than a help when the AV misidentifies a legitimate security tool as a Trojan.


  So all we need to do to defeat a signature-based scanner is to produce malware that contains no byte sequence matching any known virus, Trojan or other entry in its database.


  There are two very popular methods for this in the hacker community:
1. Write your own malware.
2. Use a "packer / crypter".

 Writing your own malware is the best choice, but many hackers are weak coders, so they often rely on a crypter instead. A crypter takes the whole executable and applies an encryption algorithm to it, so the scanner can no longer match the file's bytes against its database of signatures. The interesting thing about a file encrypted in this way is that it still functions fully, because the new file carries a small piece of plaintext code called a "stub". When the file is launched, the stub decrypts the original program in memory and transfers control to it. Note the corollary: the stub is the one part of the file that cannot itself be encrypted, so it is the part a scanner can learn to recognize.

 A few packer / crypter programs are available for download on the internet. However, I have found that many AV vendors have examined these and now include routines in their scanners that see through the encryption if you use one of the better-known crypters: they recognize the crypter's stub, or unpack the file and scan the decrypted result.
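To make the mechanics above concrete, here is a small Python model added for this page; it is not code from the post and not a real AV engine or crypter. A byte-signature scanner, a toy crypter (SHA-256 in counter mode as the keystream, with a marker standing in for the decryptor stub) and a Shannon-entropy check of the kind a heuristic scanner runs are all constructed for the example, as are the signature patterns, the "Trojan" blob and the key. It shows the body signature failing once the bytes are encrypted, the stub signature still firing once a vendor has added it, a private stub going unmatched, and the packed file's entropy jumping to nearly 8 bits per byte.

```python
"""
Toy model of signature scanning versus a crypter (constructed example).

Nothing here is a real AV engine or a real crypter: the "signature database"
is a dict of byte strings, the "malware" is a harmless byte blob that happens
to contain one of those strings, and the "stub" is a marker plus a key rather
than executable code. The point is to show why a byte-signature match fails
against an encrypted body, why vendors then sign the crypter's stub instead,
and what an entropy heuristic sees.
"""
import hashlib
import math

# Constructed signature database: name -> byte pattern. These patterns are
# invented for the example and are not real AV signatures.
SIGNATURES = {
    "Backdoor.Toy.Sample": b"REVERSE_SHELL_CONNECT_BACK:",
    "Packer.Toy.PublicStub": b"TOYSTUB1",   # added once the vendor has seen the stub
}

# Constructed stand-in for a Trojan: data, not a program, containing the
# pattern the first signature above matches.
SAMPLE_TROJAN = (
    b"MZ fake header for the example\n"
    b"config: REVERSE_SHELL_CONNECT_BACK:10.0.0.5:4444\n"
    + b"filler code section, same bytes repeated over and over\n" * 40
)

STUB_MARKER = b"TOYSTUB1"   # stands in for the plaintext decryptor stub


def signature_scan(blob: bytes, sigs: dict) -> list:
    """Return the names of every signature whose byte pattern occurs in blob."""
    return [name for name, pattern in sigs.items() if pattern in blob]


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256 in counter mode (toy, not for real use)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def crypt(data: bytes, key: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def pack(payload: bytes, key: bytes) -> bytes:
    """Build a 'crypted' file: stub marker, then the key, then the encrypted body."""
    return STUB_MARKER + key + crypt(payload, key)


def unpack(packed: bytes, key_len: int = 16) -> bytes:
    """What the stub does at run time: read the key and decrypt the body."""
    if not packed.startswith(STUB_MARKER):
        raise ValueError("not a file produced by this toy packer")
    key = packed[len(STUB_MARKER):len(STUB_MARKER) + key_len]
    return crypt(packed[len(STUB_MARKER) + key_len:], key)


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: near 8.0 means encrypted or compressed, plain code is lower."""
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def demo() -> dict:
    key = b"sixteen byte key"   # constructed 16-byte key for the example
    packed = pack(SAMPLE_TROJAN, key)

    # A private stub the vendor has never sampled is simply absent from the DB.
    private_sigs = {k: v for k, v in SIGNATURES.items() if k != "Packer.Toy.PublicStub"}

    return {
        "plain_hits": signature_scan(SAMPLE_TROJAN, SIGNATURES),   # body sig fires
        "packed_hits": signature_scan(packed, SIGNATURES),         # only the stub sig fires
        "private_stub_hits": signature_scan(packed, private_sigs), # nothing fires
        "runs_after_unpack": unpack(packed) == SAMPLE_TROJAN,      # payload intact
        "plain_entropy": round(shannon_entropy(SAMPLE_TROJAN), 2),
        "packed_entropy": round(shannon_entropy(packed), 2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")
```

The entropy line is the practitioner's takeaway: a private stub beats the signature database, but it cannot hide the fact that the body of the file looks like random noise, which is exactly the trait a heuristic scanner keys on.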

 The problem is that most hacker groups have at least one member who can do some basic coding, and a crypter is very easy to write; it is actually easier to code a crypter than to write a Trojan from scratch. A private crypter that no vendor has sampled leaves the scanner with nothing to match against, so, on a pure signature scan at least, your malware will not be caught.

   Anti-virus companies have been very slow in responding to this. It is well known that it took them over a year to respond to Morphine. Morphine was a crypter released on www.hxdef.org that made just about any Trojan slip right through AV scanners.

 What about now? Well, as a simple test I decided to download some very readily available programs from the internet. One was a "make your own Trojan" program, presumably for someone who wanted to make a Trojan but had no coding skills. The second was a program that is supposed to make your Trojan "stealth". While this program had some outdated features like a "byte packer", it did have a packer / crypter.

   OK, so I created the Trojan and named it trojan.exe. Heck, no one will expect anything that obvious, ha ha. I then bound it to a small legitimate exe. I set it up so that once you downloaded and clicked on it, all you would see is a message stating "You have been Hacked!". OK, not very original, but I was rushing through this to get to the end result.

  The first test was to try to upload it to my Yahoo mail. I received the following message:

The following file has not been attached:

  trojan.exe (284k)
File infected. This file can not be cleaned. Please run a virus scan on your computer.


  OK, that's great. Yahoo's anti-virus saved the day. Now let's take that same Trojan and pack and scramble it. This time when we try to email it we get the following message:

  The following file has been attached:

  trojan.exe (284k) [Remove] No virus threat detected
Attach More Files


  I go ahead and email it to myself, download it on one of my boxes, and guess what? It runs just fine! How can this be? These two programs are readily available on the net if you know where to find them.

 Let's check the scrambled Trojan with http://www.virustotal.com/en/indexf.html. This is a great free site that will run multiple AV scan engines against a file you upload. We get this output:
Complete scanning result of "trojan.exe", received in VirusTotal at 11.10.2006, 19:20:46 (CET).

Antivirus            Version          Update       Result

AntiVir              7.2.0.39         11.10.2006   BDS/CyberSpy.85.Srv
Authentium           4.93.8           11.10.2006   no virus found
Avast                4.7.892.0        11.09.2006   Win32:Cyberspy
AVG                  386              11.10.2006   BackDoor.CyberSpy.I
BitDefender          7.2              11.10.2006   GenPack:Generic.Malware.SFMBkbg.270B876F
CAT-QuickHeal        8.00             11.10.2006   Backdoor.CyberSpy.85
ClamAV               devel-20060426   11.10.2006   no virus found
DrWeb                4.33             11.10.2006   BackDoor.Generic.103
eTrust-InoculateIT   23.73.51         11.10.2006   no virus found
eTrust-Vet           30.3.3186        11.10.2006   no virus found
Ewido                4.0              11.10.2006   no virus found
Fortinet             2.82.0.0         11.10.2006   suspicious
F-Prot               3.16f            11.10.2006   no virus found
F-Prot4              4.2.1.29         11.10.2006   no virus found
Ikarus               0.2.65.0         11.10.2006   Backdoor.Win32.CyberSpy.85
Kaspersky            4.0.2.24         11.10.2006   Backdoor.Win32.CyberSpy.85
McAfee               4893             11.10.2006   BackDoor-NT
Microsoft            1.1609           11.10.2006   Backdoor:Win32/CyberSpy.E
NOD32v2              1861             11.10.2006   Win32/CyberSpy.85
Norman               5.80.02          11.10.2006   no virus found
Panda                9.0.0.4          11.10.2006   no virus found
Sophos               4.11.0           11.07.2006   no virus found
TheHacker            6.0.1.116        11.09.2006   Trojan/Hami
UNA                  1.83             11.10.2006   .CyberSpy.85.2790
VBA32                3.11.1           11.09.2006   Backdoor.Win32.CyberSpy.85
VirusBuster          4.3.15:9         11.10.2006   no virus found

 Remember that these tools have been available on the internet for a while, so I am surprised how many AVs (11 of the 26 engines) did not find it at all.

OK, now let's scramble the code with a private crypter and see what happens when I scan it at the same site. We get the following readout:

Complete scanning result of "trojan.exe", received in VirusTotal at 11.10.2006, 19:28:46 (CET).

Antivirus            Version          Update       Result

AntiVir              7.2.0.39         11.10.2006   no virus found
Authentium           4.93.8           11.10.2006   no virus found
Avast                4.7.892.0        11.09.2006   no virus found
AVG                  386              11.10.2006   no virus found
BitDefender          7.2              11.10.2006   no virus found
CAT-QuickHeal        8.00             11.10.2006   no virus found
ClamAV               devel-20060426   11.10.2006   no virus found
DrWeb                4.33             11.10.2006   no virus found
eTrust-InoculateIT   23.73.51         11.10.2006   no virus found
eTrust-Vet           30.3.3186        11.10.2006   no virus found
Ewido                4.0              11.10.2006   no virus found
Fortinet             2.82.0.0         11.10.2006   no virus found
F-Prot               3.16f            11.10.2006   no virus found
F-Prot4              4.2.1.29         11.10.2006   no virus found
Ikarus               0.2.65.0         11.10.2006   no virus found
Kaspersky            4.0.2.24         11.10.2006   no virus found
McAfee               4893             11.10.2006   no virus found
Microsoft            1.1609           11.10.2006   no virus found
NOD32v2              1861             11.10.2006   no virus found
Norman               5.80.02          11.10.2006   no virus found
Panda                9.0.0.4          11.10.2006   no virus found
Sophos               4.11.0           11.07.2006   no virus found
TheHacker            6.0.1.116        11.09.2006   no virus found
UNA                  1.83             11.10.2006   no virus found
VBA32                3.11.1           11.09.2006   no virus found
VirusBuster          4.3.15:9         11.10.2006   no virus found

Well, that's kind of scary! Remember that encrypting it in this way in no way stops the Trojan from working. Remember, too, that a VirusTotal result is a static scan of the file at rest: an engine's on-access or behavioural components on a real machine may still catch the payload once the stub has decrypted it in memory, so a clean sheet here proves only that the signatures do not match.

Again, I want to stress that I am not saying AV scanners are useless and that you should not bother with them. I am just trying to point out that they are not the total solution to your network security.
 
If you have to download something you are not sure of, the best practice is to first download it to a computer on your network that is not critical. Port scan that box from another computer on the network before you run anything, so you have a baseline; then run the program and scan again. If you find a port opening up on something you thought was just supposed to be a birthday card from a friend, you might want to be a little concerned! Bear in mind that a backdoor which connects out to its owner rather than listening will not show up in such a scan, so watch the box's outbound connections as well.
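The baseline-and-compare check described above, as an added Python example that is not the author's own tool: a plain TCP connect scan of a port window, run before and after "the download" is launched, with the difference reported. To keep it self-contained the "Trojan" is a listening socket this script opens itself on 127.0.0.1, and HOST and PORT_RANGE are assumptions chosen so the demo runs offline in a second or two; the real check is run from a second machine against the sandbox box's LAN address over the full port range.

```python
"""
Baseline-and-compare port check for a throwaway box (constructed example).

The "backdoor" is a plain listening socket stood up by this script so the
example runs offline against 127.0.0.1. HOST and PORT_RANGE are assumptions,
not values from the post. In practice, run the scan from a second machine
against the sandbox's LAN address, with a full port range, before and after
launching the suspect program.
"""
import socket
from contextlib import contextmanager

HOST = "127.0.0.1"                 # assumption: scan the local box
PORT_RANGE = range(40000, 40100)   # assumption: small window so the demo is quick


def scan_ports(host, ports, timeout=0.2):
    """TCP connect scan: a completed handshake means something is listening."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.append(port)
    return found


def new_listeners(before, after):
    """Ports open now that were not open in the baseline scan."""
    return sorted(set(after) - set(before))


def _first_free_port(host, ports):
    """Pick a port in the window that nothing is bound to (constructed helper)."""
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            try:
                s.bind((host, port))
                return port
            except OSError:
                continue
    raise RuntimeError("no free port in range")


@contextmanager
def fake_backdoor(host, port):
    """Stand-in for a Trojan that opened a listening port (constructed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    try:
        yield port
    finally:
        srv.close()


def detect_new_listener(host=HOST, ports=PORT_RANGE):
    """Baseline scan, 'run the download' (open the fake backdoor), rescan, diff."""
    before = scan_ports(host, ports)
    port = _first_free_port(host, ports)
    with fake_backdoor(host, port):
        after = scan_ports(host, ports)
    return {
        "before": before,
        "after": after,
        "backdoor_port": port,
        "new_ports": new_listeners(before, after),
    }


if __name__ == "__main__":
    result = detect_new_listener()
    print("baseline open:", result["before"])
    print("after running the download:", result["after"])
    print("new listeners (investigate these):", result["new_ports"])
```

The baseline scan is the part people skip: without it, a port that was already open on the sandbox (a file share, a remote-desktop service) looks just as alarming as the one the Trojan opened. This check only sees listeners; a payload that connects out to its owner needs a look at the box's outbound connections instead.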