--Elite--
How to bypass Anti-Virus systems...

Well, as I saw there are so many newbie hackers here who don't know
how to make their BAD THINGS undetected, I decided to tell them
how to do that.


As you know, AV systems and similar software (not those that work on/watch network status...)
detect viruses, trojans, etc. with methods such as
file size, file name, and the most important one: the file header.

So?

When we have a detected file (imagine trojan-server.exe), our AV detects it as
a "backdoor/Trojan xxx".

But how does it do the detection?

Most of what it does is check the file header, and here we have an EXE file.
And how does the AV detect that it's a dangerous header? It simply compares the file header with
those it has in its included virus-definition database. So the only thing we have
to do is to CHANGE THE FILE HEADER. If we do it well, the AV will face a new
header which is NOT available in its DB, so it won't detect it anymore, because it sees
something different from those that exist in the AV's virus-definition file.


How to change an executable file's header?

There are so many ways to do it! But most of these methods need you to be a
good programmer, or a pro... But there is still a simple and
really easy method FOR YOU.

Do you know anything about "ZIP"?
I mean the most common method/extension of file compression...
The rule is that our compressor takes a look at our file, reviews it
and replaces its entire data with something else (but the same)...
Here I won't explain how a file gets compressed! Learn it yourself.
The thing I want to mention is that after the whole compression process
the file's header will change! <~~

Some stupid people may think like this:
OK! I got it. I'll zip the file and send/copy it.
It may work, BUT only while we just try to send/copy it.
What about execution time????
The AV eats your file as soon as you think :-x

So we're going to compress the EXE file!
We won't change the extension to .zip or anything else...
We just compress the file's entire data...
and after that, we have a new header which has SOME different parameters.


We begin by introducing a cute tool: UPX



Ultimate Packer for eXecutables
Copyright © 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24w Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

Commands:
-1 compress faster
-9 compress better
-d decompress
-l list compressed file
-t test compressed file
-V display version number
-h give more help
-L display software license
Options:
-q be quiet
-v be verbose
-oFILE write output to `FILE'
-f force compression of suspicious files
-k keep backup files
file.. executables to (de)compress

This version supports: dos/exe, dos/com, dos/sys, djgpp2/coff, watcom/le,
win32/pe, rtm32/pe, tmt/adam, atari/tos, linux/386

UPX comes with ABSOLUTELY NO WARRANTY; for details type `upx -L'.



==========================


As you can see, it's a "Packer for eXecutables", the exact thing we need.
I know how lazy you are! So I'll go on to explain how to use it...


Assume we have a backdoor which the AV detects.

Directory of C:\

11/07/2002 02:13 PM 94,208 UPX.EXE
12/15/2003 11:50 PM 190,464 bd.exe


We're going to pack this file (in a way, we zip the data INSIDE the file).
We type the command shown below.

What happened?

C:\>upx -9 bd.exe
Ultimate Packer for eXecutables
Copyright © 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24w Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002

File size Ratio Format Name
-------------------- ------ ----------- -----------
190464 -> 67072 35.21% win32/pe bd.exe

Packed 1 file.


If you try to learn how the stuff works, you'll see that the parameter I used (-5)
is the compression rate. There are 9 rates available for you to use.
UPX packed my file,
and as you can see, the file size has been changed!
And hopefully the header too.
We still have our BD.exe, which works 100% the same as the original BD.exe
but with a different size and a changed header.
So up to now, you've tricked the AV 2 times:
1- The AV may detect BD.exe by its size, which you changed.
2- The AV may detect BD.exe by its executable header, and you changed that too!

40% of the time you're done here.

Hey man! Only 40%??????????
Don't worry. I'll increase our chance to 75%.... Just be patient...

Now I'll give you some useful tricks about files too....

1-=) Some files may still stay detected after this method!
How to prevent this?
As you see, we used the maximum rate (-9) for this file,
but the AV still warns us! Why?
Because the AV knows both the original header and the compressed header.
BUT, if you pay attention you'll see that most of the time AVs
have only the original header, not the compressed one, and after all,
if they included the compressed header, they usually include the
max-rate compressed header... yeah... not ALL possible rates...
So we found a way to escape.
In such cases, we try different UPX rates against our file (BD.exe).
Let's try...

C:\>upx -5 bd.exe
Ultimate Packer for eXecutables
Copyright © 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24w Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002

File size Ratio Format Name
-------------------- ------ ----------- -----------
190464 -> 71680 37.63% win32/pe bd.exe

Packed 1 file.


Now, usually our AV won't detect it. You should try other rates if it didn't work.
Don't worry, we have 9 rates here. One will work for your file.



2-=) The second trick may be more important!
It's for when you get this error when you try to UPX your file.
Look:

C:\>upx -5 bd.exe
Ultimate Packer for eXecutables
Copyright © 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24w Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002

File size Ratio Format Name
-------------------- ------ ----------- -----------
upx: bd.exe: AlreadyPackedException

Packed 1 file: 0 ok, 1 error.


Damn!.....
Hey... I told you to be patient.
Nothing bad happened. UPX is just telling you that the file you're trying to
compress is already packed ::: upx: bd.exe: AlreadyPackedException :::
In this case (executable files) we can't re-compress a file,
but in normal cases (.zip, .rar...) we don't have such a problem.
So what should we do???? :|
And as I'm again sure that you're lazy and didn't read the HELP of UPX
carefully, I'll tell you what to do....

We have a "-d" switch in UPX.
The job it does is decompress an already compressed file, like the one we have.
Found out what to do? I don't think so!!!
OK.
First you decompress your file with -d:

C:\>upx -d bd.exe
Ultimate Packer for eXecutables
Copyright © 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24w Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002

File size Ratio Format Name
-------------------- ------ ----------- -----------
190464 <- 71680 37.63% win32/pe bd.exe

Unpacked 1 file.


As you see, you changed the file a lot.
Size/header changed again. It may be enough to trick the AV by itself,
but if the AV warns again, try to compress the file with different rates...
Don't forget we have 9 rates.... so try the one that tricks your AV.

Now you have a 75% chance to make your file UNDETECTED!

Where can it be useful?
The time you want to install a backdoor, and especially a rootkit,
on a compromised system.

The only thing I forgot to mention is that we have the same thing on
Unix/Linux too!
And sorry about my bad English, which sucks...



Happy packing

--Elite--
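As an added example that is not part of the original post: the script below parses a PE's section table and reports the structural signs a scanner uses to recognise a UPX-packed binary, whichever compression level (-1 to -9) produced it. It builds two tiny constructed PE32 images in memory (no real binary is involved); the entropy threshold, section layout and indicator names are the editor's assumptions, not any AV vendor's logic.

```python
"""Structural packer detection over a PE section table (added example).

Builds two small PE32 images in memory as constructed samples, then reports
the tells a scanner keys on when a file has been run through a packer like
UPX. Thresholds and indicator names are this example's own assumptions.
"""
import hashlib
import math
import struct
from collections import Counter

FILE_ALIGN = 0x200
SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER: 40 bytes
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
ENTROPY_THRESHOLD = 7.0               # assumed cut-off, in bits per byte


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections, entry_rva):
    """Assemble a minimal PE32 from (name, raw_bytes, virtual_size, characteristics)."""
    hdr_size = _align(64 + 4 + 20 + 224 + 40 * len(sections), FILE_ALIGN)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                         # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                       # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    table, body, raw_ptr, rva = bytearray(), bytearray(), hdr_size, 0x1000
    for name, raw, vsize, chars in sections:
        raw_size = _align(len(raw), FILE_ALIGN)
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, rva, raw_size,
                             raw_ptr if raw_size else 0, 0, 0, 0, 0, chars)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        rva += _align(max(vsize, raw_size), 0x1000)
    return bytes((dos + b"PE\0\0" + coff + opt + table).ljust(hdr_size, b"\0") + body)


def parse_sections(data):
    """Walk the section table; return (entry_rva, list of section dicts)."""
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    secs = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, data, opt_off + opt_size + 40 * i)
        secs.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                     "vsize": f[1], "rva": f[2], "raw_size": f[3],
                     "raw": data[f[4]:f[4] + f[3]], "chars": f[9]})
    return entry_rva, secs


def entropy(buf):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8.0."""
    n = len(buf)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def packer_indicators(data):
    """Return the structural findings a packer leaves regardless of the UPX -1..-9 level."""
    entry_rva, secs = parse_sections(data)
    found = []
    if any(s["name"].startswith("UPX") for s in secs):
        found.append("upx-section-names")                       # cosmetic: can be renamed
    for s in secs:
        if s["raw_size"] == 0 and s["vsize"] > 0:
            found.append("empty-on-disk-section:" + s["name"])  # unpack destination
        if s["raw_size"] and s["chars"] & IMAGE_SCN_MEM_EXECUTE and entropy(s["raw"]) > ENTROPY_THRESHOLD:
            found.append("high-entropy-exec-section:" + s["name"])  # compressed payload
    ex = [s for s in secs if s["chars"] & IMAGE_SCN_MEM_EXECUTE]
    if len(ex) > 1:
        last = ex[-1]
        if last["rva"] <= entry_rva < last["rva"] + max(last["vsize"], last["raw_size"]):
            found.append("entry-point-in-last-exec-section")    # where the unpack stub lives
    return found


# Constructed samples: a "plain" image and one laid out the way UPX leaves a file.
PLAIN_TEXT = bytes.fromhex("558bec83ec1090c3") * 256           # repetitive stand-in for code
PLAIN_PE = build_pe([(b".text", PLAIN_TEXT, len(PLAIN_TEXT), CODE),
                     (b".data", b"hello\0" * 64, 0x200, 0)], entry_rva=0x1000)
PACKED_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4 KiB, near-random
PACKED_PE = build_pe([(b"UPX0", b"", 0x3000, CODE),
                      (b"UPX1", PACKED_BLOB, 0x2000, CODE),
                      (b".rsrc", b"\0" * 64, 0x200, 0)], entry_rva=0x5000)

if __name__ == "__main__":
    for label, image in (("plain", PLAIN_PE), ("packed", PACKED_PE)):
        print(label, packer_indicators(image) or ["no packer indicators"])
```

Running it reports nothing for the plain image and four findings for the packed one: the UPX0/UPX1 names, a section that is empty on disk but large in memory (the unpack destination), a high-entropy executable section (the compressed payload) and an entry point inside the last executable section (the decompression stub). Only the first of those is cosmetic; the other three are what the packer has to produce to work at all, so switching between -1 and -9 changes the compressed bytes but leaves these intact.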
agamemnon
Great stuff!

Lovely to know that people are still willing to take the time to write nice long informative posts.

Though I'm not sure I quite understand the need to post three of them...

-ed.
--Elite--
Here is the link to get the latest version of the explained utility: UPX

UPX Home-page
taktau
Yeah, use UPX! Makes a detectable trojan undetectable.
yuliang11
Thanks, mate. This is a good tutorial.
dreedz
Great information indeed! Cheers
ssj4conejo
Nice info. Another good util for this is Morphine. It worked perfectly = ).
daguilar01
QUOTE (ssj4conejo @ Dec 23 2003, 10:54 PM)
Nice info. Another good util for this is Morphine. It worked perfectly = ).

And even better is a combination of both.
Fractured
Thank you, finally someone took the time to write out step by step what should be tried to make a file undetectable. Very useful, should help a lot of new people to the scene.
neoragexxx
Thanks for the info, Elite. Didn't know about UPX.
liquidSilver
This was a great explanation... although I knew quite a lot of it already... Well, thank you anyway!
zero-maitimax
UPX is good, but I have seen some trojans that were detected even with UPX...

Aphex made a tool that is the best I know, FCP 1.0.

The nice thing about it (it's also the bad thing) is that it adds random bytes to it and then packs it...

But you can be 101% sure it is undetected...

sir|nfs
Thanks a lot, very useful tut!

Sir NFS
X-FloppY
Thanks for the info, m8.
Nice work.
I need it.
mrBob
Nice tut, m8!!
UPX is a great tool.
Nice info.
Cyrus
Nice tutorial :=
There's another fine packer called Cexe.
absolution
This tutorial is kinda pointless now. Every major AV has got UPX tagged.
GhostCow
FSG is a good packer, but it's very buggy...
I recommend the UPX/Morphine combo, it works every time...
Here it is for y'all...
http://www.websamba.com/ghostcow/Morphine12.rar
jimmy
There are more and better ways to do the job: hex editing and stuff...
zero-maitimax
QUOTE (jimmy @ Dec 24 2003, 06:23 PM)
There are more and better ways to do the job: hex editing and stuff...

That's what the Aphex FCP tool does:

it changes the CRC32/MD5, adds bytes, and makes a completely different program.
passi
Great tutorial. Thanks a lot for it.
Double-=V=-
Kaspersky detects all these methods. If you add 200 bytes, pack it, scramble it, bind it, use Aphex FCP, it still detects it.
AlessandroIT
I've tried to patch hxdef0.8.4 with UPX... It doesn't work...

Can someone tell me about patching this rootkit??
r00tless
Great Tutorial

Thanks man!
zero-maitimax
QUOTE (Double-=V=- @ Dec 25 2003, 09:06 PM)
Kaspersky detects all these methods. If you add 200 bytes, pack it, scramble it, bind it, use Aphex FCP, it still detects it.

I also use AVP/KAVP.

Well, they will not be detected with this; that's why it's very nice.
uk-nutta
What a load of cack if you ask me, but then that's my opinion. Don't mind me, folks, I just watch; yes, I'm another one of those pesky watchers.
matiano
For KAV undetected you must use the...

- EOP (change entry point)
- NOP (put asm code 90 = no operation, 4 times after the entry point of the file)

... method and have fun.
GhostCow
That FCP looks good!

edit: no, it sucks... f*cked up my PE...
Hexboy
I've had luck with hex editing / scrambling (when possible). UPX is pretty well known, aye.
Mokilog
Thanks for the nice trick.

Ultimate
Very useful!
Thanks
tstngry
Some other packers that are just as easy to use are
fsg
morphine
cexe
aspack - I think?
Google them, they are easy to find, and they are in another post somewhere. You can use a combination of these programs. UPX and Morphine together are unstoppable. Contact me if you can't find them and I'll try to help you.
Fernando093
Thanks for the tutorial...

Much appreciated
Trepet
Could somebody tell me where I can download Morphine? I can't find it anywhere. Thanks in advance.
Progressor
Thank you for this nice tutorial, but it's pretty obsolete, as every modern AV detects UPX packing, as well as Aphex FCP. The only packer that did the job was Morphine, but it can corrupt some files.
matiano
QUOTE (Trepet @ Jan 3 2004, 04:27 AM)
Could somebody tell me where I can download Morphine? I can't find it anywhere. Thanks in advance.

http://www.rootkit.com ... there it is
akis
Well, it works fine with the server of the most well-known trojan... netb*s! It's undetected for Norton. Not tested on McAfee.
cagontoo
lol, your English is (filtered) bad
Steffan
Thanks. But McAfee found it whichever way I compressed it...

But I found a way you may like...

1. compress the .exe
2. use Morphine.exe and make it stealth

Tested with McAfee / Kaspersky / Norton

Have a nice day!!

C'ya
Steven
sysadmin
Thanks for this.

sysadmin
TedOb1
--Elite--, great thread. Thanks for starting it and thanks for taking the time to write the how-to.
acidburny
Thank you
PrarieDog
Nice work, guys, some good info there!! Thanks
mmyumu
Big thanks, it's a great tutorial
yeyo
Thanks a lot for it

I was looking for something like this
matiano
a) AVP Offset Finder (a program by Senna Spy) www.sennaspy.cjb.net
b) A good hex editor (Hex Workshop is probably the best).
c) Stealth Tools: yes! We still have a use for this.
d) A testing machine (be it an extra computer you own, or some totally unaware person you have permanent access to).
e) An unpacked version of your trojan server, before editing or anything.

Procedure:

1- Disable the KAV monitor.
2- Copy Avpoffset.exe along with your unpacked trojan to the AVP bases folder, usually C:\Program Files\Common Files\AVP Shared Files\Bases
3- Open a command prompt, browse to that folder, type Avpoffset servername.exe and hit enter.
4- Watch as the program extracts the stored signatures from the AVC files (this can take a long time with large files, depending on your CPU speed and available memory).
5- I will take a NetDevil 1.4 server as an example for this. It has now turned out to be a very notorious trojan among antivirus companies, and KAV especially chooses very specific signatures which will identify about any type of NetDevil 1.4 server:

Server.exe infected: Backdoor.NetDevil.14

Signature 1 found:
Offset: 511854 ( 7CF6Eh)
Length: 7 ( 7h)
Checksum: (2FCC5587h)

Signature 2 found:
Offset: 515903 ( 7DF3Fh)
Length: 255 ( FFh)
Checksum: (5574DDD9h)
--------------------------------------------
6- After opening the NetDevil server for editing with Hex Workshop, we search for both offsets, 511854 and 515903. Picture it as jumping to line 511854 in the program code: press CTRL + G and type the offset number (the decimal value, of course). We need to modify a single byte: highlight the first two characters after your cursor, that's it. In the lower left pane of Hex Workshop you will see various info about that section of the file; that's where you need to play. We will notice that KAV signatures are in most cases very important sections of the trojan (basic functions, etc.), because those guys aren't kidding. This leads us to the fact that over-hexing this single byte could result in a corrupted server, so take it easy. I found that modifying the MS-DOS date or MS-DOS time of that byte can do the job without destroying the server. Just play around, but make sure the modifications are made to that very single byte alone, or at least try to, heh.

7- Save your modified trojan and test it on yourself or on your other test machine; see if it will work. Try to connect to yourself. Damn, the server won't work, even though the registry entry was written. Now that's a bitch, because we will have to delete that file, restore the backup created by Hex Workshop and restart the whole thing again. Try to change both offsets separately until your scan results are negative. It is a good idea, while you are hex editing the trojan, to search for the notify message for ICQ: try looking for the text strings UIN, http, etc. Change the values to custom text if you want; this helps with the notify problem over ICQ, but make sure you have replaced the text with exactly the same number of characters, not one byte less or more.

8- Now save your work, edit your trojan as usual and test it again; hopefully it works! If not, try this: get a properly configured NetDevil server, or whatever trojan you want to use, and use Stealth Tools 2.00 to patch your new server with the older one. Make sure both are unpacked and exactly the same size; hopefully this will make the server run OK.

9- Use your hex editor to add null bytes (00) as much as you like, or use Stealth Tools to add those bytes if you don't feel comfortable using a hex editor.

10- Proceed normally: pack your file using UPX + Scramble, ASPack, or FSG (which is very good for small servers). tElock has some anti-debugger / encryption options; you might want to experiment with it too, as with some effort you can make very stealthy servers using tElock as your packer.

Notes
- What applies to KAV will in most cases apply to McAfee and TDS-3. Just pack your trojan and see if it's detected or not.
- Some backdoors couldn't possibly pass antivirus. Something like a 1 KB web downloader that only has two functions, three at most, doesn't have much to edit. Also don't waste your time with older trojans like NetBus or SubSeven, or you will be wasting lots of time; these trojans are VERY hard to make undetected without having the source code. By Liquid.
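Added example, not part of the guide above: a scanner for signatures of the shape the offset listing prints (offset, length, checksum), run over a constructed byte string. CRC-32 is assumed for the checksum because the post does not name the algorithm, and the sample "server" bytes are made up. It contrasts an exact-offset match with a position-independent one, so the effect of the two edits the guide describes, patching a byte inside the signature (step 6) and inserting null bytes (step 9), can be seen side by side.

```python
"""Fixed-offset content signatures of the kind in the AVP offset listing (added example).

A signature here is the (offset, length, checksum) triple the listing prints.
CRC-32 is an assumption: the listing does not say which checksum AVP used.
All sample data is constructed; no real trojan is involved.
"""
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    offset: int     # file offset the slice must sit at
    length: int     # number of bytes covered
    checksum: int   # CRC-32 of those bytes (assumed algorithm)


def make_signature(name, sample, offset, length):
    """Pick a slice of a known sample and record its checksum, as a vendor would."""
    return Signature(name, offset, length, zlib.crc32(sample[offset:offset + length]))


def matches_fixed(data, sig):
    """Exact-offset match: the same bytes must sit at the same file offset."""
    chunk = data[sig.offset:sig.offset + sig.length]
    return len(chunk) == sig.length and zlib.crc32(chunk) == sig.checksum


def matches_anywhere(data, sig):
    """Position-independent match: slide the window over the whole file.
    Survives bytes being inserted before the slice, not changes inside it."""
    return any(zlib.crc32(data[off:off + sig.length]) == sig.checksum
               for off in range(len(data) - sig.length + 1))


def scan(data, sigs):
    """Report, per signature, whether each matching strategy fires."""
    return {s.name: {"fixed": matches_fixed(data, s), "anywhere": matches_anywhere(data, s)}
            for s in sigs}


# Constructed "server": repetitive filler standing in for code, with a notify string in it.
FILLER = bytes.fromhex("558bec83ec10") * 40
NOTIFY = b"UIN=12345678 http://notify.example.invalid/\0"
SAMPLE = FILLER + NOTIFY + FILLER
SIG = make_signature("Backdoor.Constructed.1", SAMPLE, offset=len(FILLER), length=7)


def variants():
    """The two edits the guide describes: flip one byte at the offset, or insert null bytes."""
    patched = bytearray(SAMPLE)
    patched[SIG.offset] ^= 0x20                                    # 'U' -> 'u' inside the slice
    padded = SAMPLE[:16] + b"\0" * 200 + SAMPLE[16:]               # nulls inserted before the slice
    return {"original": SAMPLE, "one-byte-patch": bytes(patched), "null-padding": padded}


if __name__ == "__main__":
    for label, data in variants().items():
        print(f"{label:15s} {scan(data, [SIG])}")
```

The one-byte patch defeats both strategies, because the checksum covers the bytes themselves; the inserted null bytes only defeat the exact-offset version, so step 9 on its own buys nothing against an engine that searches for the slice rather than seeking to a fixed offset.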
tibbar
OK, I agree that the Morphine / packer approach is working 100% at the moment, but it does corrupt some programs, e.g. iroffer.

Except for hexing it (which is a nightmare if you want to beat all AVs, since each uses a different sig, although you can beat Norton and the other weak ones just with a post-hex pack), what other packers are there which will work with iroffer???

Also, I'd like to write my own packer. Anyone got a link to an article explaining the principles? (I'm good in C++ and VB.)
Trojan^kid
QUOTE
a) AVP Offset Finder (a program by Senna Spy) www.sennaspy.cjb.net

Doesn't work any more.
Here are some packers; I think they would help:
exe32pack
fsg1.33
aspack2.12
pecrp102
MichT
Thanks a lot for this tuto, man.
It works nice.