tibbar
I've been looking at different AVs and seeing if I can find packers to beat them all. So far Kaspersky seems unbeatable (Norton and McAfee are a joke to make files undetectable to).

Apart from hexing, which is tiresome, has anyone found a packer which does beat KAV? Or does KAV use a more clever method of scanning (e.g. unpacks it in memory?).

gk0r
looooool

You can't beat KAV - there isn't a (public) packer that KAV isn't aware of.
You know what's the worst of it? There are more AVs, such as F-Sec and at least one other whose name I've forgotten - just as tough as the Kaspersky guys.

The only way would be to get those packers' / encryptors' sources and modify them substantially. I've seen services on the net where guys promise to make your tools 100% undetectable by any AV by doing this trick. As much as I know about programming and stealth I haven't been able to figure out how to do that - maybe someone else is geekier than I am.
tibbar
well in that case the only way is to hex the unpacked version of the trojan or whatever you want to hide (tip: divide and conquer - i.e. split and split until you find the detected bit of code). Once you beat KAV on the unpacked version, pack heavily to beat weaker AVs like Norton and McAfee.

of course this won't help if the vic uses RAV etc...

and doing a hex to beat multiple AVs ain't easy at all...

does anyone have info on how to write a packer? its a project i would like to have a go at.
gk0r
Seriously, HEXing is a futile attempt and a great waste of time. It takes lots of time and definitions are often updated and changed depending on the versions out. Not to mention that, as you stated, most AVs have different definition strings. What I do is settle for a packer / morph combo. I've done a little research on various AVs and their detection - I won't list exact version numbers and tests, but as few as 1/6 AVs detect a good combination; if you consider how unpopular KAV and FSEC are, it's really worth it.

In those rare occasions you have to deal with those two nasty ones you can always resort to legal tools. If you're after a backdoor use tweaked VNC; if console, there are batch files that allow you to service and put passwords on them. If you want stealth, look into legitimate service names and remember console extension tricks. If you are talking about hacking for the purposes of an installed Serv-U or something like that, you can always use the original package, which isn't detected.

In other words - think outside of the box, everything is possible.

P.S. You don't make packers, unless you're really geeky - but then again, if you were, I'd make a small wager that you wouldn't be here to begin with. UPX (I know it's crap, don't waste any of your breath telling me) is open source, which means that it's practically ready for you to use, except that you'd have to substantially modify it (like I said previously) if you really want to fool anything. Compression methods / signature would be a good place to start. But ask me this: "Do I think it's worth the time and hassle?" and then guess what my answer would be.
Yorn
There are tons of things you can do to hide from AV.

The best possible way to hide is to just create your own trojans using Free Basic Scripting Language or other extremely simple programming languages that make network and socket coding a breeze. I've linked to it several times on here, but I guess that isn't enough.

Another good way to hide is to use a really old version of UPX with a new trojan.

KAV is in such a funny situation, it's extremely good, extremely processor intensive (although ultimately better than the others), and no one uses it but hackers. Isn't it horrible that the best possible antivirus software is probably one of the least used except by those that make the trojans/virii?
tibbar
I am actually working on the development team for a trojan in vb.net, but that's not really the point.

If we want to get problems like iroffer, serv-u etc to work with KAV knowing about it, I think it will be a tough job.

The only way I can see is hexing the programs against KAV and then packing / scrambling to beat the others.

I guess I must be pretty geeky, as I want to develop a packer. Can anyone suggest some links to get some ideas of where to start?
MrRobot
Search people!
gk0r
QUOTE (MrRobot @ Jan 28 2004, 10:22 PM)
Search people!

Aren't you a genius, or perhaps a spammer?
MrRobot
I know I know
Faceless Master
QUOTE (tibbar @ Jan 28 2004, 08:51 PM)
I am actually working on the development team for a trojan in vb.net, but that's not really the point.

If we want to get problems like iroffer, serv-u etc to work with KAV knowing about it, I think it will be a tough job.

The only way I can see is hexing the programs against KAV and then packing / scrambling to beat the others.

I guess I must be pretty geeky, as I want to develop a packer. Can anyone suggest some links to get some ideas of where to start?

Don't tell me, dude.
If you make a trojan in VB.NET then it will require the 12.3 MB .NET Framework.
I wonder if you might reconsider coding in VB.NET.
Regards
~Faceless Master
tonyilluminati
and god created delphi & c.
Progressor
Try UPX on your trojan and then Morphine v1.2, KAV doesn't recognize this packer.
nolimit
you could also just try coding your own software, or heavily editing others' source code.. that always seems to work for me =)
Trojan^kid
upxredir
http://www.nuclearwinter.mirrorz.com/
gk0r
QUOTE (Progressor @ Jan 30 2004, 04:08 PM)
Try UPX on your trojan and then Morphine v1.2, KAV doesn't recognize this packer.

Sure it does, why don't you check before you post next time ....
TECHgenius
the best way of making a server undetected is to hex it. You can use SennaSpy's AVP offset finder to find out the viral signature.
oYost
It seems that AVP offset finder doesn't work with the latest .avc files :/
TECHgenius
maybe, it's been a while since i last used it...
edjorge
Guys, I'm searching for someone who wants to make a trojan. I know it's hard work, and I don't want to do it alone. We could create a clan. I know VB and I'm learning Delphi... So who wants to join me?
tibbar
"Don't tell me, dude.
If you make a trojan in VB.NET then it will require the 12.3 MB .NET Framework.
I wonder if you might reconsider coding in VB.NET.
Regards
~Faceless Master"

This is a longer term project. Remember .net framework comes as standard in longhorn, and win api will be emulated in the future, with .net taking a front seat.

Move with the times, or get left behind...
edjorge
QUOTE (tibbar @ Feb 8 2004, 07:48 PM)
Move with the times, or get left behind...

Yeah, you're right... But who wants to join me?
TECHgenius
any encryptor will do the job. try Morphine.
http://hxdef.czweb.org/tools/Morphine12.zip
clubfed
techgenius, no it won't. you should try something before posting that it will. kaspersky has detected morphine 1.2 encrypted code since about a week after holyfather released it. :/

by the way, don't spend too much time on whatever solution you pursue, because the first time any of your code is caught, some user will forward it to an antivirus company - i had that happen with something and kaspersky had a signature pushed out within 24 hours and my undetectables suddenly were.

kaspersky unpacks hundreds of packer formats. if you read about some packer on the web, you're too late - what you are reading, they already read and incorporated into their scanner. your only hope is to change the code, or for non-resident av, write a packer that you do not share or leak ever. av that scan memory or process images are going to bust that though.
edjorge
QUOTE (clubfed @ Feb 16 2004, 09:27 AM)
techgenius, no it won't. you should try something before posting that it will. kaspersky has detected morphine 1.2 encrypted code since about a week after holyfather released it. :/

Hehehe that's right...
TECHgenius
my mistake...
Trojan^kid
QUOTE
Semi-Unfinished executable protector/crypter. It takes a normal packed UPX executable and tacks on another section adding a decryption of the UPX decompression stub as to (again) make UPX executables not look as UPX packed executables. Works well on MSVC++6 applications packed w/ UPX. Also doesn't chop EOF data like UPXredir did. Included is the `Crypter` source in Delphi-6 and the decompression stub ASM.
Wodan4Life
try not to pack it, but to encrypt it... use a non widely used number, that'll help!
edjorge
QUOTE (Wodan4Life @ Feb 18 2004, 07:49 AM)
try not to pack it, but to encrypt it... use a non widely used number, that'll help!

Yeah, that also works...
oYost
Encryption doesn't work either..

The only solution is to use AVP offset with old .avc files which recognize your trojan/virus/hacktool and then hex-modify it.
edjorge
QUOTE (oYost @ Feb 18 2004, 04:46 PM)
The only solution is to use AVP offset with old .avc files which recognize your trojan/virus/hacktool and then hex-modify it.

Can u give more details?
oYost
A tutorial for hex editing with avpoffset has already been posted here,

good luck
secur3x
QUOTE (gk0r @ Jan 27 2004, 06:38 AM)
looooool

You can't beat KAV - there isn't a (public) packer that KAV isn't aware of.
You know what's the worst of it? There are more AVs, such as F-Sec and at least one other whose name I've forgotten - just as tough as the Kaspersky guys.

The only way would be to get those packers' / encryptors' sources and modify them substantially. I've seen services on the net where guys promise to make your tools 100% undetectable by any AV by doing this trick. As much as I know about programming and stealth I haven't been able to figure out how to do that - maybe someone else is geekier than I am.

yes, kaspersky is an extremely good virus scanner. I would recommend it to everyone; I've been using it for about 3 years now.

but as far as it detecting all packers, that is somewhat untrue. I have successfully packed well-known public trojans with ASPack and ASProtect and KAV has not found them. although lately I'm not sure if they do yet or not, I haven't tested it for a while. I know though that ASProtect and ASPack will hide just about anything from Norton AntiVirus 2003.

guy12
try this

it changes the UPX stub, so KAV cannot detect that it is UPX packed and it doesn't unpack it.

it is a beta release with a lot of bugs but it works at the moment and it is undetected.
Liquidess_Shade
I think personally that the concept is flawed. You are trying to find a way to pack a program that has already been caught. Hex editing it won't do you much good, be it a trojan or a virus.

Ergo, the answer is something simple. Either:

A) Create your own trojan or virus and use that. (currently my preference)

or

B) Create your own encryption algorithm.

To add on to B, I would just as well create a polymorphic engine with it to boot, and create the trojan to accept plugins too.

Anyways,

My 2 cents.

L_S
chsz20
a packer can only make the trojan undetected for file scans

when you execute it, AV will detect it

so the best way is to code your own trojan
aapje
Hex editing has no effect... also Morphine, better not use it, some scanners detect Morphined files as viruses, just because they are encrypted with Morphine. Make your own, or use sources and modify them a lot...
Progressor
QUOTE (chsz20 @ Apr 18 2004, 02:03 PM)
a packer can only make the trojan undetected for file scans

when you execute it, AV will detect it

so the best way is to code your own trojan

That is not correct, there are some packers atm that no AV can detect:
PElock 1.06
Xprotect 1.07
MEW 1.1

BTW, hexing the file (trojan) can ruin the code itself, thus it's not recommended. The best way is to pack the trojan with UPX/ASPack and change the header of the file; that way AV will not think that this file is packed and will not try to unpack it.
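Two claims in this thread can be checked from the defender's side: clubfed's point that scanners recognise and unpack the packers they know about, and Progressor's point that changing the header stops a scanner from treating the file as packed. The script below is an added example, not code from this thread or from any tool named in it. It builds minimal, constructed PE-shaped byte strings inline (no real executables are read) and runs two classic packer heuristics over the section table: a section-name match and a per-section Shannon entropy check. The section-name list, the 7.0 bits/byte threshold and the `build_image` layout are assumptions chosen for illustration.

```python
import math
import random
import struct

# Added defensive example (not code from the thread). Assumption: these
# section names are treated as packer indicators; the list is illustrative.
KNOWN_PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Walk MZ -> e_lfanew -> PE -> COFF -> section table; return (name, raw bytes) pairs."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                       # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", image, off + 16)
        sections.append((name, image[ptr_raw:ptr_raw + size_raw]))
    return sections


def packing_indicators(image: bytes, threshold: float = 7.0):
    """Return human-readable reasons the file looks packed (empty list if none)."""
    reasons = []
    for name, raw in parse_sections(image):
        if name in KNOWN_PACKER_SECTION_NAMES:
            reasons.append(f"section {name!r} matches a known packer name")
        if len(raw) >= 256:                        # skip tiny/empty sections
            h = shannon_entropy(raw)
            if h >= threshold:
                reasons.append(f"section {name!r} has entropy {h:.2f} >= {threshold}")
    return reasons


def build_image(sections):
    """Assemble a minimal PE32-shaped byte string from (name, body) pairs (constructed test data)."""
    e_lfanew, opt_size = 0x40, 0xE0
    table_off = e_lfanew + 4 + 20 + opt_size
    data_off = (table_off + 40 * len(sections) + 0x1FF) & ~0x1FF   # 512-byte alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, bodies, ptr = b"", b"", data_off
    for name, body in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(body), 0x1000,
                             len(body), ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body
        ptr += len(body)
    return (dos + b"PE\0\0" + coff + optional + table).ljust(data_off, b"\0") + bodies


# Constructed section bodies: a repetitive "code"-like pattern and random bytes.
LOW_ENTROPY = b"\x55\x8b\xec\x90" * 1024
HIGH_ENTROPY = random.Random(7).randbytes(4096)

PLAIN_IMAGE = build_image([(".text", LOW_ENTROPY), (".data", b"\x00" * 1024)])
UPX_IMAGE = build_image([("UPX0", b""), ("UPX1", HIGH_ENTROPY), (".rsrc", b"\x00" * 1024)])
# Same layout with the packer's section names replaced by ordinary ones.
RENAMED_IMAGE = build_image([(".text", b""), (".data", HIGH_ENTROPY), (".rsrc", b"\x00" * 1024)])

if __name__ == "__main__":
    for label, img in [("plain", PLAIN_IMAGE), ("upx", UPX_IMAGE), ("renamed", RENAMED_IMAGE)]:
        print(label, packing_indicators(img) or ["no packing indicators"])
```

The renamed image is the interesting case: the name check is silent, but the compressed body is still a near-random blob, so the entropy check fires anyway. That is why a scanner that relies only on recognising a packer's header is weak, and why, as clubfed notes above, resident scanners also look at the process image after the stub has run, where the decompressed code is plain again.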
BuzzDee
CODE
Zu überprüfende Datei: go.exe


go.exe Komprimiert: MEW
go.exe Komprimiert: ASPack
go.exe Infiziert: Backdoor.RsCrt


no chance - kaspersky gets 'em all - upolyx too, btw
cranky
you know how many people actually use KAV? like a few thousand tops. and they are all hackers and various other tech geek flavors anyhow. beat Norton and McAfee and you're good to go for 85% of the systems you will come across. toss in F-Secure, Sophos and Trend and that's like 95%. that's not to say 95% of all machines use those, but people that use the best AV probably aren't gonna let you on their box anyhow.
skater
But where do I get this tool UPXredir?
Nessuno
I haven't got KAV so I can't try, but I often use pe-crypt 4 win, have you tried it?
it is free and it works for me with most AVs like NAV and MCA. let me know!
Pe-crypt
TheRealGiant
QUOTE (Nessuno @ May 3 2004, 08:20 AM)
I haven't got KAV so I can't try, but I often use pe-crypt 4 win, have you tried it?
it is free and it works for me with most AVs like NAV and MCA. let me know!
Pe-crypt

Nope, won't work. Have just tried it!
147111
Try UPX on your trojan and then Morphine v1.2, KAV doesn't recognize this packer.
strohunter
QUOTE (147111 @ May 18 2004, 11:08 AM)
Try UPX on your trojan and then Morphine v1.2, KAV doesn't recognize this packer.

already suggested, and it doesn't work (update the KAV file and scan it, you will see)


the only way is to make your own crypter (not a packer, UPX is there ^^) and keep it to yourself
toska
AVP can unpack PElock 1.06 files, thus detecting the original file.
brainbuster
In my opinion it is much easier coding a backdoor on your own.

And mostly you don't need much more than a remote cmd-line.
So it's not too hard making your own code if you reduce it to the essential needs (remote shell).

I'm using my own code only and I'm happy with it.

and in the end you will learn many things by investing time in making your own code.
it's really worth it!
archphase
KAV, well actually none of the AVs detect my NWCC. It's a semi-private crypter that I didn't post on boards. It supports most apps linked with LINK that don't use exotic features (aka no Delphi trojans or VB). I got it to work with my applications in VC++.

Grab it @ my site: http://archphase.united.net.kg
http://nuclearwinter.mantissecurity.net

When summer comes I'm gonna prolly do a complete re-write and turn it into a full packer that'll support just about everything, and try to write a good poly engine.
B3T4
QUOTE (brainbuster @ May 18 2004, 08:38 PM)
In my opinion it is much easier coding a backdoor on your own.

And mostly you don't need much more than a remote cmd-line.
So it's not too hard making your own code if you reduce it to the essential needs (remote shell).

I'm using my own code only and I'm happy with it.

and in the end you will learn many things by investing time in making your own code.
it's really worth it!

i totally agree on that!

And besides, learning which app wraps the trojan of choice isn't that educating; grab your hex editor and learn something. Or make your own, it will beat the shit out of all AVs.
Yorn
There is one:

Armadillo

http://www.siliconrealms.com/armadillo.shtml

There are AV researchers that swear that the methods used by Digital River, Inc. cannot be cracked, which means that if you have a full version of the Armadillo software, then you can pack/encrypt executables and be pretty damn certain that the AV vendors aren't going to catch them.

After all, Morphine was the same way, AV vendors were lazy and didn't bother learning how to get around it and just labeled the packer itself as a virus. They can't do that with legitimate software like Armadillo.

Keep that in mind when you create your trojans/virii.
147111
Hex editing has no effect... also Morphine, better not use it, some scanners detect Morphined files as viruses, just because they are encrypted with Morphine. Make your own, or use sources and modify them a lot...
Invision Power Board © 2001-2005 Invision Power Services, Inc.