Sign In
Register
Help
Posted 23 December 2003 - 04:49 PM
How to bypass Anti-Virus systems...
well , as i saw there r so many newbie hackers there ,donnow
how to UNDETECT their BAD-THINGS ;) , i decided to tell them
how to do that ?
As u know , AV systems or alike softwares ( Not those works/watch network status...)
detect viruses, trojans ,etc. with some methods such as
file size , file-name , and the most important one : File Header
so ?
when we have a detected file ( imagine trojan-server.exe ) . our AV detect it as
a "backdoor/Trojan xxx "
but how it does the detection ?
the most proces it do is checking the file header .and here we have a EXE file.
and how AV detect thatit`s a dangerous header ? it simply compare the file header with
those ,it have in it`s included virus-defenition database . so the only thing we have
to do , it to CHANGE THE FILE HEADER . if we do well , the AV would face to a new
header , wich is NOT avalable in it`s DB ! so it won`t detect it anymore . cus it see
something different than those ,exist in virus-defenition file of AV .
How to change a Executeable file header ?
There so many ways to do ! but most of these methos needs u to be a
good programer , or a pro. ... . but still there is a simple and
really easy methos FOR U ;)
Do u know any about "ZIP " ?
I mean the most common method/extencion of file comprestion...
the role is that our compressor , take a look at our file , review it
and replace it`s entire data , with something else ( but same ) ....
here i won`t explain how a file goes compressed ! learn it urself ;)
the thing i wanna mention is that ,after all of compressing proces
the files header would change ! <~~
some of stupied ppl may think like this :
OK ! I got . i`ll zip the file and send/copy it .
it may works , BUT till we only try to send/copy it .
what about the execution time ????
AV eat ur file as soon as u think :-x
so we`re goeing to compress the EXE-File !
we wont chane the extension to .zip or anything else...
we just compress the file`s entire data ...
and after that , we have a new header wich have SOME different parametrs
.
we begin with introducing a cute tool : UPX
Ultimate Packer for eXecutables
Copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24w Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002
Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..
Commands:
-1 compress faster -9 compress better
-d decompress -l list compressed file
-t test compressed file -V display version number
-h give more help -L display software license
Options:
-q be quiet -v be verbose
-oFILE write output to `FILE'
-f force compression of suspicious files
-k keep backup files
file.. executables to (de)compress
This version supports: dos/exe, dos/com, dos/sys, djgpp2/coff, watcom/le,
win32/pe, rtm32/pe, tmt/adam, atari/tos, linux/386
UPX comes with ABSOLUTELY NO WARRANTY; for details type `upx -L'.
==========================
as u can see , it`s a "Packer for eXecutables " files . the exact thing we need ;)
I know how much lasy u r ! so i`ll go to explain how to use it ...
Assume we have a back-door wich AV detect it .
Directory of C:\
11/07/2002 02:13 PM 94,208 UPX.EXE
12/15/2003 11:50 PM 190,464 bd.exe
we`re gonna pack this file ( some way we zip the data INSIDE the file ).
we type:
What happened ?
C:\>upx -9 bd.exe
Ultimate Packer for eXecutables
Copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24w Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002
File size Ratio Format Name
-------------------- ------ ----------- -----------
190464 -> 67072 35.21% win32/pe bd.exe
Packed 1 file.
If u try to learn how the stuff works , u`ll see that the parametr i used ( -5 )
is the comprestion rate . there r 9 rates avalable for u to use .
UPX packed my file .
and as u can see , the file size have been changed !
and hopefully the header too ;)
we still have our BD.exe wich works 100% same as the orginal BD.exe
but with a different size and a changed header .
so up to now , u`ve tricked AV 2 times :
1-AV may detect BD.exe by it`s size wich u changed it.
2-AV may detect BD.exe by it`s executeable header ,and u changed it too !
40% of the times ur done here .
hey man ! only 40% ??????????
don`t worry . i`ll increase our chance to 75% .... ;) just be patient...
Now i`ll give u some useful tricks about files too....
1-=) Some files may still tay detected after this method ! :D
How2 prevent this ?
as u see we used the maximum rate ( -9 ) for this file ,
but AV still warn us ! why ?
Cus AV know both , the orginal header and the compressed header.
BUT , if u pay attention u`ll see that most of the times AV`s
have only the orginal header , not the compressed one ,and after all
if they included the compressed header , they usually include the
Max.rate compressed header ... !;) yeah...not ALL possible rates...
so we found a way to escape :)
in such cases ,we try different rates of UPX againts out file ( BD.exe ).
let`s try...
C:\>upx -5 bd.exe
Ultimate Packer for eXecutables
Copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24w Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002
File size Ratio Format Name
-------------------- ------ ----------- -----------
190464 -> 71680 37.63% win32/pe bd.exe
Packed 1 file.
Now ,usually our AV won`t detect it . u should try other rates if it didn`t worked.
don`t worry , we have 9 rates here . one would works for ur file ;)
2-=)Second trick maybe have more importance !
ans it`s when u get this error ,when u try to UPX ur file.
look :
C:\>upx -5 bd.exe
Ultimate Packer for eXecutables
Copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24w Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002
File size Ratio Format Name
-------------------- ------ ----------- -----------
upx: bd.exe: AlreadyPackedException
Packed 1 file: 0 ok, 1 error.
Damn !.....
hey...i told u be patient ;)
nothing bad happened . UPX is just telling that the file ur trying to
compress is already packed ::: upx: bd.exe: AlreadyPackedException :::
in this case ( executeable files ) we can`t re-compress a file ,
but in normal caces ( .zip .rar ... ) we haven`t such problem.
so what should we do ???? :|
and as i`m again sure wich ur lasy and didn`t read the HELP of UPX
carefully , i`ll tell u what to do ....
We have a " -d " switch in UPX .
The job it do is Decompress , already compressed file . like the one we have.
Found what to do ? i don`t think so !!!
ok
Fisrt u decompress ur file with -d :
C:\>upx -d bd.exe
Ultimate Packer for eXecutables
Copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24w Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002
File size Ratio Format Name
-------------------- ------ ----------- -----------
190464 <- 71680 37.63% win32/pe bd.exe
Unpacked 1 file.
As u see , u changed the file a lot ;)
size/header changed again . it may be enough to trick the AV itself.
but if AV warned again , try to compress the file with different rates...
Don`t forget we have 9 rates ....so try the one ,trick ur av ;)
Now u have a 75% chance to make ur file UNDETECTED !
where can it be usefull ?
The time u wanna install a backdoor ans specuially a rootkit
on a compromised system ;)
The only thing i forgot to mention is that we have same thing on
Unix/Linux too ! ;)
and sorry about my bad english wich sucks,,,
Happy packing
--Elite--
How To Trick Anti-virus Systems .... Makeing things undetectable...
#3
|
Our Sponsors: |
MultiQuote
