Government Security
Network Security Resources

Undetectable Trojans


96 replies to this topic

#1 Guest_aRpanetGuru_*

Guest_aRpanetGuru_*
  • Guests

Posted 20 October 2003 - 01:16 PM

I read a recent topic about someone asking "How to make a trojan undetectable" and the replies were nonsense. I came across a forum a while back that showed how it was possible to make trojans undetectable by editing certain parts in Hex Edit. It goes a lot more in depth than that, but that was the easiest way to put it. Every AV software has its own signatures for different viruses. Anyway, what I'm getting to is wondering if anyone knows of any sites/forums that talk about this, or if one of you knows enough about it to explain it to the rest of us. I think it would be a great topic. Thanks.

#2 ssj4conejo

ssj4conejo

    Sergeant

  • Members
  • 239 posts

Posted 20 October 2003 - 06:55 PM

Why not make it easy on yourself and find an already undetectable trojan, or one that isn't so widely detected? There are some flying around even in this forum, *cough* winshell *cough*. Just don't abuse the undetectable trojans because then they will become detectable = ). That happened to me with a trojan that I abused before; 2 months later it showed up in the latest defs.

#3 Guest_MAeStRo_*

Guest_MAeStRo_*
  • Guests

Posted 22 October 2003 - 11:10 AM

hi
I can get any signature used by Kaspersky to detect the trojan
but
I still don't know how to change it using mah hex editor :(
can anybody tell me the way?
anyway, this is the sign for net-devil server

Backdoor.NetDevil.15

Signature 1 :
Offset: 551221 ( 86935h)
Length: 7 ( 7h)
Checksum: (F0020DE8h)

Signature 2 :
Offset: 550379 ( 865EBh)
Length: 128 ( 80h)
Checksum: (F87C2107h)

but how can I use that info to encrypt mah server?
plz help :(

#4 gman24

gman24

    Specialist

  • Sergeant Major
  • 643 posts

Posted 23 October 2003 - 07:14 PM

The best way: Make a new one.

#5 Guest_MAeStRo_*

Guest_MAeStRo_*
  • Guests

Posted 24 October 2003 - 03:58 AM

The best way: Make a new one.

How can I do that?
Do u know the best way to encrypt or change trojan signs?

#6 gman24

gman24

    Specialist

  • Sergeant Major
  • 643 posts

Posted 02 November 2003 - 12:33 PM

I suggest visual basic, it's the easiest language to learn.

Look at freevbcode.com or other sites for examples of how to do certain things (whatever you want it to do). Put those together and make it do what you want.

You want to use a resource hacker or disassembler to change the descriptions to something different, so that when zone alarm or something pops up it gives them that. Also the icon, don't want it the vb icon.

Just don't try infecting people who know what they're doing, they run a port/program checker and send it to AV. Then it will be scannable.

You need to change some things in assembly/resource hacker so it's not easily traced back to you.


After that you need to build a drop of some sort, in vb you can write files in binary "Open file for output as binary"(I think). Open your trojan in binary and copy paste it into the drop program.

Now it's undetectable :). Until someone finds it and sends it to AV.

Edit:
LOL, sorry I forgot about that post, I really don't check this board that much

Sorry it took so long to reply.

Also after you are proficient in VB switch to C/C++ because they don't require the vb runtime files.

#7 Guest_incognito_*

Guest_incognito_*
  • Guests

Posted 06 February 2004 - 07:58 PM

If you have the source to the server, and it was coded in VB you can add random shit like:

Dim str_junk as string
str_junk ="56<{Zy]v>e~c=6}?Wڞ`%?e
Tn_MoSucker_CgiV5j?Ka܂v7zkˇ?YVictimName=m
zvMk>]uErL4()˨>?]?SK?ذ
k[Antivirus_killC[6]{l?vܹ*?_pCH_??=}Q
ck.] ^7l ݭo?ڃc! 뙶3:(Ʊ¾mqegi-?[ W>
r܊-fsYn;\][-?͊1e~Mv"

1) Change the info in your project properties (app name, comments, etc ..). Make sure the new values u put in have a different length than the previous ones.

2) Move around your subs and functions. Ex: Take all the functions/subs at the bottom of your modules and forms and move them to the top.

3) Sometimes AV will tag specific strings in your file, so no matter how much you move stuff around, it's still detected every time u compile the code. McAfee did this with MoSucker 3.0. For example, they tagged "port=" in the cgi string.

To find what they have tagged, backup your source, and then start deleting contents of subs and functions in the code. Don't delete the entire function, otherwise you'll get compile errors, just the content. Delete 5 or 6 of them and then try to compile. When it finally gets past AV, you know their tag was in the last 5 or 6 functions u deleted. Ctrl - Z and narrow it down from there. Then just encrypt the string that they have tagged. Simple.

If u delete all the code in each function and it's still detected, then they might have tagged a function name. Change function names until you find the one they chose.

If u have deleted all the code from the project (tried all the above) and the file is still detected, start a new project in VB and copy all the server code into the new project, save, and compile.

Quoted from mosucker.net.

Also hex editing is good.

#8 edjorge

edjorge

    Private First Class

  • Members
  • 28 posts

Posted 07 February 2004 - 10:27 AM

Can someone explain more about Hex Editing stuff?

#9 ST.

ST.

    Private First Class

  • Members
  • 94 posts

Posted 07 February 2004 - 03:13 PM

use Ultraedit to hex them all :)

#10 Guest_Bigbowser_*

Guest_Bigbowser_*
  • Guests

Posted 07 February 2004 - 06:13 PM

Some trojans like Optix pro are decompilable.. (it's written in delphi)
so just grab yourself a copy of DeDe and use that.

Also I'd recommend win32 dasm, It converts it to win32 asm (although it looks like 16 bit :huh: )
Then from there go somewhere like www.win32asm.cjb.net and just have a play with the source.

#11 edjorge

edjorge

    Private First Class

  • Members
  • 28 posts

Posted 08 February 2004 - 08:34 AM

Some trojans like Optix pro are decompilable.. (it's written in delphi)
so just grab yourself a copy of DeDe and use that.

Is this good? :huh:

#12 TECHgenius

TECHgenius

    Private First Class

  • Members
  • 51 posts

Posted 09 February 2004 - 03:18 AM

Try reading this tut.
http://www.nakedcrew...p?showtopic=162

#13 forza

forza

    Private First Class

  • Members
  • 88 posts

Posted 12 February 2004 - 03:03 PM

I'm using TrendMicro Internet security and it detects all trojans I have tried.
Does anyone know a really undetectable trojan?

#14 xwarlordx

xwarlordx

    Private

  • Members
  • 4 posts

Posted 13 February 2004 - 10:48 AM

Well, the problem is, most trojans are user-level based, which always makes them (somehow) detectable; if you really want to come close to undetectable you should work kernel based (ntquery).

Then you should think about what you would like to hook exactly, like files, reg keys, dirs, even ports?

Besides, most viruses are still working with the reg run idea, which is really simple to clear, why not hook it into a process like gina --> winlogon or something. (too bad that that's user based like svchost ;))
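
Seen from the defender's side, the two autostart locations named in post #14 (the registry Run keys and the Winlogon GINA hook) can be audited offline from a `reg export` text dump. The following is an added example, not part of the thread: the sample export, its value names and the `run_allowlist` parameter are constructed for illustration.

```python
import re

# Constructed sample in `reg export` text format; not data from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"
"svch0st"="C:\\WINDOWS\\Temp\\svch0st.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"GinaDLL"="C:\\WINDOWS\\system32\\xgina.dll"
'''

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
WINLOGON_KEY = re.compile(r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$", re.I)
# Stock Winlogon values. GinaDLL is normally absent (msgina.dll is the default),
# so any other GinaDLL data deserves a look.
WINLOGON_STOCK = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
    "ginadll": "msgina.dll",
}
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Yield (key, value_name, data) for each string (REG_SZ) value.
    hex(...) encoded values such as REG_EXPAND_SZ are skipped in this sketch."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            # Undo .reg escaping: \\ -> \ and \" -> "
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            yield key, name, data

def audit_autostart(text, run_allowlist=()):
    """Return Run/RunOnce entries missing from the allowlist and Winlogon
    values that differ from the stock ones, as (key, name, data) tuples."""
    allowed = {p.lower() for p in run_allowlist}
    findings = []
    for key, name, data in parse_reg(text):
        if RUN_KEY.search(key):
            if data.lower() not in allowed:
                findings.append((key, name, data))
        elif WINLOGON_KEY.search(key):
            stock = WINLOGON_STOCK.get(name.lower())
            if stock is not None and data.lower() != stock:
                findings.append((key, name, data))
    return findings
```

The allowlist is compared against the full command string, so it should come from a known-good baseline of the same machine build.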

#15 forza

forza

    Private First Class

  • Members
  • 88 posts

Posted 14 February 2004 - 01:59 AM

I found a nice tool
ANTIantivirus
will make any file(virus,trojan, etc.) undetectable by antiviruses
v1.4 has ability to kill any running program when executed

http://z0mbie.bravepages.com/#anti



