Government Security
Network Security Resources

Undetectable Trojans

96 replies to this topic

#76 int_80 (Private, Members, 10 posts)

Posted 18 January 2006 - 10:27 AM

Decom the server in OllyDbg, create a stub, XOR it, then put a stub in which will unXOR it when executed. With a bit of perseverance you can make it polymorphic too.

#77 My571k (Private, Members, 1 post)

Posted 19 January 2006 - 07:13 AM

...pack it and hex. What's so hard? KAV sucks.

#78 Airstriker (Private First Class, Members, 26 posts)

Posted 02 February 2006 - 01:40 PM

or do it my way ;)

http://www.governmen...pic=18220&st=45

B)

#79 Guest_musictheft_* (Guests)

Posted 03 February 2006 - 04:37 AM

Quoting an earlier reply: "The best way: Make a new one."

agree totally

#80 Airstriker (Private First Class, Members, 26 posts)

Posted 04 February 2006 - 03:43 AM

Is anybody able to answer this question?

http://www.governmen...ndpost&p=142161

Thx in advance

#81 ambivalentika (Private, Members, 4 posts)

Posted 09 September 2006 - 12:20 PM

There are at least 2 programs out there that crypt/pack any server as UD. (Yes, even good old Sub7, tested on Kaspersky, BitDefender and NOD.) Just gotta open your eyes.

#82 Radioactive Toy (Private, Members, 2 posts)

Posted 04 October 2006 - 08:06 AM

Hi ppl. :)

I'm a newbie.

To make my Optix server undetected I've debugged it with Olly, put in a stub, XORed it, and so on... Then I've packed it manually, crypted it with yoda, bound it with iexpress and changed the icon with Resource Hacker. I've got my server undetected on scan but not when it starts... :(

What do I miss?? How can I make it undetectable to make it start? Any suggestion?

#83 funtu$h (Sergeant First Class, Members, 547 posts)

Posted 04 October 2006 - 11:47 AM

U've tried everything on ur server buddy, is it still intact? :P

#84 Radioactive Toy (Private, Members, 2 posts)

Posted 04 October 2006 - 12:32 PM

:D yes it is! I guess!

When I execute it AV detects it... what can I do more?? Is there any particular procedure?? What about stubs? Where can I read more?

#85 Zenob (Private, Members, 4 posts)

Posted 12 October 2006 - 04:47 AM

Quoting Radioactive Toy: ":D yes it is! I guess! When I execute it AV detects it... what can I do more?? Is there any particular procedure?? What about stubs? Where can I read more?"

Is the AV labeling it as Optix?
It might not be detecting the server, it might be detecting the binder/packer. You might try it again without the binding/packing and see if it still gets tagged.

#86 Edu (First Sergeant, Members, 2,269 posts)

Posted 12 October 2006 - 10:35 AM

lol... get a professional exe encryptor n good luck ;)

#87 fivepointzer0 (Private, Members, 14 posts)

Posted 18 October 2006 - 04:08 PM

I suggest visual basic, it's the easiest language to learn.

Look at freevbcode.com or other sites for examples of how to do certain things (whatever you want it to do). Put those together and make it do what you want.

You want to use a resource hacker or disassembler to change the descriptions to something different, so that when Zone Alarm or something pops up it gives them that. Also the icon, you don't want it to be the VB icon.

Just don't try infecting people who know what they're doing; they run a port/program checker and send it to AV. Then it will be scannable.

You need to change some things in assembly/resource hacker so it's not easily traced back to you.


After that you need to build a dropper of some sort; in VB you can write files in binary ("Open file for output as binary", I think). Open your trojan in binary and copy-paste it into the dropper program.

Now it's undetectable :). Until someone finds it and sends it to AV.

Edit:
LOL, sorry I forgot about that post, I really don't check this board that much.

Sorry it took so long to reply.

Also, after you are proficient in VB, switch to C/C++ because they don't require the VB runtime files.

You mention modifying source in VB.

I have a question regarding editing a keylogger in C++.

Currently the keylogger is easily picked up by AVG (exactly the AV I don't want picking it up).

I have the source to the keylogger, and I know a little bit of C++, but I'm not sure what to add or modify in order to fix the detection.

Any info you may have would be helpful. Even quoting some source I could add at random spots would help significantly.

Thanks and best regards.

#88 Genesis (Private First Class, Members, 36 posts)

Posted 01 December 2008 - 04:30 PM

I know this topic is old but I'm going to post here anyway for those of you that use it as a reference.

Making a trojan undetectable really depends on which antiviruses you are trying to evade and whether they are signature antiviruses or heuristic.

Most of the time, if you research an antivirus, you will learn its inner workings and, by better understanding it, you can learn some secrets ;)

Also, anyone know how to evade Norman Sandbox?

#89 bang one (Private, Members, 1 post)

Posted 25 January 2010 - 06:47 AM

Just open your search engine, and believe me the best way is hex editing your trojan. Simply use this tool http://www.ntcore.co...plorerSuite.exe; this tool comes complete with a PE editor, hex editor, signature check, signature manager and many more. In my case, to make editing easy, I use a splitter http://shup.com/Shup...r-v5.1.1189.exe; I use this tool to find where the AV signature flag is, then I edit it with the hex editor...

#90 Juza (Specialist, Sergeant Major, 149 posts)

Posted 16 February 2010 - 01:37 PM

I really recommend you to read Malware vs AVs.
Go to iamjuza.blogspot.com