Government Security
Network Security Resources

Undetectable Binder Tutorial


26 replies to this topic

#1 vnet576

vnet576

    Specialist

  • Members
  • 1,000 posts

Posted 29 February 2004 - 12:29 PM

This is the way I've been binding my files, and since I saw eyeless's thread I decided to make a tutorial for it. This is completely undetectable by Kaspersky AV and I assume by other lesser AV such as Norton, McAfee, etc. I included my binder source, the source for another prog, and my tutorial for this. I also included a bound file called File_Binder.exe. That file contains two very dangerous worms. That is to see if your AV detects it. If it does, post what the two worms are and what AV you used. I decided to post the same tutorial on codelinx and here. For specific programming questions about this binder go there. Enjoy:

Undetected by Kaspersky:
http://www.kaspersky...teviruschk.html

Current object: File_Binder.exe
File_Binder.exe Ok


Edit:
Later I plan on adding an encryption algorithm to encrypt the hex-dumped data, making it even more secure.

Edited by vnet576, 29 February 2004 - 12:33 PM.


#2 fre4k

fre4k

    Specialist

  • Members
  • 122 posts

Posted 29 February 2004 - 12:37 PM

Many thx for it! I will test B)

#3 Guest_Flapdrol_*

Guest_Flapdrol_*
  • Guests

Posted 29 February 2004 - 01:12 PM

Dunno what virii you added, but I can confirm that McAfee didn't see anything suspicious about the files.

#4 320X

320X

    Staff Sergeant

  • Members
  • 474 posts

Posted 29 February 2004 - 01:25 PM

thanks vnet576 for the post ;)

#5 invisible-boy

invisible-boy

    Private First Class

  • Members
  • 20 posts

Posted 29 February 2004 - 02:15 PM

thx a lot
----
but my AV detects it:
first Blaster, second W32.Sobig.A@mm "%systemroot%\newfile2.exe"
It detects it, so it is not undetectable.

#6 vnet576

vnet576

    Specialist

  • Members
  • 1,000 posts

Posted 29 February 2004 - 02:33 PM

Of course it would, once the files are extracted and run. I'm talking about the file File_Binder.exe, which you would send to the victim.

BTW, I hope your AV detected them before those 2 worms had a chance to execute.

Edited by vnet576, 29 February 2004 - 02:51 PM.


#7 fyle

fyle

    Private First Class

  • Members
  • 26 posts

Posted 29 February 2004 - 09:51 PM

Grisoft AVG detected one as lovesan.A but didn't find anything in the other.

#8 paskaluis

paskaluis

    Private

  • Members
  • 9 posts

Posted 29 February 2004 - 09:58 PM

thx for the binder file, I'm gonna check it out :D

#9 Guest_nexXx_*

Guest_nexXx_*
  • Guests

Posted 01 March 2004 - 12:08 AM

I have scanned it with G-Data AntiVirenKit, but nothing found :(

#10 meinaeiner

meinaeiner

    Private

  • Members
  • 13 posts

Posted 01 March 2004 - 12:17 AM

@vnet576

AntiVir PE reports Sobig.a in file_binder.exe.
NOD32 finds nothing.

thx

#11 linuxwolf

linuxwolf

    Corporal

  • Members
  • 173 posts

Posted 01 March 2004 - 05:06 AM

This looks like a very nice and original piece of work, it's rare, very.
Congratulations vnet, you've got my attention. :ph34r:

#12 Eyeless

Eyeless

    Specialist

  • Members
  • 143 posts

Posted 01 March 2004 - 01:26 PM

THANK YOU!

#13 d0whc3r

d0whc3r

    Private First Class

  • Members
  • 45 posts

Posted 03 March 2004 - 10:18 AM

Thx you!
Very useful, but the trojan is detected when the new file is created hehe

#14 vnet576

vnet576

    Specialist

  • Members
  • 1,000 posts

Posted 03 March 2004 - 12:48 PM

> Thx you!
> Very useful, but the trojan is detected when the new file is created hehe

Yes, I've noticed that, but that is the case with most binders. Once the output file is placed on the desktop it becomes fair game to the AV. I'm open to ideas for bypassing that. I'm currently thinking about injecting the two output trojans directly into memory.

#15 DaClueless

DaClueless

    Specialist

  • Members
  • 135 posts

Posted 03 March 2004 - 01:28 PM

Thanks vnet576 :)

I will look it over, and decode your ASM and post it, if that is ok?

If not, just make a reply and I will not post the ASM version of your stuff



