
Thread: Hiding from AV

  1. #21 KMDave (Moderator), joined Jan 2010, 2,281 posts

    Quote Originally Posted by _jond:
    lol. I just like to start shit. And I don't like to help n00bs.
    Sounds like OP might be cool though. Either way, gencontrol. AV doesn't pick it up. It's free. Click click done.
    I don't like these kinds of posts either.

    @Topic

    Well, fortunately there is no easy way out. Otherwise it would make any AV useless.
    The method mentioned before, encrypting the whole file, won't bypass most AVs, since it will get detected when the whole file is encrypted. It pretty much comes down to finding where an AV is detecting the signature and then trying to change it. And yes, that means quite some work. From what I have experienced with AV detection, quite a lot of AVs use the same signature. So if you pick one of the well-known AVs and bypass its signature, you will likely also bypass the signature detection of another 5-10 AVs. I noticed that virus scanners from Asia/India have kind of the best signatures in terms of being harder to evade. And the McAfee Gateway scanner.
    Tiocfaidh ár lá

  2. #22 BigMac (Senior Member), joined Jan 2008, 213 posts

    Quote Originally Posted by KMDave:
    I don't like these kinds of posts either.

    @Topic

    Well, fortunately there is no easy way out. Otherwise it would make any AV useless.
    The method mentioned before, encrypting the whole file, won't bypass most AVs, since it will get detected when the whole file is encrypted. It pretty much comes down to finding where an AV is detecting the signature and then trying to change it. And yes, that means quite some work. From what I have experienced with AV detection, quite a lot of AVs use the same signature. So if you pick one of the well-known AVs and bypass its signature, you will likely also bypass the signature detection of another 5-10 AVs. I noticed that virus scanners from Asia/India have kind of the best signatures in terms of being harder to evade. And the McAfee Gateway scanner.
    You should check out the video that was posted, KMDave! muts is brilliant...

    What I have done in the past was use virustotalDOTcom and a hex editor; with the search utility you can find the string through a process of elimination.

    But what muts presented in that video was just insane. I'm sure his method will be automated and integrated into the framework in a short amount of time... If anyone has any more documentation on what muts showed in his video, please post links...

  3. #23 KMDave (Moderator), joined Jan 2010, 2,281 posts

    Oh, missed it while I read through the thread.

    I'll check it out later again, I think I watched it some time ago.
    Tiocfaidh ár lá

  4. #24 Junior Member, joined Jan 2010, Canada, 84 posts

    Quote Originally Posted by KMDave:
    Well, fortunately there is no easy way out. Otherwise it would make any AV useless.
    The method mentioned before, encrypting the whole file, won't bypass most AVs, since it will get detected when the whole file is encrypted.
    I assume the last word should be "decrypted", and yes, it will bypass it. AVs scan in two ways, string scanning and heuristics. String scanning happens when the file is dormant; heuristics happen when it is active.

    You cannot do a string scan while it is active because, aside from the whole "protected running on ring3" thing, accessing a byte of memory from two different processes ultimately screws things up.

    Thus, full program encryption solves the string scanning part; next you just have to make sure you don't get caught by heuristics.

    And this whole subject is rather a moot point because anyone who can defeat an AV in this or other manners should be able to code their own shells, etc.

  5. #25 KMDave (Moderator), joined Jan 2010, 2,281 posts

    Sorry, but whole program encryption won't prevent the signature from being detected.

    It might bypass one or two free AVs, but more advanced AVs will still detect it if the entire file is, for instance, XOR-encrypted.

    If, on the other hand, some parts are encrypted but not the entire file, it will work, at least for the specific AV.
    Tiocfaidh ár lá
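The point KMDave makes about a whole-file XOR layer can be shown from the scanner's side. The following is an added example written for this page, not code from the thread or from any AV product: a constructed byte string stands in for a signature (it is not a real detection pattern), a constructed "file" is XORed with an arbitrary single-byte key, and two scanners are run over it. The naive one misses the encoded copy; the one that expects a XOR layer recovers the key by searching for the signature under all 256 keys. A Shannon entropy helper is included to show why an entropy heuristic alone would not flag this case.

```python
"""
Added example (not from the thread): a single-byte XOR layer over a whole
file does not hide a byte signature from a scanner that expects such layers.
All byte strings below are constructed for the demonstration; SIGNATURE is
a made-up pattern, not a real detection signature.
"""
import math
from collections import Counter

# Constructed stand-in for a byte pattern a scanner would look for.
SIGNATURE = b"EXAMPLE-SIGNATURE-NOT-A-REAL-ONE"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def scan_plain(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Naive scanner: look for the signature bytes exactly as stored on disk."""
    return signature in data


def scan_xor_aware(data: bytes, signature: bytes = SIGNATURE):
    """
    Scanner that accounts for a whole-file single-byte XOR layer.
    Instead of decoding the whole buffer 256 times, it XORs the short
    signature with each candidate key and searches the raw bytes for it.
    Returns the key under which the signature was found (0 means the file
    was not encoded at all), or None if nothing matched.
    """
    for key in range(256):
        if xor_bytes(signature, key) in data:
            return key
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed "file": a header-like prefix, some filler, the signature, a tail.
SAMPLE_FILE = (b"MZ" + b"\x00" * 16
               + b"some harmless filler " * 4
               + SIGNATURE
               + b" trailing bytes")
# The same file with every byte XORed against 0x5A (an arbitrarily chosen key).
ENCODED_SAMPLE = xor_bytes(SAMPLE_FILE, 0x5A)

if __name__ == "__main__":
    print("plain scan, original :", scan_plain(SAMPLE_FILE))              # True
    print("plain scan, encoded  :", scan_plain(ENCODED_SAMPLE))           # False
    print("XOR-aware, original  :", scan_xor_aware(SAMPLE_FILE))          # 0
    print("XOR-aware, encoded   :", hex(scan_xor_aware(ENCODED_SAMPLE)))  # 0x5a
    # Single-byte XOR only permutes byte values, so the byte histogram and
    # therefore the entropy are identical before and after encoding.
    print("entropy original/encoded: %.3f / %.3f"
          % (shannon_entropy(SAMPLE_FILE), shannon_entropy(ENCODED_SAMPLE)))
```

Two things the run shows. First, the XOR-aware pass costs one substring search per candidate key, so handling this layer is cheap for a scanner, which is why a trivially encoded whole file is not a reliable hiding place. Second, a single-byte XOR does not change the byte distribution, so an entropy-based "looks encrypted" heuristic would not flag it either; that heuristic is for strong encryption or compression, where the histogram flattens toward 8 bits per byte. Both checks are illustrations of scanner-side reasoning, not a description of how any particular product works.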

  6. #26 lupin (Super Moderator), joined Jan 2010, 2,943 posts

    Quote Originally Posted by HitThemLow:
    AVs scan in two ways, string scanning and heuristics. String scanning happens when the file is dormant; heuristics happen when it is active.

    You cannot do a string scan while it is active because, aside from the whole "protected running on ring3" thing, accessing a byte of memory from two different processes ultimately screws things up.
    There are more than just two techniques used by AV programs to detect viruses, and signature-based virus scanning of programs in memory has been available in some AV programs since DOS. Have a read of "The Art of Computer Virus Research and Defense" by Peter Szor; it covers the subject in detail.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  7. #27 prowl3r (Guest)

    Well thank you everyone for your contributions, both in public and private.

    I believe I have enough info to continue this trip.

    While backdoors are not my area of expertise (and I don't pretend to know everything), I tend to agree with both KMDave and lupin. It is not as easy as it may seem, and AVs are becoming quite a sophisticated piece of software. I've seen it first hand. Unfortunately, crackers / lamers are usually the most proficient at this particular task.

    Having said that, I believe HitThemLow's approach may also work. I did a quick search but I could not find references to that method (and I am pretty good at searching). I found, however, references to encrypt.exe downloads from obscure sources, some of them with undocumented registry changes. The problem here is I need to control every potential side effect in advance, and everything should be reversible.

    Also I'll check DameWare and Hydrogen (thanks Gitsnik and lupin) and will watch Mati's video on the subject.

    @aliosity, no hard feelings. As far as I see it, one needs to have really solid reasons to put someone else's reputation into question.

    @spankdidly, LMAO

    Thanks guys, you are great

  8. #28 mixit (Member), joined Jan 2010, 104 posts

    @HitThemLow

    And this whole subject is rather a moot point because anyone who can defeat an AV in this or other manners should be able to code their own shells, etc.
    Could you expand on this? When I create a reverse_tcp exe payload with metasploit, for example, using ./msfencode seems to evade AV just fine when it's not running. When I open the exe file, however, it is noted as a suspicious file and requests permission to run.

    Is the AV picking this up via heuristics or something else? I have scanned the file when it's dormant and it's not found suspicious. Could you point me towards something to look into?

  9. #29 Developer, joined Mar 2007, 6,124 posts

    Quote Originally Posted by _jond:
    lol. I just like to start shit. And I don't like to help n00bs.
    Sounds like OP might be cool though. Either way, gencontrol. AV doesn't pick it up. It's free. Click click done.
    Well, you are not the kind of person we want around here then.

    KTHXBYE

  10. #30 BigMac (Senior Member), joined Jan 2008, 213 posts

    Quote Originally Posted by MixIt:
    @HitThemLow

    Could you expand on this? When I create a reverse_tcp exe payload with metasploit, for example, using ./msfencode seems to evade AV just fine when it's not running. When I open the exe file, however, it is noted as a suspicious file and requests permission to run.

    Is the AV picking this up via heuristics or something else? I have scanned the file when it's dormant and it's not found suspicious. Could you point me towards something to look into?
    This warning might be caused by downloading a file from an unknown website. Before you transfer your file, package it with WinRAR or find another way to transport it...
