1) it wasnt Xor it was a mutagenic bitshift (to prevent stub flagging)
2) I uploaded it to vrus total and novirusthanks and got a 0 detection rate on the scanning.
One last point I obviously havent been clear enough with here....
THIS, WILL, ONLY, DEFEAT, SIGNATURE, SCANNING, OF, A, FILE, ON, DISK..!!!
I didnt claim it would defeat heurstics or in memory scannin (although in my defense I did make an awesome way to defeat that to involving reading them out in an awesomely wierd way.)
Second: Mutagenic Custom Made Stubs ftw, Ive only had them get flagged when they are public ones.
Third: Learn to Recursion learn to recursion learn to recursion
Yes, I hate skype for that lol.Ok, so that covers file-system based (basics) of AV scanning.
In memory systems (a.k.a. on access scanning) works the same way - if it detects nc.exe signature IN MEMORY (i.e. while program is executing), often it will flag that and lock the system down. Having a completely encrypted binary will not stop this, as something like an XOR stub decrypts the binary and then executes it (check out the old cryptcom program for example).
One can evade an AntiVirus by decryption of "pages" of data in memory. This significantly reduces the memory access footprint that can be used for signatures (as well as being a nifty anti-debugging trick that programs such as Skype and a lot of copy protectors use). This prevents the signatures from being available for on access scanning.
Heuristics atm are very weak since you cannot simply block everything that COULD be used for bad, however they are getting better, as people "teach" computers to take context....It gets more complex: Most AV systems implement heuristics, which search for generalised sequences of functions (i.e. this program does not match my whitelist, and decrypts pages in memory, and my setting is set to "Paranoid" so I'm going to block this now) rather than individual signatures. Heuristics are definitely the way of the future, but for now they are merely a suppliment to signature based scans. These too can be defeated (usually by matching known good decryption algo's and such).
This Program connects to the inernet without permission: True
This Program makes one or system(), exece(), etc calls: True
This Program Takes no User Input: True
This Program Never shuts off: True
90% CHance of backdoor, shutting down now.
I must be dumb, i have NEVER used the killav script, its like raising OVER 9000 flags saying something is amiss. If I think my payload will get flagged I will try to use somthing not as conspicuous and work my around the AV.prowl3r I was just toying with something and had an idea - could you use the killav script and then restart the A/V service after the fact? If you are emulating a live attack this is what most would do anyway. Just because you're being nice doesn't mean you shouldn't be accurate.
Even Tripwire can be defeated without turning it off if you are smart enough (*cough* Function Hooking *cough*)