Description: Antivirus software uses signatures to detect malicious software such as computer viruses, worms and trojans. The signature is generally a particular pattern of bytes that uniquely identifies the program in question. Once this pattern has been identified and deployed to all customers, the virus or worm becomes immediately detectable and is thus rendered useless. In such a case a virus writer needs to find out which bytes the AV uses as the signature and change them within the executable. There are other, more advanced techniques for dealing with this problem, such as writing polymorphic code. In this video, however, we look at a demo in which the author finds the signature the AV uses for a trojan and then changes it to make the trojan undetectable by that AV.
In order to do this the author uses a file-splitting program called Dsplit. Dsplit breaks the binary up into many parts, each larger than the previous one by a fixed amount. When the AV is run on these parts, the first part that is flagged is the first one that contains the signature. By applying this procedure iteratively, breaking that part into smaller pieces and repeating the process, one can zero in on the actual signature bytes. Once the signature bytes are located, they can be modified and the binary patched to evade detection by the AV. Please watch the video; the process is very well explained.
To follow this video, please download Dsplit. There is also a graphical version of Dsplit made available recently at the GSO forums. The original post is available here.
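The description above explains two things worth seeing in code: how a byte-pattern signature match works, and why locating the matched bytes is as simple as scanning progressively larger prefixes of the file. The following toy scanner is an added example written for this page; it is not Dsplit and not any real AV engine. The signature names, the byte patterns and the sample buffer are all constructed for the illustration. From the signature author's side it also shows the defensive lesson of the video: an exact contiguous pattern is defeated by a single byte change, while a pattern with wildcard positions over the bytes most likely to be altered survives it.

```python
"""Toy byte-signature scanner (added example; constructed data throughout).

A signature is a tuple of ints, where None means "any byte" (a wildcard).
The patterns below are made up for the example and do not correspond to any
real malware family or to any real AV signature.
"""

SIGNATURES = {
    # Exact pattern: fails if any single one of these bytes is changed.
    "toy.exact": (0xE8, 0x00, 0x00, 0x00, 0x00, 0x5D, 0x81, 0xED),
    # Same pattern with wildcards over the positions an author could tweak
    # without changing what the code does (call displacement, last byte).
    "toy.masked": (0xE8, None, None, None, None, 0x5D, 0x81, None),
}


def match_at(data: bytes, offset: int, pattern) -> bool:
    """True if `pattern` matches `data` starting at `offset`."""
    if offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def scan(data: bytes) -> list:
    """Return (signature_name, offset) for the first hit of each signature."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for offset in range(len(data) - len(pattern) + 1):
            if match_at(data, offset, pattern):
                hits.append((name, offset))
                break  # one hit per signature is enough for a verdict
    return hits


def first_detected_prefix(data: bytes, name: str) -> int:
    """Smallest prefix length at which signature `name` fires, or -1.

    This is the idea behind splitting a file into progressively larger
    pieces and scanning each one: the first piece that is flagged ends
    just past the signature's last byte. Detection is monotonic in the
    prefix length, so a binary search finds that point directly.
    """
    if not any(n == name for n, _ in scan(data)):
        return -1
    lo, hi = 0, len(data)
    while lo < hi:
        mid = (lo + hi) // 2
        if any(n == name for n, _ in scan(data[:mid])):
            hi = mid
        else:
            lo = mid + 1
    return lo


def mutate(data: bytes, offset: int, value: int) -> bytes:
    """Copy of `data` with one byte replaced (used to test signature robustness)."""
    out = bytearray(data)
    out[offset] = value
    return bytes(out)


# Constructed sample: 16 bytes of padding, the 8 pattern bytes, 8 more bytes.
SAMPLE = (
    bytes([0x90] * 16)
    + bytes([0xE8, 0x00, 0x00, 0x00, 0x00, 0x5D, 0x81, 0xED])
    + bytes([0xCC] * 8)
)

if __name__ == "__main__":
    print(scan(SAMPLE))                               # both signatures hit at offset 16
    print(first_detected_prefix(SAMPLE, "toy.exact"))  # 24: the prefix must include all 8 bytes
    changed = mutate(SAMPLE, 23, 0xEC)                # alter the last pattern byte
    print(scan(changed))                              # exact signature lost, masked one still hits
```

The masked signature is the part a detection engineer cares about: when writing a signature, wildcard the bytes that can vary without changing behaviour (displacements, immediates, register choices) and anchor on the bytes that cannot, so that the one-byte patch shown in the video does not break the match.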
Tags: tools
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Is the signature always going to be one byte? And what if it's not a string byte and is an actual instruction? This is very interesting....
skinnyskenny, http://www.offensive-security.com/videos/shmoocon-presentation-2008-video/piss-on-your-av.html
But to have it work in real life you'd have to think up some clever way to hijack the execution flow and have your decrypter work, as the AV will understand you have a decrypter during the virtualization phase of the executable check.
And you'd have to build your executable multiple times - one to encrypt your code and save the snapshot (from memory) with the encryptor, and then into the snapshot you'd have to add the decryptor (and take out the encryptor) if they're not the same. But all of this is relevant to the linked video, it's really good.
The actual process here is not hard to understand at all, but when giving a presentation or any kind of tutorial, first off, there should be NO mistakes, as mistakes cause serious confusion. Second, every one of these tutorials I see always tends to assume that small things like the exact labeling of the functions in the program, or how to find these functions, never need to be mentioned; it's just assumed you already know. Third, the camera is pointed at the presenter WAY too much and valuable instruction is lost, leaving the student to wonder what he could possibly have been doing during that time. Overall I would say horrible presentation.
Thank you for posting this video. AV avoidance is a topic a lot of people struggle with. Here is an article I wrote that hopefully explains it clearly.
http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/
Very good video... Quite informative... :)
The Dsplit file is malicious, what to do? Please help???
This looks great, yet I have the same question as skinnyskenny. M0x, the link you provided is broken.