
Making a "virus" not be seen by antivirus?


20 replies to this topic

#1 Benny1123

Benny1123

    SCRiPT KiDDie

  • Members
  • 27 posts
  • Location:Australia

Posted 06 June 2009 - 01:25 AM

Ok, first of all I am not doing anything bad. I am not creating viruses or anything like that. I hate viruses, why would I make them.

Now that's out of the way... My problem is I need to make a "hacking tool" not be picked up by antivirus on people's computers. The program is pwdump7. Here is an initial post so you know what I am doing:

Ok, my problem is I am creating a user interface to crack SAM and SYSTEM files and dump the hash. The program then uploads the hash to our servers, where we will crack them and send the cracked password back to the user automatically (freeware of course).

Now my problem is to crack NTLM hashes you need a newer version of bkhive and samdump2 than what I currently have. So I went to (can't post it), where both bkhive and samdump are hosted (the versions I need). However the code is open source. I downloaded the source to find no project files, just C headers and code. I managed to somehow compile bkhive 1.1.1 with cygwin and it works fine on Windows. However, when I try to do the same with samdump2 it errors. I have tried every version, receiving exactly the same error. I have not done much at all to do with compiling source, so I really have no idea where to go from here.


So my problem is how can I compile this source for Windows...? If someone could take their time to compile it on their own computer and test that it works for me, I will be very thankful and quite willing to add your name to the authors of the finished project. If I can't get this running then I can't complete the project.

Thanks for your help
Ben


Now I haven't been able to compile this source and have been trying for days. So my next option is to use pwdump7. Unfortunately 1 in 4 antivirus programs quarantine and delete it as it is a "hacking tool". I only need to use pwdump7 with the following command: "pwdump7.exe -s <SAM> <SYSTEM> >pass.txt"
So it will never actually be trying to dump the password hashes from the computer it is being run on. Therefore it is not really dangerous.

So how can I make this program not be picked up as a hacking tool on other people's computers? Obviously no one is going to install it if their antivirus says my program contains a virus.

Thanks to anyone who can help.

#2 phasma

phasma

    Hakker addict

  • Members
  • 527 posts
  • Country:
  • Gender:Male
  • Location:Pennsylvania

Posted 06 June 2009 - 10:11 AM

So how can I make this program not be picked up as a hacking tool on other people's computers? Obviously no one is going to install it if their antivirus says my program contains a virus.

All anti-virus programs are different. Some have the option to allow certain programs to run regardless of the risk. You'd probably either have to disable the anti-virus somehow or find the option to allow you to run whatever you want to be running.

EDIT: Fix quote box.

Edited by phasma, 06 June 2009 - 12:55 PM.


#3 thepcdude

thepcdude

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 353 posts
  • Location:Computer, Desk

Posted 06 June 2009 - 11:48 AM

Most AntiVirs work by signatures. They can tell a virus by looking at its hash, IDs in the exe, or its behavior like adding registry keys in certain places, etc.
What you need to do, is alter any one of those. Maybe just one won't be enough, but a couple more should do the trick. If you have the source, this is cake.

#4 Benny1123

Benny1123

    SCRiPT KiDDie

  • Members
  • 27 posts
  • Location:Australia

Posted 07 June 2009 - 07:06 AM

I don't think its open source. Pwdump7 consists of a dll (file system driver or something apparently) and an exe. I haven't been able to find any source.

#5 phasma

phasma

    Hakker addict

  • Members
  • 527 posts
  • Country:
  • Gender:Male
  • Location:Pennsylvania

Posted 07 June 2009 - 01:22 PM

I don't think its open source. Pwdump7 consists of a dll (file system driver or something apparently) and an exe. I haven't been able to find any source.

Do I feel a little reverse engineering coming along?

#6 Benny1123

Benny1123

    SCRiPT KiDDie

  • Members
  • 27 posts
  • Location:Australia

Posted 07 June 2009 - 09:03 PM

Do I feel a little reverse engineering coming along?

Hahahah, is there any specific way I should go about this? Change a few strings with Olly or something?
I haven't done too much to do with reverse engineering.

Thanks for the idea

#7 thepcdude

thepcdude

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 353 posts
  • Location:Computer, Desk

Posted 08 June 2009 - 09:58 PM

Do I feel a little reverse engineering coming along?

Hahahah, is there any specific way I should go about this? Change a few strings with Olly or something?
I haven't done too much to do with reverse engineering.

Thanks for the idea


It would be very beneficial if you knew reversing. You could find out how the software works, and write your own. This would be very time consuming, and if I tried, I would probably slip into a coma. So actually, you could try to change some strings in a hex editor or such. Might not be enough, but worth a try!

#8 Benny1123

Benny1123

    SCRiPT KiDDie

  • Members
  • 27 posts
  • Location:Australia

Posted 09 June 2009 - 06:28 AM

lol funny thing is, I changed a few strings and it made the file be detected by more antivirus programs!

How does that work?

I uploaded the original and my edited file at exactly the same time on two different computers to VirusTotal (I know uploading to VirusTotal is only going to make things worse, but it was for proof of theory). So either I've made it look like something else (like a 1 in 99 billion chance) or VirusTotal is just very inaccurate. I did double check my findings too; I was baffled that my edited version had one more positive virus (or hacking tool, malware, whatever they want to call it) reading than the original. Excuse the brackets, just wanted to give all the detail.

What is going on? lol

Edit: This was meant to be a reply to thepcdude:

It would be very beneficial if you knew reversing. You could find out how the software works, and write your own. This would be very time consuming, and if I tried, I would probably slip into a coma. So actually, you could try to change some strings in a hex editor or such. Might not be enough, but worth a try!


Edited by Benny1123, 09 June 2009 - 06:37 AM.


#9 Colonel Panic

Colonel Panic

    Hakker addict

  • Members
  • 607 posts
  • Gender:Male
  • Location:IN YR BROWSER, SAYIN SUM SHIT

Posted 09 June 2009 - 09:37 AM

My guess is the AV software is flagging it as viral based on heuristic analysis.

As for avoiding the virus signature detection, you could maybe use a decompiler on the file, and then insert lots of random "decoy" code that has nothing to do with its actual operation. I understand some viruses try to avoid "signature-based" analysis by means of such mutagenic tricks, but you'd probably run into other problems from the AVs' heuristical analysis.

I believe the most effective anti-AV stealth tactics have to do with messing around with the AV software itself. Many malwares avoid AV detection by sniffing which AV software the host is using, and then altering or completely disabling certain parts of its functionality. This approach requires some degree of knowledge of the inner-workings of popular AV softwares.

Edited by Colonel Panic, 09 June 2009 - 05:51 PM.


#10 Benny1123

Benny1123

    SCRiPT KiDDie

  • Members
  • 27 posts
  • Location:Australia

Posted 10 June 2009 - 12:32 AM

Good reply, but I don't want to go messing around with peoples AV software and create potential security risks on their computer.

My project is for good, not bad (I suppose you can use it for bad, but yeah....). It's for N00B's who lose their password, only have one account on the computer and wish to recover it with a nice, simple and easy to use interface. These people probably don't even know what antivirus is, they just know when the box pops up, they are meant to press "delete".

#11 jabzor

jabzor

    hax?

  • Agents of the Revolution
  • 1,146 posts
  • Country:
  • Gender:Male
  • Location:Northern Elbonia, fighting the lefties

Posted 10 June 2009 - 12:55 AM

One popular method is using a file-splitter to create multiple smaller portions of the same exe to find the exact code segments a particular AV is picking up on, and then changing those portions.
Once you get it working under one AV, move on to the next.
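The following is an added worked example, not code from this thread or from any of the tools mentioned in it. It implements the file-splitting search jabzor describes (and illustrates the pattern-style signatures thepcdude mentions, as opposed to whole-file hash signatures, which no amount of splitting can locate because any change defeats them). The "scanner" is a constructed stand-in: a function that flags any buffer containing a hard-coded byte pattern. Real AV signatures are opaque, so only the procedure is demonstrated: write prefixes of increasing length until one is flagged, then bisect to the exact byte range, then overwrite that range and re-scan. The sample "binary" and the TOY_SIGNATURE are both constructed.

```python
"""Locate and neutralise the byte range a (toy) scanner keys on, by splitting.

Added example, not code from the thread. The scanner below stands in for an
AV's static pattern check; TOY_SIGNATURE is an assumed, made-up pattern.
"""

# Constructed stand-in for an AV signature (assumption: a fixed byte string).
TOY_SIGNATURE = b"\x8b\xffPWDUMP"


def toy_scanner(data: bytes) -> bool:
    """Pretend on-demand scanner: True means 'detected'."""
    return TOY_SIGNATURE in data


def prefix_pieces(data: bytes, piece_size: int):
    """Yield (length, prefix) for data[:n], n = piece_size, 2*piece_size, ...

    This is what a file splitter does on disk: it writes each prefix as its
    own file and the AV's on-access scanner deletes the first one that
    contains the whole signature. Here the pieces stay in memory.
    """
    n = piece_size
    while n < len(data):
        yield n, data[:n]
        n += piece_size
    yield len(data), data


def first_flagged_prefix(data, scanner, piece_size):
    """Coarse pass: return (prev, n) where data[:n] is the first flagged
    prefix and data[:prev] was clean, or None if nothing is ever flagged."""
    prev = 0
    for n, piece in prefix_pieces(data, piece_size):
        if scanner(piece):
            return prev, n  # signature ends somewhere in (prev, n]
        prev = n
    return None


def signature_end(data, scanner, lo, hi):
    """Bisect the end offset.
    Invariant: scanner(data[:lo]) is False, scanner(data[:hi]) is True."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if scanner(data[:mid]):
            hi = mid
        else:
            lo = mid
    return hi


def signature_start(data, scanner, end):
    """Bisect the start offset: largest s with scanner(data[s:end]) True.
    Invariant: scanner(data[lo:end]) is True, scanner(data[hi:end]) is False."""
    lo, hi = 0, end
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if scanner(data[mid:end]):
            lo = mid
        else:
            hi = mid
    return lo


def locate_signature(data, scanner, piece_size=256):
    """Return (start, end) of the minimal detected byte range, or None if clean."""
    coarse = first_flagged_prefix(data, scanner, piece_size)
    if coarse is None:
        return None
    lo, hi = coarse
    end = signature_end(data, scanner, lo, hi)
    start = signature_start(data, scanner, end)
    return start, end


def patch_range(data, start, end, fill=0x00):
    """Overwrite the flagged range with a filler byte.

    Caution: only safe for bytes the program never executes or reads
    (padding, unused strings). Overwriting live code or data breaks the
    binary, which is why the real step needs a disassembler to pick an
    equivalent encoding instead of blind filler.
    """
    return data[:start] + bytes([fill]) * (end - start) + data[end:]


# Constructed sample 'binary': 1000 bytes of filler, the toy signature, more filler.
SAMPLE = bytes(range(256)) * 3 + b"\x90" * 232 + TOY_SIGNATURE + b"\xcc" * 500

if __name__ == "__main__":
    found = locate_signature(SAMPLE, toy_scanner)
    print("flagged range:", found)
    if found is not None:
        patched = patch_range(SAMPLE, *found)
        print("still detected after patch:", toy_scanner(patched))
```

Once a range is neutralised, re-run the search on the patched file: a product often carries more than one pattern for the same tool, and each pass only finds the one that ends first. The procedure says nothing about heuristic or behavioural detection, which is the part of the thread's problem that splitting cannot touch.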

#12 Benny1123

Benny1123

    SCRiPT KiDDie

  • Members
  • 27 posts
  • Location:Australia

Posted 15 June 2009 - 01:29 AM

Hmm... can't get it to work...

#13 tlturner

tlturner

    SCRiPT KiDDie

  • Members
  • 20 posts

Posted 15 June 2009 - 06:12 AM

Here is an article on how this can be done with Netcat:

http://packetstormse...Back_Netcat.pdf

Now that being said, I wouldn't go to too much trouble to do this on a redistributable package as it's only a matter of time before some diligent sysadmin finds it on a user's machine and submits it to their A/V vendor, and then a new signature will be created. If you just want to use it for internal testing that's a whole different matter, and it's one I've used in my malware/intrusion training lab at work. I teach a course where my students play with live malware specimens in an isolated virtual machine environment running ESXi, and I've had to modify some malware and tools to bypass the installed A/V on the VMs I have them working on so I can force them to use incident response techniques instead of blind reliance on A/V (taskmgr, netstat, registry, process research, dlls, etc).

Honestly you shouldn't even need to do this if you are an admin on the box you are trying to run it on. Just disable the A/V or create an exception for your tool. Disabling A/V services may work, but most modern A/V tools actually use dll injection to prevent random malware X from just doing a net stop or *shudder* SC delete on the service.

If you decide to go with Fgdump instead of pwdump, it will also disable the A/V on your target, which can come in handy for the dump since many modern A/V will prevent that, and then it tries to restart the A/V when it has completed the dump.

#14 Benny1123

Benny1123

    SCRiPT KiDDie

  • Members
  • 27 posts
  • Location:Australia

Posted 16 June 2009 - 12:51 AM

Here is an article on how this can be done with Netcat:

http://packetstormse...Back_Netcat.pdf

Thank you so much, I haven't tried it yet but it seems like a winner.

#15 chaostic

chaostic

    rekcah-rebÜ

  • Members
  • 724 posts

Posted 16 June 2009 - 02:00 AM

Ha. I read that same article in Hakin9 magazine recently. Was going to suggest the same thing.

But changing a few strings in a compiled executable shouldn't help much (Hell, it shouldn't have triggered more hits). It's not like the scanners are looking for 100% match.

#16 Benny1123

Benny1123

    SCRiPT KiDDie

  • Members
  • 27 posts
  • Location:Australia

Posted 16 June 2009 - 04:47 AM

Hell, it shouldn't have triggered more hits.

I know, how weird.... I really don't know what's going on there.

#17 Colonel Panic

Colonel Panic

    Hakker addict

  • Members
  • 607 posts
  • Gender:Male
  • Location:IN YR BROWSER, SAYIN SUM SHIT

Posted 16 June 2009 - 02:38 PM

Now that being said, I wouldn't go to too much trouble to do this on a redistributable package as it's only a matter of time before some diligent sysadmin finds it on a user's machine and submits it to their A/V vendor, and then a new signature will be created.

+1.

#18 taco24501

taco24501

    Will I break 10 posts?

  • Members
  • 3 posts

Posted 19 June 2009 - 02:41 PM

Nothing is going to be FUD for a long time; you would have to use it and not tell anyone about it to keep it FUD.

#19 Colonel Panic

Colonel Panic

    Hakker addict

  • Members
  • 607 posts
  • Gender:Male
  • Location:IN YR BROWSER, SAYIN SUM SHIT

Posted 19 June 2009 - 02:59 PM

FUD? :unsure:

Fud
From Wikipedia, the free encyclopedia

Fud may refer to:

* FUD, Fear, uncertainty and doubt, a marketing or political strategy
* FUD, Female urination device
* FUD (food), a Mexican brand of cold cuts and hot dogs

http://en.wikipedia.org/wiki/Fud

?!?

#20 G-Brain

G-Brain

    mad 1337

  • Members
  • 127 posts
  • Country:
  • Gender:Male

Posted 19 June 2009 - 03:45 PM

Fully undetect(ed|able).
