<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule"	>
<channel>
	<title>Comments on: Converting Programs to Bypass AntiVirus</title>
	<atom:link href="http://www.cutawaysecurity.com/blog/archives/74/feed" rel="self" type="application/rss+xml" />
	<link>http://www.cutawaysecurity.com/blog/archives/74</link>
	<description>Cutaway's Observations, Opinions, Rants, Raves, Tantrums, and Tirades</description>
	<lastBuildDate>Wed, 02 Jun 2010 22:30:56 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: cutaway</title>
		<link>http://www.cutawaysecurity.com/blog/archives/74/comment-page-1#comment-1607</link>
		<dc:creator>cutaway</dc:creator>
		<pubDate>Sun, 07 Jan 2007 16:43:06 +0000</pubDate>
		<guid isPermaLink="false">http://www.cutawaysecurity.com/blog/archives/74#comment-1607</guid>
		<description>I thought about using Eicar but I decided against it.  As I am not a malware expert, and want to focus on other things, there is really no point in moving forward with this test as I have accomplished my goal and I think I will gain more from reading the results of other more experienced malware experts (at least at this point).  Kev from Ethical Hacker has actually already done this anyway (http://www.ethicalhacker.net/component/option,com_smf/Itemid,49/topic,821.0/) I just didn&#039;t see it until after my post.  It is obvious that most antivirus vendors use more information for their signatures than simple hashes and that the most common packers/crypters will be included in their efforts.

I think the primary goal of this experiment (at least for me) was to start thinking about ways to hide programs that might be uploaded for penetration testing.  What I get out of this is that simple modification is not enough.  I will either need to write my own programs to function in the same manner as tools like Netcat, or I will have to find an exploit (remote or local) that I can then use to have Metasploit or Core Impact subvert a process for me.  I like this better because uploads and new processes will probably be logged and then there is more work to hide it all.  If I cannot get a subverted process then I will try and use as many local programs as possible before uploading any program that I know is detected by antivirus software.  I will then also probably consider some of the other aspects of anti-virus evasion methods as described in the Ethical Hacker discussion (http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,940.0/) before doing such uploads.

Thanks for your comments.
Go forth and do good things,
Cutaway</description>
		<content:encoded><![CDATA[<p>I thought about using Eicar but I decided against it.  As I am not a malware expert, and want to focus on other things, there is really no point in moving forward with this test as I have accomplished my goal and I think I will gain more from reading the results of other more experienced malware experts (at least at this point).  Kev from Ethical Hacker has actually already done this anyway (<a href="http://www.ethicalhacker.net/component/option,com_smf/Itemid,49/topic,821.0/" rel="nofollow">http://www.ethicalhacker.net/component/option,com_smf/Itemid,49/topic,821.0/</a>) I just didn&#8217;t see it until after my post.  It is obvious that most antivirus vendors use more information for their signatures than simple hashes and that the most common packers/crypters will be included in their efforts.</p>
<p>I think the primary goal of this experiment (at least for me) was to start thinking about ways to hide programs that might be uploaded for penetration testing.  What I get out of this is that simple modification is not enough.  I will either need to write my own programs to function in the same manner as tools like Netcat, or I will have to find an exploit (remote or local) that I can then use to have Metasploit or Core Impact subvert a process for me.  I like this better because uploads and new processes will probably be logged and then there is more work to hide it all.  If I cannot get a subverted process then I will try and use as many local programs as possible before uploading any program that I know is detected by antivirus software.  I will then also probably consider some of the other aspects of anti-virus evasion methods as described in the Ethical Hacker discussion (<a href="http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,940.0/" rel="nofollow">http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,940.0/</a>) before doing such uploads.</p>
<p>Thanks for your comments.<br />
Go forth and do good things,<br />
Cutaway</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: kurt wismer</title>
		<link>http://www.cutawaysecurity.com/blog/archives/74/comment-page-1#comment-1602</link>
		<dc:creator>kurt wismer</dc:creator>
		<pubDate>Sun, 07 Jan 2007 07:19:34 +0000</pubDate>
		<guid isPermaLink="false">http://www.cutawaysecurity.com/blog/archives/74#comment-1602</guid>
		<description>instead of using a virus (which you do not have) to continue experimenting with, why not use the eicar standard anti-virus test file? after all, if you&#039;re just testing how well you can hide an arbitrary program from an anti-virus scanner all that should really matter is that you use something the scanner would normally detect - and just about everything detects the eicar standard anti-virus test file...</description>
		<content:encoded><![CDATA[<p>instead of using a virus (which you do not have) to continue experimenting with, why not use the eicar standard anti-virus test file? after all, if you&#8217;re just testing how well you can hide an arbitrary program from an anti-virus scanner all that should really matter is that you use something the scanner would normally detect &#8211; and just about everything detects the eicar standard anti-virus test file&#8230;</p>
]]></content:encoded>
	</item>
</channel>
</rss>
