Hexed Virus/Malware/Spyware/etc
Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: Hexed Virus/Malware/Spyware/etc

  1. #1
    Member e><ius's Avatar
    Join Date
    Mar 2007
    Location
    So.Cal.
    Posts
    61

    Hexed Virus/Malware/Spyware/etc

    As i know, a hexed .exe can conceal its presence from an AV / Anti-SpyWare prog. is that true that it can be totally invisible to the scanner? or maybe it just has a % chance not to be found?

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    OK, general principles here

    By "hexed" I take it you are referring to an executable in hexadecimal notation?

    This does not "conceal" the file from the scanner, nor does it make it totally invisible. It would be the same if the file were encrypted.

    The issue would be whether the scanner could recognise the malware for what it was.

    For example, I have a collection of malware generation toolkits. AVG does not detect them. I know that it opens them in a temporary file because Avast! goes ballistic when it does so.

    Similarly, some scanners cannot handle compressed files (.zip, .tar) or packed files (UPX). This is probably reasonably true if they are looking for heuristics or behavioural traits. Again, some scanners will ignore a compiled binary malware if the file is .txt whereas others will spot it. If you change the extension to an executable, the first scanner will then detect it for what it is.

    To actually hide things you need to look at alternate data streams, writing to slack space, writing to cluster nodes and things like that; where the scanner either doesn't look or won't recognise what is there.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    Banned
    Join Date
    Jul 2006
    Location
    /
    Posts
    385
    I have a collection of malware generation toolkits.
    Johnno care to share your toys.

  4. #4
    Member e><ius's Avatar
    Join Date
    Mar 2007
    Location
    So.Cal.
    Posts
    61
    nihil ur on track. what those ppl refer to in "hexing" is adding binary spaces to transform certain strings within a malware to avoid detection, but doesnt kill its function. do u know if it still works on today's new AV. im assuming that av scanners are able to bypass this sort of method and do its job.

  5. #5
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    I remember once I wanted to e-mail a perl script I had written home to myself so I could work on it some more. Hotmail ate it as a virus so I renamed it .txt and all was well.

    As for how clever virus scanners are at detecting minor changes such as adding pointless loops or whatever to change appearance but not function, guess that depends on how smart the programmers are at the AV company in question and how smart the virus writers are. I do know I usually end up disabling the heuristic detection since otherwise it starts flagging everything as a virus.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

  6. #6
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    e><ius,

    I cannot give you a definitive answer because there is a constant and ongoing battle between malware authors and anti-malware providers.

    A lot depends on what you use and how it works. Disguising or obfuscating the code will only really work against an antimalware program that relies on patterns or signatures. Even then it is possible that the anti software can strip out redundant spacing and the like.

    In other cases it may spot the dropper or packer and take it from there.

    Heuristic scanning has already been mentioned, but a number of products now use behavioural analysis and sandboxing techniques.

    An example of the former might be looking for attempts to modify the registry or executable files. In the case of sandboxing the program is allowed to run in a controlled environment and the protecting software looks to see what it tries to do.

    I would not have thought that simple attempts to obfuscate the code were anything like as effective as they were when detection almost solely relied on recognising code strings.

    Hopefully one of our members who works in the anti-malware sector will be able to give you a more authoritative answer
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  7. #7
    Member e><ius's Avatar
    Join Date
    Mar 2007
    Location
    So.Cal.
    Posts
    61
    Aardpsymon this is assuming that the pearl script doesnt get flagged on ur own computer right?

    nihil thanks for your hefty input. so this sandboxing method moves the location of malware to a mirrored image of the harddrive with the same directories and files into a controlled environment?

    do u think i should repost this topic in the "anti-malware" section? or what if somebody moved this topic to that sector instead.
    i had to ask this cuz im still a bit timid here at AO... dont like ******** =X

  8. #8
    Member e><ius's Avatar
    Join Date
    Mar 2007
    Location
    So.Cal.
    Posts
    61
    is ...f_l_a_m_e_a_g_e ... a bad word?

  9. #9
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    This concept is also called "Packing", as in, packing the executable down into a smaller size, thus changing the signature.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  10. #10
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi e><ius,

    The sandboxing technique is slightly different from using a virtual machine environment.

    Typically, a virtual machine allows you to create a machine within a machine. So you could run a Linux distro, Windows XP and Windows 98SE in separate "environments" on the same hardware platform. VMWare is a classic example of this.

    Mirroring type software would include software such as Faronics' "Deep Freeze" This loads your operating system into a separate location. When the user has finished, the original image is restored for the next user. Anything that the previous user has done is reversed.

    Read more here:

    http://www.faronics.com/

    From a security standpoint there are "sandboxes" such as SandboxIE and Fortres Grand. You can read more about them here:

    http://www.sandboxie.com/
    http://www.fortresgrand.com/


    Finally there are antivirus products that use an internal "sandbox" to open and examine files in. This is actually a rather old concept. I still have a copy of Aladdin Knowledge Systems Ltd's antivirus, that used this technique some 10 years ago.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •