Hexed Virus/Malware/Spyware/etc

[e><ius]

As i know, a hexed .exe can conceal its presence from an AV / Anti-SpyWare prog. is that true that it can be totally invisible to the scanner? or maybe it just has a % chance not to be found?

[nihil]

OK, general principles here

By "hexed" I take it you are referring to an executable in hexadecimal notation?

This does not "conceal" the file from the scanner, nor does it make it totally invisible. It would be the same if the file were encrypted.

The issue would be whether the scanner could recognise the malware for what it was.

For example, I have a collection of malware generation toolkits. AVG does not detect them. I know that it opens them in a temporary file because Avast! goes ballistic when it does so.

Similarly, some scanners cannot handle compressed files (.zip, .tar) or packed files (UPX). This is probably reasonably true if they are looking for heuristics or behavioural traits. Again, some scanners will ignore a compiled binary malware if the file is .txt whereas others will spot it. If you change the extension to an executable, the first scanner will then detect it for what it is.

To actually hide things you need to look at alternate data streams, writing to slack space, writing to cluster nodes and things like that; where the scanner either doesn't look or won't recognise what is there.

[acidtone]

I have a collection of malware generation toolkits.

Johnno care to share your toys.

[e><ius]

nihil ur on track. what those ppl refer to in "hexing" is adding binary spaces to transform certain strings within a malware to avoid detection, but doesnt kill its function. do u know if it still works on today's new AV. im assuming that av scanners are able to bypass this sort of method and do its job.

[Aardpsymon]

I remember once I wanted to e-mail a perl script I had written home to myself so I could work on it some more. Hotmail ate it as a virus so I renamed it .txt and all was well.

As for how clever virus scanners are at detecting minor changes such as adding pointless loops or whatever to change appearance but not function, guess that depends on how smart the programmers are at the AV company in question and how smart the virus writers are. I do know I usually end up disabling the heuristic detection since otherwise it starts flagging everything as a virus.

[nihil]

e><ius,

I cannot give you a definitive answer because there is a constant and ongoing battle between malware authors and anti-malware providers.

A lot depends on what you use and how it works. Disguising or obfuscating the code will only really work against an antimalware program that relies on patterns or signatures. Even then it is possible that the anti software can strip out redundant spacing and the like.

In other cases it may spot the dropper or packer and take it from there.

Heuristic scanning has already been mentioned, but a number of products now use behavioural analysis and sandboxing techniques.

An example of the former might be looking for attempts to modify the registry or executable files. In the case of sandboxing the program is allowed to run in a controlled environment and the protecting software looks to see what it tries to do.

I would not have thought that simple attempts to obfuscate the code were anything like as effective as they were when detection almost solely relied on recognising code strings.

Hopefully one of our members who works in the anti-malware sector will be able to give you a more authoritative answer

[e><ius]

Aardpsymon this is assuming that the pearl script doesnt get flagged on ur own computer right?

nihil thanks for your hefty input. so this sandboxing method moves the location of malware to a mirrored image of the harddrive with the same directories and files into a controlled environment?

do u think i should repost this topic in the "anti-malware" section? or what if somebody moved this topic to that sector instead.
i had to ask this cuz im still a bit timid here at AO... dont like ******** =X

[e><ius]

is ...f_l_a_m_e_a_g_e ... a bad word?

[zencoder]

This concept is also called "Packing", as in, packing the executable down into a smaller size, thus changing the signature.

[nihil]

Hi e><ius,

The sandboxing technique is slightly different from using a virtual machine environment.

Typically, a virtual machine allows you to create a machine within a machine. So you could run a Linux distro, Windows XP and Windows 98SE in separate "environments" on the same hardware platform. VMWare is a classic example of this.

Mirroring type software would include software such as Faronics' "Deep Freeze" This loads your operating system into a separate location. When the user has finished, the original image is restored for the next user. Anything that the previous user has done is reversed.

Read more here:

http://www.faronics.com/

From a security standpoint there are "sandboxes" such as SandboxIE and Fortres Grand. You can read more about them here:

http://www.sandboxie.com/
http://www.fortresgrand.com/


Finally there are antivirus products that use an internal "sandbox" to open and examine files in. This is actually a rather old concept. I still have a copy of Aladdin Knowledge Systems Ltd's antivirus, that used this technique some 10 years ago.