As i know, a hexed .exe can conceal its presence from an AV / Anti-SpyWare prog. is that true that it can be totally invisible to the scanner? or maybe it just has a % chance not to be found?
OK, general principles here :D
By "hexed" I take it you are referring to an executable in hexadecimal notation?
This does not "conceal" the file from the scanner, nor does it make it totally invisible. It would be the same if the file were encrypted.
The issue would be whether the scanner could recognise the malware for what it was.
For example, I have a collection of malware generation toolkits. AVG does not detect them. I know that it opens them in a temporary file because Avast! goes ballistic when it does so.
Similarly, some scanners cannot handle compressed files (.zip, .tar) or packed files (UPX). This is probably reasonably true if they are looking for heuristics or behavioural traits. Again, some scanners will ignore a compiled binary malware if the file is .txt whereas others will spot it. If you change the extension to an executable, the first scanner will then detect it for what it is.
To actually hide things you need to look at alternate data streams, writing to slack space, writing to cluster nodes and things like that; where the scanner either doesn't look or won't recognise what is there.
Johnno, care to share your toys. :D
Quote:
I have a collection of malware generation toolkits.
nihil, you're on track. What those people refer to as "hexing" is adding binary spaces to transform certain strings within a piece of malware to avoid detection, but it doesn't kill its function. Do you know if it still works on today's new AVs? I'm assuming that AV scanners are able to bypass this sort of method and do their job.
I remember once I wanted to e-mail a perl script I had written home to myself so I could work on it some more. Hotmail ate it as a virus so I renamed it .txt and all was well.
As for how clever virus scanners are at detecting minor changes such as adding pointless loops or whatever to change appearance but not function, guess that depends on how smart the programmers are at the AV company in question and how smart the virus writers are. I do know I usually end up disabling the heuristic detection since otherwise it starts flagging everything as a virus.
e><ius,
I cannot give you a definitive answer because there is a constant and ongoing battle between malware authors and anti-malware providers.
A lot depends on what you use and how it works. Disguising or obfuscating the code will only really work against an antimalware program that relies on patterns or signatures. Even then it is possible that the anti software can strip out redundant spacing and the like.
In other cases it may spot the dropper or packer and take it from there.
Heuristic scanning has already been mentioned, but a number of products now use behavioural analysis and sandboxing techniques.
An example of the former might be looking for attempts to modify the registry or executable files. In the case of sandboxing the program is allowed to run in a controlled environment and the protecting software looks to see what it tries to do.
I would not have thought that simple attempts to obfuscate the code were anything like as effective as they were when detection almost solely relied on recognising code strings.
Hopefully one of our members who works in the anti-malware sector will be able to give you a more authoritative answer :)
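The thread's point that disguising strings only defeats a scanner which relies on exact patterns, and that an engine can "strip out redundant spacing" before matching, can be shown with a small added example (this is illustrative code written for this page, not anyone's product). It compares three detection styles against a constructed sample and a constructed variant with padding bytes pushed into one string: a whole-file checksum, an exact byte signature, and the same signature applied after whitespace/NUL normalisation. The sample bytes, the signature and the normalisation rule are all hypothetical.

```python
import hashlib
import re

# Constructed sample bytes standing in for a "known bad" file. They are
# hypothetical and not taken from any real malware; the only feature the
# scanner keys on is the embedded command string.
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 12 + b"cmd.exe /c del *.log" + b"\x00" * 8

# The same sample with padding bytes pushed into the command string, which is
# what the thread calls "hexing". Also constructed for this example.
VARIANT = b"MZ\x90\x00" + b"\x00" * 12 + b"cmd.exe  /c\x00del *.log" + b"\x00" * 8

# Three ways a scanner might encode its knowledge of ORIGINAL.
KNOWN_MD5 = hashlib.md5(ORIGINAL).hexdigest()   # checksum of the whole file
RAW_SIGNATURE = b"cmd.exe /c del"                # exact byte string


def normalise(data: bytes) -> bytes:
    """Collapse runs of spaces, tabs and NUL bytes to a single space and
    lower-case the result, so padding inserted inside a string is ignored.
    (Assumed normalisation rule; real engines do considerably more.)"""
    return re.sub(rb"[\x00\t ]+", b" ", data).lower()


NORMALISED_SIGNATURE = normalise(RAW_SIGNATURE)


def matches_hash(data: bytes) -> bool:
    """Checksum scanner: only a byte-for-byte identical file is detected."""
    return hashlib.md5(data).hexdigest() == KNOWN_MD5


def matches_raw(data: bytes) -> bool:
    """Pattern scanner that searches for the exact signature bytes."""
    return RAW_SIGNATURE in data


def matches_normalised(data: bytes) -> bool:
    """Pattern scanner that normalises the file before matching, so the
    inserted padding no longer hides the string."""
    return NORMALISED_SIGNATURE in normalise(data)


def scan(data: bytes) -> dict:
    """Run all three detection styles and report which ones fire."""
    return {
        "hash": matches_hash(data),
        "raw_pattern": matches_raw(data),
        "normalised_pattern": matches_normalised(data),
    }


if __name__ == "__main__":
    print("original:", scan(ORIGINAL))
    print("variant: ", scan(VARIANT))
```

Running it shows all three styles fire on the original, while on the padded variant only the normalising scanner still matches: the checksum and the exact-bytes pattern are the ones a trivial edit defeats, which is why they are the weakest basis for detection.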
Aardpsymon, this is assuming that the perl script doesn't get flagged on your own computer, right?
nihil, thanks for your hefty input. So this sandboxing method moves the location of the malware to a mirrored image of the hard drive, with the same directories and files, in a controlled environment?
Do you think I should repost this topic in the "anti-malware" section? Or what if somebody moved this topic to that section instead?
I had to ask this because I'm still a bit timid here at AO... don't like ******** =X
Is ...f_l_a_m_e_a_g_e ... a bad word?
This concept is also called "Packing", as in, packing the executable down into a smaller size, thus changing the signature.
Hi e><ius,
The sandboxing technique is slightly different from using a virtual machine environment.
Typically, a virtual machine allows you to create a machine within a machine. So you could run a Linux distro, Windows XP and Windows 98SE in separate "environments" on the same hardware platform. VMWare is a classic example of this.
Mirroring type software would include software such as Faronics' "Deep Freeze". This loads your operating system into a separate location. When the user has finished, the original image is restored for the next user. Anything that the previous user has done is reversed.
Read more here:
http://www.faronics.com/
From a security standpoint there are "sandboxes" such as SandboxIE and Fortres Grand. You can read more about them here:
http://www.sandboxie.com/
http://www.fortresgrand.com/
Finally there are antivirus products that use an internal "sandbox" to open and examine files in. This is actually a rather old concept. I still have a copy of Aladdin Knowledge Systems Ltd's antivirus, that used this technique some 10 years ago.
What joo packin? "I'm packing HEAT!"
Quote:
Originally Posted by zencoder
That was what I was referring to. What does this "sandbox" consist of? A folder? A directory? An image? If I were in my sandbox, I'd eventually wanna play 4-square or kickball.
Quote:
Originally Posted by nihil
Yes, that is the origin of the term. A sandbox was a safe play area for small children.
AVs use a folder to open items in and observe their attempted behaviour. As this is a restricted environment it is comparatively safe.
However, there have been examples of code that can break out of sandboxes, notably an exploit in Java that would give a website arbitrary code access to the entire PC. I can't recall the specifics any more, my memory sucks.
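The behavioural side described above (nihil's "looking for attempts to modify the registry or executable files", and the sandbox that runs the program and "looks to see what it tries to do") can be illustrated with a small added example; it is written for this page and is not any product's engine. It runs a few rules over a constructed sandbox trace in a hypothetical "EVENT target" line format, one rule per behaviour the thread names, and turns the hits into a verdict. The trace lines, the rules and the thresholds are all assumptions for the example.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sandbox traces, one event per line as "<EVENT> <target>".
# This is a hypothetical log format for the example, not any real sandbox's output.
SUSPICIOUS_TRACE = """\
FILE_READ C:\\Users\\alice\\Documents\\notes.txt
REG_SET HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater
FILE_WRITE C:\\Windows\\System32\\calc.exe
FILE_WRITE C:\\Users\\alice\\AppData\\Local\\Temp\\log.txt
"""

BENIGN_TRACE = """\
FILE_READ C:\\Users\\alice\\Documents\\notes.txt
FILE_WRITE C:\\Users\\alice\\Documents\\notes.txt
REG_SET HKCU\\Software\\ExampleEditor\\RecentFiles
"""

# Each rule: (event type, regex on the target, description). These mirror the
# behaviours named in the thread; the exact patterns are assumed for the example.
RULES: List[Tuple[str, str, str]] = [
    ("REG_SET", r"\\CurrentVersion\\Run(Once)?\\", "sets an autorun registry value"),
    ("FILE_WRITE", r"\.(exe|dll|sys)$", "modifies an executable file"),
    ("FILE_WRITE", r"^C:\\Windows\\", "writes into the Windows directory"),
]


def parse(trace: str) -> Iterator[Tuple[str, str]]:
    """Yield (event, target) pairs, skipping blank lines."""
    for line in trace.splitlines():
        line = line.strip()
        if not line:
            continue
        event, _, target = line.partition(" ")
        yield event, target


def findings(trace: str) -> List[str]:
    """Every (rule, event) match, described in plain words with its target."""
    hits = []
    for event, target in parse(trace):
        for rule_event, pattern, description in RULES:
            if event == rule_event and re.search(pattern, target, re.IGNORECASE):
                hits.append(f"{description}: {target}")
    return hits


def verdict(trace: str) -> str:
    """Assumed thresholds: two or more hits is suspicious, one needs review."""
    n = len(findings(trace))
    if n >= 2:
        return "suspicious"
    return "review" if n == 1 else "clean"


if __name__ == "__main__":
    for name, trace in (("suspicious", SUSPICIOUS_TRACE), ("benign", BENIGN_TRACE)):
        print(name, "->", verdict(trace))
        for hit in findings(trace):
            print("   ", hit)
```

The point of the example is that none of these rules look at the file's bytes at all, so padding strings or repacking the binary changes nothing: the autorun key write and the overwrite of an executable are observed when the program runs, whatever the file looked like on disk.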
FYI, if you only hex something like a virus it will still be picked up by a virus scanner and picked up as the same virus. I have tried this. The only time it would bypass a malware or virus check is if the engine you are running only scans for files with certain CRCs or MD5s. I do not think there are any engines that rely on checksums like this today - at least I hope not haha.
Edit: Oh even packing an executable usually does not help because scanners have the ability to unpack most common types of packers. However, there are a few that cannot be unpacked - usually ones that are "private" and developed by "underground" groups. However if it is already in memory it is virtually unpacked then executed so a memory scanner would catch them.
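oofki's point that scanners unpack the common packers but can only flag, not unpack, a private one is the kind of thing a simple file heuristic can show. The following is an added example for this page, not any scanner's code: it looks for the section-name markers that UPX leaves in its output (the scanner's "known packer, unpack and scan" case) and otherwise uses byte entropy as the "cannot unpack, warn about it" signal nihil asks about a few posts later. The threshold, the sample buffers and the pseudo-random generator standing in for a compressed payload are all constructed for the example.

```python
import math
from collections import Counter
from typing import Optional

# Section names that the UPX packer writes into files it produces. A scanner
# that recognises the packer can unpack the file and scan the real payload.
KNOWN_PACKER_MARKERS = {"UPX": (b"UPX0", b"UPX1")}

# Bits of entropy per byte above which a file is treated as compressed or
# encrypted. 8.0 is uniformly random; plain code and text sit well below.
# The cut-off is an assumption for this example.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def known_packer(data: bytes) -> Optional[str]:
    """Name of the first known packer whose markers all appear in the file."""
    for name, markers in KNOWN_PACKER_MARKERS.items():
        if all(m in data for m in markers):
            return name
    return None


def classify(data: bytes) -> str:
    """'known-packer:<name>' (unpack and scan), 'unknown-packed' (cannot
    unpack, warn the user) or 'plain' (scan as-is)."""
    packer = known_packer(data)
    if packer:
        return f"known-packer:{packer}"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "unknown-packed"
    return "plain"


def pseudo_random_bytes(n: int, seed: int = 0x1234) -> bytes:
    """Deterministic LCG output used as a stand-in for a compressed or
    encrypted payload, so the example runs offline and repeatably."""
    out = bytearray()
    x = seed
    for _ in range(n):
        x = (x * 1103515245 + 12345) & 0xFFFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


# Constructed samples (not real executables).
PLAIN_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 50 + b"\x00" * 2000
CUSTOM_PACKED_SAMPLE = b"MZ" + pseudo_random_bytes(8192)
UPX_SAMPLE = b"MZ" + b"UPX0" + b"UPX1" + pseudo_random_bytes(8192)


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE),
                         ("custom packed", CUSTOM_PACKED_SAMPLE),
                         ("upx", UPX_SAMPLE)):
        print(f"{name:14} entropy={shannon_entropy(sample):.2f} -> {classify(sample)}")
```

Entropy is a coarse signal (legitimately compressed resources or installers score high too), which is why products tend to report "could not unpack" rather than "malware" in that case; and, as oofki notes, once the program is running the unpacked code is in memory, where a memory scan sees it regardless of which packer was used.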
Yes, in the old days viruses were written by people who generally had some idea, and were, perversely, quite jealous of their achievements.
Then skiddies started taking pre-existing code and modifying it, a process which generally involved some form of obfuscation, as they never really knew which strings were already detected.
I agree with oofki that these days, the virus is still most likely to be detected if it is merely obfuscated. Depending on how your AV decides to report things it may be called something like "XYZ generic" which indicates that minor modification/obfuscation of the original code has taken place.
As for the custom packing, I believe that some AVs will warn you of files that they cannot unpack or decompress? Just as they will also warn you of files they cannot scan because they are in use.
I actually tried to hex a trojan before, like SubSeven, just to see if it was caught or not. And it still was picked up as the same SubSeven trojan. That is because they are virus "patterns": the pattern of the actual program is the same because it is still essentially executing the same commands.
And yes Nihil I think you are right about custom packing. This happens with password protected zip files all the time. It could at least lead you to suspicion.