
Encrypting executables


sc0rpi0


The problem you'll have is that if the .exe is encrypted you cannot run it, and when you decrypt it the AV picks it up, but I do believe something like this is possible.


Here's something interesting:

People at SecuriTeam (http://www.securiteam.com) have found a simple way to bypass the virus checking capability of several popular antiviruses. The method is as simple as it can get: just rename the virus-infected file so that it contains non-printable ASCII characters.

Several AVs fail to open/test this file as they cannot handle the non-printable ASCII in the filenames.

Several antivirus programs do not scan filenames that contain non-printable ASCII characters; in addition, instead of being blocked, they are simply ignored.

Details

Vulnerable Systems:

* BitDefender Antivirus

* Trustix Antivirus

* Avast! Antivirus

* Cat Quick Heal Antivirus

* Abacre Antivirus

* VisNetic Antivirus (bypass only with manual scan)

* AntiVir Personal Edition Antivirus

* Clamav for Windows Antivirus

* Antiy Ghostbusters Professional Edition

Immune Systems:

* Kaspersky Antivirus

* AVG Free

Several antivirus programs do not scan files that contain extended ASCII characters and characters that are lower than 0x20. An attacker can rename a malicious file to such a filename, which in turn will cause the antivirus programs to ignore the file.

Full info:- http://www.securiteam.com/windowsntfocus/5TP0M2KGUQ.html

Not all major AVs are tested there, but you can test your AV for yourself. Get the Eicar test pattern file and rename the file so that it contains a non-printable ASCII character.

For example, if xyz.exe is the filename then you can use xyz[ALT+1].exe; pressing ALT+number produces an ASCII character.

Get the Eicar test virus here:- http://www.eicar.org/anti_virus_test_file.htm

Taken from http://www.techspot.in/forum/archive/index.php?t-1872.html

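From the defender's side, the advisory above describes a scanner blind spot that is easy to audit for: any filename carrying a code point below 0x20 or outside printable ASCII. The Python below is an added example (not code from the thread or from SecuriTeam) that triages filenames into those two classes, treating control characters as near-certain anomalies and non-ASCII characters as a review hint only, since they are legitimate in many languages; the sample names are constructed.

```python
"""Triage filenames for the two character classes the SecuriTeam advisory
names as scanner blind spots: code points below 0x20 and above 0x7E.
Added defensive example, not code from the forum thread."""
import os
from typing import Dict, Iterable, List, Tuple

CONTROL = "control"       # < 0x20: no normal software puts these in a name
NON_ASCII = "non-ascii"   # > 0x7E: extended ASCII / Unicode, legitimate for many users
CLEAN = "clean"


def suspicious_chars(name: str) -> List[Tuple[int, str, str]]:
    """Return (index, 'U+XXXX', class) for every character in the name
    that falls outside printable ASCII."""
    findings = []
    for i, ch in enumerate(name):
        cp = ord(ch)
        if cp < 0x20:
            findings.append((i, f"U+{cp:04X}", CONTROL))
        elif cp > 0x7E:
            findings.append((i, f"U+{cp:04X}", NON_ASCII))
    return findings


def classify(name: str) -> str:
    """Worst finding for one name: control beats non-ascii beats clean."""
    classes = {cls for _, _, cls in suspicious_chars(name)}
    if CONTROL in classes:
        return CONTROL
    if NON_ASCII in classes:
        return NON_ASCII
    return CLEAN


def triage(names: Iterable[str]) -> Dict[str, List[str]]:
    """Group names by class. repr() is used so control characters stay
    visible in a report instead of rendering as invisible glyphs."""
    groups: Dict[str, List[str]] = {CONTROL: [], NON_ASCII: [], CLEAN: []}
    for name in names:
        groups[classify(name)].append(repr(name))
    return groups


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Triage every directory and file name under root."""
    names: List[str] = []
    for _, dirnames, filenames in os.walk(root):
        names.extend(dirnames + filenames)
    return triage(names)


# Constructed sample names: the advisory's xyz[ALT+1].exe is "xyz\x01.exe".
SAMPLE_NAMES = ["xyz\x01.exe", "report.pdf", "r\u00e9sum\u00e9.exe", "setup.exe\x1f"]

if __name__ == "__main__":
    for cls, items in triage(SAMPLE_NAMES).items():
        print(f"{cls:10s} {items}")
```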


Thanks.

This seems to work...sort of...only with some executables.

I am currently looking for a solution to veil executables from the larger AV's such as Norton and Mcafee.

Maybe "encrypt" was not the correct word.

What I am trying to do is package a file so that the contents can be run but not detected.

I have tried upx and iexpress and managed to hide a file from av but not when it is being run.  :(

Any more ideas?

Thanks.


get yourself a private packer/crypter, and your problems are solved ;)

Where do I pick up one of these?

I am presuming that when you say "private" you mean secret: not open to the public.

If so, then my previous question was very pointless. Ignore it then.

There aren't many of these around, are there? Even if I manage to find one, how do I know it won't backfire?

I know I'm paranoid but don't I have a reason to be?

Thanks.


I found an EXE binder in NetTools... Looks like it just binds 2 exe's together and they both run... I dunno, haven't fiddled around with it yet. Make sure you check out NetTools... amazing program. Don't have a link... too lazy to look it up (I'm on dialdown right now), just google it. ;)


As has already been said, if you pack/crypt an exe your AV might detect it by general detection of the cryptor. So you need a private packer.  :-?

As private means NOT public there are no links  :D

But you can also try one of the publicly known packers, like Yoda's Protector.

Is this better than UPX or iexpress [all Windows versions come with this; just type "iexpress" into the Run box]?

Thanks very much.


So has anybody got this going?

Good question.

I am currently on my non-hacking computer.

I know it sounds odd, but I have a separate computer for testing even safe software [being the paranoid person I am].

It will probably be down until somewhere in winter break  :(  Sorry if this causes anyone any inconvenience.

Once it's fixed, I'll test the packaging tools and reply on this topic.

Eventually, it should show up in your "Show new replies to your posts" tab thing.

If anyone else would like to try, please go right ahead. If it's not too much trouble, post your results here.

For test binding purposes, I would recommend trying "pspv.exe" in the Switchblade USB package. My AV goes nuts when I unzip this.

Or another that your av would typically pick up without binding.

Good luck!



UPX and iexpress will not work against good antiviruses, and a good packer will, so those are IMO better.


I've been reading this thread continuously hoping for a solution. It wasn't until I finally took some initiative that I may have figured out a solution.

I tested this on XP SP2 running Symantec AV with definition files current as of 12/14/2007.

On a different box, I used ccrypt to encrypt the files. This renames the files to <program>.exe.cpt. This successfully passed Symantec scans.

I'm hacking some c++ now which will follow this paradigm:

-Scan computer for known AV

-If AV present, try to kill the process

-If kill successful, decrypt payload

-Run payload & encrypt files back

Let me know what you think. Once I have some time to get a VM up and running, I'll test ccrypt with other AVs. As far as I know though, this should work against all signature-based ones...



That is a good idea... don't mean to steal your idea, but I have been working on a huge list of AV and firewall processes to kill also. It's nearly done and will probably be posted on the USB hacks forum soon.

I will consider using this ccrypt ...it looks interesting. Could you please post the commands for what you are trying to do?

Keep up the good work!  :)

Thanks for taking the initiative. Please post any new results so that we may become equally enlightened.

Thanks again.


I'd just like to say that password-protected RARs also don't get detected by antiviruses. I'd consider using RARs since they are more widely used, but it's up to you.

Thanks for the fantastic suggestion.

I just tried it and it veils the files from any av intervention.

Thanks again for the idea.


Interesting, but that doesn't get past the fact that you need to actually run the executables. Using a RAR for temporary storage will be nice, but how will that help get around running the apps?

The plan is that the nasties [Switchblade apps that AVs don't like] will be hidden from detection.

Before the nasties are extracted, a batch file or another executable will be run, hopefully killing the AV.

I am currently compiling the list of AV processes and will probably post that sometime during winter break.

However, I may need a little assistance because Google doesn't find all AV processes.
