sc0rpi0 Posted December 8, 2007
Is it possible to encrypt the executables in the switchblade [i.e. pwdump, etc.]? My annoying AV is continuously picking them up and deleting them. I'm not too keen on disabling my AV. If so, what program(s) would I need? Thanks very much.
sablefoxx Posted December 9, 2007
The problem you'll have is that if the .exe is encrypted you cannot run it, and when you decrypt it the AV picks it up, but I do believe something like this is possible.
excid3 Posted December 9, 2007
Is it possible to have an encrypted exe that decrypts itself, then executes it? ...guess the AV would detect the decrypted one anyway... nvm
sc0rpi0 Posted December 10, 2007 (Author)
Could there be another way of avoiding AV [other than disabling it]? Much appreciated.
SomeoneE1se Posted December 10, 2007
... wouldn't that defeat the ENTIRE purpose of anti-virus?!
excid3 Posted December 10, 2007
Here's something interesting:

People at SecuriTeam (http://www.securiteam.com) have found a simple way to bypass the virus checking capability of several popular antiviruses. The method is as simple as it can get. Just rename the virus-infected file so that it contains non-printable ASCII characters. Several AVs fail to open/test this file as they cannot handle the non-printable ASCII in the filenames. Several antivirus programs do not scan filenames that contain non-printable ASCII characters; in addition, instead of blocking them they are simply ignored.

Details

Vulnerable Systems:
* BitDefender Antivirus
* Trustix Antivirus
* Avast! Antivirus
* Cat Quick Heal Antivirus
* Abacre Antivirus
* VisNetic Antivirus (bypass only with manual scan)
* AntiVir Personal Edition Antivirus
* ClamAV for Windows Antivirus
* Antiy Ghostbusters Professional Edition

Immune Systems:
* Kaspersky Antivirus
* AVG Free

Several antivirus programs do not scan files that contain extended ASCII characters and characters that are lower than 0x20. An attacker can rename a malicious file to such a filename, which in turn will cause the antivirus programs to ignore the file.

Full info: http://www.securiteam.com/windowsntfocus/5TP0M2KGUQ.html

Not all major AVs are tested there, but you can test your AV yourself. Get the EICAR test pattern file and rename the file so that it contains a non-printable ASCII character. For example, if xyz.exe is the filename then you can use xyz[ALT+1].exe; pressing ALT+number gives an ASCII character.

Get the EICAR test virus here: http://www.eicar.org/anti_virus_test_file.htm

Taken from http://www.techspot.in/forum/archive/index.php?t-1872.html
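The defender's counterpart to the advisory excid3 quotes: an added Python audit script (not part of the thread or of the SecuriTeam advisory) that walks a directory tree and reports every file or folder whose name contains a control character (below 0x20, or DEL 0x7F) or a non-ASCII code point, the two name classes the advisory says several engines silently skip. Run over a share or a USB stick it lists the entries a scheduled scan may never have examined; the sample tree that demo() builds is constructed for illustration and contains empty files only.

```python
"""Audit a directory tree for filenames an AV scanner might silently skip.

Added example (not from the thread or the SecuriTeam advisory). It flags
two name classes the advisory says several engines ignore: control
characters (< 0x20, plus DEL 0x7F) and non-ASCII code points, which is
what "extended ASCII" becomes once Windows or Python hands you the name
as Unicode.
"""
import os
import shutil
import sys
import tempfile
from typing import Any, Dict, List


def suspicious_chars(name: str) -> Dict[str, List[str]]:
    """Return offending characters in a filename grouped by class.

    An empty dict means the name is plain printable ASCII and would not
    trigger the blind spot described in the advisory.
    """
    findings: Dict[str, List[str]] = {}
    for ch in name:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            findings.setdefault("control", []).append(f"0x{code:02X}")
        elif code > 0x7E:
            findings.setdefault("non-ascii", []).append(f"U+{code:04X}")
    return findings


def scan_tree(root: str) -> List[Dict[str, Any]]:
    """Walk root and return one record per file or directory with a suspicious name.

    Directories are checked too: a bad directory name can hide an entire
    subtree from a scanner that skips the entry instead of descending.
    """
    hits: List[Dict[str, Any]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            findings = suspicious_chars(entry)
            if findings:
                hits.append({"path": os.path.join(dirpath, entry), "findings": findings})
    return hits


def format_report(hits: List[Dict[str, Any]]) -> str:
    """One line per hit; the path is escaped so the report itself stays readable."""
    lines = []
    for hit in hits:
        shown = str(hit["path"]).encode("unicode_escape").decode("ascii")
        detail = "; ".join(f"{k}: {', '.join(v)}" for k, v in hit["findings"].items())
        lines.append(f"{shown}  [{detail}]")
    return "\n".join(lines)


def demo() -> List[Dict[str, Any]]:
    """Build a constructed sample tree, scan it and clean up (empty files, sample names only)."""
    root = tempfile.mkdtemp(prefix="avname-")
    try:
        for name in ("clean.exe", "xyz\x01.exe", "r\u00e9sum\u00e9.exe"):
            try:
                open(os.path.join(root, name), "wb").close()
            except (OSError, UnicodeError):
                pass  # host filesystem refuses the name (Win32 rejects chars below 0x20)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # Usage: python avname_audit.py [directory]; with no argument it scans the demo tree.
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(format_report(found) or "no suspicious filenames")
```

The check is deliberately stricter than the advisory's list: it also reports DEL and every non-ASCII code point, so a name such as one typed with ALT+number shows up whether the filesystem stored it as a raw control byte or as the Unicode symbol Windows maps it to.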
sc0rpi0 Posted December 15, 2007 (Author)
Here's something interesting:

People at SecuriTeam (http://www.securiteam.com) have found a simple way to bypass the virus checking capability of several popular antiviruses. The method is as simple as it can get. Just rename the virus-infected file so that it contains non-printable ASCII characters. Several AVs fail to open/test this file as they cannot handle the non-printable ASCII in the filenames. Several antivirus programs do not scan filenames that contain non-printable ASCII characters; in addition, instead of blocking them they are simply ignored.

Details

Vulnerable Systems:
* BitDefender Antivirus
* Trustix Antivirus
* Avast! Antivirus
* Cat Quick Heal Antivirus
* Abacre Antivirus
* VisNetic Antivirus (bypass only with manual scan)
* AntiVir Personal Edition Antivirus
* ClamAV for Windows Antivirus
* Antiy Ghostbusters Professional Edition

Immune Systems:
* Kaspersky Antivirus
* AVG Free

Several antivirus programs do not scan files that contain extended ASCII characters and characters that are lower than 0x20. An attacker can rename a malicious file to such a filename, which in turn will cause the antivirus programs to ignore the file.

Full info: http://www.securiteam.com/windowsntfocus/5TP0M2KGUQ.html

Not all major AVs are tested there, but you can test your AV yourself. Get the EICAR test pattern file and rename the file so that it contains a non-printable ASCII character. For example, if xyz.exe is the filename then you can use xyz[ALT+1].exe; pressing ALT+number gives an ASCII character.

Get the EICAR test virus here: http://www.eicar.org/anti_virus_test_file.htm

Taken from http://www.techspot.in/forum/archive/index.php?t-1872.html

Thanks. This seems to work... sort of... only with some executables. I am currently looking for a solution to veil executables from the larger AVs such as Norton and McAfee. Maybe "encrypt" was not the correct word.
What I am trying to do is package a file so that the contents can be run but not detected. I have tried UPX and IExpress and managed to hide a file from AV, but not when it is being run. :( Any more ideas? Thanks.
remkow Posted December 15, 2007
Get yourself a private packer/crypter, and your problems are solved ;)
sc0rpi0 Posted December 15, 2007 (Author)
Get yourself a private packer/crypter, and your problems are solved ;)

Where do I pick up one of these? I am presuming that when you say "private" you mean secret: not open to the public. If so, then my previous question was very pointless. Ignore it then. There aren't many of these around, are there? Even if I manage to find one, how do I know it won't backfire? I know I'm paranoid, but don't I have a reason to be? Thanks.
excid3 Posted December 16, 2007
I found an EXE binder in NetTools... Looks like it just binds 2 exes together and they both run... I dunno, haven't fiddled around with it yet. Make sure you check out NetTools... amazing program. Don't have a link... too lazy to look it up (I'm on dial-up right now), just Google it. ;)
sc0rpi0 Posted December 16, 2007 (Author)
Thanks so much for the help.
The Brain Posted December 16, 2007
As has already been said, if you pack/crypt an exe your AV might detect it by general detection of the cryptor. So you need a private packer. :-? As private means NOT public, there are no links :D But you can also try one of the publicly known packers, like Yoda's Protector.
remkow Posted December 16, 2007
A public packer won't help at all. testingqwerty: PM me which files you want to be undetected and I'll pack them for you.
sc0rpi0 Posted December 16, 2007 (Author)
As has already been said, if you pack/crypt an exe your AV might detect it by general detection of the cryptor. So you need a private packer. :-? As private means NOT public, there are no links :D But you can also try one of the publicly known packers, like Yoda's Protector.

Is this better than UPX or IExpress [every Windows comes with this; just type "iexpress" into the Run box]? Thanks very much.
HarshReality Posted December 16, 2007
So has anybody got this going?
sc0rpi0 Posted December 16, 2007 (Author)
So has anybody got this going?

Good question. I am currently on my non-hacking computer. I know it sounds odd, but I have a separate computer for testing even safe software [being the paranoid person I am]. It will probably be down until somewhere in winter break :( Sorry if this causes anyone any inconvenience. Once it's fixed, I'll test the packaging tools and reply on this topic. Eventually, it should show up in your "Show new replies to your posts" tab thing. If anyone else would like to try, please go right ahead. If it's not too much trouble, post your results here. For test binding purposes, I would recommend trying "pspv.exe" in the switchblade USB package. My AV goes nuts when I unzip this. Or another that your AV would typically pick up without binding. Good luck!
remkow Posted December 17, 2007
As has already been said, if you pack/crypt an exe your AV might detect it by general detection of the cryptor. So you need a private packer. :-? As private means NOT public, there are no links :D But you can also try one of the publicly known packers, like Yoda's Protector.

Is this better than UPX or IExpress [every Windows comes with this; just type "iexpress" into the Run box]? Thanks very much.

UPX and IExpress will not work against good antiviruses, and a good packer will, so those are IMO better.
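What the "general detection of the cryptor" that The Brain mentions looks like from the defender's side, as an added Python example that is not code from the thread or from any AV product: it reads just enough of a PE file to reach the section table and reports the two generic indicators engines and analysts use for packed binaries, namely section names associated with known packers (UPX0/UPX1 for UPX, .yP for Yoda's Protector and a few others; the list is an assumption for illustration, to be extended from a PEiD-style signature database) and near-maximal Shannon entropy of section data, which compressed or encrypted payloads show whatever the sections are called. The three images that demo() builds are constructed in memory with valid headers and are not runnable programs.

```python
"""Packed-PE heuristics: packer section names plus section entropy.

Added example, not from the thread or any AV product. Parses only the
parts of a PE image needed to reach the section table, then reports the
generic indicators that get packed binaries flagged regardless of what
they contain.
"""
import math
import struct
import sys
from typing import Any, Dict, List, Sequence, Tuple

# Section names tied to packers named in the thread plus a few common ones
# (assumed list for illustration; extend it from a PEiD-style signature DB).
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".yP", ".yC", ".aspack", ".adata", ".petite"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, up to 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Dict[str, Any]]:
    """Return name, raw size and entropy of every section in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + size_opt                           # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "raw_size": raw_size, "entropy": shannon_entropy(data)})
    return sections


def packer_indicators(pe: bytes, entropy_threshold: float = 7.0) -> Dict[str, Any]:
    """Combine the name and entropy indicators into one verdict."""
    sections = parse_sections(pe)
    names = [s["name"] for s in sections]
    known = sorted(set(names) & KNOWN_PACKER_SECTIONS)
    hot = [s["name"] for s in sections if s["raw_size"] and s["entropy"] >= entropy_threshold]
    return {"sections": names, "known_packer_sections": known,
            "high_entropy_sections": hot, "likely_packed": bool(known or hot)}


def build_sample_pe(specs: Sequence[Tuple[str, bytes]]) -> bytes:
    """Build a minimal PE32 image from (section name, raw data) pairs.

    Constructed for the demo: only the fields parse_sections() reads are
    filled in, so the result has a valid header layout but is not a program.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew: PE header follows the DOS header
    size_opt = 0xE0                                      # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, size_opt, 0x102)
    ptr = 64 + 4 + 20 + size_opt + 40 * len(specs)       # raw data starts after the section table
    table, body = bytearray(), bytearray()
    for name, data in specs:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), 0,
                             len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(size_opt) + bytes(table) + bytes(body)


def demo() -> Dict[str, Dict[str, Any]]:
    """Three constructed images: plain, UPX-style, and a packer with renamed sections."""
    low = bytes(range(16)) * 256    # 16 distinct byte values -> entropy 4.0, like ordinary code/data
    high = bytes(range(256)) * 16   # uniform bytes -> entropy 8.0, like compressed or encrypted data
    plain = build_sample_pe([(".text", low), (".data", low)])
    upx_like = build_sample_pe([("UPX0", b""), ("UPX1", high), (".rsrc", low)])
    renamed = build_sample_pe([(".text", high), (".data", low)])  # names scrubbed, entropy still tells
    return {"plain": packer_indicators(plain), "upx_like": packer_indicators(upx_like),
            "renamed": packer_indicators(renamed)}


if __name__ == "__main__":
    # Usage: python packcheck.py [file.exe]; with no argument it reports on the demo images.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(packer_indicators(fh.read()))
    else:
        for label, verdict in demo().items():
            print(label, verdict)
```

The third demo image is the point of the entropy indicator: renaming a packer's sections to .text and .data defeats the name list, but a section holding compressed or encrypted bytes still scores close to 8 bits per byte, which is why a "private" packer only buys time until a generic heuristic or an unpacking emulator catches up with it.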
hexlax Posted December 17, 2007
I've been reading this thread continuously hoping for a solution. It wasn't until I finally took some initiative that I may have figured out a solution. I tested this on XP SP2 running Symantec AV with definition files current as of 12/14/2007. On a different box, I used ccrypt to encrypt the files. This renames the files to <program>.exe.cpt. This successfully passed Symantec's scans. I'm hacking some C++ now which will follow this paradigm:
- Scan computer for known AV
- If AV present, try to kill the process
- If kill successful, decrypt payload
- Run payload & encrypt files back
Let me know what you think. Once I have some time to get a VM up and running, I'll test ccrypt with other AVs. As far as I know though, this should work against all signature-based ones...
sc0rpi0 Posted December 18, 2007 (Author)
I've been reading this thread continuously hoping for a solution. It wasn't until I finally took some initiative that I may have figured out a solution. I tested this on XP SP2 running Symantec AV with definition files current as of 12/14/2007. On a different box, I used ccrypt to encrypt the files. This renames the files to <program>.exe.cpt. This successfully passed Symantec's scans. I'm hacking some C++ now which will follow this paradigm:
- Scan computer for known AV
- If AV present, try to kill the process
- If kill successful, decrypt payload
- Run payload & encrypt files back
Let me know what you think. Once I have some time to get a VM up and running, I'll test ccrypt with other AVs. As far as I know though, this should work against all signature-based ones...

That is a good idea... don't mean to steal your idea, but I have been working on a huge list of AV and firewall processes to kill also. It's nearly done and will probably be posted on the USB hacks forum soon. I will consider using this ccrypt... it looks interesting. Could you please post the commands for what you are trying to do? Keep up the good work! :) Thanks for taking the initiative. Please post any new results so that we may become equally enlightened. Thanks again.
hexlax Posted December 18, 2007
Yeah man, as soon as my code is complete and cleaned I'll post it up. Probably not till the weekend though... I'm really interested in that AV list you're compiling. That would help me out greatly!
Silva Posted December 18, 2007
I'd just like to say that password-protected RARs also don't get detected by antiviruses. I'd consider using RARs since they are more widely used, but it's up to you.
sc0rpi0 Posted December 18, 2007 (Author)
I'd just like to say that password-protected RARs also don't get detected by antiviruses. I'd consider using RARs since they are more widely used, but it's up to you.

Thanks for the fantastic suggestion. I just tried it and it veils the files from any AV intervention. Thanks again for the idea.
excid3 Posted December 19, 2007
Interesting, but that doesn't get past the fact that you need to actually run the executables. Using a RAR for temporary storage will be nice, but how will that help getting around running the apps?
sc0rpi0 Posted December 20, 2007 (Author)
Interesting, but that doesn't get past the fact that you need to actually run the executables. Using a RAR for temporary storage will be nice, but how will that help getting around running the apps?

The plan is that the nasties [switchblade apps that AVs don't like] will be hidden from detection. Before the nasties are extracted, a batch file or another executable will be run, hopefully killing the AV. I am currently compiling the list of AV processes and will probably post that sometime during winter break. However, I may need a little assistance because Google doesn't find all AV processes.