On the topic of binary obfuscation, you might be interested in this tool. Morphine, http://hxdef.czweb.org/download/Morphine27.zip , which I understand was designed by the HackerDefender rootkit designer(s). The general purpose is to render a binary unrecognizable to current anti- virus engines without affecting the execution capability of the program. Keep in mind that the tool was designed with malicious intent for use with a rootkit, and as such, should only be trusted as far as you can throw an elephant. Its an interesting concept though, one which must most definitely be forcing anti-virus companies to come up with new detection methods which don't rely solely on checksumming of files.
Robert Perriero Montclair State University On Thu, 2005-06-16 at 14:08 +0200, class wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > [EMAIL PROTECTED] a écrit : > > > = Advisory: Sophos doesn't recognize keylogger after string > > alteration = > > > > During a Penetrationtest RedTeam found out that Sophos Anti-Virus > > (SAV for short) won't recognize a keylogger as malware, after > > alteration of a string in the keylogger's binary. > > > > == Details == > > > > Product: Sophos Anti-Virus Affected Version: <= 5.0.2 Immune > > Version: None known OS affected: tested on Win2k, GNU/Linux, > > probably all supported by Sophos Security-Risk: medium > > Remote-Exploit: no Vendor-URL: http://www.sophos.com Vendor-Status: > > informed Advisory-URL: > > http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-013 > > Advisory-Status: published > > > > == Introduction == > > > > "Sophos Anti-Virus provides integrated virus detection on a wide > > range of Windows platforms. Our award-winning technology protects > > corporate servers, desktops and laptops from viruses, Trojans, > > worms and malicious spyware." (from Vendor's page) > > > > SAV fails to recognize a keylogger binary after altering a few > > bytes in a string contained in the program. > > > > > > == More Details == > > > > During a Penetrationtest, RedTeam wanted to install a keylogger on > > a victim's system. Klogger (written by Arne Vidstrom, see [1]) was > > chosen because of its small size, simplicity, and the ability to be > > executed from the command prompt. Since we knew that SAV was > > running on the target system, we did a test in our lab at > > RWTH-Aachen University. This test revealed that SAV would recognize > > the Klogger binary as malicious and raise alarm. > > > > In a simplistic attempt to confuse SAV, a few bytes in the Klogger > > binary (there is no source code available) which belonged to a > > string containing the author's name where changed with a hex > > editor. To our astonishment this was enough to foil SAV - no alarms > > where raised for the modified binary. Apparently the only detection > > method deployed by SAV for this binary was a hash comparison or > > something to the same effect. > > > > Tests with other antivirus programs showed that all of them > > recognized the binary even after the string alteration. As for SAV, > > additional tests with more popular malware showed that for these, > > proper heuristics were used: it was not enough just to change a > > few bytes with other malware binaries we tested. > > > > This example shows impressively, how easy some virusscanners can be > > bypassed. An attacker just has to spend less than one minute to > > manipulate the keylogger to prevent SAV from detecting the file. > > > > As keyloggers are more and more used by criminals like phishers to > > get e.g. online-banking data, it is important that protection > > software has robust detection mechanisms for malware. Simple > > circumvention of protection mechanisms could lead to a severe > > information leakage and compromise of the user. It is not uncommon > > for malware code to be hex-edited by the entities deploying them > > or even to change itself, thus potentially circumventing SAV if > > this practice is used with other malicicous code, too. > > > > [1] http://ntsecurity.nu/toolbox/klogger/ > > > > == Proof of Concept == > > > > Just download klogger and change some bytes. > > > > == Workaround == > > > > Never rely only on your antivirus program, regardless how good it > > is. Those programs can only detect known malware with 100% > > certainty. Unknown but also slightly modified malicious code is > > only recognized using heuristics, which fail much too often. Always > > use common sense and don't execute or even open files you don't > > exactly know where they come from. > > > > == Fix == > > > > None known. > > > > > > == Security Risk == > > > > As users should not rely only on their antivirus programs (as > > stated above) in the first place, the security risk may be seen as > > medium. > > > > > > == History == > > > > 14.04.2005 discovery of SAV's behaviour 21.04.2005 additional > > tests with other programs 10.05.2005 advisory is written > > 03.06.2005 contacted Sophos. Answer: the attachement you sent is > > clean. Eh? Apparently, they sent the attached pgp-signature to > > their virus-lab... Asked for a security contact. Got back the offer > > that if we send a file with a virus, they can scan it. Okaaaay, > > that was not the question, was it? Told them we were short of > > viruses, sorry. Contact promised to sent the mail to their > > headquarter in England. Never heard from them again. 16.06.2005 > > Advisory released > > > > == RedTeam == > > > > RedTeam is a penetration testing group working at the Laboratory > > for Dependable Distributed Systems at RWTH-Aachen University. You > > can find more Information on the RedTeam Project at > > http://tsyklon.informatik.rwth-aachen.de/redteam/ > > > > _______________________________________________ Full-Disclosure - > > We believe in it. Charter: > > http://lists.grok.org.uk/full-disclosure-charter.html Hosted and > > sponsored by Secunia - http://secunia.com/ > > This is not really a vulnerablity but more a lack of detection on this > malware, because try to do the same with hackdefender, sophos and > kaspersky are much advanced than the others AV to detect it, believe > me, I got it undetected with your method on almost all av , instead of > sophos and kaspersky using some signature that if you mod, you break > the program , nor yu should understand some asm. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.1 (MingW32) > > iD8DBQFCsWvVLyZ8K9aT7rARAkRRAKC6vP8EG/o1QX2Ss2L5d8u+9C+m9wCgp3BN > i1uiKZyFy21TGUs/VbulY08= > =xRt7 > -----END PGP SIGNATURE----- > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
