Here’s an example of how bad some AV providers are. They’re just flagging on a string in the file, or on an MD5 hash of the .idata section. The method below won't defeat the decent AVs, but it beats all the crap ones like SCEP, ClamAV etc., which is about half of them on VirusTotal.

ClamAV detects ncx99.exe as WIN.Trojan.NCX.

Luckily, clamav has sigs you can download, extract and grep for whatever.  You don’t even need to do a filesplit.

ClamAV databases: http://www.clamav.net/downloads
Extract with sigtool -u clam.cvd

cat daily.* | grep NCX
WIN.Trojan.NCX:1:S0+13712:8b5c24048b2b8b7318643b3500000000740956e80822000083c40483fe0074308d432050e8e72200000bc074168b43203d30324356750c8b43240bc0741253ffd0eb0d8b431c5056e81522000083c4086a008b4314e89c2200008bd38b5a048b7a088b720c8b44240883f80183d0008b621083c404ff6214c3cccccccccccccc8b4c240c5785c9747a56538bd98b742414f7c6030000008b7c24107507c1e902756feb218a064688074749742584c074

The signature bytes sit near file offset 0x398A.

Mod that first 8b to an 8c.
Comes up clean for NCX, but has a hit for Win.Trojan.Agent-373892.

ncx99.exe still functions.

Look for the other hit.

root@bt:~/ClamAV_DB# cat main.* | grep Win.Trojan.Agent-373892
2048:2e0039a30ff7ecac946b460cc95a97d5:Win.Trojan.Agent-373892

Looks like it’s an MD5 hash of the .idata section (the .hdb format is md5:size:name, so the 2048 is the section size):
.idata md5: 2e0039a30ff7ecac946b460cc95a97d5 sha1: 3c218263d85a2cf4f5d446aa3f4e5b5ba86fd525 size: 2048
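Both signature formats seen above (the .ndb body line from daily and the .hdb hash line from main) can be checked outside clamscan with a small matcher, which also makes clear why each is so fragile. This is an added example, not the post's or ClamAV's code; it handles only plain hex patterns with a '*' or absolute decimal offset (the S0+n section-relative offset in the NCX line and the ?? / {n} wildcards are not parsed), and the sample bytes and signature lines are constructed here, not taken from ncx99.exe.

```python
import hashlib

def parse_ndb(line):
    """Parse an .ndb body signature: Name:TargetType:Offset:HexPattern.
    Subset only: plain hex, offset '*' (anywhere) or an absolute decimal."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return {"name": name, "target": int(target),
            "offset": None if offset == "*" else int(offset),
            "pattern": bytes.fromhex(hexsig)}

def parse_hdb(line):
    """Parse an .hdb hash signature: md5:size:Name ('*' size = any size)."""
    digest, size, name = line.strip().split(":", 2)
    return {"name": name, "md5": digest.lower(),
            "size": None if size == "*" else int(size)}

def match_ndb(sig, data):
    """True if the pattern occurs anywhere, or exactly at the fixed offset."""
    pat, off = sig["pattern"], sig["offset"]
    if off is None:
        return pat in data
    return data[off:off + len(pat)] == pat

def match_hdb(sig, blob):
    """True only if both the size (when fixed) and the md5 of blob match."""
    if sig["size"] is not None and len(blob) != sig["size"]:
        return False
    return hashlib.md5(blob).hexdigest() == sig["md5"]

# Constructed test data (not the real ncx99.exe or its section): a 2048-byte
# fake .idata section and a file image with the pattern at offset 0x398A.
FAKE_IDATA = bytes(range(256)) * 8
FAKE_FILE = b"\x90" * 0x398A + bytes.fromhex("8b5c24048b2b8b7318") + b"\x00" * 32
SIGS_NDB = [parse_ndb("Test.Body.Any:1:*:8b5c24048b2b8b7318"),
            parse_ndb("Test.Body.Fixed:1:14730:8b5c24048b2b8b7318")]
SIGS_HDB = [parse_hdb(hashlib.md5(FAKE_IDATA).hexdigest() + ":2048:Test.Hash")]

def scan(data, idata):
    """Return the names of every signature that fires on this sample."""
    hits = [s["name"] for s in SIGS_NDB if match_ndb(s, data)]
    hits += [s["name"] for s in SIGS_HDB if match_hdb(s, idata)]
    return hits

if __name__ == "__main__":
    print(scan(FAKE_FILE, FAKE_IDATA))
```

The size field matters as much as the digest: an .hdb entry with a fixed size cannot fire on a section of any other length, regardless of content.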

Here’s the original .idata section.

I add 10 bytes to the .idata section, and then fill them with 00s in a hex editor.

Save it and it bypasses AV and still works.

Categories: Security
