Archive for May, 2012

 

AntiVirus – Now You See Me, Now You Don’t

May 15, 2012 in Security

[SecurePlanet Wiki][SecurePlanet RSS Feed][SecurePlanet RSS Vulnerabilities]
So I was on a penetration test and one of my tools was being identified by a certain Anti-Virus vendor. I needed to figure out what string was causing the AV tool to pickup my tool and see if I could modify it. There are many different ways you can go about it.  If you wanted to, you could just run a packer [http://www.virusbtn.com/resources/glossary/packer.xml], but unless you have a custom packer, it could also trigger some AV signatures.  You could also use Metasploit’s msfencoder to encode your executable, but I was looking for something simpler.

So, I literally put this together last night in Python and threw together a front end GUI for it.  What it does is that it takes an executable, an ouput folder, and the byte size to split the file by as requirements.  It takes that executable and makes multiple versions of that file based on the defined size.  Lets say you have a 50k file and you wanted to split the file by 5k.  It will make 10 different versions of that file.  The first one will only be the first 5k of the file (will contain the MZ header and some additional information).  The second file will include the first 5k and include the next 5k of data.  This goes for the rest of the files.

Now we should have 10 different files.  Start with the smallest file (5k) and scan that file with your AV of choice.  Does an AV signature trigger on that file?  If no, keep going through each version of that file.  When you finally do get AV to trigger, you know that something between the last file and the clean file right before it contained the string that the AntiVirus program looks for.

Now that take the diff between the files, open it up in any Hex Editor (I love HxD), make the proper modifications, and now your new executable doesn’t trigger AV. When I get some more time and I’m not sitting at a coffee shop, I’ll put some better pictures up.

The Evade tool was developed completely in Python and Glade was used as the front end.
Want to give it a try: Download Evade
Source: Download Evade Source
Remember it was a quick release and I haven’t really QA’ed it at all.
Questions or Comments about the Tool: Email me at Secure[a@t]securepla.net