Hex undetecting a trojan

Printable View

03-25-2008, 09:27 PM
Ataraxia

Hex undetecting a trojan

Hey guys, I just spent the last 2 hours trying to make this trojan undetectable by a few AV's. I got it to be undetected, but the program no longer runs (figures eh) The problem is part of the hex I edited.
[[B]4D[/B]5A *000 0*00 0000 0400 0000 FFFF 0000]
Here is what happens if I leave the hex as it is...
[code]
A-Squared
Found nothing
AntiVir
Found HEUR/Malware
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found BackDoor.Bandok.B
BitDefender
Found Backdoor.Bandok.AV
ClamAV
Found Trojan.Bandok-7
CPsecure
Found BackDoor.W*2.Bandok.av
Dr.Web
Found BackDoor.Iam
F-Prot Antivirus
Found W*2/Warezov.gen*!W*2DL
F-Secure Anti-Virus
Found Backdoor.Win*2.Bandok.av
Fortinet
Found W*2/Bandok.AW!tr.bdr
Ikarus
Found Backdoor.Win*2.Bandok.av
Kaspersky Anti-Virus
Found Backdoor.Win*2.Bandok.av
NOD*2
Found probably a variant of Win*2/Bandok (probable variant)
Norman Virus Control
Found W*2/Bandok.gen*
Panda Antivirus
Found nothing
Rising Antivirus
Found Backdoor.Agent.hfl
Sophos Antivirus
Found Mal/Bandook-A
VirusBuster
Found Backdoor.Bandok.BE
VBA*2
Found BackDoor.Iam
[/code]

and obviously when I removed the bolded part it becomes undetected by AV's

If you'd like to give a shot at it I'd be grateful. I don't plan on using this, I put a fake server just doing it for learning purposes.
Here is a link to the file as I currently have it in the 'undetected' state. Change the first line to the above to have it detected but runnable.

[COLOR="red"]WARNING: The following download IS a trojan, although it doesn't work or install the server it is still a trojan. I'm giving you fair warning although I'd appreciate it if you helped... If you run it it'll install to
Windows/System*2/ali.exe[/COLOR]
[URL="http://dodownload.filefront.com/*88**02//6d0856e622a*cd5c8*64d8027*c774*6afa2e8*b2bb*770*4bbc47c7*67*0*de07548d*0**6*4*4e"]Trojan[/URL]
03-25-2008, 10:02 PM
coz

What you modified is the DOS stub of the .exe. So all executables have what you just modified. If you learn the basic executable file structure you would be able to modify the hex much more easily and with much less errors. The byte you changed is specifically an executable signature telling the OS (Windows), hey you need to execute this when opened.

You should not edit anything in any of the headers because that is what is used by Windows to execute the file. It has nothing to do with malware avoiding detection in most cases. Also you have to think if I were to create signatures for a virus database I would base the signature on things the virus/trojan cannot change or it will not run. So code needed to run the malware could be a signature and may not be able to be changed that's why most malware is packed in some way.

Anyway if you still interested in this try SignatureZero. It will help you a lot just google for it. You should also have a deb***er like Olly, IDA, W*2Dasm, etc., that way you can see if what your changing is important. Hope this info helps you.
03-26-2008, 07:58 AM
gordo

Also, don 't test your server at jotti or virustotal. If it is detected by just one scanner, the detected strings are given to all of the others, and your server will be detected by all very soon.