"Undetectable" Malware?

Discussion in 'other anti-virus software' started by rOadToIS, Jul 3, 2009.

Thread Status:
Not open for further replies.
  1. rOadToIS

    rOadToIS Registered Member

    Joined:
    Dec 16, 2008
    Posts:
    168
    Is it really true that crackers can make malware that can bypass most AVs with just a File Splitter and a Hex editor? I also heard that "undetectable" malware can be created with the help of a packer. Are these all true?
     
  2. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Yes.

    Some AVs might detect the packer, but not always the nasty. It may report the file/s as Suspicious, but lots of innocent things are packed. That's one reason we sometimes see FPs.

    To be Undetectable doesn't rely on packing. Think Rootkit.
     
  3. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Those "patchers" are the amateurs and script kiddies who lack programming knowledge. They usually do not even bother to test if their "creations" are still executable. Professional malware writers can easily generate a new "variant" which is totally different from the previous variants, write their own cryptors and obfuscating code generators. Sometimes I wonder if they put more work into obfuscating their crap and could rather write legal software with less effort. But that's not easy earned money, then.
     
  4. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    Hi!
    Where can I find more information about how to write my own cryptors and obfuscating code generators?
    This seems like it would be a fun activity!
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    Don't post any links here.

    Thanks,

    Pete
     
  6. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    No worries, I see enough of this stuff daily and don't want even more. :gack:
     
  7. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    It does not have to be in the form of links.

    Can you recommend any textbooks, universities that give computer science courses, research fellows, etc.?
    :)


    Thanks.
     
  8. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I know many groups and individuals, indirectly, through their malware, utilities and sites.

    Their aim is to find something that will be grasped by users, infect it and circulate it. This is usually best done through file sharing - find a program that many people will be interested in using and not having to pay for it. They now need to change the program, making it, to coin a phrase, Fully UnDetectable. As already mentioned, using a crypter will help in contrasting the program.

    edit :
    Same here, but as you say e a s y money.
     
    Last edited: Jul 3, 2009
  9. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    it might be true but the statement is ambiguous. it is trivial to modify an existing piece of malware or create a new piece of malware that will go unnoticed by a known-malware scanner, basically by definition. But is AV just known-malware scanning? many statements (like the one you're asking about) pretty much assume that it is, but AV is more than just known-malware scanning, and the malware techniques you're talking about aren't nearly as effective against other AV techniques that are outside the realm of known-malware scanning.

    so the answer to your question is that it depends. it depends on what (if any) other additional techniques are employed by the AV product in question.
     
  10. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Wildest

    " might be fun "

    All the best with it, too heavy duty for me though lol.

    www.rootkit.com has been linked to on here in the past, so it must be ok to mention it. Lots of code, links etc on there.
     
  11. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    Thanks, I have bookmarked this page, although WOT blocked it.
    Interestingly, Avira Webguard said nothing.

    I do find it interesting that it is ok to talk about the design of defensive systems but it isn't to talk about the design of offensive systems.
    I can hardly imagine that a professional malware writer could learn anything here other than end-user experiences, and I don't see why it is ok for me to know how to build a lock but not ok for me to know how to pick it.
    In fact, if taken further, the malware writers are the leaders and the anti-malware people are the followers in terms of technological sophistication.

    IAC, in retrospect I think I should have asked this question on a unix-focused forum since this information would most likely be less taboo there.
     
  12. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    rootkitdotcom (Greg Hoglund) is a clearing house for everything 'rootkits' and evidently POCs, rootkits and antirootkits are uploaded there. I'm a member there, it's a good site - check out the blogs!
    ___________________________

    You'll soon find the info you want looking for hacking and cracking tools, papers, blackhat and forums.
     
    Last edited: Jul 3, 2009
  13. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    Wow, this is great.
    His list of published works is impressive as well.

    Thanks! :thumb:
     