Thursday, August 9, 2007

Can anti-virus be bypass?

What will the VX writer or "hacker" do when trying to bypass the "Signature-Based" Anti-virus program? They will normally "compressed" the executable file using packer tools such as UPX (Ultimate Packer for eXecutables). Tools like UPX will reduce the size of the executable file and will modified the "file signature".

I try to test this theory but running UPX on the Netbus trojan.

I uses the UPX to compress Netbus.exe to netbus-upx1.exe

UPX on Netbus
The executable file have a compression ratio of 37.75% and compress from 599K to 226K.
In order to test the trojan on various Anti virus program, I decided to use "VirusTotal" website (which is a website that will scan with several different anti-virus program) to scan on the original NetBus.exe

Scan NetBus with VirusTotal
After scanning the NetBus.exe on 32 Anti Virus program. Out of 32 AV, 31 of them detected as NetBus trojan.

Scan Compressed NetBus
When scanning the "UPX-compressed" NetBus file, netbus-upx1.exe, only 23 out of the 32 Anti-Virus program detected it

Detail on the scan
The 9 Anti-Virus that did not detect are,
- CAT-QuickHeal
- eTrust-Vet
- FileAdvisor
- NOD32v2
- Norman
- Prevxl
- Sunbelt
- TheHacker
- VirusBuster

So u know that some anti virus can be bypassed. As NetBus is a very old and famous tools, many well-known Anti virus vendors had already added the variants. But you can still try to "compressed" other malware to see if they can bypass "signature-based" anti virus programs.

No comments: