Thursday, August 9, 2007

Can anti-virus be bypassed?

What will the VX writer or "hacker" do when trying to bypass a "signature-based" anti-virus program? They will normally "compress" the executable file using a packer tool such as UPX (Ultimate Packer for eXecutables). Tools like UPX reduce the size of the executable file and, in doing so, modify the "file signature" that the scanner matches on.

I tried to test this theory by running UPX on the NetBus trojan.

UPX processing
I used UPX to compress NetBus.exe into netbus-upx1.exe.

UPX on NetBus
The executable file has a compression ratio of 37.75%, shrinking from 599K to 226K.


www.virustotal.com
To test the trojan against various anti-virus programs, I decided to use the "VirusTotal" website (a site that scans a submitted file with several different anti-virus engines) to scan the original NetBus.exe.

Scan NetBus with VirusTotal
After scanning NetBus.exe with 32 anti-virus programs, 31 of the 32 detected it as the NetBus trojan.
Scan compressed NetBus
When scanning the "UPX-compressed" NetBus file, netbus-upx1.exe, only 23 of the 32 anti-virus programs detected it.

Detail on the scan
The 9 anti-virus programs that did not detect it are:
- CAT-QuickHeal
- eTrust-Vet
- FileAdvisor
- NOD32v2
- Norman
- Prevxl
- Sunbelt
- TheHacker
- VirusBuster

So you know that some anti-virus programs can be bypassed this way. As NetBus is a very old and famous tool, many well-known anti-virus vendors have already added signatures for its variants. But you can still try to "compress" other malware to see whether it can bypass "signature-based" anti-virus programs.
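As an added example that is not part of the original post, here is a small Python check a defender can run alongside a byte signature: it walks the PE section table and flags the UPX section names and any section whose byte entropy is close to that of compressed data, which is what packing produces regardless of the payload. The two PE images are constructed inline for the demonstration and are not real or loadable executables; the 7.0 entropy threshold is an assumption, not a standard value.

```python
import hashlib, math, struct
from collections import Counter

UPX_NAMES = {"UPX0", "UPX1", "UPX2"}

def build_pe(sections):
    """Constructed test data: a minimal PE image (not loadable) with the given sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    off, table, body = len(dos) + len(coff) + 40 * len(sections), b"", b""
    for name, raw in sections:                                       # 40-byte section headers
        table += struct.pack("<8sIIII", name, len(raw), 0x1000, len(raw), off) + b"\0" * 16
        body += raw
        off += len(raw)
    return dos + coff + table + body

def pe_sections(data):
    """Walk the PE section table and return [(name, raw_bytes), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]             # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]        # SizeOfOptionalHeader
    table, out = pe_off + 24 + opt_size, []
    for i in range(nsec):
        name, _vs, _va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), data[rptr:rptr + rsize]))
    return out

def entropy(buf):
    """Shannon entropy in bits per byte (0..8); compressed/packed data sits near 8."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def packer_indicators(data, threshold=7.0):
    """Flag UPX section names and any section whose entropy exceeds the threshold."""
    secs = pe_sections(data)
    return {"upx_section_names": sorted({n for n, _ in secs} & UPX_NAMES),
            "high_entropy_sections": [n for n, raw in secs if entropy(raw) > threshold]}

def _noise(size):  # deterministic high-entropy filler standing in for compressed code
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(size // 32))

# Constructed samples: one laid out like a UPX-packed file, one like a plain build.
PACKED_SAMPLE = build_pe([(b"UPX0", b""), (b"UPX1", _noise(2048)), (b".rsrc", bytes(range(16)) * 128)])
CLEAN_SAMPLE = build_pe([(b".text", bytes(range(16)) * 128), (b".data", b"\0" * 512)])
```

Note that a section name is trivial to rename, so the entropy indicator is the more robust of the two; treat either as a reason to look closer, not as proof of malice, since legitimate software is packed too.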

Tuesday, August 7, 2007

Newbie guide in sockets and more ...

Security-Freak.net is an attempt to lower the entry barrier for starting computer security research. During my interactions with security enthusiasts in general and students in particular, I have noticed that many lose interest because of the lack of organized learning resources in this area. This is not to undermine the sheer volume of tutorials written on various security-related topics such as raw sockets, packet injection, etc. But for most beginners it is very difficult to assimilate these voluminous documents in one go.

Find out more at:
http://www.security-freak.net/index.html

GB

Sunday, August 5, 2007

Grammy for "security"

There is a "Grammy"-type award for the security community. It is 'The Pwnie Award', an annual award ceremony celebrating the achievements and failures of the security community.

Here is the list of awards:
- Best Server-Side Bug
- Best Client-Side Bug
- Mass 0wnage
- Most Innovative Research
- Lamest Vendor Response
- Most Overhyped Bug
- Best Song

The panel of judges comprises some well-known security individuals:
- Dave G
- Mark Dowd
- Dino Dai Zovi
- HD Moore
- Dave Aitel
- Halvar Flake
- Alexander Sotirov

For more details on this award, see http://pwnie-awards.org/