FUD through Hex Editor

October 20, 2012

Introduction

Almost all Trojans/key loggers are detectable by antivirus software. One of the most common problems people face is making a Trojan/key logger undetectable by the antivirus. So in this tutorial I am going to show you how to make your Trojan undetectable by the antivirus. But first you need to understand how antivirus software works.

DETECTION TECHNIQUE

Antivirus software typically uses two different techniques to identify malicious programs: signature-based malware detection and behavior-based malware detection. Antivirus software can employ one or both of these methods, depending on the sophistication of the program.

Signature-based Malware Detection

Signature-based detection depends on pattern recognition. The antivirus software scans the file in question, comparing specific bytes of code against the entries in its malware-signature database. If the scanned file contains a pattern that matches one in the database, the file is considered malware.
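As an added illustration (not part of the original tutorial and not avast's engine or signature format), the following Python scanner shows how brittle an exact-byte signature is compared with a normalized one, and why scanning a file in independent fixed-size pieces (as Steps 4 and 5 of the tutorial do) can miss a pattern that straddles a piece boundary. The sample buffers, the `AntiWireShark` placeholder string, the rule names and the 200-byte piece size are all constructed for this example.

```python
"""Toy signature scanner: exact byte pattern vs. normalized pattern vs. hash,
plus chunked scanning with and without overlap."""
import hashlib

# Constructed sample buffers standing in for a scanned file (not real malware).
# ORIGINAL carries the placeholder string the tutorial later edits; EDITED differs
# from it only in the case of that string, mirroring Step 6 of the tutorial.
ORIGINAL = b"MZ" + b"\x00" * 190 + b"AntiWireShark" + b"\x90" * 50
EDITED = ORIGINAL.replace(b"AntiWireShark", b"antiwireshark")

# A constructed exact-byte signature, as a naive signature database might hold it.
EXACT_SIG = b"AntiWireShark"

# A constructed whole-file hash "database" containing only the original buffer.
KNOWN_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}


def exact_match(data: bytes, sig: bytes) -> bool:
    """Byte-for-byte pattern match: any single-byte edit inside the pattern defeats it."""
    return sig in data


def normalized_match(data: bytes, sig: bytes) -> bool:
    """Case-folded pattern match: survives a case-only edit of the flagged string."""
    return sig.lower() in data.lower()


def hash_match(data: bytes, known: set) -> bool:
    """Whole-file hash lookup: even more brittle, one changed byte anywhere defeats it."""
    return hashlib.sha256(data).hexdigest() in known


def scan_chunks(data: bytes, sig: bytes, chunk: int = 200, overlap: int = 0) -> list:
    """Scan fixed-size pieces independently and return the indices of pieces where the
    exact signature fires. With overlap=0 a signature that straddles a piece boundary
    is never seen whole; an overlap of len(sig) - 1 bytes between consecutive pieces
    guarantees every occurrence lands fully inside some piece."""
    if overlap >= chunk:
        raise ValueError("overlap must be smaller than the chunk size")
    hits = []
    start, index = 0, 0
    while start < len(data):
        piece = data[start:start + chunk]
        if sig in piece:
            hits.append(index)
        start += chunk - overlap
        index += 1
    return hits


def scan(data: bytes) -> dict:
    """Run all three whole-file rules and report which of them fired."""
    return {
        "exact": exact_match(data, EXACT_SIG),
        "normalized": normalized_match(data, EXACT_SIG),
        "hash": hash_match(data, KNOWN_HASHES),
    }


if __name__ == "__main__":
    for name, buf in (("original", ORIGINAL), ("edited", EDITED)):
        print(name, scan(buf))
    print("chunked, no overlap:", scan_chunks(ORIGINAL, EXACT_SIG))
    print("chunked, overlap:", scan_chunks(ORIGINAL, EXACT_SIG, overlap=len(EXACT_SIG) - 1))
```

In the constructed buffer the placeholder string starts at offset 192, so a 200-byte piece boundary cuts it in two: no piece matches without overlap, while an overlap of twelve bytes makes piece 1 match. The same boundary effect is why a scanner that only looks at independent fragments of a file can report every fragment clean while the reassembled file is still flagged.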

Behavior-based Malware Detection

In behavior-based malware detection, the antivirus monitors the behavior of a program to determine whether it is malicious. For example, if an executable tries to write data into another program or asks for write access to a locked file, this behavior is identified as suspicious and the user is prompted for an action. This detection technique is mainly used to identify new malware for which no signature exists yet.

How to make a FUD

In simple words, if we change the signature of the Trojan/key logger, we can make the Trojan undetectable by the antivirus software. The ways to make a Trojan/key logger undetectable by antivirus software are listed below.

1. Encryptors/Compressors:

This is a very simple way to make a Trojan undetectable. In this technique we use some encoding software that changes the signature of the Trojan. The problem is that most people use the same software so often that the antivirus software already knows pretty much all of its signatures.

2. Hex Editing:

This is much more complicated and takes a lot more practice to get right. The idea is to find the signature that the antivirus software detects in the Trojan and change it by altering a byte, so that the antivirus cannot detect the Trojan program any more.

3. Byte Adder:

This technique adds junk bytes to your Trojan in order to confuse antivirus software. As the bytes are added, the code inside the executable is shifted around, so the signature is no longer in the place where the antivirus expects it to be.

TUTORIAL:

In this tutorial we are going to use hex editing to make a Trojan undetectable. Hex editing is one of the most reliable, and most complicated, techniques used to make a file Fully Undetectable (FUD). As we learnt above, antiviruses use signature-based identification to flag a suspicious file. Through hex editing we search for the signature the antivirus flags and change it to some other hex value, so the antivirus can't identify the file.

These are the tools you need installed on the system to make the Trojan undetectable.

  • Antivirus Software
  • Hex Editor
  • File Splitter
  • A Trojan making software

Antivirus Software

I am going to use avast antivirus software for Trojan detection.

Hex Editor

A hex editor is a program that allows a user to view and manipulate the raw binary data that makes up computer files. You can get this software from the following link.

http://mh-nexus.de/en/downloads.php?product=HxD

File Splitter

File Splitter is a freeware program which does not require installation and can be used to split a file into multiple files as well as to merge multiple files back into a single file. You can get this software from the following link: http://www.filesplitter.org/

Trojan Making Software

A Trojan making software is used to create a Trojan. In this tutorial I have used a general key logger program to make the Trojan. It is a key logger program which records all keystrokes and sends these key logs by email. You can find this software through a simple Google search for 'General Key logger'.

These are the steps you need to follow to make the Trojan undetectable.

Step 1:

First of all turn off your antivirus real-time protection. In my case I am using avast antivirus, so first I will disable the real-time protection.

Step 2:

Download and launch the key logger software, and enter the details: Gmail Username, Gmail Password and Send Logs Every.

Gmail Username: Enter the Gmail ID to which the Trojan will send the key logs.

Gmail Password: Enter the Gmail password of the account.

Send Logs Every: In this text box enter the time period after which you want to receive the logs.

Now click on Build.

This builds the key logger server file. Place the server file in a folder.

Step 3:

Scan this folder with your antivirus software and check whether the file is detected.
In my case I scan the server.exe file with avast antivirus software. You can see that this file is detected by the antivirus.

Step 4:

Download and launch the File Splitter software and split your server file into pieces of 200 bytes each. This may create a lot of files in your selected folder (depending on how large the server file is).

Step 5:

Now scan the split files with your antivirus software and make a note of the files which are flagged. Those are the ones you will edit.

In my case only one file, server.exe.chunk145, is flagged. Now I will edit this file in the hex editor.

Step 6:

Now open each flagged file in the hex editor and change a byte at some offset. There is no foolproof way of doing this; you will have to experiment. In my case this is the hex content of the flagged file. I will change AntiWireShark into antiwireshark and save the file.

You will not need to change much. Change one character or byte at a time, save the file, and re-scan to see if it worked. If it did not, go back and try again.

Step 7:

Once all flagged signatures have been changed, rejoin the file with File Splitter and test your server to see if it still works.

Step 8:

Scan the rejoined server file with the antivirus, and you can see that it is now not detected by the antivirus.

Remember that too much editing will make your Trojan file unusable, so be careful while editing the file in the hex editor.



2 Comments

  1. John says:

    Hey
    Thanks for that amazing guide, it's really helpful.
    Well, I got one problem though.
    When I split the file and scan all those pieces, my scanner doesn't detect any viruses.
    However, when I glue them together again it does detect a virus.
    So how can I find the piece that I have to change?
    I hope to receive an answer; you would help me a lot.
    John

  2. Neel says:

    Will it work now for pro-rat trojans?