Description: Anti-virus software uses signatures to detect malicious software such as computer viruses, worms and trojans. A signature is generally a particular pattern of bytes that uniquely identifies the program in question. Once this pattern has been extracted and deployed to all customers, the virus or worm becomes immediately detectable and is thus rendered useless. In such a case a virus writer needs to find out which signature the AV uses and change it within the executable. There are other, more advanced techniques for dealing with this problem, such as writing polymorphic code. However, in this video we will look at a demo where the author finds out the signature of a trojan detected by the AV and then changes it to make the trojan undetectable by that AV.
In order to do this the author uses a file-splitting program called Dsplit. Dsplit breaks the binary up into many parts, each larger than the previous one by a fixed amount. When the AV is run on these parts, we can figure out which is the first part that contains the signature. If one were to iteratively apply this algorithm, breaking that part into smaller ones and repeating the process, one would be able to zero in on the actual signature bytes. Once the signature bytes are located, they can be modified and the binary patched to elude detection by the AV. Please watch the video; the process is very well explained.
To follow this video, please download Dsplit. There is also a graphical version of Dsplit made available recently at the GSO forums. The original post is available here.
Tags: tools
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.