
Leaderboard

Popular Content

Showing content with the highest reputation on 06/03/10 in all areas

  1. First of all, I was floored when this worked. Really, AV? It's that easy? Really? So here is the breakdown: go get "Resource Hacker"... You're almost done. Only 3 steps left (1 of which is optional).

I started with fgdump, a well-known hash-dumping/pwdump tool. It's detected by 80% of all AVs and by all of the top 10. You see this on your AV report for your domain controller, and you're having a bad day, probably week. Watch this magic trick though:

Step 1: Open Res Hacker and drag a "normal" executable onto the window, or use Open File. Click "Save All Resources". Essentially what you are doing in this step is simply extracting the .ico file (icon) from the executable. Now you can do this with other tools, but we'll be using Resource Hacker again in a minute, so it's just easy to do it all with one tool. We are done with this executable unless you are doing Step 2; in that case, leave it open, open another Res Hacker window and open your 'evil' (in our case, fgdump.exe).

Step 2 (optional): If your destination executable has tell-tale signs of its intent, much like fgdump as seen below, you can simply copy and paste the version info from your 'normal' executable into your new one and hit "Compile Script".

Step 3: Next we need to "Add a new Resource" (our icon) into our "evil" binary. Once this prompt comes up, select the ICO file that shows the icon you want it to have (some binaries have a ton, so make sure it's the right one). Put in '1' for resource name and '1033' for your resource language. (You can play with these values; I'm not sure what impact they have, but from the binaries I've looked at those values are pretty standard for a Windows executable.) Save your new awesome binary as something else; I chose vlc2.exe.

And... (drum roll) Tada! Sad, isn't it? Only 1 of the top 10 AVs now detect this binary. Good job AVG and Avast! You still picked it up, but Trend, Symantec, Microsoft, ClamAV, Kaspersky, Panda, Norman, NOD32, Sunbelt, F-Secure, Fortinet, BitDefender, WTF guys!? Oh, and Kaspersky now flags it as "not-a-virus" but still flags it.

Room362.com - Blog - AV bypass made stupid
    1 point
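The post above only touches the resource section of the binary, so any detection that keys on the whole-file hash or on version-info strings breaks while the code itself is untouched. The added example below (written for this page, not taken from the Room362 post or from Resource Hacker) makes that concrete: it assembles a minimal, non-loadable PE32 image from constructed bytes, swaps only the .rsrc section the way an icon/version-info edit would, and shows with a stdlib PE section-table parser that the file hash changes while the .text section hash is identical. The section contents, section names and the "fgdump"/"vlc" resource strings are constructed stand-ins, not data from the original binaries.

```python
import hashlib
import struct

FILE_ALIGN = 0x200   # PE FileAlignment used for the constructed sample
SECT_ALIGN = 0x1000  # PE SectionAlignment used for the constructed sample


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(text, rsrc):
    """Assemble a minimal PE32 image (constructed sample, not loadable) with a
    .text section holding `text` and a .rsrc section holding `rsrc`."""
    e_lfanew, nsec, size_opt = 0x40, 2, 0xE0            # 0xE0 = PE32 optional header
    sec_table = e_lfanew + 4 + 20 + size_opt              # after signature, COFF, optional
    headers_size = _align(sec_table + 40 * nsec, FILE_ALIGN)

    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)           # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic

    image = bytearray(dos + b"PE\0\0" + coff + opt)
    raw_ptr, vaddr, bodies = headers_size, SECT_ALIGN, b""
    for name, data, chars in ((b".text", text, 0x60000020),   # code, exec, read
                              (b".rsrc", rsrc, 0x40000040)):  # initialized data, read
        raw_size = _align(len(data), FILE_ALIGN)
        # IMAGE_SECTION_HEADER: name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, relocs, linenumbers (ptr + 2 counts), Characteristics
        image += struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, raw_size,
                             raw_ptr, 0, 0, 0, 0, chars)
        bodies += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += _align(len(data), SECT_ALIGN)
    return bytes(image.ljust(headers_size, b"\0") + bodies)


def section_hashes(pe):
    """Walk the section table and return {section_name: sha256(raw section bytes)}."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    sec_table = e_lfanew + 24 + size_opt
    out = {}
    for i in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, sec_table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        out[name.rstrip(b"\0").decode("ascii")] = hashlib.sha256(raw).hexdigest()
    return out


def compare(before, after):
    """Which fingerprints survive a resource-only edit: whole-file hash vs per-section."""
    h0, h1 = section_hashes(before), section_hashes(after)
    return {
        "file_sha256_same": hashlib.sha256(before).digest() == hashlib.sha256(after).digest(),
        "sections_same": {name: h0[name] == h1.get(name) for name in h0},
    }


# Constructed sample: the "code" bytes are identical in both builds; only the
# resource section differs, as after an icon / version-info swap in Resource Hacker.
CODE = bytes.fromhex("5589e583ec10c9c3") * 64                    # stand-in .text bytes
ORIGINAL = build_pe(CODE, b"VS_VERSION_INFO: fgdump (constructed)")
REPACKED = build_pe(CODE, b"VS_VERSION_INFO: vlc (constructed)" + b"ICON" * 200)

if __name__ == "__main__":
    print(compare(ORIGINAL, REPACKED))
```

The check a defender wants from this is the second dictionary: a signature bound to the full-file hash or to the version resource is lost after the edit, a signature bound to the code section (or its hash) is not, because none of the three steps in the post rewrite .text.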
  2. A small script to chase off snoops. If someone tries to access a private folder, the script modifies .htaccess, adding a deny clause with the mask 255.255.255.0. For a larger class of IPs, 255.255.0.0 is recommended. Those who are banned are sent straight to Google.

The .htaccess file will contain:

ErrorDocument 400 /index.php
ErrorDocument 401 /index.php
ErrorDocument 404 /index.php
ErrorDocument 405 /index.php
ErrorDocument 408 /index.php
ErrorDocument 410 /index.php
ErrorDocument 411 /index.php
ErrorDocument 412 /index.php
ErrorDocument 413 /index.php
ErrorDocument 414 /index.php
ErrorDocument 415 /index.php
ErrorDocument 500 /index.php
ErrorDocument 501 /index.php
ErrorDocument 502 /index.php
ErrorDocument 503 /index.php
ErrorDocument 506 /index.php
ErrorDocument 403 http://www.google.com
<Limit GET HEAD POST>
order allow,deny
allow from all
</LIMIT>

index.php in this case will contain the script:

<?php
$ip = $_SERVER['REMOTE_ADDR'];
// Local addresses are never banned (leading space keeps strpos() from returning 0 for a match at position 0)
if (strpos(" " . $ip, "127.0.0.1") || strpos(" " . $ip, "192.168.0."))
    echo "<b>Known user!</b>";
else {
    // First path segment of the requested URI, e.g. "admin" for /admin/login
    $tried = explode('/', $_SERVER['REQUEST_URI']);
    switch ($tried[1]) {
        case 'cgi-bin':
        case 'apache2triadcp':
        case 'awstats':
        case 'phpxmail':
        case 'uebimiau':
        case 'phpsftpd':
        case 'cpanel':
        case 'mss':
        case 'webmail':
        case 'admin': {
            // Insert a deny rule for the visitor's /24 just before "allow from all"
            $htaccess = file_get_contents(".htaccess");
            $htaccess = substr($htaccess, 0, strpos($htaccess, "allow from all"))
                      . "deny from " . $ip . "/255.255.255.0\r\nallow from all\r\n</LIMIT>";
            file_put_contents(".htaccess", $htaccess);
            echo "<br><b>Forbidden! Your IP has been banned!</b>";
            break;
        }
    }
}
?>

Note: local IPs are ignored and the message "Known user!" is displayed: if(strpos(" ".$ip,"127.0.0.1")||strpos(" ".$ip,"192.168.0.")) means ignore 127.0.0.1 and 192.168.0.*. Change it to your local IP and add others that nobody else comes in from. Instead of the ban message (echo "<br><b>Forbidden! Your IP has been banned!</b>";) put header("Location: http://www.google.com"); that way you also throw them out after they have been banned, without explanation. Add case lines with the names of the folders you do not want accessed.
    1 point
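The mechanism in the post above is simple: a request whose first path segment names a private folder triggers a rewrite of .htaccess that adds a "deny from" rule for the visitor's /24 ahead of "allow from all", and "order allow,deny" makes the deny win. The added example below is a Python re-implementation written for this page (not the poster's PHP, and not part of the original) that keeps the same flow but adds the pieces a practitioner would want before running it against the public: trusted sources are matched as networks rather than by substring, the deny rule is normalised to a network/netmask and inserted only once, the rewrite is atomic (temp file plus rename) so a concurrent request never reads a half-written .htaccess, and the request handling is driven by constructed sample input so it runs offline. The trusted networks, folder list, sample .htaccess and sample addresses are assumptions of the example.

```python
import ipaddress
import os
import tempfile

# Assumption (not in the post): trusted sources as networks, matched by membership
# instead of the post's strpos() substring test.
TRUSTED = [ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("192.168.0.0/24")]
PRIVATE_FOLDERS = {"cgi-bin", "apache2triadcp", "awstats", "phpxmail", "uebimiau",
                   "phpsftpd", "cpanel", "mss", "webmail", "admin"}
BAN_PREFIX = 24   # the post's 255.255.255.0; use 16 for its 255.255.0.0 variant

# Constructed sample .htaccess (the relevant part of the one in the post).
SAMPLE_HTACCESS = """ErrorDocument 403 http://www.google.com
<Limit GET HEAD POST>
order allow,deny
allow from all
</Limit>
"""


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)


def probed_folder(request_uri):
    """First path segment, like explode('/', $uri)[1] in the post, but tolerant of a
    query string and of repeated slashes ('//admin' would otherwise yield '')."""
    path = request_uri.split("?", 1)[0]
    parts = [p for p in path.split("/") if p]
    return parts[0] if parts else ""


def deny_rule(ip, prefix=BAN_PREFIX):
    """Normalise the visitor's address to its network so repeat offenders from the
    same block map to one rule, e.g. 'deny from 203.0.113.0/255.255.255.0'."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return f"deny from {net.network_address}/{net.netmask}"


def add_deny(htaccess_text, ip):
    """Insert the deny rule on the line before 'allow from all' inside the Limit block.
    Returns (new_text, added); an already-present rule is not duplicated."""
    rule = deny_rule(ip)
    if rule in htaccess_text:
        return htaccess_text, False
    lines = htaccess_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().lower() == "allow from all":
            lines.insert(i, rule)
            return "\n".join(lines) + "\n", True
    raise ValueError("no 'allow from all' line to anchor the deny rule")


def write_atomic(path, text):
    """Temp file in the same directory + rename: readers see old or new, never partial.
    The post's file_put_contents() gives no such guarantee under concurrent hits."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".ht.")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.replace(tmp, path)


def handle(remote_addr, request_uri, htaccess_text):
    """Simulate one request reaching index.php via ErrorDocument.
    Returns (response, new_htaccess_text, banned_now)."""
    if is_trusted(remote_addr):
        return "Known user!", htaccess_text, False
    if probed_folder(request_uri) in PRIVATE_FOLDERS:
        new_text, added = add_deny(htaccess_text, remote_addr)
        return "302 Location: http://www.google.com", new_text, added
    return "404", htaccess_text, False


if __name__ == "__main__":
    text = SAMPLE_HTACCESS
    for ip, uri in (("192.168.0.77", "/admin/"),             # constructed: trusted LAN host
                    ("203.0.113.45", "/cgi-bin/x.cgi?a=1"),  # constructed: probe -> banned /24
                    ("203.0.113.200", "/webmail")):          # same /24, rule already present
        resp, text, banned = handle(ip, uri, text)
        print(ip, uri, "->", resp, "(new ban)" if banned else "")
    print(text)
```

Two caveats the post does not mention: with "order allow,deny" the inserted deny overrides "allow from all", so the rule placement is what makes the ban effective; and "order"/"allow"/"deny" are the Apache 2.2 access-control directives (mod_access_compat on 2.4), so on a 2.4 server the same idea is expressed with "Require not ip".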
  3. Whatever, there is no point arguing over something like this.
    -1 points
  4. It does not need to be SFX and password-protected; "hackers" might get in and see the database he already found public on who knows what site!! Excuse my irony!!!
    -1 points