White paper explaining how to try and bypass detection from antivirus software by recompiling the same code with a few minor changes.
Recompiling Code to Bypass Detection by an Antivirus
----------------------------------------------------
By klemster | klemster@weed5.org
Visit Weed5 Computer Security Group http://www.weed5.org/ for more
====================================================================
Contents
--------
Recompiling Code to Bypass Detection by an Antivirus
Disclaimer
====================================================================
Recompiling Code to Bypass Detection by an Antivirus
Any trojan/backdoor/virus/worm, etc. that is released is usually
detected by antivirus software within a week of its release. This is
because the antivirus companies constantly update their signature
databases: they extract a unique signature (a distinctive byte pattern)
from the sample and use it to detect the program.
Usually, if one version of the program is detected, then all the
other versions of the code are detected as well. So, to make a program
that an antivirus already detects bypass the detection, you will need
to recompile it in a different way.
I had made a keylogger called skl0g about three years ago, and
it of course started getting detected by the antiviruses after its
release. Now, I decided to make a better version of the keylogger.
After compiling the new code, I realised that even this was getting
detected.
Therefore, to figure out what signature of the program the
antivirus (Norton) was using, I opened the compiled binary file
in Notepad. In the data was this:
\A D : \ h a c k \ s t a l l I O n s \ s k l o g \ s k l o g . v b p
This is the path of the Visual Basic code for skl0g. So, all I
did was copy the old code (the first version) to a new folder and
compile it. The same program that was detected by Norton was not
detected when it was compiled in a new directory. No changes were
made to the code. The only difference was that it was compiled in
a new directory.
Therefore, this is a very easy way to bypass the antivirus: just
recompile the code in a new directory. Please note that this applies
to Visual Basic code.
If your program is in another language, try opening the
compiled binary in a text viewer and check for signatures of the
program that the antivirus may be using. All you have to do is
rename the value that the antivirus uses and recompile the code.
For example, if you have used a file called abcdef.xyz and you can
see that value in the binary file, try renaming the file to
something else and recompiling the code.
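The observation above is also a lesson for anyone writing detection signatures: a pattern anchored on a build-environment artifact such as the embedded .vbp project path breaks as soon as the project is rebuilt from another folder, while a pattern anchored on the program's code bytes survives. The following added example (not from the paper or from skl0g) extracts the UTF-16LE strings that Notepad showed with interleaved spaces, flags the ones that look like Windows paths, and compares the two kinds of signature across two constructed stand-in binaries; the "code" bytes and the rebuilt path are constructed for illustration, only the original path comes from the paper.

```python
import re

def make_sample(project_path: str) -> bytes:
    """Constructed stand-in for a compiled VB6 binary: fixed 'code' bytes
    plus the project path the compiler embeds as UTF-16LE (the interleaved
    NUL bytes are why Notepad rendered it with a space after each letter)."""
    code = b"\x55\x8b\xec\x83\xec\x10\x56\x57"  # constructed, not real skl0g code
    return (b"MZ\x90\x00" + code
            + project_path.encode("utf-16-le") + b"\x00\x00" + code)

ORIGINAL = make_sample("D:\\hack\\stallIOns\\sklog\\sklog.vbp")  # path from the paper
REBUILT = make_sample("C:\\build\\sklog\\sklog.vbp")            # constructed new directory

def wide_strings(data: bytes, min_len: int = 4):
    """Printable UTF-16LE strings of at least min_len characters, i.e. runs
    of (printable ASCII byte, NUL byte) pairs such as the path above."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]

PATH_RE = re.compile(r"^[A-Za-z]:\\")  # drive-letter path such as D:\...

def build_path_artifacts(data: bytes):
    """Wide strings that look like Windows paths: build-environment
    leftovers that change whenever the project is rebuilt elsewhere, so
    they make brittle signature anchors."""
    return [s for s in wide_strings(data) if PATH_RE.match(s)]

def signature_hits(sig: bytes, *samples: bytes):
    """For a plain byte-pattern signature, which samples it matches."""
    return [sig in s for s in samples]

if __name__ == "__main__":
    print(build_path_artifacts(ORIGINAL))   # the embedded .vbp project path
    print(build_path_artifacts(REBUILT))    # a different path after a rebuild
    # A signature on the path matches only the original build ...
    print(signature_hits("stallIOns".encode("utf-16-le"), ORIGINAL, REBUILT))
    # ... while one on the code bytes matches both builds.
    print(signature_hits(b"\x55\x8b\xec\x83\xec\x10\x56\x57", ORIGINAL, REBUILT))
```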
This paper might not be entirely correct, but in many situations
it helps to try the methods. If you come up with anything else,
please feel free to mail me at klemster@weed5.org
====================================================================
DISCLAIMER
There is no guarantee of the accuracy of this text, and it
is subject to change at any time. This text is meant only for
educational purposes. Following or reading this text is entirely at
the choice and risk of the user. I will not be responsible, directly
or indirectly, for any damages caused by reading this, or by
abuse/misinterpretation of this paper.
====================================================================
klemster | klemster@weed5.org