Beng Hacks: How anti-virus works and why it's useless against the real hacker

Tuesday, September 06, 2005

How anti-virus works and why it's useless against the real hacker

I was wondering one day how an anti-virus program works. The other day I was playing around with the Santy worm, and my AVG constantly kicked up the virus warning and deleted the file. Fortunately I have backups :) Anyway, I got to thinking it's one of two ways:

1) byte signature.
2) behaviour signature.

I suspect 99.999% of AV now use the first one, i.e. byte signature. In the case of the Santy worm, the main exploit could not be modified significantly enough to bypass AVG. Now that got me thinking: what about viruses or trojans that could be sufficiently modified? What about custom-written ones by good coders? What about viruses in memory? What if the code was encrypted, then decrypted in memory, then executed?

Then I stumbled upon a few new things (to me at least). The first is Morphine; in simple words, it is a way to encrypt a virus or trojan. I haven't tried it out, but it seems similar to UPX and I suspect it's gonna be damn effective.

The second is Hacker Defender, and the best part about this is there's source. After managing to recompile the damn sucker, I got it to work past my AVG! OMG... This sucker is also able to bypass software personal firewalls because it can mask itself as a known app or hook onto one (e.g. iexplore.exe).

This proves one thing: AV is only interested in catching or preventing the casual player, but the real deals, the existing shit can't do anything about them. To catch them, AV companies must change their thinking and fight not by bytes but by behaviour. Then again, maybe AV knows this and allows it. If not, no biz LOL
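As an added example, not code from the original post or from AVG, Morphine, UPX or Hacker Defender, the Python below puts the two approaches the post contrasts side by side: a byte-signature scan, a static entropy heuristic that notices when a body has been packed or encrypted (so the signature can no longer match), and a behaviour check over a recorded event trace (process injection into a trusted app such as a browser, followed by network traffic), which catches the case the post describes for Hacker Defender regardless of the bytes on disk. The signature, the sample "files", the seed and the event traces are all constructed for this example and stand in for nothing real; the behaviour rules go slightly beyond the post by spelling out what a behaviour signature can look like.

```python
import math
import random
from collections import Counter

# --- Constructed signature database (arbitrary bytes, not a real AV signature) ---
SIGNATURES = {"Constructed.Test.A": b"\xde\xad\xbe\xef MARKER"}


def signature_scan(data: bytes) -> list:
    """Byte-signature scan: report every named pattern found verbatim in the file."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values close to 8.0 mean the content looks compressed or encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packed_heuristic(data: bytes, threshold: float = 7.0) -> bool:
    """Static heuristic: a file body that is almost entirely high-entropy bytes is flagged
    for closer inspection (unpacking, sandboxing), because a signature cannot see into it."""
    return shannon_entropy(data[2:]) > threshold  # skip the constructed 'MZ' header stub


# --- Constructed sample files (byte strings standing in for executables) ---
def build_plain_sample() -> bytes:
    body = b"\x90" * 400 + SIGNATURES["Constructed.Test.A"] + b" some text strings " + b"\x00" * 600
    return b"MZ" + body


def keystream_transform(body: bytes, seed: int) -> bytes:
    """Constructed stand-in for what a packer/crypter does to a file body: each byte is
    combined with a pseudo-random keystream, so the original byte sequence no longer appears
    on disk and only reappears in memory at run time."""
    rng = random.Random(seed)
    return bytes(b ^ rng.randrange(256) for b in body)


def build_packed_sample() -> bytes:
    return b"MZ" + keystream_transform(build_plain_sample()[2:], seed=2005)


BENIGN_FILE = b"MZ" + b"\x90" * 300 + b"Hello, world! harmless text section" + b"\x00" * 700

# --- Behaviour signatures over a constructed runtime event trace ---
# Each rule is (set of actions that must all be observed, reason reported).
SUSPICIOUS_COMBOS = [
    ({"write_remote_process_memory", "create_remote_thread"}, "code injection into another process"),
    ({"create_remote_thread", "outbound_connection"}, "network traffic from a hijacked trusted process"),
]


def behaviour_verdict(events: list) -> list:
    """Return the reasons fired by the rules, independent of what the file's bytes look like."""
    observed = {e["action"] for e in events}
    return [reason for required, reason in SUSPICIOUS_COMBOS if required <= observed]


# Constructed traces as a behaviour monitor might record them.
INJECTOR_TRACE = [
    {"action": "open_process", "target": "iexplore.exe"},
    {"action": "write_remote_process_memory", "target": "iexplore.exe"},
    {"action": "create_remote_thread", "target": "iexplore.exe"},
    {"action": "outbound_connection", "target": "203.0.113.10:80"},  # documentation address
]
BROWSER_TRACE = [
    {"action": "open_file", "target": "favorites.htm"},
    {"action": "outbound_connection", "target": "203.0.113.10:80"},
]


def analyse(data: bytes, events: list) -> dict:
    """Combine the three views into one report for a sample and its recorded behaviour."""
    return {
        "signature_hits": signature_scan(data),
        "looks_packed": packed_heuristic(data),
        "behaviour_flags": behaviour_verdict(events),
    }


if __name__ == "__main__":
    print("plain :", analyse(build_plain_sample(), INJECTOR_TRACE))
    print("packed:", analyse(build_packed_sample(), INJECTOR_TRACE))
    print("benign:", analyse(BENIGN_FILE, BROWSER_TRACE))
```

Running it shows the point of the post in one screen: the plain sample is caught by its signature, the packed sample has no signature hit at all but is flagged by entropy, and both are flagged by the behaviour rules because the injection into the browser and the outbound connection happen at run time no matter how the file was encoded. The benign file and the normal browser trace trigger nothing.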

Anyone who wants a copy of the recompiled version or wants to learn, just drop a line.

1 Comment:

Anonymous Anonymous said...

Hi.. I was wondering if you could link me to a site where I could learn how to code exe joiners? I'm very much curious about how two programs can be joined together into one executable file and still work.. Thank you in advance... BTW, here's my email addy: nimble_guy_07@yahoo.com

9:29 AM  
