Is it really that easy to bypass firewall and antivirus?
Someone emailed me asking this very question. The short answer is NO, unless you are good at programming and know MS VC++. Of course, this assumes you're writing a trojan for Windows.
The longer answer is YES, though. It is actually a simple affair to bypass AV. Just write unique code; don't rip off stuff you download from the net. Once you can do that, you bypass AV, since AV detects by known signature, NOT behaviour.
How about firewalls? Software-based firewalls, e.g. ZoneAlarm and Sygate Personal Firewall, block traffic based on known applications, e.g. iexplore.exe or firefox.exe. The cruel fact is that you can write a program to hijack running apps to do work for you. This is known as DLL injection. It works via a combination of a few things, including SetWindowsHookEx, (optionally) LoadLibrary and Windows messages. You can get a running app (your trojan) to ask other apps to load a DLL of your choosing.
Using Windows messages is particularly good. You can intercept standard messages like alt-tab/window focus, keypresses and mouse clicks. Anyway, in the example of bypassing the firewall, you write a DLL with functions to log keypresses and upload them to an FTP server. Then you write a hook to make every app run by the user load your DLL. E.g. he runs Notepad, it loads your DLL and logs keypresses. This is allowed because Windows allows programs to load DLLs, since that's how Windows functions!
When you detect an alt-tab/window focus to e.g. Internet Explorer (aka iexplore.exe), you request iexplore.exe to load your DLL as normal. But this time, since it's iexplore.exe, your DLL runs an extra function, which is to FTP your logs to your FTP server. Since Internet Explorer is most likely already approved by your SPF or ZA as an OK-to-access-the-net app, the upload succeeds without user intervention or firewall blocking!
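The hook-DLL pattern above leaves a trace in image-load telemetry, which is where a defender catches it. As an added example (not code from this post), here is a small Python check over constructed Sysmon-style ImageLoad records that flags the two things described: an unsigned DLL from a user-writable path being loaded into a firewall-approved browser process, and the same DLL appearing in many unrelated processes, as a global hook DLL does. The record format, paths, process list and the three-process threshold are all assumptions made for the example.

```python
import ntpath
from collections import defaultdict

# Constructed sample records in the style of Sysmon Event ID 7 (ImageLoad);
# made up for this example, not real telemetry.
SAMPLE_EVENTS = r"""
Image: C:\Windows\System32\notepad.exe|ImageLoaded: C:\Windows\System32\kernel32.dll|Signed: true
Image: C:\Windows\System32\notepad.exe|ImageLoaded: C:\Users\bob\AppData\Roaming\hk.dll|Signed: false
Image: C:\Program Files\Internet Explorer\iexplore.exe|ImageLoaded: C:\Users\bob\AppData\Roaming\hk.dll|Signed: false
Image: C:\Program Files\Internet Explorer\iexplore.exe|ImageLoaded: C:\Windows\System32\wininet.dll|Signed: true
Image: C:\Windows\explorer.exe|ImageLoaded: C:\Users\bob\AppData\Roaming\hk.dll|Signed: false
Image: C:\Program Files\Mozilla Firefox\firefox.exe|ImageLoaded: C:\Program Files\Mozilla Firefox\xul.dll|Signed: true
"""

# Directories a standard user cannot write to; DLLs loaded from elsewhere deserve a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Processes a per-application firewall typically already allows out to the network (assumed list).
NET_APPROVED = ("iexplore.exe", "firefox.exe")

def parse_events(text):
    """Turn 'Key: value|Key: value' lines into dicts with lower-cased paths."""
    events = []
    for line in text.strip().splitlines():
        fields = dict(part.split(": ", 1) for part in line.split("|"))
        events.append({
            "process": ntpath.basename(fields["Image"]).lower(),
            "dll": fields["ImageLoaded"].lower(),
            "signed": fields["Signed"].strip().lower() == "true",
        })
    return events

def is_untrusted(ev):
    """Unsigned, or loaded from a path outside the protected system directories."""
    return not ev["signed"] or not ev["dll"].startswith(TRUSTED_PREFIXES)

def find_suspicious_loads(events, min_hosts=3):
    """Two checks aimed at the hook-DLL pattern: untrusted DLL in a net-approved
    process, and one untrusted DLL present in many unrelated processes."""
    browser_loads = []               # (process, dll) for untrusted loads into NET_APPROVED
    hosts_by_dll = defaultdict(set)  # which processes loaded each untrusted DLL
    for ev in events:
        if not is_untrusted(ev):
            continue
        hosts_by_dll[ev["dll"]].add(ev["process"])
        if ev["process"] in NET_APPROVED:
            browser_loads.append((ev["process"], ev["dll"]))
    # A global hook DLL shows up in many unrelated processes at once.
    hook_like = sorted(d for d, hosts in hosts_by_dll.items() if len(hosts) >= min_hosts)
    return {"browser_loads": browser_loads, "hook_like": hook_like}
```

On a real host the same logic applies to Sysmon Event ID 7 or equivalent EDR image-load events, with the signature check taken from the event's signature fields rather than a single flag.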
If you need source to explain more, just email me.
But wait, how do you infect the person? Simple, you need another app, called a joiner. You can write your own (best) or download one, but those are likely detected by AV. To write a joiner you need to understand CreateFileFromResource. Once you do, it's a simple affair to package your own trojan with a nice payload like a game crack.
5 Comments:
Hi beng. Yes, I'm going to start off on VC++ this June and I am interested in creating trojans and viruses in order to help me understand virus and trojan penetration better along with operating system responses to these threats.
Any help (material-wise or source-code-wise in VC++) will be greatly appreciated.
I'm at : insidious.trojan@gmail.com
Hi there, you give me the impression that you're pretty naive. Have you ever heard of programs able to detect injections? FYI, many of the AV/FW/ASPW programs are no longer merely independent pieces of software, but come in complete suites that are more than capable of handling your antics. ;)
@Anonymous, the AV detects mischief only if the pattern of the program matches an already existing pattern defined within the AV. If the behavior is different, there's pretty much nothing that any existing AV can do about it.
Exactly, artful. Take Norton Symantec's Internet Security. Sure, firewall, AV, spam filter, the works.
Totally blind to my works LOL.
@anonymous, I think it's you that's naive. Take a look at the real world. The fact is, the protection world vs the attacking world, the attackers are winning. What the protectors are catching are script kiddies who don't know how to make their own shite.
For the truly dedicated, it's a trivial affair to make something totally invisible. And it will work against ALL AV and firewalls, simply because of basic design flaws in creating these tools.
I'm open to challenges if you're up to it. My email is benghacks@gmail.com.