Defeating Virus Signatures / U3 Custom ISO
I'm sure many of you have heard of the U3 technology found in many common thumb drives these days. The concept is that you plug in your thumb drive and a set of programs launches from it, all without user interaction. It works because the thumb drive presents two hardware IDs: one is a CDROM drive, the other is the actual thumb drive. When you plug in the U3 device the operating system sees the CDROM and autoruns it just like any other CDROM device; it runs whatever program the autorun.inf file points to, which in this case is a launcher that opens from the actual thumb drive. This doesn't happen if you have autorun turned off, but even then, double clicking on the CDROM drive will still run the autorun entry. Pretty cool idea, and thumbs up to U3 for it.
Now, I had had my U3 drive for a while when I came across a utility called the Switchblade. It lets you change which programs run from the U3 drive when you plug it into a computer; in this case it was a host of password recovery tools and cache recovery tools. Granted, this could be used for some pretty maniacal things, but I had to try it out. After downloading Gonzor's Payload, I installed the utility and configured it to run the set of tools that I wanted, then plugged it into a spare computer of mine. The hard drive cycled and I could tell things were happening, then bong! The antivirus popped up and said it had caught a Trojan, then a couple more popped up saying hacker tool, etc. Hmm, not very stealthy. If I had given this to someone and this happened, they would know for sure something had happened. If only there were a way to make it undetectable by the antivirus, this thing would be pretty cool.
So I have written this How-To so that you can run these tools without the antivirus throwing up red flags as soon as you plug in the U3 drive. This basic concept will work with any program that you want to use without antivirus detecting it, with some exceptions, which I explain below.
I am using Symantec Antivirus with the latest definitions, but most antivirus software works the same way: it looks for signatures. These signatures can be hash based, string based, or activity based. Hash based means the antivirus looks at a file or process, generates a hash from it, and quarantines it if the hash matches one in its database. String based means it quarantines a file that contains a byte string matching one in its database. Finally, activity based means it quarantines a program or process that exhibits a specific behavior. What we want to do in this case is change the hash or the string of the file so that it no longer matches what the antivirus has in its database.
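To make the difference between these signature types concrete, here is an added example (not from the original post) that runs three toy detection rules over a constructed byte buffer standing in for an exe: a whole-file hash rule, a single exact string rule, and a sturdier case-insensitive rule that needs two of three strings. The sample bytes, rule names and helper functions are all constructed for this illustration; the point, from the detection side, is that the hash rule is the most brittle and the multi-string rule the least.

```python
import hashlib
import re

# Constructed stand-in for an executable: a few strings a vendor might key on,
# followed by a zero-filled padding region like the one at the end of a real exe.
SAMPLE = (b"MZ" + b"\x00" * 14
          + b"Messaging API password dump\x00"
          + b"Subsystem: Windows\x00"
          + b"LSA secrets\x00"
          + b"\x00" * 64)

def hash_rule(reference_sha256: str):
    """Hash-based signature: fires only on a byte-identical file."""
    def match(data: bytes) -> bool:
        return hashlib.sha256(data).hexdigest() == reference_sha256
    return match

def string_rule(pattern: bytes):
    """Naive string signature: one exact, case-sensitive byte pattern."""
    def match(data: bytes) -> bool:
        return pattern in data
    return match

def multi_string_rule(patterns, minimum: int):
    """Sturdier rule: case-insensitive, fires when at least `minimum` of the
    patterns are present, so one altered character does not silence it."""
    compiled = [re.compile(re.escape(p), re.IGNORECASE) for p in patterns]
    def match(data: bytes) -> bool:
        return sum(1 for rx in compiled if rx.search(data)) >= minimum
    return match

RULES = {
    "hash": hash_rule(hashlib.sha256(SAMPLE).hexdigest()),
    "string": string_rule(b"Messaging"),
    "multi": multi_string_rule([b"messaging", b"subsystem", b"lsa secrets"], 2),
}

def which_rules_fire(data: bytes) -> dict:
    """Evaluate every rule against `data`; returns {rule name: fired?}."""
    return {name: rule(data) for name, rule in RULES.items()}

def flip_padding_byte(data: bytes) -> bytes:
    """The single-byte edit in the trailing zero padding described above."""
    return data[:-1] + b"\x01"

def lowercase_first_m(data: bytes) -> bytes:
    """The 'Messaging' -> 'messaging' edit described later in the post."""
    return data.replace(b"Messaging", b"messaging", 1)

if __name__ == "__main__":
    for label, variant in [("original", SAMPLE),
                           ("padding byte flipped", flip_padding_byte(SAMPLE)),
                           ("M -> m in Messaging", lowercase_first_m(SAMPLE))]:
        print(f"{label:22s} {which_rules_fire(variant)}")
```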
To start, download your copy of the Switchblade Version 2.0 and the Universal Customizer.
Then download a copy of the XVI32 hex editor.
Now you will need some way to have the files on your machine initially without your antivirus detecting them. The method I use is to run a virtual machine: I unzip GonZors_SwitchBlade-V2.0.zip on my virtual machine because my antivirus can't detect files inside the VM. Another way is to disable your antivirus while you're working, but this makes things a little harder because you will need it to verify whether your new file is being detected or not. Your antivirus may also support exceptions; for example, I can create a folder and tell my antivirus to create an exception for that folder so that it won't be scanned. Overall, you just need to be able to modify the file freely without your antivirus flagging it until you get it to the point where it no longer sees a signature in it. I highly suggest getting a copy of VMware or Microsoft VM; it makes things so much easier. You can also use another machine or laptop with antivirus turned off, then copy your test files over a network share to the machine that has antivirus running.
Let's get started! Unzip your copy of GonZors_SwitchBlade-V2.0.zip into your exceptions folder, virtual machine, or non-antivirus-enabled computer.
Then I use WinRAR to extract the contents of the U3CUSTOM.ISO file. It is best to extract it into a separate folder.
Once you have your extracted files you will need to figure out which files have a virus signature. To do this, copy each file one by one onto your machine that has antivirus enabled, or out of your exceptions folder into another folder without the exception.
As you can see, the first file for me is cachedump.exe; my Symantec Antivirus calls it Trojan.Zlob.
Now we need to find out how the antivirus is flagging on it. Open cachedump.exe in the XVI32 hex editor.
The first thing I do is check whether it is flagging on a file hash. This is the easiest kind to fix because all you have to do is change one byte of the original file and it will no longer match the hash. I usually scroll all the way to the bottom, where there is usually a large area of padding that contains all zeros. Here you can see that I've changed a random 00 to a 01, then saved the file as cachedump2.exe.
Now that I have my new cachedump2.exe file, I will try to copy it over to the antivirus enabled machine.
As you can see, cachedump2.exe was copied over to my antivirus enabled machine without being caught.
Even if I run a 'Scan for Viruses...' on it, it still doesn't flag on its signature, because the file hash is different. This is the easiest kind to deal with because you only need to change one byte. You will then need to verify that the program still runs the way it is supposed to, because what you've changed may be important, but in my experience changing the padding area by one byte will not harm or change the way the program runs. Another method of changing the file hash is to use a program called Resource Hacker, which allows you to change version information or icons within the exe, thus changing its file hash. I'm not going to go into it here, but Irongeek talks about it in this video.
Next I'm going to show you how to defeat a string based signature. These are somewhat harder because you have to find the string within the exe that the antivirus is flagging on. To do this I use a deductive method. I tried to copy PSPV.EXE over to my antivirus enabled machine, and as you can see it has been identified as Hacktool.PassRecovery.
I opened PSPV.EXE with the XVI32 hex editor and scrolled all the way to the bottom. Here I can see that the file is 52,735 bytes long. (Note: you will need to click on the right hand side to see the decimal value.)
I usually open up Notepad to do some calculations. I take the total number of bytes and divide it by 20. This breaks the file into 20 segments and lets me systematically search through the file to find its string signature. As you can see, the first cut point, one segment below the end of the file, is 50099.
XVI32 has a nice option under the Address menu called 'Goto...' (or you can hit Ctrl+G). Click the decimal box and type in your first address, 50099.
Then open the Edit menu and click 'Delete from cursor'. Then open the File menu, click 'Save As...', and name the file something different from the original; in this example I would call it 1.exe, in reference to the address I am using. Keep XVI32 open while doing this step, you will still need it. Then copy the file over to the antivirus enabled machine and see if it catches it. If it does, move on to the next address; in my case it was 47463. Keep working down the list until you're able to copy the file over to the antivirus enabled machine. In my case it stopped detecting it between the jump from 34283 to 31647, which means the string signature is in that area. Once you have the range, work your way from the high number to the low number by deleting a little at a time. You can also overwrite data little by little by putting 00's in there. You can do as many as you like; I usually do a couple of rows at a time.
I was able to find the exact string my antivirus was flagging on. If I change one byte anywhere in the red area, the antivirus will not pick it up.
In my case I changed the capital M in 'Messaging' to a lowercase m, and I was able to copy the file without it flagging the signature. To prove the concept further I even copied the section in red into another file without changing anything; when I then tried to copy that file over to my antivirus enabled machine it was picked up the same as if it were the whole file. Pretty neat, huh! In XVI32 you can highlight areas in red by holding down the Shift key and using the arrow keys to highlight the area. I use this to help me keep track of areas that I've deleted. I also encourage you to change random parts of the signature string, such as making the S in 'Subsystem' a small s or something like that; this will help keep antivirus vendors from making a signature string for the changed file.
Remember to test your program after you've modified it. As you can see, I am still able to run PSPV.EXE after the change on the antivirus enabled machine. In some cases you won't be able to change the signature string; I'll explain further below.
Below I've highlighted the signature string for mspass.exe. As you can see, there doesn't seem to be any readable text for us to change. In this case mspass.exe was made by a company named NirSoft. NirSoft used what is called an exe compressor to shrink the file, or they encrypted the exe using some form of encryption. This means that if you change any byte of that packed data the program will no longer run, even though the antivirus won't pick it up. That leaves us with a dead end in this case. We are stuck in a catch 22: if we change the file it will not work, but if we leave it alone it will be caught by the antivirus. The only ways around this are to find an earlier version of the program that isn't compressed/encrypted or to use an exe morpher of some kind. In my case I just didn't use mspass in my project.
Another type of signature antivirus vendors use is an activity based signature. There isn't an easy way around this one without recompiling the original source code. But the above method fixes most of your 'hacktool' type files.
Once you have modified your exes so that they aren't detected, it's time to recreate the U3CUSTOM.ISO file. Unzip the 'Universal_Customizer.zip' file into a folder. Then copy all of your modified exes into the folder called U3CUSTOM. You will need to keep the same layout they were originally in, so the modified exes go under the SYSTEM>SRC folder.
Once you have the files in the U3CUSTOM folder, double click the ISOCreate.cmd file.
This will run a script that creates an ISO using a utility called ISOIMAGE.EXE.
You should now have a new U3CUSTOM.ISO file in the BIN directory.
Now place your U3 drive into your USB port and double click Universal_Customizer.exe. This will copy your new U3CUSTOM.ISO image onto the CDROM portion of the U3 drive. Once it is done installing, you can use the U3 drive to silently work its magic without antivirus going off. Remember: if your antivirus software flags on activity based signatures this method will not help you; if the exe is compressed/encrypted you may not be able to safely change the signature string while keeping the program intact; and some of the utilities may require that you are logged in as Admin to run properly. Also remember that the files you've changed may not be picked up by your antivirus but may still be picked up by other vendors. So if your target is using McAfee and you have Symantec, you still run the risk that McAfee will pick up on your modified exes.
Good luck! :)
Links
Gonzor's web site - http://gonzor228.com/
Irongeek's web site - http://www.irongeek.com/
VMware's web site - http://www.vmware.com/
Microsoft VM site - http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx
XVI32 hex editor - http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm
WinRAR download site - http://www.rarlab.com/
Also, I thought I would add how to protect yourself and keep others from doing this to you.
Open a Run box and type gpedit.msc.
Then expand Administrative Templates under Computer Configuration and click on the System folder.
Then in the right pane double click 'Turn off Autoplay'. Click Enabled and change the drop down to All Drives. Then reboot your machine; now when you plug in your U3 drive it will not autoplay. Only do this if you don't want to use the Autoplay feature.
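The 'Turn off Autoplay' policy writes a bitmask called NoDriveTypeAutoRun under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, with one bit per drive type. This added example (not from the original post) decodes that mask to show why the 'All Drives' setting matters for a U3 stick, which autoruns through its emulated CDROM rather than through the removable drive: the value 0x95 used below as the older Windows XP default is an assumption from memory, and reg_file() is a hypothetical helper that emits an equivalent .reg file.

```python
# Bit layout of NoDriveTypeAutoRun: bit n disables autorun for the drive type
# whose GetDriveType() number is n (documented by Microsoft for this value).
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CDROM",
    0x40: "RAM disk",
    0x80: "reserved",
}
ALL_DRIVES = 0xFF   # what 'All Drives' in gpedit sets
XP_DEFAULT = 0x95   # commonly quoted Windows XP default; treat as an assumption

def autorun_disabled_for(mask: int) -> set:
    """Names of the drive types whose autorun `mask` turns off."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit}

def u3_autorun_blocked(mask: int) -> bool:
    """A U3 stick autoruns via its emulated CDROM, so only the CDROM bit counts.
    With the default mask the removable bit is set but the CDROM bit is not,
    which is exactly the gap the U3 trick relies on."""
    return bool(mask & 0x20)

def reg_file(mask: int) -> str:
    """Hypothetical helper: .reg text applying `mask` machine-wide (needs a reboot
    or logoff to take effect, as the post notes for the gpedit route)."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
            "\\Policies\\Explorer]\r\n"
            f'"NoDriveTypeAutoRun"=dword:{mask:08x}\r\n')

if __name__ == "__main__":
    for label, mask in (("XP default", XP_DEFAULT), ("All Drives", ALL_DRIVES)):
        print(f"{label}: 0x{mask:02X} disables {sorted(autorun_disabled_for(mask))}; "
              f"U3 CDROM autorun blocked: {u3_autorun_blocked(mask)}")
    print(reg_file(ALL_DRIVES))
```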