Go4Expert (http://www.go4expert.com/)
-   Ethical hacking Tips (http://www.go4expert.com/articles/ethical-hacking-tutorials/)
-   -   Altering Trojan Signature ! (http://www.go4expert.com/articles/altering-trojan-signature-t5035/)

kush_2207 1Jul2007 20:42

Altering Trojan Signature !
Originally article author - boonlia

I was about to present my presentation on Trojan signature alteration. Here I am posting the same.

What is the signature: Signatures are nothing but a part of the Trojan that an anti virus company uses to track it. It can be any part from the entire file. Now each company decides on its own as to what part of data or file it wants to use as a signature. Very often the company uses 2 or three chunks of it for the detection purpose.

How to get rid of it: The first method is by way of decompiling the file and then changing the code substantially and then recompiling it. The second method is by using a hex editor.

How to find the chunk that is used by the anti virus company as signature.

To stat with you have to first install that anti virus in your machine and get the auto protect disabled. Now open the Trojan in a hex editor.

Now go to the half way mark (Almost not exact) and copy the upper half and paste it to a new file and save it as upper.exe(As it contains upper half). Then copy the remaining half and paste it to other file and save it as Lower.exe (As it contains lower half). Be careful to see the proper offset. (I would like to mention here that in case u just increase or decrease the file by just one bit you will end up with complete file unusable and corrupt).

Fine now you have two files or rather one file split in two.

Make a backup copy of each and then scan each with the anti virus. If you are lucky enough you will be able to get one of them not infected. (If so then the signature is not in those bits). But very often you will find both of them infected.

Now same way divide the upper.exe into 2 parts (Upper_upper.exe and upper_lower.exe) and scan each of them. Do same with the lower.exe as well. Now out of these four you will find at least one file that is not detected as infected. Keep it separate. This is the file that does not contain the signatures. Now take the infected files again and split again.

Keep doing so as long as you can get the files infected.

Now at some point it will happen that the file you divide is an infected one but the resultant divided files are both Trojan free.
Wow now what does it mean. It means that you have divided the file at the point which is in fact the signature.

Now what you can do?

To alter the signature just change the last bit of the first file and the first bit of the last file and join them back.

Make changes this way and finally join all the files back at proper offsets.

Scan the file and you will find it Trojan free.

By using this method you can even isolate the chunk of bits that are signatures and you can play with them.

Now what happens if you alter a single bit?

Very often the file will still work. And you will be able to get out of the clutches of the anti virus as well.

You can opt the other way out as well. Just copy first few lines to a new file and scan it.

Then copy next few lines and scan it. Keep doing so until you get it detected. Now as soon as it gets detected change 1 or 2 bit from the middle of the last copied chunk and carry on again. Do it till you have entire file copied and trojan signatures altered.

Try out.

What is the other method of finding the signatures

Well as far as I think is that they are somewhere in the virus update file in some encrypted form. But when anti virus runs it has to somehow get decrypted (how can you compare the signatures otherwise). These decrypted forms should be somewhere in memory (I guess)

So we can try out to find it there. Don't know how successful it will be but will give it a try and let you all know soon :D

Also i would like to give you some screen shots of this thing done practically....will post it soon.

Comments as always welcomed ! :)

pradeep 4Jul2007 11:59

Re: Altering Trojan Signature !
Really interesting article! Thanks for sharing!

heiro 22Sep2007 10:58

Re: Altering Trojan Signature !
is there posible way to convert exe to text document????

shabbir 22Sep2007 11:01

Re: Altering Trojan Signature !
You are trying to convert an Apple into an Orange.

boonlia 8Aug2008 22:11

Re: Altering Trojan Signature !

This Article was written by me and published on Yahoo group. The article is copied as such here but without mentioning my name.

How sad is it that the peoples tend to get cheap publicity.

Just shocking....

GreenGrass 8Aug2008 22:31

Re: Altering Trojan Signature !
Well please post a link then...

shabbir 8Aug2008 22:40

Re: Altering Trojan Signature !
There are 2 options to it.

1. We remove the article.
2. Edit to add your link.

I searched for it but could not find it and so can you let us know what is the original article link.

boonlia 9Aug2008 17:18

Re: Altering Trojan Signature !

Here is the yahoo group link where the same was posted.


Just join the group an check it. It was posted on May 28 2006 almost an year prior to its being published here.

Well Mentioning the name will suffice.In fact had the person took my permission i would not have bothered for the name as well.

Someone has also posted it here with the reference


The date is 31st of Jan 2007

Hope this is fine enough to support my claim


Boonlia Prince Komal

shabbir 9Aug2008 20:56

Re: Altering Trojan Signature !
I could not join the group but I have still added your name as original author.

XXxxImmortalxxXX 11Aug2008 00:14

Re: Altering Trojan Signature !
e-mail the yahoo corrporation and tell them of this and they should help you

All times are GMT +5.5. The time now is 19:02.