Original article author: boonlia

I was about to present my presentation on Trojan signature alteration. Here I am posting the same.

What is the signature: Signatures are nothing but a part of the Trojan that an antivirus company uses to track it. It can be any part of the entire file. Now each company decides on its own what part of the data or file it wants to use as a signature. Very often the company uses two or three chunks of it for detection purposes.

How to get rid of it: The first method is to decompile the file, change the code substantially, and then recompile it. The second method is to use a hex editor.

How to find the chunk that is used by the antivirus company as a signature: To start with, you have to first install that antivirus on your machine and get auto-protect disabled. Now open the Trojan in a hex editor. Now go to the halfway mark (approximately, not exact), copy the upper half, paste it into a new file and save it as upper.exe (as it contains the upper half). Then copy the remaining half, paste it into another file and save it as Lower.exe (as it contains the lower half). Be careful to note the proper offset. (I would like to mention here that if you just increase or decrease the file by even one bit, you will end up with a completely unusable and corrupt file.) Fine, now you have two files, or rather one file split in two. Make a backup copy of each and then scan each with the antivirus. If you are lucky enough, you will find one of them not infected. (If so, then the signature is not in those bits.) But very often you will find both of them infected. Now in the same way divide upper.exe into two parts (Upper_upper.exe and upper_lower.exe) and scan each of them. Do the same with lower.exe as well. Now out of these four you will find at least one file that is not detected as infected. Keep it separate. This is the file that does not contain the signatures. Now take the infected files again and split again.

Keep doing so as long as you keep getting infected files. Now at some point it will happen that the file you divide is an infected one but the resulting divided files are both Trojan free. Wow, now what does it mean? It means that you have divided the file at the point which is in fact the signature. Now what can you do? To alter the signature, just change the last bit of the first file and the first bit of the last file and join them back. Make changes this way and finally join all the files back at the proper offsets. Scan the file and you will find it Trojan free. By using this method you can even isolate the chunk of bits that are signatures and you can play with them. Now what happens if you alter a single bit? Very often the file will still work. And you will be able to get out of the clutches of the antivirus as well.

You can go the other way as well. Just copy the first few lines to a new file and scan it. Then copy the next few lines and scan it. Keep doing so until you get it detected. Now as soon as it gets detected, change 1 or 2 bits from the middle of the last copied chunk and carry on again. Do it till you have the entire file copied and the Trojan signatures altered. Try it out.

What is the other method of finding the signatures? Well, as far as I think, they are somewhere in the virus update file in some encrypted form. But when the antivirus runs it has to somehow get decrypted (how can you compare the signatures otherwise?). These decrypted forms should be somewhere in memory (I guess), so we can try to find them there. Don't know how successful it will be, but I will give it a try and let you all know soon. Also I would like to give you some screenshots of this thing done practically....will post them soon. Comments as always welcome!
Oh, this article was written by me and published on a Yahoo group. The article is copied as such here but without mentioning my name. How sad it is that people tend to get cheap publicity. Just shocking....
There are two options. 1. We remove the article. 2. We edit it to add your link. I searched for it but could not find it, so can you let us know the original article link?
Hi, here is the Yahoo group link where the same was posted: http://tech.groups.yahoo.com/group/afceh-batch1/message/1272 Just join the group and check it. It was posted on May 28 2006, almost a year prior to its being published here. Well, mentioning the name will suffice. In fact, had the person taken my permission I would not have bothered about the name either. Someone has also posted it here with the reference: http://www.orkut.co.in/CommMsgs.aspx?cmm=1450780&tid=2513003895530252354&kw=boonlia The date is 31st of Jan 2007. Hope this is enough to support my claim. Regards, Boonlia Prince Komal