Nmap Development mailing list archives
Re: Latest dist v5.2
From: Ron <ron () skullsecurity net>
Date: Wed, 27 Jan 2010 17:51:02 -0600
On Wed, 27 Jan 2010 23:12:12 +0000 Brandon Enright <bmenrigh () ucsd edu> wrote:
> [...] There are other well-known offsets in the MZ stub and PE header that AV products will check against for XOR encoding too.
>
> So, if we want to defeat dumb signatures and still obfuscate in a simple, easy to decode way, I'd suggest we XOR by 4 bytes, say, 0xabcd1234, and prepend a null to the result. So our file would be \x00<xor of the file>
>
> This will defeat all generic, accidental signatures. Of course, it won't defeat deliberate targeting by AV companies. If AV companies take issue with our binary and write signatures for it, no amount of obfuscation we try is going to work in the long run. We can take the issue up with them if it comes to that.
>
> Brandon
Hey, sorry I missed this earlier. I only read part of the email (*facepalm*).

I just experimented with replacing the first byte (the 'M') with something else, and that passed virustotal.com with 0 hits. Pre-pending a NULL-byte to the .exe also works (as I'm sure you know, because somebody else already checked earlier today :) ).

Anybody want to make a call on which to use? Or both? Or should we go with the "include it separately" idea after all?

--
Ron Bowes
http://www.skullsecurity.org

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
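An added example, not from this thread or the Nmap project, showing the detection side of the header check Brandon mentions: an engine recovers a short repeating XOR key from the known DOS stub text at its usual offsets, then verifies that the decoded bytes carry a PE signature, which still works when a byte is prepended or the first byte is changed. It assumes the binary carries the standard MSVC stub message; the sample header, the key bytes and the stub offset are constructed for the demonstration.

```python
import struct
# Known plaintext an AV engine can use to recover a short XOR key: the MSVC
# DOS stub message (assumption: the binary was linked with that stub).
DOS_STUB_MSG = b"This program cannot be run in DOS mode"
PE_SIG = b"PE\0\0"

def xor_bytes(buf: bytes, key: bytes) -> bytes:
    """XOR buf with a repeating key, key[0] aligned to buf[0]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))

def looks_like_pe(dec: bytes) -> bool:
    """Structural check: stub text in the first 0x100 bytes and e_lfanew
    (offset 0x3C) pointing at 'PE\\0\\0'. The 'MZ' magic is deliberately not
    required, since changing the first byte is enough to dodge a magic check."""
    if len(dec) < 0x40 or DOS_STUB_MSG not in dec[:0x100]:
        return False
    e_lfanew = struct.unpack_from("<I", dec, 0x3C)[0]
    return dec[e_lfanew:e_lfanew + 4] == PE_SIG

def find_xored_pe(data: bytes, max_prefix: int = 16, key_lens=(1, 2, 4)):
    """Return (prefix_len, key) if data is a PE XORed with a 1/2/4-byte
    repeating key, possibly behind up to max_prefix junk bytes; else None."""
    for prefix in range(max_prefix + 1):
        body = data[prefix:]
        for k in key_lens:
            # The stub text sits at a linker-dependent offset; try each one.
            for off in range(0x40, 0x80):
                if off + len(DOS_STUB_MSG) > len(body):
                    break
                key = bytearray(k)
                for j in range(k):  # k consecutive bytes cover every key phase
                    key[(off + j) % k] = body[off + j] ^ DOS_STUB_MSG[j]
                if looks_like_pe(xor_bytes(body, bytes(key))):
                    return prefix, bytes(key)
    return None

def fake_pe() -> bytes:
    """Constructed stand-in for an MZ/PE header (not a real executable)."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> PE signature at 0x80
    hdr[0x4E:0x4E + len(DOS_STUB_MSG)] = DOS_STUB_MSG
    hdr[0x80:0x84] = PE_SIG
    return bytes(hdr)

if __name__ == "__main__":
    # Constructed sample following the proposal: XOR with 0xabcd1234, prepend a null.
    sample = b"\x00" + xor_bytes(fake_pe(), bytes.fromhex("abcd1234"))
    prefix, key = find_xored_pe(sample)
    print(prefix, key.hex())  # 1 abcd1234
```

An unencoded file reports key 0x00, so the same check doubles as a plain PE header validator; the prefix search is what makes the "prepend a null" trick visible to a signature that anchors on the stub rather than on offset 0.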