Nmap Development mailing list archives

Re: False positives on antivirus


From: Ron <ron () skullsecurity net>
Date: Thu, 28 Jan 2010 12:55:52 -0600

On Thu, 28 Jan 2010 13:43:10 -0500
Michael Pattrick <mpattrick () rhinovirus org> wrote:

> On Thu, Jan 28, 2010 at 10:57 AM, Ron <ron () skullsecurity net> wrote:
> > 1. Encode the file in a simple way
> > --> Didn't work in the simplest case, because some a/v still detects it
> Out of curiosity, what did you try?

I should have linked to the other thread, it was sort of off topic, but eh? I tried xor'ing every byte by a static value, which failed, spectacularly.

We found a couple ways that DO work, such as by prepending a null byte to the file, replacing the 'MZ' at the start with something else, etc. But like I said, it's a matter of time before some kind of malware does the same thing and we start getting picked up again.

> > 2. Encrypt the file properly
> > --> No reason that it wouldn't work (though I've said that before and was very wrong ;) )
> > --> Dependency on OpenSSL (dependency already exists)
> > --> Will take me a while to implement (I'm going to be rather busy for the next month or so)
>
> I'd argue that we don't need to go as far as a dependency on OpenSSL
> just to trick antivirus programs. The attached file implements a
> simple - small - stream cipher, which should be able to trick all
> antiviruses. The encryption operation is the same as the decryption
> operation, so it should be convenient to use.

That's true, but we already have a dependency on OpenSSL (you would never get to this point without it), so it makes more sense (and requires less code) to just use one of their crypto routines.

> -M


-- 
Ron Bowes
http://www.skullsecurity.org
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
