hiding netcat

[nberthaume at gmail.com (Nicholas B.)]

I have had issues using these methods with some programs that I've attempted
to sheild from AV.  On occassion I've found that I've needed to extend .text
section(s) inside of the binaries using lordpe for programs like gsecdump in
order to get scramblers or encoders to work well.

On Wed, May 19, 2010 at 9:20 AM, xgermx <xgermx at gmail.com> wrote:

> I get most things through A/V the same way (be it nc or fgdump).
> I split the executable in half and scan each piece with the A/V. I
> discard the piece that passes and focus on the piece that gets
> flagged. I then split that piece in half and repeat the process. I do
> this multiple times until I'm left with a small amount of code
> responsible for triggering the A/V. I then use a hex editor on the
> original executable to make very small modifications to that specific
> block of code. Usually it only takes a few character changes for the
> A/V not to recognize it anymore. This, in combination with editing the
> PE (I second PE scrambler) rarely fails me.
>
>
> On Wed, May 19, 2010 at 1:07 AM, Ali Alhebshi <alialhebshi at gmail.com>
> wrote:
> > Has anyone succeeded in getting fgdump past AV systems?
> >
> > On Mon, May 17, 2010 at 4:04 PM, bytes abit <bytesabit at gmail.com> wrote:
> > > Also, as a side note.. perhaps if you want to keep ncat on the system
> you
> > > could use the "Copy CON" techniques discussed in PDC...
> > > Can't remember the episode, think it was in the 160-170 range...
> > >
> > >
> > >
> > > On Mon, May 17, 2010 at 8:35 AM, Jim Halfpenny <jim.halfpenny at gmail.com
> >
> > > wrote:
> > > > Hi,
> > > > Busybox provides netcat functionality plus lots more with a small
> > > > footprint. I have not come across any AV software which detects
> > > > busybox as a potentially unwanted program.
> > > >
> > > > Regards,
> > > > Jim
> > > >
> > > > On 16 May 2010 17:49, Chris Teodorski <chris.teodorski at gmail.com>
> wrote:
> > > > > Thanks to all for the great advice.  I was using NetCat, because I'm
> > > > > putting it on a Teensy++ and I'm very limited in space.  The
> > > > > executable needs to be super small...
> > > > >
> > > > > I followed the article here:
> > > > > http://packetstormsecurity.nl/papers/virus/Taking_Back_Netcat.pdf
> > > > >
> > > > > It seems to have worked.
> > > > >
> > > > > Thanks to all for the help.
> > > > >
> > > > >
> > > > >
> > > > > On Sat, May 15, 2010 at 2:15 PM, Rob Fuller <jd.mubix at gmail.com>
> wrote:
> > > > > > Just curious, by why are you using Netcat?
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Rob Fuller | Mubix
> > > > > > Room362.com | Hak5.org | TheAcademyPro.com
> > > > > > Ignore this:
> > > > > > X5O!P%@AP
> [4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
> > > > > > On Sat, May 15, 2010 at 1:02 PM, Professor Thread
> > > > > > <professorthread at gmail.com> wrote:
> > > > > > > On 05/15/2010 03:08 PM, Chris Teodorski wrote:
> > > > > > >
> > > > > > > All,
> > > > > > >
> > > > > > > Does anyone know a good way to sneak netcat past modern AV?
> > > > > > >
> > > > > > > Chris
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Have you tried nmap's "ncat" version?
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Pauldotcom mailing list
> > > > > > > Pauldotcom at mail.pauldotcom.com
> > > > > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > > > > Main Web Site: http://pauldotcom.com
> > > > > >
> > > > > >
> > > > > > _______________________________________________
> > > > > > Pauldotcom mailing list
> > > > > > Pauldotcom at mail.pauldotcom.com
> > > > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > > > Main Web Site: http://pauldotcom.com
> > > > > _______________________________________________
> > > > > Pauldotcom mailing list
> > > > > Pauldotcom at mail.pauldotcom.com
> > > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > > Main Web Site: http://pauldotcom.com
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom at mail.pauldotcom.com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > >
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom at mail.pauldotcom.com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> >
> >
> > --
> > Ali Al-Hebshi
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20100519/65d331fa/attachment.htm