What I am going to do in this three-part blog is first download tini.exe, a backdoor roughly 8 years old, and submit it to Virus Total, where it will be scanned by 33 different anti-virus products, and I will show the results. Then the fun bit: I will modify just the port that tini.exe listens on and its file name, and see how many of them still report it as a backdoor!
Secondly, I will show you how to wrap this backdoor into any application you want and have it install silently alongside the real application. The third part will be a demonstration of a second machine connecting to this backdoor.
First, download the tini installer. I will submit the default tini.exe backdoor to Virus Total and see how many of the modern anti-virus companies detect this old backdoor.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkCfujq04UnZ5S1c5gzB2Em_xaPDiFyhzDqY921v7AYq7IIbRJDXeAUoyv5gQP3uCm5blY32sXTMn0Wi8FGe1VBeu_iuhF1gwEHgmEsf9XxECC5T39Ri5ZlyuwgZ5XsWq4CuxLC7kTmA/s400/tini+scan+1.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV5cTVIA1simhzyDH6ocYDfCQxtakq0Dv8JDY0-MENMpvhF3Uxi6PXO7ADbyW_iT-a-oeRmRIoyVNCpMCUXnB9sIYf_A8ORCj2G6CKgQPGZK49amu-rE8TeTiAz4Jo-tOhcC2LnbLo8g/s400/tini+scan+2.jpg)
All but one of the 33 products (32/33) identified it as some kind of backdoor/trojan.
So now to crack tini open with a hex editor and find the default listening port, 7777 (0x1E61) in this case:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVQUwvufsJZh34brC83R6he8-ydkrAegL_7h7xJCHLdPapwQ7QrASzyu0QPwWpKVt04D8Hsupuc6smuPhNJTLTMjvPavXxn2GbTLQmgQ6SKd7vIqc7eSTFh0XqsPnHFeX0CXnnkMNYpA/s400/hex+edit1.jpg)
I have picked a random port, 39846 (0x9BA6), and will edit the backdoor as shown below. The port is a 16-bit value, so this is a two-byte change to the file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIEzMA-OHm_gMk1GBCYVkDzxEJuZB9HYgyBa3DNLTqbB_yMIET8LaP4NboipuWhYpL6H11plyVxVJhuvdOXxDfy8hH6tqkIoh9trfUrPH9uVXMLypikTpAd1BPjQ4ky8l7-AAzc_m_9g/s400/hex+edit2.jpg)
I saved the modified version as dave.exe and re-submitted it to Virus Total. The results are shown below:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWECSHTfLqqOhckHoyqpx18ZS7m12mkYenRAkDiXTp1QRw8BweS-xWYiiXWHmY4yypprD93sHXjUVRZPY_EvzBS-xln0ABruC3JfohLxdMUu9TkHXhVaciXJh20XAmt6-h-EocU1xW4g/s400/tini+scan+3.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh49eby0-37U-x7FMzkw5fxX7ZdCJc2oYPZDDu0eQ0hS-ZunM0StK9-e5b41lEmpg2VUyYp1KNaDkPN8pyqGZfK2O16q4byeWW3jE_Y2ZhOiw12uWxt2WII9gUd2XgtWRw2od4ba3EI2Q/s400/tini+scan+4.jpg)
You can see that only 21 of the products now report this file as malicious. So by changing just the listening port and the name of the backdoor, detection of this 8-year-old backdoor dropped from 32/33 on the first scan to 21/33. A two-byte change alters every hash of the file, so any product whose signature was a whole-file hash, or a byte pattern that happened to cover the port, loses the detection, while products keyed on other parts of the code still flag it. It is hardly inspiring reading, is it?
Part two of this post will show how to wrap this modified backdoor in a genuine application so that it installs in stealth on the victim's machine.
Please be patient for part two; I have commitments to meet for the OWASP Code Review Guide over the next few days before I can put it up.
I believe that the obvious weakness of signature-based detection systems has been well aired. This weakness being the premise that everything is good apart from what I 'know' to be bad. Tsk, any cynical information security hack would be appalled at such a thought. We all know that everything is bad apart from that which can be verifiably proven to be good, and then only as long as it doesn't do anything unexpected.
"I believe that the obvious weakness of signature-based detection systems has been well aired."
One might suggest that if the problem is that well known, we would have anti-virus products that were more efficient at finding the "bad" things.
As for the cynicism, perhaps there is a hint of cynicism in my post, but its aim was to show that anti-virus is certainly not the silver bullet certain marketing material would have you believe ;-)
Dave