This is a list of the best XSS scanners:
http://www.sven.de/xsss/
http://pixybox.seclab.tuwien.ac.at/pixy/dist/pixy_3_03.zip
Friday, January 30, 2009
Wednesday, January 28, 2009
Web Application Scanners Comparison
This is a comparison of some of the well-known web scanners (Acunetix, HP WebInspect, IBM Rational AppScan). Do not rely on it entirely, as there are some concerns about the methodology; however, it is a good starting point.
Acunetix seems to be the best, I personally like it.
http://anantasec.blogspot.com/2009/01/web-vulnerability-scanners-comparison.html
Tuesday, January 27, 2009
Malicious Shortcut
A malicious shortcut is a new way of dropping malware on your PC. The shortcut itself is not malware; however, it contains a script that launches cmd.exe, connects to a malicious FTP server and downloads the malware.
The shortcut can be sent by email or hosted on a web server; it is a neat trick to evade your email AV and your Internet filtering system.
http://www.avertlabs.com/research/blog/index.php/2009/01/26/abusing-shortcut-files/
Sunday, January 25, 2009
JavaScript Obfuscators
I got some comments and suggestions on this entry, so I have updated it.
There are lots of commercial and open-source JavaScript obfuscators for legitimate use, such as improving web page performance. Hackers use the same tools to hide the malicious activity of their JavaScript code. Here is a small list of some of the available tools:
Free/Open-source JS Obfuscators:
http://www.javascriptobfuscator.com/Default.aspx
http://dean.edwards.name/packer/
http://www.shaneng.net/index.php?n=Main.JavaScriptObfuscator
http://scriptasylum.com/tutorials/encdec/javascript_encoder.html
http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php
http://www.jimmyleo.com/work/FreShowStart.htm
Commercial JS Obfuscators (some have fully functional, time-limited trial versions):
Jasob3:
http://www.jasob.com/
Thicket obfuscator:
http://www.semdesigns.com/Products/Obfuscators/ECMAScriptObfuscator.html
Javascript obfuscator:
http://www.javascript-source.com/javascript-obfuscator.html
Stunnix:
http://www.stunnix.com/prod/jo/
SOC:
http://www.codehouse.com/products/soc/
TrickyScripter:
http://trickyscripter.com/
ESC:
http://www.saltstorm.net/depo/esc/
Quick notes:
- At the end of the day, the obfuscated code will run in the browser de-obfuscated, so obfuscation should not be considered a security feature.
- The only reason, from my point of view, to study obfuscation is for web filtering vendors to make sure that their Internet filtering solutions can decode the obfuscated code before passing it to the end user.
Some of the obfuscation techniques:
Character encoding, randomization of variable and function names, string manipulation, comment insertion, code nesting, code shuffling, newline characters and NOPs, and encryption.
Saturday, January 24, 2009
The largest data breach in history
Around 100 million credit and debit card accounts have been leaked to the black market. Malware on a processing system at Heartland Payment Systems is responsible for collecting this huge amount of card information; the exact details have not yet been released, including the exact number of leaked cards and exactly which parts of the information were leaked.
http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html
Updated:
The source of the breach is outside the USA; can you guess which country???
http://www.storefrontbacktalk.com/securityfraud/feds-identify-overseas-suspect-in-heartland-case/
If you have time to play the guessing game, take a look at:
End-of-year Security Reports - 2008
Updated:
Here is my TOP 10 list of security reports:
Cisco 2008 Annual security report:
Vulnerabilities increased by 11.5% over last year; 90% increase in threats from legitimate domains.
http://cisco.com/en/US/prod/vpndevc/annual_security_report.html
Finjan:
Expected sharp rise in cybercrime in 2009 due to the current economic downturn
http://www.finjan.com/GetObject.aspx?objid=641
Anti-Phishing Working Group:
Password stealing malicious code URLs are on the rise
http://www.antiphishing.org/reports/apwg_report_Q2_2008.pdf
Cenzic Q2 2008 report:
http://www.cenzic.com/news_events/Cenzic_AppSecTrends_Q2-08.php
Symantec Underground Economy Report:
F-Secure Threat Summary for H2, 2008:
Trend Micro, Most Abused Infection Vector:
MessageLabs:
Arbor:
Sophos:
http://www.sophos.com/securityreport2009
Updated:
I have added more reports to my top 10 list:
Whitehat Security:
http://www.whitehatsec.com/home/resource/stats.html
Enisa (European Network and Information Security Agency):
http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_web2.pdf
Panda Security:
http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2008/12/31/Annual_Report_Pandalabs_2008_ENG.pdf
WebSense:
- 77% of web sites hosting malicious content are legitimate sites
- 70% of the top 100 sites hosted or redirected to malicious content
- 57% of data-stealing attacks are conducted over the web
http://www.websense.com/site/Docs/whitepapers/en/WSL_ReportQ3Q4FNL.PDF?CMP=NR012109A
CSI:
Aladdin:
IBM X-Force:
Friday, January 23, 2009
Pen-Testing Resources
Updated:
This is a summary of multiple old posts related to pen-testing.
Tips and Tricks:
Some very good presentations on network pen-testing with very few tools. The aim is to select the most effective tools for your testing and to maximize their usage; there are very nice tips, tricks and examples in the presentations.
http://pauldotcom.com/TriplePlay-NetworkPenTestingTools.pdf
http://inguardians.com/pubs/PenTestPerfectStormPart1FINAL.pdf
http://inguardians.com/pubs/PenTestPerfectStormPart2FINAL.pdf
Tools:
FireCAT is a collection of the most efficient and useful Firefox extensions for application security auditing and assessment. This is how to turn your Firefox into a security auditing and assessment tool.
http://www.security-database.com/toolswatch/FireCAT-1-5-released.html
Application Pen-Testing Time Estimator:
http://www.coffeeandsecurity.com/resources/tools/tamapper.aspx
Sample Report:
Offensive Security has just released a sample penetration testing report; it is not a "Nessus results" kind of report, a must-see...
http://www.offensive-security.com/offsec-sample-report.pdf
Wednesday, January 21, 2009
Mobile Credit Theft
Researchers discovered new trojans on the Symbian platform that transfer a small amount of the victim's credit to the attacker's mobile; the trojan transfers small amounts in order not to be noticed.
No information is available on how to protect yourself from these trojans or on the propagation vector.
http://www.viruslist.com/en/weblog?weblogid=208187621
Monday, January 19, 2009
Must have Firefox Add-ons
Updated
Control cookie permissions
https://addons.mozilla.org/en-US/firefox/addon/2497
No Script
Allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice
FireKeeper
IDS/IPS for your Firefox; it intercepts all your browser requests/responses and can block suspicious activity.
Zotero
The best tool ever for organizing your research: manage files, web pages and images from within your browser in a single place.
https://addons.mozilla.org/en-US/firefox/addon/3504
JSView
View the embedded source code of JavaScripts and Style Sheets in any web page
https://addons.mozilla.org/en-US/firefox/addon/2076
SwitchProxy
Manage and switch between multiple proxy configurations
https://addons.mozilla.org/en-US/firefox/addon/125
HauteSecure
Threat warning and reputation rating for the web sites you are visiting. Protect from web-based malware.
RequestPolicy
Control cross-site requests; comprehensive client-side protection against CSRF
Targeted Advertising Cookie Opt-Out (TACO) 1.3
Prevent Advertising Networks from collecting your personal information from cookies
https://addons.mozilla.org/en-US/firefox/addon/11073
Collection:
Malware Hash Registry:
Mass Injection Analysis
Redirection Chaining
Deobfuscation Analysis
Content Profiling
Sunday, January 18, 2009
Millions of infections exploiting MS08-067
A piece of malware is spreading everywhere. If you are following basic general security recommendations, you should not be concerned; however, the infection numbers show that people are still making the same old mistakes. If your company is infected, it is an indication of a poor security policy.....
The estimated number of infected hosts is several millions worldwide, and it is getting worse.
The Downadup or Conficker worm is designed to call back home and receive further instructions.
http://www.f-secure.com/weblog/archives/00001584.html
The worm has other names:
Win32/Conficker.A (CA)
Mal/Conficker-A (Sophos)
Trojan.Win32.Agent.bccs (Kaspersky)
W32.Downadup.B (Symantec)
Propagation vector:
Like other worms, the infected machine will scan the network looking for vulnerable machines, but the worm has other ways of propagating: it will scan the company network trying to guess passwords using hundreds of common words, then infect those machines. It will also try to infect your removable USB stick and propagate using autorun.inf.
Once infected, the worm disables many security services on the victim machine and blocks access to some sites, such as Microsoft and most anti-virus sites.
MS advisories:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
http://blogs.technet.com/mmpc/archive/2009/01/13/msrt-released-today-addressing-conficker-and-banload.aspx
F-Secure Advisory:
http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml
TrendMicro Analysis:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.AD&VSect=T
Obfuscated autorun.inf file analysis:
http://www.sophos.com/security/blog/2009/01/2628.html?_log_from=rss
McAfee analysts discovered that the exploit used in this worm was made using Metasploit, which raises a concern about the security tools being used by the bad guys.
http://www.avertlabs.com/research/blog/index.php/2009/01/15/conficker-worm-using-metasploit-payload-to-spread/
In the early releases of the worm, the worm would expose the machine to fake security software, earning $30 per sale.
http://blogs.zdnet.com/security/?p=2388
The way the worm calls home is a new technique. Using a complicated algorithm that changes on a daily basis, the worm generates many possible domain names every day and tries to connect to them. It is impossible to shut down all possible domains, because many of them are never registered; this gives the guys who are controlling the worm the ability to select the time and domain they want to use to take control of the infected machines. F-Secure managed to play the same game, predicted an unregistered domain name, and used it to control the worm.
http://www.f-secure.com/weblog/archives/00001579.html
CNN Coverage:
http://edition.cnn.com/2009/TECH/ptech/01/16/virus.downadup/index.html
Protection:
- Patch your systems with MS08-067, the patch was released late October 2008
- Use long difficult passwords
- MS Malicious Software Removal Kit is able to detect and clean the worm
- Disable the autorun feature:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93502.mspx?mfr=true
F-Secure disinfection tool:
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
My blog entry about the early worm:
http://okamalo.blogspot.com/2008/11/worm-exploiting-ms08-067-in-wild.html
Updated
In-depth analysis of memory injection, and how Conficker is injected into rundll32.dll to bypass the firewall and HIPS.
http://blog.threatexpert.com/2009/01/confickerdownadup-memory-injection.html
And here is a tool to detect a list of C&C domain names:
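The date-driven domain generation described above, as an added example that is my own code and not Conficker's actual algorithm: a hypothetical date-seeded generator, written from the defender's side, that enumerates a day's candidate domains in advance and matches constructed DNS log lines against them, which is the "play the same game" idea. The TLD pool, the 250-per-day count, the PRNG, the log format and the hosts are all assumptions made for this example.

```javascript
// Added example (NOT Conficker's real algorithm): a hypothetical date-seeded
// domain generator and the defender's use of it. Because the only input is the
// calendar date, anyone who knows the scheme can compute the same list ahead
// of time and use it as a blocklist, a sinkhole target or a DNS-log detector.

const TLDS = ['.com', '.net', '.org', '.info', '.biz'];   // assumed TLD pool
const PER_DAY = 250;                                       // assumed list size

// Deterministic 32-bit LCG so the same seed always yields the same sequence.
// The high bits are returned because the low bits of an LCG cycle quickly.
function makePrng(seed) {
  let state = seed >>> 0;
  return () => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    return state >>> 8;
  };
}

// Seed derived from the UTC calendar date only (hypothetical scheme).
function daySeed(date) {
  return (date.getUTCFullYear() * 10000 + (date.getUTCMonth() + 1) * 100 + date.getUTCDate()) >>> 0;
}

// The day's candidate rendezvous domains: 8-12 lowercase letters plus a TLD.
function candidateDomains(date, count = PER_DAY) {
  const rnd = makePrng(daySeed(date));
  const out = [];
  for (let i = 0; i < count; i++) {
    const len = 8 + (rnd() % 5);
    let name = '';
    for (let j = 0; j < len; j++) name += String.fromCharCode(97 + (rnd() % 26));
    out.push(name + TLDS[rnd() % TLDS.length]);
  }
  return out;
}

// Defender side: flag DNS queries that hit the predicted list for that day.
// Log format "<time> <client> query <name>" is constructed for this example.
function matchDnsLog(lines, date) {
  const predicted = new Set(candidateDomains(date));
  const hits = [];
  for (const line of lines) {
    const m = /^(\S+) (\S+) query (\S+)$/.exec(line);
    if (m && predicted.has(m[3].toLowerCase())) hits.push({ time: m[1], host: m[2], domain: m[3] });
  }
  return hits;
}

// Constructed sample: one host querying a predicted domain among normal traffic.
const DAY = new Date(Date.UTC(2009, 0, 18));
const SAMPLE_LOG = [
  '2009-01-18T10:00:01Z 10.0.0.5 query www.example.com',
  `2009-01-18T10:00:02Z 10.0.0.9 query ${candidateDomains(DAY)[17]}`,
  '2009-01-18T10:00:03Z 10.0.0.5 query mail.example.com',
];

console.log(matchDnsLog(SAMPLE_LOG, DAY));
```

Registering or sinkholing even one entry from the precomputed list is enough to receive the infected hosts' check-ins for that day, which is why knowing the generator matters more than knowing any single domain.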
Friday, January 16, 2009
Web Hacking Challenges
This is a list of some web hacking challenges for learning purposes; there are many levels and several technologies to attack, such as XSS, SQL injection, Flash, Java, HTML, .....
http://www.hackthissite.org
http://www.hack-test.com/
http://www.hellboundhackers.org/
http://www.hack4u.org/index.php?choices=1&code=level0
http://xss-quiz.int21h.jp/
Wednesday, January 14, 2009
VoIP Security incidents in 2008
The list of incidents is taken from Mark Collier's blog:
Most incidents in 2008 are fraud cases, where people hack the phone system of an organization to place lots of long-distance calls; average losses per case are several thousand US dollars.
http://www.boston.com/news/local/articles/2008/07/27/library_phone_system_hacked/
http://www.networkworld.com/news/2008/072908-georgia-student-arrested-for-hacking.html
http://www.networkworld.com/news/2008/072808-businesses-ignore-telecoms.html
http://www.msnbc.msn.com/id/26319201
http://www.usken.no/2008/09/30/voip-attacks-are-escalating/
http://www.ipcom.at/fileadmin/public/2008-10-22_Analysis_of_a_VoIP_Attack.pdf
http://www.winnipegfreepress.com/local/hacker_makes_costly_calls.html
Updated:
And 2009 is here:
http://www.thewest.com.au/default.aspx?MenuID=77&ContentID=119462
Friday, January 9, 2009
Cyber warfare against Israel
Several thousand Israeli web sites have been hacked during the last few days, as part of Arab hackers' reaction to the latest Israeli attack on Gaza, Palestine.
Several defacements are part of coordinated efforts, while others are just individual expressions.
The hackers are mainly from Algeria, Morocco, Egypt, Turkey and Saudi Arabia.
There were also some coordinated efforts to launch DDoS attacks on some Israeli governmental sites; the hackers used many forums to distribute the message, tools, date and time to launch the attack. I would assume that the bad performance of the Internet in the Arab world, due to the cable cuts in the Mediterranean, largely reduced the effect of the DDoS.
Updated:
Check the Arabic attack archive site: http://www.arabic-m.com for a list of hacked websites.
On the other side, Israel is making use of Internet channels like YouTube and Twitter to deliver their political messages, in addition to online monitoring service like http://israel.internet-haganah.com/
Updated:
The Israeli domain registration server (DomainTheNet) was hacked by a Moroccan hacker group; the hackers were able to get a password that allowed them to change the DNS records of some web sites so that they forwarded to other pages with political messages.
Updated:
Israeli hackers developed a program and published it on the Internet, inviting Israeli people to download the tool and contribute to the current cyber warfare between Israel and Palestine.
An analysis of the program was done by SANS, and it seems to be a risky one, as it tries to connect to an IRC server and waits for orders; this can be used for many purposes.
The site changes its location regularly; the last working address for it is http://help-israel-win.tk/
Updated:
USA military sites are now part of the war: a Turkish hacker successfully defaced some USA military web sites and the NATO Parliament site using SQL injection attacks.
Thursday, January 8, 2009
10 ways to protect yourself
The ESET blog has some nice "10 ways to protect yourself" articles, aimed at normal users.
- Disable autorun in windows
- Do not use your computer with administrator privileges
- Use different passwords for your computer and your online services
- Change the password frequently
- Do not trust links in your email, even from friends
- Protect sensitive information on your computer with encryption
- Backup your data regularly
- Avoid fake security software
- Avoid free wifi hotspots
- Do not use cracked/pirated software, audio and video.
- Keep applications and operating system components up-to-date with automated updates and patches
- Do not disclose sensitive information on public web sites like Facebook or LinkedIn
- Do not depend on antivirus only, use personal firewall, antispam, anti-phishing toolbars
Monday, January 5, 2009
Nokia S60 phones exploit blocks SMS/MMS
A DoS against Nokia Series 60 phones was disclosed and demonstrated at the 25th Chaos Communication Congress, Berlin, last week.
The 3GPP TS 23.040 standard specifies a method of sending email via SMS; if this email is longer than 32 characters, the affected Symbian versions will fail to display the message or give any indication on the user interface, and the device will not be able to send or receive any more SMS or MMS messages.
S60 versions 2.6 and 3.0 will be locked after just one message, while 2.8 and 3.1 will be locked up after more than 11 messages.
The only way to recover from this situation is to perform a factory reset; no firmware update is available to fix this problem so far.
Although this is not a high security risk, the risk can be mitigated by the operators by filtering this kind of SMS on the network.
F-Secure report:
http://www.f-secure.com/weblog/archives/00001569.html
Advisory:
http://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-advisory.txt
Video:
https://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-demo.avi
Affected devices are mainly the Nokia E and N series; the list of models is in the advisory.
Sunday, January 4, 2009
Evading Anti-Virus, the easy way
This is just an example of how well-known malware can evade anti-virus:
- Use file splitter software to split the malware into several small files
- Run the anti-virus engine locally to scan all the small files; the anti-virus will detect a signature of the malware in one or more of the small split files.
- The next step is to use a hex editor to change the signature of these detected files, by changing any byte within the file.
- Test the anti-virus again against all edited files; you may want to repeat the process and change a different byte.
- Re-run your file splitter to un-split your files
- Test whether the malware still works fine or your changes broke the code. You will have to start over again if the code is broken.
- Once your tests succeed, your malware should now be undetectable.