Ever since Symantec added Netcat's signature to their virus database, there have been repeated outcries against the detection of Netcat as a “Hack Tool”, since Netcat is a very useful networking utility. Here we show how to locate the signature used to identify Netcat and modify it, so that the executable no longer matches Symantec's signature without interfering with any of the program's functionality. This is an exercise in identifying and modifying the sections of code (signatures) that anti-virus programs use to identify malicious code; the tools and techniques used here can be applied to any program that is marked as malicious by AV applications.
Tools used
1. Netcat 1.11 (https://eternallybored.org/misc/netcat/)
2. Anti-Virus multi-scanner (https://nodistribute.com)
3. Hex Workshop v6.8 (http://www.bpsoft.com/downloads)
4. OllyDbg (http://www.ollydbg.de)
First, let us see what the antivirus tools say about Netcat:
Identifying a Signature
What is a file's “signature”? Two different things go by that name. A file magic number is a short sequence of bytes (most are 2-4 bytes long) placed at the beginning of a file to identify its format; for a Windows executable it is the “MZ” at offset 0. An anti-virus signature is something else: a byte pattern somewhere inside the file that the vendor has chosen as characteristic of the program it wants to flag. It is the anti-virus signature that we need to find and change, and knowing the file format tells us where in the file it is worth looking.
The Portable Executable (PE) format is a file format for executables,
object code, DLLs, FON Font files, and others used in 32-bit and 64-bit
versions of Windows operating systems. The PE format is a data structure that
encapsulates the information necessary for the Windows OS loader to manage the
wrapped executable code. This includes dynamic library references for linking,
API export and import tables, resource management data and thread-local storage
(TLS) data.
How do we find the PE headers in the hex dump? Near the start of the file you will notice a few text strings such as “This program cannot be run in DOS mode”, “.text”, “.data” and “.rdata”, followed by several hundred bytes of 0s. This is the PE header region of the program (DOS stub, PE/COFF headers and the section table, padded with zeros out to the file alignment); the actual program instructions begin immediately after the zeros, at file offset 1000:
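The header layout described above, as an added Python example that is not part of the original post: it builds a small constructed PE32 image (one .text section, entry-point RVA 1160 as in the article, but with the section's raw file offset deliberately different from its virtual address), parses the DOS header, PE/COFF header and section table, and converts between the virtual addresses a debugger shows and the file offsets a hex editor uses. In the nc.exe build the article examines the two happen to coincide (offset 1020 in Hex Workshop is 00401020 in OllyDbg), but that is a property of that particular binary, not a rule, so the mapping has to come from the section table. Field offsets are the standard ones from the PE specification; the sample values are invented.

```python
# Added example: parse PE headers and convert debugger addresses to file offsets.
# The PE image below is constructed for the example; its values are invented.
import struct

IMAGE_BASE = 0x400000
ENTRY_RVA = 0x1160                 # entry-point RVA, matching the article's 00401160
TEXT_RVA, TEXT_RAW, TEXT_SIZE = 0x1000, 0x200, 0x400   # RVA deliberately != raw offset

def build_sample_pe() -> bytes:
    """Minimal synthetic PE32: DOS stub, PE/COFF headers, one .text section."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    msg = b"This program cannot be run in DOS mode"
    dos[0x4E:0x4E + len(msg)] = msg
    struct.pack_into("<I", dos, 0x3C, e_lfanew)            # pointer to "PE\0\0"
    # COFF header: Machine=i386, 1 section, SizeOfOptionalHeader=224, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                  # magic: PE32
    struct.pack_into("<I", opt, 16, ENTRY_RVA)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)            # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)        # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, TEXT_RVA + TEXT_SIZE, TEXT_RAW)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 3)                     # Subsystem: console
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    # Section header: name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # relocs/linenumbers (unused), Characteristics = CODE|EXECUTE|READ
    sec = struct.pack("<8sIIIIIIHHI", b".text", TEXT_SIZE, TEXT_RVA, TEXT_SIZE, TEXT_RAW,
                      0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(TEXT_RAW, b"\0")
    text = bytearray(b"\x90" * TEXT_SIZE)                  # NOPs standing in for code
    text[ENTRY_RVA - TEXT_RVA] = 0xC3                       # RET at the entry point
    return headers + bytes(text)

def parse_pe(img: bytes) -> dict:
    """Read image base, entry RVA and the section table from a PE32/PE32+ file."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", img, coff + 2)[0]
    opt_size = struct.unpack_from("<H", img, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", img, opt)[0]
    entry_rva = struct.unpack_from("<I", img, opt + 16)[0]
    if magic == 0x10B:                                      # PE32
        image_base = struct.unpack_from("<I", img, opt + 28)[0]
    elif magic == 0x20B:                                    # PE32+: no BaseOfData, 8-byte base
        image_base = struct.unpack_from("<Q", img, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", img, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}

def va_to_file_offset(pe: dict, va: int):
    """Debugger address (ImageBase + RVA) -> hex-editor file offset, or None."""
    rva = va - pe["image_base"]
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            delta = rva - s["va"]
            # Bytes past SizeOfRawData exist only in memory (loader zero-fills them).
            return s["rawptr"] + delta if delta < s["rawsize"] else None
    return None

def file_offset_to_va(pe: dict, offset: int):
    """Inverse mapping: the address a file byte will have once loaded, or None."""
    for s in pe["sections"]:
        if s["rawptr"] <= offset < s["rawptr"] + s["rawsize"]:
            return pe["image_base"] + s["va"] + (offset - s["rawptr"])
    return None   # header bytes or slack outside every section

if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for s in pe["sections"]:
        print("%-8s RVA %#06x raw offset %#06x size %#x" % (s["name"], s["va"], s["rawptr"], s["rawsize"]))
    entry_va = pe["image_base"] + pe["entry_rva"]
    print("entry point %#010x is at file offset %#x" % (entry_va, va_to_file_offset(pe, entry_va)))
```

Running it prints the section table and shows the entry point 00401160 landing at file offset 360 in this sample; on nc.exe itself the same code would report 1160, because there the .text raw offset equals its RVA. Header bytes (anything before the first PointerToRawData) map to no address, which is the region the zero padding after the section names occupies.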
Changing File Signatures
Once your AV agent has identified a file as a virus, trojan, worm or other malicious program, you need to locate the part of the file that the AV application uses to identify it. Open the program in a hex editor and overwrite the second half of the file with zeros. If the AV application no longer identifies the file as malicious, then the signature (or at least part of it) is located in the second half of the file; conversely, if it is still identified as malicious, then the signature is located entirely in the first half. This halving can be applied again and again to narrow down the location of the signature until you can positively identify its exact offset and length. Each trial copy is only scanned, never run: zeroing code produces a file that will crash, and the only question being asked of it is whether the scanner still flags it.
There are easy ways of changing the signature of a program (packers, encryptors, etc.), but they are not always viable options for those wishing to bypass anti-virus applications. Additionally, it would be easy for anti-virus companies to run a program such as Netcat through a few popular packers/encryptors and add signatures for the resulting binaries to their virus databases as well. We will instead manually examine and edit the Netcat program in order to create a custom “version” of the Netcat utility.
How to edit the signature of the file? First open up Netcat with Hex Workshop (right-click nc.exe and select ‘Hex edit with Hex Workshop’). If you scroll to the bottom of the hex dump, you see the last byte is located at offset 8EAF. Pick a split point near the middle of the file; the exact midpoint (8EAF/2 = 4757) is not important, and 4547 is used here. Open a goto box (Ctrl+G) and go to offset 4547 from the beginning of the file:
Select everything from 4547 to the end of the file (8EAF), right-click, select ‘Fill’, and fill the selected section with 0s:
Save your changes; when prompted to make a backup, say yes. Keep the original untouched and make every further change to a fresh copy of it.
We assume the PE header is not part of the signature. Signatures usually target code or data, though nothing prevents a vendor from keying on header fields such as section names or the import table, so this is an assumption to be tested rather than a rule. Thus the signature must be somewhere between offsets 1000 and 4547; this can be confirmed by zeroing out all the file contents between these two addresses, as we did with the second half of the file, and running a virus scan on nc.exe again.
We can continue this process of elimination by systematically modifying sections of code between 1000 and 4547 and testing the resulting file against AV. If the file is still detected as the Netcat “Hack Tool”, then the section that was modified was not part of the signature; if it is not detected, then the modified section was part of the signature. It is important to discard the modified file after each test and make each new change to a fresh copy of the original (as we did in the previous example), or else your results will be skewed by earlier edits and you will end up with a non-functioning program to boot. For brevity, I will simply list the sections that I zeroed out and the result each modification had on the AV detection.
When OllyDbg helps
The easiest way to identify where and how to change the program code is to open it up in a disassembler/debugger and analyze the resulting assembly code; for this we will use OllyDbg. Open the original copy of nc.exe in Olly and scroll up to the top of the code window.
The entry point is at 00401160. Olly shows virtual addresses, i.e. the image base (00400000) plus the offset of the byte within the loaded image, not file offsets.
Notice that the code Olly shows starts at 00401020, and that the hex dump of the code located there matches the hex dump at file offset 1020 in Hex Workshop; in this binary the code section is stored at the same file offset as its in-memory offset, so the low four hex digits of an Olly address are also the Hex Workshop offset. This confirms our previous assumption that this region is the beginning of the actual program instructions:
If we scroll down we find a string of INT3 instructions starting at 1355.
INT3 is a software interrupt that debuggers use to pause program execution. These bytes sit between the end of one function and the start of the next: they are alignment padding emitted after a function's final return, they are never executed when Netcat runs, and so they can be modified without affecting the program's execution flow. (A single CC byte that is part of a real instruction, for example an immediate operand, is not padding; only a run of INT3 following an unconditional return or jump qualifies.) Additionally, they lie within the signature bytes that we need to modify. If you are using Olly, select one of these INT3 instructions (I chose the first one at 1355) and press the space bar. In the ‘Assemble’ text box that appears, enter ‘nop’ (no quotes) and click Assemble:
The same change can be made directly in the hex editor. The hexadecimal encoding of the INT3 instruction is CC and that of NOP is 90, so the run of INT3 instructions simply appears as a run of CC bytes; change one of those CC bytes to 90 and save the changes. The reverse edit, turning a 90 into a CC, is only safe if that NOP is itself never executed: an INT3 on an executed path stops the program with a breakpoint trap.
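The halving search from “Changing File Signatures” and the INT3-to-NOP edit just described, carried through end to end as an added Python example that is not code from the original post. The file image, the byte pattern the scanner looks for, and the scanner itself (a plain substring match) are all constructed here as stand-ins for nc.exe, Symantec's signature and a real AV engine; in practice the `scan` callback would wrap a scan of the edited copy with the AV product or a multi-scanner. The search generalises the manual halving into a binary search for the signature's start and end, then finds runs of CC padding inside the located range, patches one byte to 90, and checks that the result is no longer detected while the same patch outside the range changes nothing.

```python
# Added example: bisect for an AV signature, then patch INT3 padding inside it.
# Image, "signature" and detector are constructed stand-ins for nc.exe,
# Symantec's pattern and a real scanner; no bytes here come from nc.exe.
from typing import Callable, List, Tuple

FILE_SIZE = 0x8EB0   # same size as the article's nc.exe (last offset 8EAF)
SIG_START = 0x1340   # where the constructed signature is planted
SIGNATURE = (bytes.fromhex("6a 00 68 00 10 00 00 ff 15 34 20 40 00 8b 45 fc 5f 5e 5b c9 c3")
             + b"\xCC" * 8   # tail of one function, 8 bytes of INT3 padding,
             + bytes.fromhex("55 8b ec 83 ec 10 53 56 57 8b 7d 08 8b 75 0c 33 db 85 ff"))
SIG_END = SIG_START + len(SIGNATURE)   # 0x1370 exclusive; the INT3 run starts at 0x1355
OTHER_PAD = 0x1800   # an INT3 run that is NOT part of the signature

def build_sample_image() -> bytes:
    """Constructed stand-in for nc.exe: byte soup with the signature planted in it."""
    img = bytearray((i * 7 + 3) & 0xFF for i in range(FILE_SIZE))  # adjacent bytes always differ
    img[SIG_START:SIG_END] = SIGNATURE
    img[OTHER_PAD:OTHER_PAD + 8] = b"\xCC" * 8
    return bytes(img)

def detected(img: bytes) -> bool:
    """Simulated AV engine: plain substring match on the planted pattern."""
    return SIGNATURE in img

def zero(img: bytes, start: int, end: int) -> bytes:
    """Copy of img with [start, end) filled with 0x00 (Hex Workshop's 'Fill')."""
    buf = bytearray(img)
    buf[start:end] = b"\x00" * (end - start)
    return bytes(buf)

def locate_signature(img: bytes, scan: Callable[[bytes], bool]) -> Tuple[int, int]:
    """Binary search for the detected range [start, end), one scan per step.

    Zeroing the tail [e, len) breaks detection exactly when e is below the end of the
    signature, so the smallest e that keeps detection is the end; zeroing the head
    [0, s) likewise gives the start. Caveats: signature edge bytes that are already
    0x00 are invisible to this probe, and disjoint chunks yield their covering span.
    """
    if not scan(img):
        raise ValueError("file is not detected to begin with")
    if scan(zero(img, 0, len(img))):
        raise ValueError("all-zero file still detected: signature is not byte-based")
    lo, hi = 0, len(img)   # zero [lo, len) -> undetected; zero [hi, len) -> detected
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if scan(zero(img, mid, len(img))):
            hi = mid
        else:
            lo = mid
    end = hi
    lo, hi = 0, len(img)   # zero [0, lo) -> detected; zero [0, hi) -> undetected
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if scan(zero(img, 0, mid)):
            lo = mid
        else:
            hi = mid
    return lo, end

def confirm_signature(img: bytes, scan, start: int, end: int) -> bool:
    """Zeroing the range must kill detection; keeping only the range must preserve it."""
    only_range = zero(zero(img, 0, start), end, len(img))
    return (not scan(zero(img, start, end))) and scan(only_range)

def find_int3_runs(img: bytes, start: int, end: int, min_len: int = 4) -> List[Tuple[int, int]]:
    """Runs of >= min_len 0xCC bytes inside [start, end): candidate padding.
    A lone CC may be an operand of a real instruction; only runs that follow a
    function's final RET/JMP are safe, so confirm in a disassembler as the article does."""
    runs, i = [], start
    while i < end:
        if img[i] != 0xCC:
            i += 1
            continue
        j = i
        while j < end and img[j] == 0xCC:
            j += 1
        if j - i >= min_len:
            runs.append((i, j))
        i = j
    return runs

def patch_int3_to_nop(img: bytes, offset: int, count: int = 1) -> bytes:
    """Replace count INT3 bytes (CC) at offset with NOP (90); refuse anything else."""
    buf = bytearray(img)
    for k in range(count):
        if buf[offset + k] != 0xCC:
            raise ValueError("byte at %#x is %#04x, not INT3" % (offset + k, buf[offset + k]))
        buf[offset + k] = 0x90
    return bytes(buf)

if __name__ == "__main__":
    img = build_sample_image()
    start, end = locate_signature(img, detected)
    runs = find_int3_runs(img, start, end)
    print("signature %#x-%#x confirmed=%s, INT3 runs inside: %s"
          % (start, end - 1, confirm_signature(img, detected, start, end), runs))
    print("detected after one CC->90 edit:", detected(patch_int3_to_nop(img, runs[0][0])))
```

Two binary searches cost about 2·log2(filesize) scans, roughly thirty for a 36 KB file, instead of the open-ended series of manual halvings; each probe is written to a fresh copy, matching the article's rule of never stacking edits. The confirmation step matters: if keeping only the located range no longer trips the scanner, the detection depends on more than one contiguous pattern and the range has to be widened or the search repeated per chunk.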
How to see the PE-header signature dump
Antivirus results: