This article will demonstrate how an average PC user can create a piece of
malicious software in minutes that will be undetected by all the major
anti-malware scanning engines.
This article is for informational purposes only .
It is well-known in blackhat circles that a new piece of malware, coded from
scratch, will almost always bypass signature-based malware scanners. What is
less known is that the skill needed to do this is minimal at best - an average
user with no programming experience can cut and paste a few lines of code
together and create a undetected malicious executable in 3 easy steps.
Most anti-virus scanners rely on a database of signatures for known viruses.
Once a new virus is spread wide enough that it has been identified as malicious,
the anti-virus vendors scramble to come up with a fingerprint to identify that
strain of malware in the future. The obvious flaw in this process is that a new
piece of malware will bypass the scanners by default, until it is widespread
enough to be noticed by security researchers or picked up by a dummy node. There
is always a window of opportunity for new malware between the time of deployment.
Step 1: Commands to execute
Here we compile the DOS commands that our malware will execute into a DOS batch
file. As a simple proof of concept, let’s add a new user, disable the XP
firewall, and create a directory on the C drive.
@echo off
net user hacksafe hacksafe /add
net stop “Security Center”
net stop SharedAccess
netsh firewall set opmode mode=disable
mkdir c:\haxed
Save the above as a filename.bat
Step 2: Compile to an executable
Experienced DOS users may remember a number of utilities that were able to
convert a batch file into an executable (com or exe). These tools basically wrap
a shell call around each of our commands and bundle the whole thing up into a
tiny .exe file. One of the most well known is BAT2EXEC released by PC Magazine
in 1990.
creating our malware
Our tiny executable COM file is ready to go.
Step 3: Test and Deploy
We now have a custom executable that runs some obvoiusly malicious commands:
disabling the firewall and adding a new user. If we were to email this file to a
target, surely any modern anti-virus scanner would pick this up as a simple
batch file and alert us to the malicious code… right?
No patterns exist for this new piece of malware - it’s unrecognised by
signature-based scanners. Heuristics and sandboxing may alert to suspicious
activity, or email filtering may prevent our executable from reaching the
target, but the primary mechanism of anti-malware protection has been defeated
in a matter of seconds with little knowledge or skill on the part of the
attacker. If the target user were to run our executable, the only indication of
malicious activity would be a command prompt quickly appearing and disappearing
on the desktop.
Step 4 (Optional):
A typical malware author would take the created executable and mangle it in
various ways to make it harder to detect - using tools such as encrypters,
packers, scramblers and EXE binders. The malicious code may be bundled with a
legitimate executable, or packed with a rootkit or other remote access utility.
Example: Creating a simple dropper
A dropper is a small piece of malware designed to “drop” another peice of
malware onto a system. It usually comes in the form of a simple executable that,
when executed, retrieves a file from a hardcoded web or ftp site and executes it
(usually a rootkit or botnet suite).
