Nmap Development mailing list archives
Re: False positives on antivirus
From: Ron <ron () skullsecurity net>
Date: Thu, 28 Jan 2010 12:55:52 -0600
On Thu, 28 Jan 2010 13:43:10 -0500 Michael Pattrick <mpattrick () rhinovirus org> wrote:
> On Thu, Jan 28, 2010 at 10:57 AM, Ron <ron () skullsecurity net> wrote:
>> 1. Encode the file in a simple way
>> --> Didn't work in the simplest case, because some a/v still detects it
>
> Out of curiosity, what did you try?
I should have linked to the other thread, it was sort of off topic, but eh? I tried xor'ing every byte by a static value, which failed, spectacularly. We found a couple ways that DO work, such as by prepending a null byte to the file, replacing the 'MZ' at the start with something else, etc. But like I said, it's a matter of time before some kind of malware does the same thing and we start getting picked up again.
>> 2. Encrypt the file properly
>> --> No reason that it wouldn't work (though I've said that before and was very wrong ;) )
>> --> Dependency on OpenSSL (dependency already exists)
>> --> Will take me awhile to implement (I'm going to be rather busy for the next month or so)
>
> I'd argue that we don't need to go as far as a dependency on OpenSSL just to trick antivirus programs. The attached file implements a simple - small - stream cipher, which should be able to trick all antiviruses. The encryption operation is the same as the decryption operation, so it should be convenient to use.
That's true, but we already have a dependency on OpenSSL (you would never get to this point without it), so it makes more sense (and requires less code) to just use one of their crypto routines.
> -M
--
Ron Bowes
http://www.skullsecurity.org

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/