The Trojan uses the“free kill”evading anti-virus techniques-vulnerability warning-the black bar safety net

ID MYHACK58:62200717824
Type myhack58
Reporter 佚名
Modified 2007-12-17T00:00:00


Today, talk about horses can be described as color change. Trojan indeed than the conventional virus more ruthless, monitoring your operation, devouring your privacy, destroy your data. We install the latest antivirus software and daily patch updates, and the firewall is always protected, but why also in Trojan.

Because, there is a Trojan calledfree kill it!

First of all remind everyone that thefree to killis a relative term, for the current in terms of technology, the Trojan horsefree killthe success rate is not high, in the multi-engine detection on the basis of it. But user-installed security software is relatively simple, so having a targeted production offree to killTrojans, for individual users, it is absolutefree kill.

Next we will look at the hackers is by what way to achievefree killobject.

We first make an ordinary gray pigeons Trojan server, then on the VirusTotal multi-engine system in the scan, can be found, the vast majority of antivirus engines are able to identify the Trojan.

Free to killmethod is generally divided into the encryption code, flower instructions, plus housing, modify the program entry and handmade DIY PE. As for the hand operation is not recommended, because this method of making out the program effect is good, but too complex and requires a strong Assembly language basic, and the Windows kernel has a certain awareness.

  1. Code

MaskPE containing a variety of information modules, you can easily modify the program instruction, disrupt the source code, for the use of the identification code of the virus security software is very effective. Load File after selection of an Information mode, and finally Make File.

  1. Flower instructions

Flower instruction is some of the Assembly instructions. Originally used in the Crack, but now more is introduced to the Trojan modified. This method allows the antivirus software can not properly determine the virus file of configuration. For the use of the file header to extract the characteristic codes of the virus with special lethality.

Add flower instruction method can be used in debugging tools, since we later also added a shell process, in fact, directly with super flower method of instruction modification on it, the module self-selection.

  1. The packers

In fact, currently the packers for many antivirus protection against usefulness is not large, not only due to the antivirus software itself identifies the housing capacity enhancement, more is added to the housing after the Trojan itself hurt a lot, especially some Trojan Server default has been made through the housing operation, if the secondary packers, likely causing the program to start the exception.

Popular methods of can choose some unconventional housing: for example, NsPack or Private exe Protector on. We use Private exe Protector on the service side for processing. Select the“protection and compression resources”as well as“anti-debugging and tracking”options.

  1. Entry point

Finally, modify the program entry point, its purpose and the packers are similar, is to make antivirus are not from the hack program entry point to get the source code. Modify the way you can use the FEPB, the Ollydbg or PEditor. Load after you find the“entry point”information, then the original value on the basis of adding an integer value after the Save.

Has now completedfree killprocess, re-enter the VirusTotal scan, found can be identified as a virus the antivirus engine has not much.

A few tips:

  1. Free to killafter the processing of the program is the best in a virtual machine or sandbox system to test it, because the auto-encryption mode is likely to cause a program exception. If an exception occurs, can be in operation during the replacement of the encryption module.

  2. This article mentions the method to different versions of the Trojan to modify the results are inconsistent, add the user to try.

  3. Anyfree killare impossible to do 1 0 0%, so we guard againstfree killTrojan the best way is to install the Proactive Defense software.