A False Sense of Security : AntiVirus Part II
Previously, we touched on the concept that AV is not infallible, as advertisers would lead you to believe. This post is the continuation of that study.
What better way to test AV than to use a well-known "hacker" tool, NetCat, for our test?
To begin, I needed a baseline to work from. Using VirusTotal I scanned the binary and took note of the results. You can view the page here.

NetCat is a tool whose code has been ported across multiple platforms. NetCat is dubbed "The Network Swiss Army Knife" and it lives up to its reputation and then some. If you need more information about NetCat, go here. For this purpose, however, all you need to know is that it is detected by at least half of the anti-virus solutions catalogued at VirusTotal because of its classification as a hacker tool, and that VirusTotal's AV listing is by no means a complete list, rather the most popular / most visible / etc.
To test our list of AVs, I thought it would be interesting to upload Solitaire (SOL.EXE), which is bundled with Windows, renamed as "netcat.exe" and "nc.exe".
Before doing this, however, I needed to alter the MD5 checksum of the executable so that VirusTotal would do a fresh scan of the binary instead of loading cached results based on an MD5 match with another user's upload.
Using MD5Generator.info, I determined our virgin executable's MD5 to be:
SOL.EXE - MD5 4b27277692bbbfa196e9b3013000781e
Then, using a hex editor, I changed it, as you can see in the screenshot below.
File Upload: sol.exe
SOL.EXE - MD5 4b27277692bbbfa196e9b3013000781e - Original MD5
SOL.EXE - MD5 d8be1ecd116115decb64c318339bcbfe - New MD5

After uploading the executable, there was no detection, so it's safe to say there is no file-name-based detection. That is a good sign, because file-name matching would, in my eyes, completely discredit an AV product.
Switching gears, it was time to make NetCat invisible. In order to accomplish this, we must take the mindset of a nefarious individual. We need to use a packer or two, so I downloaded the open source executable packer UPX to start with, for two reasons. Firstly, it is open source, so it is free, and secondly it supports an unpacking routine to undo the packing applied to an executable. This is relevant because a good antivirus should support unpacking a known, trivial packer such as UPX. For context, a packer is legitimately used to compress an executable's file size. Unfortunately, it can also mask an executable's true identity.
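The hash-altering step above is worth seeing in code, because it shows exactly why a scanner that keys on a whole-file hash is brittle while a byte-pattern signature is only as good as where the pattern sits. The following is an added example written for this post, not code from the original article or from any AV vendor: the "executable" is a constructed byte string, the "signature" is a made-up pattern, and the two detectors are toy stand-ins for a hash lookup and a signature scan.

```python
import hashlib

# Constructed stand-in for an executable. The bytes are invented for this demo;
# they are not taken from SOL.EXE, netcat, or any real program.
SAMPLE = (
    b"MZ" + b"\x90" * 60            # fake DOS header / padding
    + b"PE\x00\x00"                 # fake PE signature
    + b"hello, this is the program body"
    + b"\x00" * 64
)

# Constructed "signature": a byte pattern a signature-based scanner would look for.
SIGNATURE = b"this is the program"


def md5_hex(data: bytes) -> str:
    """Whole-file MD5, the value VirusTotal keys its cached results on."""
    return hashlib.md5(data).hexdigest()


def flip_byte(data: bytes, offset: int) -> bytes:
    """Return a copy with one byte changed (what a single hex edit does)."""
    buf = bytearray(data)
    buf[offset] ^= 1
    return bytes(buf)


def hash_detects(data: bytes, known_hashes: set) -> bool:
    """Detection by exact file hash: matches only the identical file."""
    return md5_hex(data) in known_hashes


def signature_detects(data: bytes, signature: bytes) -> bool:
    """Detection by byte pattern: matches any file that still contains the pattern."""
    return signature in data


def compare(original: bytes, offset: int) -> dict:
    """Edit one byte at `offset` and report how each detector behaves before and after."""
    known = {md5_hex(original)}
    modified = flip_byte(original, offset)
    return {
        "md5_changed": md5_hex(modified) != md5_hex(original),
        "hash_match_original": hash_detects(original, known),
        "hash_match_modified": hash_detects(modified, known),
        "sig_match_original": signature_detects(original, SIGNATURE),
        "sig_match_modified": signature_detects(modified, SIGNATURE),
    }


if __name__ == "__main__":
    # Edit in the padding: hash lookup fails, pattern signature still fires.
    print(compare(SAMPLE, 10))
    # Edit inside the signature region: both detectors now miss.
    print(compare(SAMPLE, SAMPLE.index(SIGNATURE) + 3))
```

The takeaway for the defender is in the second call: a hash list is defeated by any edit at all, and a byte signature is defeated by an edit inside the bytes it was cut from. Signatures therefore need to be taken from code the file cannot function without, and backed by unpacking and behavioural checks rather than relied on alone.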
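Since the point of the UPX step is that a competent scanner should recognise a trivially packed file and unpack it, here is the cheapest form that recognition takes: reading the PE section table and looking for the fingerprints UPX leaves behind (sections named UPX0/UPX1, and a first section whose raw size on disk is zero while its virtual size is large). This is an added example for this post, not UPX's or any AV product's code. The PE files it parses are constructed in-line from headers only, so they are not loadable programs; the field offsets are those of the standard PE/COFF layout, and the heuristic thresholds are assumptions.

```python
import struct

PE_SIG = b"PE\x00\x00"
SECTION_HDR = "<8sIIIIIIHHI"      # standard 40-byte IMAGE_SECTION_HEADER layout
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR)


def pe_sections(data: bytes) -> list:
    """Return (name, virtual_size, raw_size) for every section in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                                         # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]     # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                # section table start
    sections = []
    for i in range(num_sections):
        name, vsize, _va, rsize, *_ = struct.unpack_from(
            SECTION_HDR, data, table + i * SECTION_HDR_SIZE)
        sections.append((name.rstrip(b"\x00").decode("ascii", "replace"), vsize, rsize))
    return sections


def packer_indicators(data: bytes) -> dict:
    """Cheap UPX heuristics a scanner can apply before deciding to unpack."""
    secs = pe_sections(data)
    upx_names = [n for n, _, _ in secs if n.upper().startswith("UPX")]
    # UPX0 is typically an all-virtual section: zero bytes on disk, large in memory.
    hollow = [n for n, vsize, rsize in secs if rsize == 0 and vsize >= 0x1000]
    return {
        "sections": [n for n, _, _ in secs],
        "upx_named_sections": upx_names,
        "hollow_sections": hollow,
        "likely_upx": bool(upx_names) or bool(hollow),
    }


def build_pe(sections) -> bytes:
    """Constructed header-only PE for the demo (assumption: not a runnable image)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)      # e_lfanew -> 0x40
    opt = b"\x00" * 8                                           # dummy optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack(SECTION_HDR, name.encode().ljust(8, b"\x00"),
                    vsize, 0x1000, rsize, 0x400, 0, 0, 0, 0, 0x60000020)
        for name, vsize, rsize in sections)
    return dos + PE_SIG + coff + opt + table


# Constructed samples: an ordinary layout and a UPX-style layout.
UNPACKED = build_pe([(".text", 0x2000, 0x2000), (".data", 0x400, 0x400)])
PACKED = build_pe([("UPX0", 0x8000, 0), ("UPX1", 0x3000, 0x3000), (".rsrc", 0x400, 0x400)])

if __name__ == "__main__":
    print(packer_indicators(UNPACKED))
    print(packer_indicators(PACKED))
```

Section names are trivial to rename, so `upx_named_sections` alone proves nothing; the hollow-section check survives a rename because it reflects how the packed image is laid out. Either indicator should only be a trigger for the scanner to run its unpacker and scan the real code, which is the behaviour the UPX test in this post is probing for.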
In A False Sense of Security : AntiVirus Part III, I will conclude the series with video and screenshots of my results. Because of the amount of information, I decided to split this series into three separate parts, saving the biggest for last.
You may not expect the results.
Stay tuned, and while you're at it, tell me what you think.
A False Sense Of Security : AntiVirus Part I
It's become apparent to me that many people have a false sense of security with AntiVirus. I've read LinkedIn questions asking "What is the best AntiVirus for my home computer?" and even worse I read suggestions from people touting that AVG free is an acceptable solution.
Today's post takes a look at AntiVirus.
"Are you really secure?" asks David Rook, who has a good write-up on the same topic. In his blog, Dave hex-edits an old trojan to bypass AV trivially. What's troubling is that known viruses can evade AV largely because of its "signature" detection design. Signature-based detection works on a superficial level: it takes a block of code from a known virus and bangs it up against the file being scanned. If there is a match / partial match / etc., the program may be flagged as a virus.
We have seen from David Rook's post that many anti-virus products were defeated by a simple byte change in a hex editor. In what other ways have anti-virus products been beaten, and what does that mean for the consumer?
So, I took inventory of what tools would be necessary: a hex editor, a debugger (OllyDbg / WinDasm32), a packer or two (UPX), and Code Pervertor.
The surprising results are to be included in Part II.
Tell me what you think.