Re: dumping hashes on box w/ Norton AV

From: Bill Stout (billbrietstout@yahoo.com)
Date: Fri May 11 2007 - 01:49:12 EDT


I found it to be surprisingly easier than I thought it should be.

For a specific program (like fgdump), each AV vendor has their own secret way to detect the program by inspecting its bits, or in some cases, behavior. If you compiled your own version of fgdump, most likely it would not flag AV.

Once the AV community realizes your exe or script is 'malware', then it'll get flagged after the user updates their signatures. I know from experience by writing the first few versions of a security test (http://www.wilderssecurity.com/showthread.php?t=150840) with Dror Shalev. A few exploits got by AV, then once the AV community (esp. competing vendors) heard about it, they'd make their defense know about the exploit.

I found a few simple things are not protected on some PCs, .hta (hypertext application) files are allowed to run now, obfuscating scripts will bypass AV, there's a DOS command line buffer overflow which triggers DEP (c:\> %comspec% /k "dir \\?\AbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyz"), etc.

The exercise made me realize that if someone wanted to get into a specific protected PC, it wouldn't be that difficult. However, if someone wanted to get into every protected PC, then the AV community makes it really difficult.

Bill Stout
(Not working anywhere at the moment)

----- Original Message ----
From: Neil <neil@horizontheory.com>
To: pen-test@securityfocus.com
Sent: Thursday, May 10, 2007 3:03:57 PM
Subject: dumping hashes on box w/ Norton AV

When I tried to run fgdump against a DC with Norton AV Enterprise
running on it, Norton AV was able to block & flag it. At the time, it
wasn't a big deal (well, it was a good thing, since that meant the
server was that much more secure); but now I'm a bit interested in what
methods could be used to get around these sorts of mechanisms.

How do you slip your tools past the AV when it flags and deletes them on
the spot?

-- 
Neil. 
------------------------------------------------------------------------ 
This List Sponsored by: Cenzic 
Are you using SPI, Watchfire or WhiteHat? 
Consider getting clear vision with Cenzic 
See HOW Now with our 20/20 program! 
http://www.cenzic.com/c/2020 
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:47 EDT