Tuts 4 You

signatureZero


a_tek7

Recommended Posts

Posted

Hi.

Can anybody tell me how signatureZero works? I mean its coding technique, not a tutorial.

Does anybody have some source like that?

10x in advance.

Posted

I hope you do not mean that application used to hide malware from antivirus by finding the right offsets to manipulate? :X

Posted
I hope you do not mean that application used to hide malware from antivirus by finding the right offsets to manipulate? :X

Yes, I mean that, but if it's against the rules of the site, no noooooooo. :laugh: And my new question: I saw a movie where they hide a trojan, but when they find the right offset, they NOP those offsets with a hex editor. The problem is, how is it possible to NOP some parts of an exe file and still have an exe file that runs correctly?

Posted (edited)

Having seen this video out of plain curiosity,

I think that this technique is all about determining a particular threat's AV signature via heuristics (nullify parts of the code in a planned manner, watch the AV results, then narrow down the boundaries till you get the exact location of the signature).

Once the location of the signature is determined, you can't just nop it, you must rewrite that part of the code in a way that will still remain functional, but will screw up AV detection (mess up the signature).

Having said that, it's a really, really lame technique (or, more correctly, a technique for lamers). If you have mediocre skills, you can write your own PC pests (please don't) that don't have a known signature, not using anyone else's shiz. :dots:

Edited by HVC
Posted

Just had a nice answer in fast-reply, but something disrupted my circuit... :/

Like HVC said, you cannot simply put some NOPs here and some NOPs there and still expect the file to run like it did before (except for not being detected by anti-virus engines). You will probably mess some code up; you'd have to analyse the offset such a program gives you.

It seems like signatureZero simply splits the malware into parts and copies them to disk (this is where an engine scans them on the fly): first 100 bytes, then first 200 bytes, then... increasing the offset each time. I don't think it's good to talk about such stuff on a reversing board without mentioning counter-measures. Anyway, good AV heuristics will probably get the malware in the end if one simply relies on such lame blind overwriting stuff.

I was thinking about writing some essay about malware hiding techniques and what AVs could do against that, but seeing this thread I don't think it would be put to "good" use. :(

Posted
I was thinking about writing some essay about malware hiding techniques and what AVs could do against that, but seeing this thread I don't think it would be put to "good" use. :(

Dear metr0

It was just a question, and I think that this is a place for improving our knowledge and asking questions of my lovely friends, and I did not mean to learn a lame technique to annoy other people. I asked that just for knowledge and not for misuse. I wanted to know about its code and learn it.

Posted

No harm meant, maybe I expressed myself a bit too drastically. ;)
