Let's face it, decent information on this trade has become as hard to find as the second-to-last screen in level 8-4 of Super Mario Brothers... You know, the one that required running under the Hammer Brother and jumping over the infamous lava pit of death! I am assuming in noding this that E2 can handle this sort of information. Also, not unlike an informational suicide node might state, I believe it is important to have the information out there. So here's a step by step, 'cuz it's something that everyone might as well know.

You will need ...

Begin by creating a new directory and placing your Trojan server.exe in it. Then run an AV scan over the directory... it should identify the executable as a computer virus.
Next, use the file splitter to cut the exe into separate 1 MB sections and run your AV over the directory again. It should, once more, flag one of the pieces as a virus.

Feel free to /dev/null-ify the other files.

Keep right on splitting that (now 1 MB) partial exe into smaller sections 'til you get it smaller than the IQ of your average McDonald's cashier, but still large enough to trigger the antivirus.
When it's down to about 24 bytes, delete the last byte and run your AV... then delete the next-to-last byte and run it again... and repeat 'til the AV fails to recognise it.

Example:

... 93 05 B4 4A CD 21 ~ Spotted as Trojan
... 93 05 B4 4A CD ~ Spotted as Trojan
... 93 05 B4 4A ~ NOT spotted as Trojan
Then replace the last byte...

... 93 05 B4 4A CD

Now let's make like the starting bytes are toenails and trim them the same way (O.K., so I was hurting for some more hard-links). Delete them one at a time 'til your AV no longer recognises the file as a Trojan.

22 23 51 8C DB 8E C3 ... ~ Spotted as Trojan
23 51 8C DB 8E C3 ... ~ Spotted as Trojan
51 8C DB 8E C3 ... ~ Spotted as Trojan
8C DB 8E C3 ... ~ NOT Spotted as Trojan

Again, replace the last byte you removed.

51 8C DB 8E C3 ... 93 05 B4 4A CD

Now you should have the smallest number of bytes (maybe about 12) that the AV program will recognize as being the Trojan. Onerous Congratulations, you just found the viral signature. /Insert happy emoticon here

Now you need to find where that sequence of bytes occurs in the original .exe; let's say it is at offset 0D98:0348.

Load your server.exe into Microsoft's 'debug' program with the DOS command 'debug server.exe', go to that offset, then use the U (unassemble) command to disassemble the bytes.

51 8C DB 8E C3 8B 1E 93 05 B4 4A CD

0D98:0348 51 PUSH CX
0D98:0349 8CDB MOV BX,DS
0D98:034B 8EC3 MOV ES,BX
0D98:034D 8B1E9305 MOV BX,[0593]
0D98:0351 B44A MOV AH,4A
0D98:0353 CD21 INT 21

Side note:
PUSH CX pushes the CX register onto the stack, and the following instruction MOV BX,DS neither reads nor alters CX -or- the stack (and PUSH CX doesn't touch BX)... so it is fairly safe to assume we can swap these two instructions and it won't make a difference to the execution of the program.

So ...

we hexedit '51 8C DB 8E C3':

0D98:0348 51 PUSH CX
0D98:0349 8CDB MOV BX,DS
0D98:034B 8EC3 MOV ES,BX
so that it becomes '8C DB 51 8E C3':

0D98:0348 8CDB MOV BX,DS
0D98:034A 51 PUSH CX
0D98:034B 8EC3 MOV ES,BX
Then save your new server.exe.

Since bytes in the signature have been switched, it should no longer register as a Trojan on your AV. Test it to make sure it still works as expected... it should if you are careful about which two instructions you switch.

Also, remember that only one byte of the signature needs to change... so don't worry if one of the instructions you chose is partially or even completely undressed er... em... outside (getting bored at this point of noding, sorry again for the shoddy writing) of the signature bytes, as long as the swap results in some change within the signature.

NOTES:

Not all antivirus programs use the same set of bytes for a signature, so check your new file against other popular AV programs too. You may need to repeat the whole process several times before it becomes immune to a majority of the major AV programs. You may also need to do the same with any supporting .DLLs that the server installs on the remote, since these normally have telltale signatures too.

Once you have a new version, just remember... DON'T post it if you want to use it! If it is widely distributed it will eventually meander onto the AV vendors' lists as a "new strain." It is O.K. to look at pornography on the internet, but it's not O.K. if you are related to or dating the person you are looking at! Treat your customized trojan in this manner.