How to bypass Anti-Virus Systems

The goal is to take a trojan or backdoor that AV software already detects and change it so the scanner no longer recognises it.
As you know, AV scanners identify viruses, trojans and backdoors mainly by signatures: characteristic byte sequences (or hashes) taken from known samples and stored in the scanner's database. File name and file size are not what the scanner relies on, and the header alone is not the signature either; the scanner compares the bytes of the file against the patterns in its database. When a file such as trojan.exe is flagged as "Backdoor/Trojan xxx", it means some bytes in that file matched a database entry. So if we change the bytes of the file while keeping the program working, the old signature no longer matches.

How do you change an executable file's contents?
Do you know anything about "ZIP"?
I mean the most common kind of file compression. A compressor reads our file and replaces its entire data with a different, shorter encoding of the same information. I won't explain how compression works here. The point I want to make is that after compression the bytes of the file, header included, are different from the original.

So we are going to compress the EXE file. We won't change the extension to .zip or anything else: an executable packer compresses the program's code and data and prepends a small decompressor (the stub), so the result is still a runnable .exe whose bytes on disk no longer look like the original.
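To make the mechanism concrete, here is an added example in Python; it is my illustration and not code from the original tutorial or from UPX. It shows a naive signature scanner that matches a byte pattern, a stand-in packer built from zlib plus a fake stub tag (UPX's real algorithm and stub are different; zlib only models the effect on the bytes), and a scanner that recognises the stub and unpacks before matching. The sample body, the signature database and the stub tag are all constructed here for the demo.

```python
import hashlib
import zlib

# Constructed sample "backdoor" body: a harmless byte string with one
# distinctive phrase an AV vendor could have turned into a signature.
SAMPLE_BODY = b"\x00" * 64 + b"connect-back shell v1.3 listening" + b"\x00" * 256

# Constructed signature database: (detection name, byte pattern).
SIGNATURES = [("Backdoor.Demo", b"connect-back shell v1.3")]

# Stand-in for a packer's loader stub; a real UPX file carries the
# decompressor code plus its "UPX!" marker instead of this tag.
STUB = b"DEMO-PACK"


def scan_static(data, sigs=SIGNATURES):
    """Naive scanner: match patterns against the bytes as stored on disk."""
    return [name for name, pattern in sigs if pattern in data]


def pack(data, level=9):
    """Model of an executable packer: compress the body, prepend a stub.
    The level (1-9, like upx -1 .. -9) changes the compressed bytes."""
    return STUB + zlib.compress(data, level)


def is_packed(data):
    return data.startswith(STUB)


def unpack(data):
    """What the stub does at run time, and what an AV unpacker does before scanning."""
    if not is_packed(data):
        raise ValueError("not packed with the demo stub")
    return zlib.decompress(data[len(STUB):])


def scan_unpacking(data, sigs=SIGNATURES):
    """Scanner that recognises the stub and scans the restored body instead."""
    return scan_static(unpack(data) if is_packed(data) else data, sigs)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    p9, p6 = pack(SAMPLE_BODY, 9), pack(SAMPLE_BODY, 6)
    print("original :", scan_static(SAMPLE_BODY), sha256(SAMPLE_BODY)[:16])
    print("packed -9:", scan_static(p9), sha256(p9)[:16])
    print("packed -6:", scan_static(p6), sha256(p6)[:16])
    print("unpacking scanner on -9:", scan_unpacking(p9))
```

Each level yields a different file and a different hash, and the naive scanner misses all of them; the unpacking scanner finds the same signature in every one, which is why vendors add unpackers rather than one signature per level.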

Introducing: UPX
Ultimate Packer for eXecutables
Copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24w Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

-1 compress faster -9 compress better
-d decompress -l list compressed file
-t test compressed file -V display version number
-h give more help -L display software license
-q be quiet -v be verbose
-oFILE write output to `FILE'
-f force compression of suspicious files
-k keep backup files
file.. executables to (de)compress

This version supports: dos/exe, dos/com, dos/sys, djgpp2/coff, watcom/le,
win32/pe, rtm32/pe, tmt/adam, atari/tos, linux/386

As you can see, it's a "Packer for eXecutables". The exact thing we need ;)

Assume we have a back-door which AV detected.

Directory of C:\

11/07/2002 02:13 PM 94,208 UPX.EXE
12/15/2003 11:50 PM 190,464 bd.exe

We are going to pack the file.
C:\>upx -9 bd.exe

The parameter I used, -9, is the compression level; there are nine levels, from -1 (fastest) to -9 (best compression). UPX packed the file and, as you can see, the size has changed, and with it the bytes, header included. The packed bd.exe still behaves exactly like the original, because the stub decompresses the program in memory when it runs, but on disk it has a different size and different contents. A scanner whose database only holds a signature for the unpacked file will often miss the packed copy.

An AV scanner may still detect it if it knows both the original and the packed build. If you look closely, though, you'll often find that a vendor only has a signature for the original, and when a packed build has been added it is usually the one produced at the default or maximum level. So when the packed file is still flagged, we try UPX's other compression levels against bd.exe, since each level produces a different compressed payload. One caveat to keep in mind: the level only changes the compressed data, not the UPX stub or its section names, and many scanners simply recognise UPX and unpack the file before scanning it, in which case no level will help.
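To see why that caveat holds, here is an added example of my own (not from the tutorial, not from UPX) that does what a scanner does first: parse the PE section table and look for the section names UPX writes (UPX0, UPX1, UPX2) and the "UPX!" marker it stores in the packed file. The two PE-shaped byte strings are constructed inside the block and are not loadable programs; only the section names and the marker are the ones UPX itself uses.

```python
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MARKER = b"UPX!"  # magic in the pack header UPX leaves in its output


def pe_section_names(data):
    """Return the section names of a PE file, or raise ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def upx_indicators(data):
    """Cheap static indicators of UPX packing, the kind a scanner checks first."""
    names = pe_section_names(data)
    return {
        "upx_sections": [n for n in names if n in UPX_SECTION_NAMES],
        "upx_marker": UPX_MARKER in data,
    }


def looks_upx_packed(data):
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_marker"]


def build_fake_pe(section_names, tail=b""):
    """Constructed minimal PE-shaped bytes for the demo: DOS stub, PE signature,
    COFF header with SizeOfOptionalHeader=0, then bare section headers."""
    pe_off = 0x40
    dos = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", dos, 0x3C, pe_off)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections + tail


if __name__ == "__main__":
    packed = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], tail=b"\0\0UPX!\0\0")
    plain = build_fake_pe([b".text", b".data", b".rsrc"])
    print("packed:", pe_section_names(packed), upx_indicators(packed))
    print("plain :", pe_section_names(plain), upx_indicators(plain))
```

Renaming the sections or patching the marker defeats this particular check but not an engine that recognises the stub's code or just runs the file in an emulator; that is the reason the choice of compression level rarely matters against a scanner with an unpacker.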

C:\>upx -6 bd.exe

Often the scanner won't have a signature for this build. If it still detects the file, try the other levels; there are nine to choose from.

Decompressing an Exec File Compressed With UPX
When you get this error while trying to UPX your file:

C:\>upx -5 bd.exe
upx: bd.exe: AlreadyPackedException
Packed 1 file: 0 ok, 1 error.

UPX is telling you that the file you are trying to compress is already packed. UPX refuses to pack its own output a second time (unlike an ordinary archive, where you can put a .zip inside another .zip). So what should we do?

UPX has a "-d" switch.
Its job is to decompress an already packed file.
First decompress your file with -d.

C:\>upx -d bd.exe

As you see, the file has changed again: -d restores the original, unpacked bd.exe with its original size and contents. That is also the version the AV knew in the first place, so on its own this step does not hide anything. What it gives you is a clean, unpacked file that UPX will accept again, so you can repack it at a different level if the AV still warns. Don't forget we have nine levels to choose from.

Introducing Morphine
You can also use a second program called Morphine. It basically does the same job as UPX: it changes the contents of the file so that it looks different while still functioning the same.

Now if you use both UPX and Morphine you've got a 95% chance any AV system won't detect it! I have tested this on my computer. I compressed SubSeven with both these programs and then tried to infect my computer, which has Norton AntiVirus 2005 Professional with fully updated virus definitions on a Windows XP machine. And it doesn't detect it!! Usually once you move your mouse over it for a second NAV deletes it. But not this time!

You can get the two programs introduced in this paper at my website, in the downloads section.

Have fun with these progs! ;)