2 malware video tutorials by Fifo


Vrane
March 14th, 2007, 14:32
by Fifo

Modifying Malware To Make Them Undetectable, [video tutor]

http://rapidshare.com/files/20951367/ModifyingMalware.rar

Finding Signatures Detected In Malware, 2nd video tutor

http://www.megaupload.com/?d=AI0HNDQG


EDIT: see post below for direct links to these files and the codec required to view them - Kayaker

naides
March 14th, 2007, 18:23
And your point is??

Vrane
March 14th, 2007, 18:34
nothing just posting tutorials..
it's forbidden or?

naides
March 14th, 2007, 19:18
Not forbidden, quite the contrary, encouraged. But the files that you posted, at least on the virtual machine I played them in, those AVIs contain only high-quality audio, with excellent guitar playing, by the way.
So my question stands:
Your point is??

(I made an ASS of myself)

Kayaker
March 14th, 2007, 22:12
Let's deal with this properly shall we..

Thank you Vrane for the contribution, much appreciated.

Since files never last long on those sites, I have uploaded them to the server for ever and anon.

They both require the TechSmith Screen Capture Codec, which I have also uploaded to the server, or you can get directly from the codec site:
http://www.techsmith.com/download/codecs.asp


http://www.woodmann.com/malware/Finding Signatures Detected In Malware_Fifo.zip
(127,877Kb)

http://www.woodmann.com/malware/Modifying Malware To Make Them Undetectable_Fifo.zip
(76,223Kb)

Codec for Windows Media Player:
http://www.woodmann.com/malware/TechSmith Screen Capture Codec.zip
(159Kb)


Cheers,
Kayaker

disavowed
March 15th, 2007, 01:48
OMG... a video codec that actually installs and works on Vista!

naides
March 15th, 2007, 05:04
I apologize to Vrane.
I had not installed the codecs inside the virtual machine, and neither Windows Media Player nor Nero player complained about the lack of codecs, so I thought you were playing a joke of some sort.

Vrane
March 15th, 2007, 08:06
hehe np

JMI
March 15th, 2007, 11:58
naides:

You've just experienced how an old American joke originated, which goes like this:

When you "assume," you make an "ass" out of "u" and "me."



We still luv ya anyway.

Regards,

disavowed
March 16th, 2007, 00:38
Or the Samuel L. Jackson way of saying it... "when you make an assumption, you make an ass out of 'u' and 'umption'."
(see http://www.imdb.com/title/tt0116908/quotes)

JMI
March 16th, 2007, 10:57
That movie was recently on one of my local channels and I watched it again.

Regards,

N8di8
March 17th, 2007, 13:21
I had a look at the "finding sigs" tutorial. The guy who made this tut seems to be an absolute beginner. There are dedicated tools for finding sigs (e.g., sigtool, girardin's offset finder, avpoffset, UK splitter, etc.). The burdensome procedure described in this tut is redundant. Also, the second tut is not the real deal. It confuses "undetected" with "undetectable". Moreover, it only deals with KAV. Other scanners use different sigs. Therefore, a different (holistic) approach is required in order to make malware "stealth".

But I like the sound of the tuts. So relaxing. Wish I had more time for reversing, coding, messing with malware *sigh*

FYI: there are tuts describing how to encrypt malware in memory with OllyDbg. This is really dangerous stuff.

FiFo
March 22nd, 2007, 17:14
u published the tutor without asking me!!!!

N8di8
March 22nd, 2007, 17:22
LoL. Now it's getting funny

Is a "bad" VXer entitled to copyright protection in a reverse engineering forum?

Kayaker
March 22nd, 2007, 17:56
The same copyright permissions were requested for the background music on the tutorials, I believe.

shellc0de
November 24th, 2010, 22:05
Quote (Originally Posted by N8di8;64469):
> ... Moreover, it only deals with KAV. Other scanners use different sigs. Therefore, a different (holistic) approach is required in order to make malware "stealth".
>
> But I like the sound of the tuts. So relaxing. Wish I had more time for reversing, coding, messing with malware *sigh*
>
> FYI: there are tuts describing how to encrypt malware in memory with OllyDbg. This is really dangerous stuff.


Sorry for bumping an extremely old topic, but I can't find any info on the subject of making malware undetectable with the search function except for this topic, so I'm going to add on to it and ask what this poster means by a "holistic" approach in order to make malware undetectable (at least until runtime). Now the obvious answer would be to pack it with Armadillo or something as powerful, but some antiviruses produce false positives if they detect certain packers' signatures, because only malware is packed with them. I'm looking for a way for someone to do it manually, aka with OllyDbg and a hex editor, or even my own unpacker built right into the program (pack it with some Python script, store the bytecode in a text file, put the unpacking stub in the actual .exe and paste the bytecode right after it). Something like that. Obfuscating and encrypting for the purpose of making something undetectable fascinates me and I can't find much material on it (well, I found a lot, but it was all made by script kiddies wanting me to run their programs). Thanks in advance!