A few weekends back I was wondering how malware evades antivirus solutions. Is it really that easy?
With that in mind I started looking at a known malware sample and randomly picked an anti-malware solution. To my surprise, AVs can still be tricked with an old technique such as the string substitution method, so today we will explore this very well known technique. For testing purposes I chose ncx as the test malware; it binds itself to port 99, and when someone connects to ncx it hands over a command prompt of the system.
First let's scan the unmodified malware to check whether it's detected or not.
As can be seen in the screenshot below, ncx is detected by our antivirus.
Let's split the file into small chunks. After a bit of trial and error I found that splitting into 17-byte chunks does not break any of the AV's signatures; the trick here is that we have to keep splitting the files as long as the AV keeps flagging them.
On scanning the split chunks, two detections were made by our AV, i.e. chunks 1 and 4 were identified as malicious.
Change lower case ‘cmd’ to upper case ‘CMD’ and save it.
Yes, no more detection!
In the sixth line of split chunk number 1, let's change upper case ‘S’ to lower case ‘s’ and save it.
Scan it again, and the AV no longer detects this chunk.
Finally, join the files back together.
Rename the joined file.
The scan shows no more detection 🙂
And we can see on execution that it is indeed listening on port 99.
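To show from the detection side why the case swaps above defeat the scanner, and what a signature author changes to close that gap, here is an added Python example (not code from the original post): a toy signature scanner with exact-byte patterns beside a case-insensitive version (the equivalent of a YARA `nocase` string), plus a chunked scan that mirrors the split-and-scan step. The rule names, patterns and sample buffers are constructed for illustration and are not any real AV's signatures.

```python
from __future__ import annotations
import re

# Constructed toy "signatures" for illustration only; not a real AV's rules.
# Each entry: (rule name, byte pattern the rule looks for).
SIGNATURES = [
    ("toy_bind_shell_cmd", b"cmd"),
    ("toy_bind_shell_banner", b"Shell bound"),
]


def scan_case_sensitive(data: bytes) -> list[str]:
    """Naive exact-byte matching: the kind of rule that a 'cmd' -> 'CMD'
    edit slips past, because b"CMD" is simply a different byte string."""
    return [name for name, pat in SIGNATURES if pat in data]


def scan_case_insensitive(data: bytes) -> list[str]:
    """Same patterns compiled with re.IGNORECASE, so flipping the case of
    a letter in the sample no longer changes whether the rule fires."""
    compiled = [(name, re.compile(re.escape(pat), re.IGNORECASE))
                for name, pat in SIGNATURES]
    return [name for name, rx in compiled if rx.search(data)]


def scan_chunked(data: bytes, chunk_size: int, scanner) -> dict[int, list[str]]:
    """Split-and-scan as a defender sees it: map chunk index -> rules that
    fire in that chunk. A pattern that straddles a chunk boundary is
    missed entirely, which is why a chunk size that does not break any
    signature has to be found by trial and error."""
    hits: dict[int, list[str]] = {}
    for i in range(0, len(data), chunk_size):
        found = scanner(data[i:i + chunk_size])
        if found:
            hits[i // chunk_size] = found
    return hits


# Constructed sample buffers: an "original" and one with the two case edits applied.
ORIGINAL = b"\x00" * 20 + b"Shell bound on 99\x00" + b"\x00" * 10 + b"cmd\x00"
EDITED = ORIGINAL.replace(b"Shell", b"shell").replace(b"cmd", b"CMD")

if __name__ == "__main__":
    print("exact-byte rules, original:", scan_case_sensitive(ORIGINAL))
    print("exact-byte rules, edited:  ", scan_case_sensitive(EDITED))
    print("nocase rules, edited:      ", scan_case_insensitive(EDITED))
    print("17-byte chunks, original:  ", scan_chunked(ORIGINAL, 17, scan_case_sensitive))
    print("8-byte chunks, original:   ", scan_chunked(ORIGINAL, 8, scan_case_sensitive))
```

The 8-byte run shows the straddling caveat: the banner pattern is cut across two chunks and the chunked scan reports only the `cmd` rule, even though the whole buffer still matches both.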