Recompiling Code to Bypass Detection by an Antivirus
----------------------------------------------------
By klemster | klemster@weed5.org
Visit Weed5 Computer Security Group http://www.weed5.org/ for more
====================================================================

Contents
--------
Recompiling Code to Bypass Detection by an Antivirus
Disclaimer

====================================================================

Recompiling Code to Bypass Detection by an Antivirus

Any trojan/backdoor/virus/worm, etc. that is released is usually detected by every antivirus within a week of its release. This is because the antivirus companies constantly update their signature databases: a unique signature is extracted from the virus and then used to detect it. Usually, if one version of the program is detected, all other versions of the code are detected as well. So, to make a program that an antivirus already detects bypass that detection, you will need to recompile it in a different way.

I had made a keylogger called skl0g about three years ago, and it of course started getting detected by the antiviruses after its release. Now, I decided to make a better version of the keylogger. After compiling the new code, I realised that even this was getting detected. Therefore, to figure out which signature of the program the antivirus (Norton) was using, I opened the compiled binary file in Notepad. In the data was this:

\A D : \ h a c k \ s t a l l I O n s \ s k l o g \ s k l o g . v b p

This is the path of the Visual Basic code for skl0g (the spaces between the characters are the null bytes of a wide-character, UTF-16 string as a text editor renders them). So, all I did was copy the old code (the first version) to a new folder and compile it. The same program that was detected by Norton was not detected when it was compiled in a new directory. No changes were made to the code. The only difference was that it was compiled in a new directory. Therefore, this is a very easy way to bypass the antivirus by just recompiling the code in a new directory.
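The spaced-out path above is a wide-character (UTF-16LE) string, which is why it stands out in a text viewer. The Python below is an added example, not part of the original paper: it pulls such strings out of a constructed sample blob (with a placeholder path, not the one from the paper) the way an analyst or detection engineer would when checking which build-environment artefacts a file embeds, and flags drive-letter paths, since a signature keyed on one is brittle and changes with every rebuild in a new directory.

```python
import re
from typing import List

# Constructed sample: filler bytes around a UTF-16LE (wide) project path, the
# way a VB6 executable embeds the path of its .vbp file. Placeholder path only.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + "D:\\build\\example\\example.vbp".encode("utf-16-le")
    + b"\x00\x00\x17\x42\xff\xfe"
    + "Visual Basic".encode("utf-16-le")
    + b"\x00\x00\x01\x02"
)

# A Windows drive-letter path such as D:\... at the start of a string.
BUILD_PATH = re.compile(r"^[A-Za-z]:\\")


def wide_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return printable UTF-16LE strings of at least min_len characters.

    In a raw dump a wide string is a run of printable ASCII bytes each
    followed by a NUL, which is the 'spaced-out' text seen in Notepad.
    """
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def build_paths(data: bytes) -> List[str]:
    """Return only the wide strings that look like a build/project path."""
    return [s for s in wide_strings(data) if BUILD_PATH.match(s)]


if __name__ == "__main__":
    # Report each embedded wide string and mark the ones that are just
    # build-environment residue rather than anything tied to behaviour.
    for s in wide_strings(SAMPLE_BINARY):
        note = "  <- build path; changes on every rebuild" if BUILD_PATH.match(s) else ""
        print(repr(s) + note)
```

To inspect a real file, replace `SAMPLE_BINARY` with the bytes read from disk; the same regex is what `strings -el` effectively applies.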
Please note, this is for Visual Basic code. If your program is in another language, try opening the compiled binary in some text viewer and check for signatures of the program that the antivirus may be using. All you have to do is rename the value that the antiviruses use and recompile the code. For example: if you have used a file called abcdef.xyz and you can see that value in the binary file, try renaming the file to something else and recompiling the code.

This paper might not be entirely correct, but it helps in many situations to try the methods. If you come up with anything else, please feel free to mail me at klemster@weed5.org

====================================================================

DISCLAIMER

There is no guarantee of the accuracy of this text, and it is subject to change at any time. This text is meant only for educational purposes. Following or reading this text is entirely at the choice and risk of the user. I will not be responsible, directly or indirectly, for any damages caused by reading this, or by abuse or misinterpretation of this paper.

====================================================================
klemster | klemster@weed5.org