Wednesday, December 1, 2010

The ineffectiveness of AV demonstrated on the new UAC 0day POC file

A few days ago, a POC of the UAC bypass 0day was published. The Zip file downloaded contained an exe file and its source code. Shortly after, my AV (Nod32) alerted regarding a malicious file found on my machine (Win32/Exploit.Agent.NAB), and pointed to the POC exe file I just downloaded. From viewing the source code it was obvious that this file was not malicious, and yet when uploaded to VirusTotal for analysing this file it got detected by 35 out of 43 AVs:



I decided to play a bit with the binary data and see what happens... :)
My method of changing the signature, so it would be undetected by AVs was to find the part in the binary which triggers the AV (the signature block) and replace hex values of 0x00 (NULL) with 0x90 (NOP) values. And so I opened a hex editor and copied shellcode parts from the binary to a separate file and uploaded it to VirusTotal until I found the part which triggered most of the AVs. After replacing the NULLs with NOPs, I verified that the file is still being executed and working and uploaded it to VirusTotal again. Only this time:


The file was only detected by 2 AVs which one of them was Nod32. A strange thing, because even after updating Nod32 on my machine to the latest signature DB version, I still don't get any alert for executing the file. So it basically got detected only by one AV, called DrWeb, which I'm not familiar with. Oh well...
You can download the undetected (until it will also get signed) POC file from here.

-Hertz

1 comment:

  1. i did not find any NULL(0x00) value in 365kb server exe file that i can replace it with NOP(0x90)?????
    i m confused where is 0x00 value? if so that y i did not find it anywhere?? using HxD hexeditor and turkojan...
    i m successfully bypass avast by changing upper case laters to lower case and it does not corrupt the exe and bypass avast...

    ReplyDelete