Okay, so can I add more comments or remove existing ones from the Trojan source code to make it undetectable ?
First let me say I don't mean to insult your intelligence if you know about what I will discuss already, so feel free to just skim this post.
Anyway, I would say the answer is yes and no. What happens is that antivirus scans for 1's and 0's looking for unique bits of code, whether or not they are malicious. The companies that write antiviruses learn what parts are unique by taking apart malware and looking for the distinct parts, much like how we use human fingerprints to identify a criminal. In fact, what they are doing is basically fingerprinting by saying "I know this program has malicious code that looks like 'y' I should look for 'y' to see if that program is somewhere on this system."
Now let's say I had something coded in a trojan that did an rm -rf type of thing, and let's say you had something that does this in pseudo-ish code:
$string1 = "this is junk to throw off antivirus";
exec(rm -rf *);
$string2 = "more junk to throw off antivirus";
which for example maps to this in binary (it probably doesn't!)
1010101010100000000000000010101010101
The antivirus companies will take apart your malware and look for a binary string that is characteristic of it, which in this case could be the series of 0's.
However, let's say that the fingerprint that they took was exactly 1010101010100000000000000010101010101. If we go back to the source code and change it to
$string1 = "this is a new string";
exec(rm -rf *);
$string2 = "more junk to throw off antivirus";
That will map to something different, say "1111111010100000000000000010101010101" and when they compare
1010101010100000000000000010101010101
and
1111111010100000000000000010101010101
The fingerprints won't match up and the antivirus won't catch it. If this happens though, the companies will modify the fingerprint to the matching parts in efforts to catch your trojan again. For example they'll compare
00000000000000010101010101
and
00000000000000010101010101
and have a match. The issue here though is the window of comparison. Antivirus companies have to juggle small enough fingerprints that catch the bad programs but large enough so that they don't alert you about normal programs running on your system.
So yes and no. You can change the fingerprint of the trojan using different strings, but if antivirus companies discover it, they'll just look for another unique characteristic of your trojan and scan for that. It is possible though if you want to change your trojan all the time because they'll need to keep changing what they're scanning. However, if it's a large trojan and you're compromising enough hosts already it may not be worth changing the fingerprint. At this point you're dabbling with polymorphic code which is hard to code well, because antivirus programs will just create a fingerprint from the code that makes it polymorphic.
Author
