
Malicious Software



RealNickk

Nicholas (Nick)

vip

Posts: 3863

Threads: 172

Joined: Feb, 2020

Reputation: 47

  • 2

Posted

I wrote this for anyone skeptical about downloading unsigned PE files like Roblox exploits, or pretty much any program that hasn't been signed.


Recently, I reinstalled Windows and started messing with testing my software on a VM to make sure my stuff works on a fresh installation of Windows, but what's annoying is that Windows Defender will flag everything that I put in the VM. Not only that, but SmartScreen will warn me when I run the software. I personally think this is BS.


I'm pretty sure SmartScreen warns you about any software that's unsigned, so pretty much any program you download that wasn't self-signed by you (which means other computers will think it's unsigned but your computer won't) or signed by a certificate distributed by a trusted CA will trigger SmartScreen. Thing is, you can abuse PowerShell and the Command Prompt to avoid this popup, and run PE files without needing to sign them. This is the main reason why SmartScreen is crappy and useless.


I think Windows Defender (in fact, any antivirus) sucks because it just scans a hash database of known malware, so you can quite literally change one byte in the program and (depending on how well known the malware is) the antivirus will think it isn't malware anymore.


Some antimalware packages scan for certain code signatures for encryption or possibly malicious system calls, or they might look for high entropy in the data section to detect packing like UPX and VMProtect, but if you mutate your code enough, it'll get past the antivirus. But there are ways out of that, for example copying a downloaded file to memory and running it. Some antivirus programs make themselves so sensitive that even if you mutate it, they'll flag it. Thing is, they get so sensitive that normal programs — like a Hello World program in C++ — will get flagged down.


You might be like, well what about heuristic analysis? That's literally running the code in a sandbox. This can be easily bypassed by running the program in the background for 10 minutes until it executes malicious code. The sandbox doesn't run long enough to catch that.


Now what about the Windows Firewall? This is also bullcrap because you can get past this with a STUN server. You don't even need a STUN server, because you can proxy your data through trusted domains like Discord as long as you can set up webhooks. You don't need to open any ports if you can proxy all your data through a STUN server, effectively bypassing the firewall on Windows + your NAT's firewall combined.


I've written malware before (NOTE: I do NOT maliciously release such malware, that's unethical), such as cookie loggers, spyware, complete PC brickers, ransomware, etc. Let me tell you that I can get past the antivirus so easily that it's kinda sad. Deadlocust made something that can convert any PE file into a batch file that antivirus programs can't detect. Never trust your antivirus, and better yet, never trust any program. If you're skeptical, don't run it. If you need to run it, run it in a VM, WITH YOUR INTERNET OFF AND WITHOUT GUEST TOOLS. If you REALLY need to use internet, run it through another router, don't use your main router. Luckily, I have reverse engineering skills, so if I absolutely need to, I can find out on my own if something may be malicious.


Windows 11 added a new and very strict security feature that blocks any trusted unsigned program from running. You can only turn it on at a fresh installation, and you can only turn it off once. It may block every single program that isn't signed by Microsoft, but I'm not completely sure. This will probably cause people on this platform to go crazy, and I 100% DO NOT recommend enabling that as it will be impossible to run not only your code, but ANY PROGRAM that is unsigned. Windows 11 seems to flag even WSL with that new feature, which is ironically written by Microsoft themselves, so their security feature is bugged anyways — another reason why you shouldn't use it.


That said, all exploits distributed by WeAreDevs are safe. The developers don't have money to pay for a code signing certificate to sign their executable with (which pretty much is a free I'm-innocent card for the antivirus). Buying certificates from a trusted CA is really expensive, and the certificates expire yearly. No one has enough time or money to invest in it.


I hope anyone skeptical about Roblox exploits gets something from this. I'm going to leave with this statement: the best antivirus is common sense.

https://github.com/RealNickk

check out my github i make stuff
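The section-entropy heuristic the post mentions for spotting packers like UPX, as an added example that is not the poster's or any project's code: it walks the PE section table by hand and flags sections above 7.0 bits per byte, using a constructed two-section image (no optional header) as input. The 7.0 threshold, the section names and the sample layout are assumptions made for the demonstration.

```python
import math
import random
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, close to 8.0 for packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(blob: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table, yielding (name, raw bytes)."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]                 # e_lfanew
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe_off + 4
    nsections, opt_size = struct.unpack_from("<H12xH", blob, coff + 2)  # NumberOfSections, SizeOfOptionalHeader
    table = coff + 20 + opt_size                                        # section headers follow the optional header
    for i in range(nsections):
        hdr = blob[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)          # SizeOfRawData, PointerToRawData
        yield name, blob[raw_ptr:raw_ptr + raw_size]

def packed_sections(blob: bytes, threshold: float = 7.0) -> dict:
    """Sections whose entropy exceeds the threshold: a common, false-positive-prone packer heuristic."""
    out = {}
    for name, data in pe_sections(blob):
        ent = shannon_entropy(data)
        if ent > threshold:
            out[name] = round(ent, 2)
    return out

def build_sample_pe() -> bytes:
    """Constructed two-section image (no optional header): a plain .text plus a UPX-style random section."""
    text = bytes(range(16)) * 256                                      # 4 KiB, entropy exactly 4.0
    rng = random.Random(1)                                             # deterministic stand-in for compressed data
    upx1 = bytes(rng.getrandbits(8) for _ in range(4096))              # near-uniform bytes, entropy about 7.95
    pe_off = 0x40
    data_start = pe_off + 4 + 20 + 2 * 40                              # headers end here, raw section data begins
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)       # minimal DOS header with e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x22)        # x64, 2 sections, SizeOfOptionalHeader=0
    def shdr(name, size, ptr):                                         # IMAGE_SECTION_HEADER, 40 bytes
        return struct.pack("<8sIIIIIIHHI", name, size, 0, size, ptr, 0, 0, 0, 0, 0x60000020)
    table = shdr(b".text", len(text), data_start) + shdr(b"UPX1", len(upx1), data_start + len(text))
    return dos + b"PE\0\0" + coff + table + text + upx1
```

Treat a hit as a reason to look closer rather than a verdict: legitimately compressed resources and signed installers clear the same threshold, which is exactly why vendors combine it with other signals.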

Posts: 267

Threads: 52

Joined: Mar, 2022

Reputation: 3

  • 0

Replied

some of the information seems beneficial to malware skids.lol

Posts: 17

Threads: 0

Joined: Sep, 2022

Reputation: 0

  • 0

Replied

nice

i love content length

yea im in specal education 

RealNickk

Nicholas (Nick)

vip

Posts: 3863

Threads: 172

Joined: Feb, 2020

Reputation: 47

  • 0

Replied

@ishanjit321 don't worry they're stupid

https://github.com/RealNickk

check out my github i make stuff

Posts: 17

Threads: 0

Joined: Sep, 2022

Reputation: 0

  • 0

Replied

I just read all of that

yea im in specal education 

Posts: 267

Threads: 52

Joined: Mar, 2022

Reputation: 3

  • 0

Replied

@RealNickk
now thinking about it they are like lux14

nonnyhack_er1

JJSploitOnTop


Posts: 126

Threads: 1

Joined: Apr, 2021

Reputation: 7

  • 0

Replied

@RealNickk me be like reads 3 lines gives up

https://media.discordapp.net/attachments/931204686902620181/951828563915604018/BANER.png
