Binders Explored

Binders

While recently attending a desktop management conference, I sat in on a security session. During the session, the speaker covered all the common vectors that attackers can use to infiltrate a network or system. During his presentation he glossed over the word "Binders" on his slides without much more detail. Given that I expected others in attendance to understand what he was referring to, I decided to do a little research.

Just the facts….

Avoidance tools such as binders and scramblers allow a malicious user to take an existing piece of malware and make it undetectable to most AV software. These tools allow an attacker of just about any skill level to create a Trojan or virus that would theoretically be undetectable. The reason is that inserting such a virus or Trojan into a valid program changes the signature of the original program to such a degree that most AV software is unable to detect the payload by signature. It is this method that is allowing criminals to infect systems without having to learn anything more than a simple tool.

Many AV software packages will protect you from executables that have been obviously scrambled and packed. Malware authors are constantly developing new ways of changing the executables, and they have access to the same AV software that consumers can purchase, which they use to test their executables. Developing a signature requires that the new Trojan or variant first be detected. This delay from detection, to signature, to deployment in scan engines can leave systems unprotected for as long as a few days. This is enough time for the serious criminals to infect thousands of systems. The ROI for the criminal is high in either case, but the time to remediation leaves many systems exposed.

Binders

EXE binders (also known as joiners or wrappers) simply take executable files and roll them into a single executable. The user can determine which file will execute and whether its window state will be normal or hidden. The copy location of the file can be specified in the Windows, system or temp directories. The action can be specified as either open/execute or copy only. Using such a tool I was able, without any experience, to take a commonly detected security program and bind it with notepad. Thus, I created a new Trojan application without writing a single line of code.

The following file from winrtgen has been flagged by my AV package as a HackTool.

I will add this to my new "notepad".

My newly created notepad.exe has been bound into the same directory as rtdump.exe.

Re-enabling the Auto-Protect scan should find both of these as hack tools. Sure enough, it found the same "HackTool", but left my "notepad" alone.
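The test above shows the limit of signature matching: the bound "notepad" is a new file with a new signature, so the scanner has nothing to match. Two checks that do not depend on a signature are comparing the file against a known-good hash and looking for data appended after the last PE section (an "overlay"), which is one common place for a wrapper to stash the second program. The script below is an added example written for this article, not code from the post or from any binder or AV product. It assumes a binder that stores its payload as an overlay; binders that embed the payload differently (as a resource, or by compiling a new stub) will only trip the hash comparison, which is why both checks are kept. The function names and the minimal PE image it builds for input are constructed for the example.

```python
import hashlib
import struct
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file image, used for the known-good comparison."""
    return hashlib.sha256(data).hexdigest()


def pe_overlay_size(data: bytes) -> int:
    """Return the number of bytes that sit after the last section's raw data.

    A PE file normally ends where its last section ends; bytes beyond that
    point are not mapped by the loader, so a wrapper can append a second
    program there without disturbing the host.  Raises ValueError for non-PE input.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_hdr_size,) = struct.unpack_from("<H", data, coff + 16)
    section_table = coff + 20 + opt_hdr_size              # COFF header is 20 bytes
    end_of_sections = 0
    for i in range(num_sections):
        hdr = section_table + i * 40                      # 40-byte section headers
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return max(0, len(data) - end_of_sections)


def triage(data: bytes, known_good_sha256: Optional[str] = None) -> List[str]:
    """Return findings for one executable image; an empty list means nothing odd."""
    findings = []
    if known_good_sha256 is not None and sha256_hex(data) != known_good_sha256:
        findings.append("SHA-256 differs from the known-good copy")
    overlay = pe_overlay_size(data)
    if overlay:
        findings.append(f"{overlay} bytes appended after the last PE section")
    return findings


def build_fake_pe(section_bytes: bytes, overlay: bytes = b"") -> bytes:
    """Construct a minimal, non-runnable PE image with one section (sample input).

    Constructed test data, not a real notepad.exe.  The optional header is
    left empty, which real files never do, but the parser above only needs
    the section table, and this keeps the sample small.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 1 section, no timestamp/symbols, optional header size 0
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + 4 + 20 + 40                      # data follows the headers
    section_header = (b".text\0\0\0"
                      + struct.pack("<IIII", len(section_bytes), 0x1000,
                                    len(section_bytes), raw_ptr)
                      + b"\0" * 16)
    headers = dos_header + b"PE\0\0" + coff_header + section_header
    assert len(headers) == raw_ptr
    return headers + section_bytes + overlay


if __name__ == "__main__":
    clean = build_fake_pe(b"\x90" * 32)
    baseline = sha256_hex(clean)                          # the "known-good" hash
    bound = build_fake_pe(b"\x90" * 32, overlay=b"SECOND-PROGRAM" * 5)
    print("clean:", triage(clean, baseline) or "no findings")
    print("bound:", triage(bound, baseline))
```

Neither check replaces an AV engine: the hash comparison only works for files you already have a trusted copy of (the hash of a real notepad.exe must come from a clean install, not from the suspect machine), and an overlay is also used legitimately by some installers and signed binaries, so treat it as a reason to look closer rather than a verdict.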
