Getting Meterpreter Backdoor around AVG AV
So I have been trying to get meterpreter as undetected as possible by most major AV software and I think I have come close to succeeding. I downloaded the AVG Internet Security installer, and using SET (it won't let you do it with ./msfencode; it says extra junk at end) choose option 4 to make your own backdoor, choose 2 (windows/meterpreter/reverse_tcp) and then choose option 16 to make your own backdoored executable. Please note that you will have to set the path to your legit exe in the set_config.
Code:
#CUSTOM EXE YOU WANT TO USE FOR METASPLOIT ENCODING, THIS USUALLY HAS BETTER AV
# DETECTION. CURRENTLY IT IS SET TO LEGIT.BINARY WHICH IS JUST CALC.EXE. AN EXAMPLE
# YOU COULD USE WOULD BE PUTTY.EXE SO THIS FIELD WOULD BE /pathtoexe/putty.exe
CUSTOM_EXE=/root/AVGInstaller.exe
Change the CUSTOM_EXE path to the path of your exe. Here are the results from VirusTotal.
If you can make it more undetectable then please post here!
Antivirus results (engine - version - definitions date - result):
AhnLab-V3 - 2010.10.10.00 - 2010.10.09 - -
AntiVir - 7.10.12.167 - 2010.10.08 - -
Antiy-AVL - 2.0.3.7 - 2010.10.10 - -
Authentium - 5.2.0.5 - 2010.10.10 - -
Avast - 4.8.1351.0 - 2010.10.10 - -
Avast5 - 5.0.594.0 - 2010.10.10 - -
AVG - 9.0.0.851 - 2010.10.10 - -
BitDefender - 7.2 - 2010.10.10 - Backdoor.Shell.AC
CAT-QuickHeal - 11.00 - 2010.10.09 - -
ClamAV - 0.96.2.0-git - 2010.10.10 - -
DrWeb - 5.0.2.03300 - 2010.10.10 - -
Emsisoft - 5.0.0.50 - 2010.10.10 - -
eSafe - 7.0.17.0 - 2010.10.07 - -
eTrust-Vet - 36.1.7901 - 2010.10.08 - -
F-Prot - 4.6.2.117 - 2010.10.10 - -
F-Secure - 9.0.15370.0 - 2010.10.10 - Backdoor.Shell.AC
Fortinet - 4.2.249.0 - 2010.10.10 - -
GData - 21 - 2010.10.10 - Backdoor.Shell.AC
Ikarus - T3.1.1.90.0 - 2010.10.10 - -
Jiangmin - 13.0.900 - 2010.10.10 - -
K7AntiVirus - 9.65.2713 - 2010.10.09 - -
Kaspersky - 7.0.0.125 - 2010.10.10 - -
McAfee - 5.400.0.1158 - 2010.10.10 - -
McAfee-GW-Edition - 2010.1C - 2010.10.10 - -
Microsoft - 1.6201 - 2010.10.10 - Trojan:Win32/Swrort.A
NOD32 - 5518 - 2010.10.09 - a variant of Win32/Rozena.AH
Norman - 6.06.07 - 2010.10.10 - -
nProtect - 2010-10-10.01 - 2010.10.10 - Backdoor.Shell.AC
Panda - 10.0.2.7 - 2010.10.10 - -
PCTools - 7.0.3.5 - 2010.10.10 - -
Prevx - 3.0 - 2010.10.10 - -
Rising - 22.68.05.00 - 2010.10.09 - -
Sophos - 4.58.0 - 2010.10.10 - -
Sunbelt - 7031 - 2010.10.10 - -
SUPERAntiSpyware - 4.40.0.1006 - 2010.10.10 - -
Symantec - 20101.2.0.161 - 2010.10.10 - -
TheHacker - 6.7.0.1.054 - 2010.10.10 - -
TrendMicro - 9.120.0.1004 - 2010.10.10 - -
TrendMicro-HouseCall - 9.120.0.1004 - 2010.10.10 - -
VBA32 - 3.12.14.1 - 2010.10.08 - -
ViRobot - 2010.9.25.4060 - 2010.10.10 - -
VirusBuster - 12.67.11.0 - 2010.10.10 - -
File info:
MD5: afc2d27e8b78b2db772a2e9fa9de42d6
SHA1: 521a2200abbef8e171a4b7eecd50b1685c22dcde
SHA256: 3830cee855ab4cbab0db125e73afcbeb6ec713fec1eea82a35c08bee0e8d8086
File size: 4283672 bytes
Scan date: 2010-10-10 20:30:16 (UTC)
Re: Getting Meterpreter Backdoor around AVG AV
Kind of antismart on what you are doing there.
Re: Getting Meterpreter Backdoor around AVG AV
Quote (originally posted by KMDave):
Kind of antismart on what you are doing there.
Yeah - I remember the day I realized that it might not be a good idea to do that.
Re: Getting Meterpreter Backdoor around AVG AV
Yep, that particular usage is not going to work for long now ...
Not terribly smart.
Re: Getting Meterpreter Backdoor around AVG AV
I'm more of a networking guy, but I have read some articles about obfuscating executables. Why is everyone crashing down on him, and Virustotal? Did he just potentially add the MSF backdoor to all the major AV vendors' definitions?
I'd like to know what just happened.
Re: Getting Meterpreter Backdoor around AVG AV
Quote (originally posted by Citruspers):
I'm more of a networking guy, but I have read some articles about obfuscating executables. Why is everyone crashing down on him, and Virustotal? Did he just potentially add the MSF backdoor to all the major AV vendors' definitions?
I'd like to know what just happened.
Yes, that is just what happened. Well, not the MSF backdoor itself; that's been added for a very long time. The executable template he used as a base for the backdoor was AVG, which obfuscates the backdoor slightly. Most tutorials on this tell you to use calc.exe as a template, so this has been added a million times, but running it on VT with a new template adds this new template to the definitions.
There are services that offer the functionality of VT, and will not send the binary information to the vendors, but it costs money.
Re: Getting Meterpreter Backdoor around AVG AV
I haven't tried any obfuscation and I'm no expert on how viruses are detected, but some OllyDbg and reverse engineering knowledge would help you inline some patches that will change the signature that is getting detected. You just have to find out what is consistent between all of the .exe's msfencode makes and change it to something equivalent. Or don't use msfencode at all: inline the shellcode into the actual program but XOR it with a byte and have the decrypter also inlined into the program, say calc.exe.
Re: Getting Meterpreter Backdoor around AVG AV
Most online virus scanners send any new obfuscation mechanism to the AV vendors. There are one or two free ones that have an option "Do not send signature to AV vendors" or something like that, but I'm not taking their word for it :P. I guess most of you guys have seen it, but there's a vid at SecurityTube about obfuscating payloads with Xenocode virtualisation, originally posted at tehchkranti.
Didn't work for me though; BitDefender caught it. In the vid the guy makes the same mistake of submitting it to an online AV scan (with the "Do not send" option).
Securitytube Link
Re: Getting Meterpreter Backdoor around AVG AV
This answers my problem. I created a backdoor using msfencode and it worked great until I checked it using VirusTotal, and bingo, it never worked again.
Question 1: If I scan a new creation with my own AV, even if offline at the time, does this also get sent to the AV vendor at some time?
Question 2: If I use the new creation to test my client's machine and their AV picks it up, does it mean that all AV vendors get notified? If so, one would need to create a new backdoor for every pentest carried out. Am I correct?