Hiding from AV

[BigMac]

No, I literally just emailed it to myself and downloaded it to my target computer. It didn't have anything to do with an unknown website, thanks though.

The AV just seems to be smart enough to catch it at runtime. The AV is microtrend on an XP SP3 system if that helps at all.

so you downloaded it threw a webbrowser? just for testing purposes, create your payload then place it on a usb stick or cd and transfer it that way or pachage it with winrar and then email it... tftp, ftp, smb, any of these protocols work to... try to avode using your webbrowser...

[hitthemlow]

How many AV's did you try to evade with xor encrypting the entire file?

Just out of interest.

Well two points:
1) it wasnt Xor it was a mutagenic bitshift (to prevent stub flagging)
2) I uploaded it to vrus total and novirusthanks and got a 0 detection rate on the scanning.

One last point I obviously havent been clear enough with here....

THIS, WILL, ONLY, DEFEAT, SIGNATURE, SCANNING, OF, A, FILE, ON, DISK..!!!

I didnt claim it would defeat heurstics or in memory scannin (although in my defense I did make an awesome way to defeat that to involving reading them out in an awesomely wierd way.)

I'm going to weigh in and correct a couple of misconceptions (mostly on behalf of HTL, but others as well).

* PURELY Signature based scans on the file system will not detect nc.exe if it has been packed or encoded.
* However, the signature scans generally detect the stub (XOR or otherwise) that decrypts the file, and will flag them thus, decode the file and *then* detect the nc.exe.
* Multi-packs of the same file can defeat this (quite often there is no recursion on the AV scanner as part of the anti-lockup code).

First point: THank you for seeing that I have been trying to get that point across for ages.
Second: Mutagenic Custom Made Stubs ftw, Ive only had them get flagged when they are public ones.
Third: Learn to Recursion learn to recursion learn to recursion

Ok, so that covers file-system based (basics) of AV scanning.

In memory systems (a.k.a. on access scanning) works the same way - if it detects nc.exe signature IN MEMORY (i.e. while program is executing), often it will flag that and lock the system down. Having a completely encrypted binary will not stop this, as something like an XOR stub decrypts the binary and then executes it (check out the old cryptcom program for example).

One can evade an AntiVirus by decryption of "pages" of data in memory. This significantly reduces the memory access footprint that can be used for signatures (as well as being a nifty anti-debugging trick that programs such as Skype and a lot of copy protectors use). This prevents the signatures from being available for on access scanning.

Yes, I hate skype for that lol.

It gets more complex: Most AV systems implement heuristics, which search for generalised sequences of functions (i.e. this program does not match my whitelist, and decrypts pages in memory, and my setting is set to "Paranoid" so I'm going to block this now) rather than individual signatures. Heuristics are definitely the way of the future, but for now they are merely a suppliment to signature based scans. These too can be defeated (usually by matching known good decryption algo's and such).

Heuristics atm are very weak since you cannot simply block everything that COULD be used for bad, however they are getting better, as people "teach" computers to take context....
eg:
This Program connects to the inernet without permission: True
This Program makes one or system(), exece(), etc calls: True
This Program Takes no User Input: True
This Program Never shuts off: True
90% CHance of backdoor, shutting down now.

prowl3r I was just toying with something and had an idea - could you use the killav script and then restart the A/V service after the fact? If you are emulating a live attack this is what most would do anyway. Just because you're being nice doesn't mean you shouldn't be accurate.

I must be dumb, i have NEVER used the killav script, its like raising OVER 9000 flags saying something is amiss. If I think my payload will get flagged I will try to use somthing not as conspicuous and work my around the AV.

Even Tripwire can be defeated without turning it off if you are smart enough (*cough* Function Hooking *cough*)

[thorin]

OK, thorin. To satisfy your curiosity. It is not that sort of service, it is a demonstration (simulation) of real security risks. What I will do is a complete penetration (from nmap to VNC backdoor) in 15 minutes, during a meeting, for them to see how someone could easily get access to their information.

Now imagine that as soon as I execute the backdoor, the target machine AV raise an alarm and block it. Do you think they will be buying security services then ?

What I want them to see is one of their own desktops in my laptop.

Ok now I understand what you're getting at. My only remaining concern here would be that you ensure written permission etc prior to doing the demo (since you have no formal contract in place, since you're trying to sell to them).

Already have a couple of switchblade pendrives with Gonzor payloads but I prefer another approach.

Okey dokey.

[mixit]

so you downloaded it threw a webbrowser? just for testing purposes, create your payload then place it on a usb stick or cd and transfer it that way or pachage it with winrar and then email it... tftp, ftp, smb, any of these protocols work to... try to avode using your webbrowser...

Thanks, I'll try this tonight to ensure that the AV is not raising additional flags because of the browser.

Well two points:
1) it wasnt Xor it was a mutagenic bitshift (to prevent stub flagging)

Could you point me towards some info on this topic? Can anyone point me towards AV avoidance in general? Books or online tutorials would both be appreciated

And just for the curious ones (*cough cough thorin*), I'm neither a pentester, nor someone trying to hack into their neighbors computer. I just like hacking my own computer/network and gaining knowledge about computers in general while I'm at it. Some people do puzzles when they're bored, I do this. Also it's nice to know that maybe one day in the future it could help me with a job career. Again, this was mostly a disclaimer for suspicious moderators/seniors like thorin.

[imported_ecsployt]

Ok first off Bigmac, I noticed you said you were testing and uploading to virus total. NEVER upload to virus total if you want a file staying undetected or are trying to make it undetected. Virustotal send these on to many AV companies for further analysis. A FUD file sent there wont last long FUD, maybe a few days.. doubt it would even last a week without having about 9 detections. Scan on novirusthanks.com and make sure you check the 'do not distribute'. This way no AV gets it to analyse further. I know sources with way much more info on this. I currently have a crypter which when after I am pentesting, I can crypt a Poison Ivy/Bifrost RAT (pretty much anything that's detected, it'll make FUD) and install as a backdoor. Totally FUD. It'll stay FUD as long as it doesn't get uploaded to virustotal. If anyone wants more info in relation to this I can help you out if you PM me.

[prowl3r]

During the process described in this thread I found an interesting paper on the subject, by Mark Baggett. Since he wrote it, msfencode added the ability to create an EXE. Apart from that, everything there remains valid.

https://www2.sans.org/reading_room/w...udies/2134.php

Also, I finally decided to use a nice tool by Nick Harbour, presented at DEFCON 16 in August 2008, "Advanced Software Armoring and Polymorphic Kung-Fu".

Nick won the "Race to Zero" contest with some radical anti-virus evasion techniques: Mandiant researchers win Race to Zero

The scrambler-obfuscator is available here:

rnicrosoft.net - The home of Nick Harbour's tools and techniques

[imported_vvpalin]

very nice thread, one of the best ive seen in awile, thanks for all the suggestions, leaves me with a ton of research to do in the near future =]

[prowl3r]

very nice thread, one of the best ive seen in awile, thanks for all the suggestions, leaves me with a ton of research to do in the near future =]

Yeah, a hot one. It's a pity however that HitThemLow spent so much time and effort arguing but he didn't provide a link / howto for us to check his method. Useless stuff.

[hitthemlow]

well heres a basic idea: Building Your Own Executable Crypter

However you bild on it a bit, Im not sure that theres a link about exactly what I did.

[Gitsnik]

well heres a basic idea: Building Your Own Executable Crypter

However you bild on it a bit, Im not sure that theres a link about exactly what I did.

Personally, I used to decode virii way back when whale was around, so I have a fair whack of experience with polymorphic viral encoders and the like - but there is no really easy way to push all this knowledge to the world is there.

I do suggest everyone gets at least a little idea for how they work, the same principles that apply to encoders will work for shellcode and hiding payloads as well.