
Thread: Getting Meterpreter Backdoor around AVG AV


  1. #1
    Just burned his ISO
    Join Date
    Dec 2009
    Posts
    8

    Getting Meterpreter Backdoor around AVG AV

    So I have been trying to get meterpreter as undetected as possible by most major AV software and I think I have come close to succeeding. I downloaded the AVG internet security installer, and using SET (won't let you do it with ./msfencode, says extra junk at end) choose option 4 to make your own backdoor, choose 2 (windows/meterpreter/reverse_tcp) and then choose option 16 to make your own backdoored executable. Please note that you will have to set the path to your legit exe in the set_config.
    Code:
    #CUSTOM EXE YOU WANT TO USE FOR METASPLOIT ENCODING, THIS USUALLY HAS BETTER AV
    # DETECTION. CURRENTLY IT IS SET TO LEGIT.BINARY WHICH IS JUST CALC.EXE. AN EXAMPLE
    # YOU COULD USE WOULD BE PUTTY.EXE SO THIS FIELD WOULD BE /pathtoexe/putty.exe
    CUSTOM_EXE=/root/AVGInstaller.exe
    Change the CUSTOM_EXE line to the path of your exe. Here are the results from Virus Total.

    If you can make it more undetectable then please post here!

    Antivirus results
    AhnLab-V3 - 2010.10.10.00 - 2010.10.09 - -
    AntiVir - 7.10.12.167 - 2010.10.08 - -
    Antiy-AVL - 2.0.3.7 - 2010.10.10 - -
    Authentium - 5.2.0.5 - 2010.10.10 - -
    Avast - 4.8.1351.0 - 2010.10.10 - -
    Avast5 - 5.0.594.0 - 2010.10.10 - -
    AVG - 9.0.0.851 - 2010.10.10 - -
    BitDefender - 7.2 - 2010.10.10 - Backdoor.Shell.AC
    CAT-QuickHeal - 11.00 - 2010.10.09 - -
    ClamAV - 0.96.2.0-git - 2010.10.10 - -
    DrWeb - 5.0.2.03300 - 2010.10.10 - -
    Emsisoft - 5.0.0.50 - 2010.10.10 - -
    eSafe - 7.0.17.0 - 2010.10.07 - -
    eTrust-Vet - 36.1.7901 - 2010.10.08 - -
    F-Prot - 4.6.2.117 - 2010.10.10 - -
    F-Secure - 9.0.15370.0 - 2010.10.10 - Backdoor.Shell.AC
    Fortinet - 4.2.249.0 - 2010.10.10 - -
    GData - 21 - 2010.10.10 - Backdoor.Shell.AC
    Ikarus - T3.1.1.90.0 - 2010.10.10 - -
    Jiangmin - 13.0.900 - 2010.10.10 - -
    K7AntiVirus - 9.65.2713 - 2010.10.09 - -
    Kaspersky - 7.0.0.125 - 2010.10.10 - -
    McAfee - 5.400.0.1158 - 2010.10.10 - -
    McAfee-GW-Edition - 2010.1C - 2010.10.10 - -
    Microsoft - 1.6201 - 2010.10.10 - Trojan:Win32/Swrort.A
    NOD32 - 5518 - 2010.10.09 - a variant of Win32/Rozena.AH
    Norman - 6.06.07 - 2010.10.10 - -
    nProtect - 2010-10-10.01 - 2010.10.10 - Backdoor.Shell.AC
    Panda - 10.0.2.7 - 2010.10.10 - -
    PCTools - 7.0.3.5 - 2010.10.10 - -
    Prevx - 3.0 - 2010.10.10 - -
    Rising - 22.68.05.00 - 2010.10.09 - -
    Sophos - 4.58.0 - 2010.10.10 - -
    Sunbelt - 7031 - 2010.10.10 - -
    SUPERAntiSpyware - 4.40.0.1006 - 2010.10.10 - -
    Symantec - 20101.2.0.161 - 2010.10.10 - -
    TheHacker - 6.7.0.1.054 - 2010.10.10 - -
    TrendMicro - 9.120.0.1004 - 2010.10.10 - -
    TrendMicro-HouseCall - 9.120.0.1004 - 2010.10.10 - -
    VBA32 - 3.12.14.1 - 2010.10.08 - -
    ViRobot - 2010.9.25.4060 - 2010.10.10 - -
    VirusBuster - 12.67.11.0 - 2010.10.10 - -
    File info:
    MD5: afc2d27e8b78b2db772a2e9fa9de42d6
    SHA1: 521a2200abbef8e171a4b7eecd50b1685c22dcde
    SHA256: 3830cee855ab4cbab0db125e73afcbeb6ec713fec1eea82a35c08bee0e8d8086
    File size: 4283672 bytes
    Scan date: 2010-10-10 20:30:16 (UTC)

  2. #2
    Moderator KMDave
    Join Date
    Jan 2010
    Posts
    2,281

    AW: Getting Meterpreter Backdoor around AVG AV

    Kind of antismart on what you are doing there.
    Tiocfaidh ár lá

  3. #3
    Senior Member
    Join Date
    May 2010
    Posts
    198

    Re: AW: Getting Meterpreter Backdoor around AVG AV

    Quote Originally Posted by KMDave View Post
    Kind of antismart on what you are doing there.
    Yeah - I remember the day I realized that it might not be a good idea to do that.
    "Never do anything against conscience -- even if the state demands it."
    -- Albert Einstein

  4. #4
    Very good friend of the forum TAPE
    Join Date
    Jan 2010
    Location
    Europe
    Posts
    599

    Re: Getting Meterpreter Backdoor around AVG AV

    Yep, that particular usage is now not going to work for long ...

    Not terribly smart..

  5. #5
    Junior Member roybatty
    Join Date
    Jan 2010
    Location
    Tannhauser Gate
    Posts
    55

    Re: Getting Meterpreter Backdoor around AVG AV

    Virus Total => Facepalm
    I've seen things you people wouldn't believe.

  6. #6
    Member
    Join Date
    Dec 2007
    Location
    The Netherlands
    Posts
    267

    Re: Getting Meterpreter Backdoor around AVG AV

    I'm more of a networking guy, but I have read some articles about obfuscating executables. Why is everyone crashing down on him, and Virustotal? Did he just potentially add the MSF backdoor to all the major AV vendors' definitions?
    I'd like to know what just happened.
    Student Systems Administration and Network Engineering, second year.
    Don't PM me with questions, unless very specific. Otherwise, use the forums so everyone can potentially benefit from it.

  7. #7
    Junior Member g3ksan
    Join Date
    Jan 2010
    Location
    Florida
    Posts
    93

    Re: Getting Meterpreter Backdoor around AVG AV

    Quote Originally Posted by Citruspers View Post
    I'm more of a networking guy, but I have read some articles about obfuscating executables. Why is everyone crashing down on him, and Virustotal? Did he just potentially add the MSF backdoor to all the major AV vendors' definitions?
    I'd like to know what just happened.
    Yes, that is just what happened. Well, not the MSF backdoor itself; that's been added for a very long time. The executable template he used as a base for the backdoor was AVG, which obfuscates the backdoor slightly. Most tutorials on this tell you to use calc.exe as a template, so this has been added a million times, but running it on VT with a new template adds this new template to the definitions.

    There are services that offer the functionality of VT, and will not send the binary information to the vendors, but it costs money.
    This is the sixth time we have created a thread about it... and we have become exceedingly efficient at it.

  8. #8
    Junior Member
    Join Date
    Jul 2009
    Posts
    37

    Re: Getting Meterpreter Backdoor around AVG AV

    I haven't tried any obfuscation and I'm no expert on how viruses are detected, but some OllyDbg + reverse engineering knowledge would help you inline some patches that will change the signature that is getting detected; you just have to find out what is consistent between all of the .exe's msfencode makes and change it to something equivalent. Or don't use msfencode at all: inline the shellcode into the actual program but XOR it with a byte and have the decrypter also inlined into the program, say calc.exe.

  9. #9
    Just burned his ISO
    Join Date
    Aug 2010
    Posts
    15

    Re: Getting Meterpreter Backdoor around AVG AV

    Most online virus scanners send any new obfuscation mechanism to the AV vendors. There are one or two free ones that have an option "Do not send signature to AV vendors" or something like that.. but I'm not taking their word for it. I guess most of you guys have seen it, but there's a vid at securitytube about obfuscating payloads with Xenocode virtualisation.. originally posted at techkranti..
    Didn't work for me though.. BitDefender caught it.. in the vid the guy makes the same mistake of submitting it to an online AV scan (with the "Do not send" option).
    Securitytube Link
    Last edited by Sp3ctr3; 11-25-2010 at 03:32 PM. Reason: Used the wrong tag in a hurry:p

  10. #10
    Just burned his ISO
    Join Date
    Feb 2010
    Location
    uk
    Posts
    23

    Re: Getting Meterpreter Backdoor around AVG AV

    This answers my problem. I created a backdoor using msfencode and it worked great until I checked it using Virustotal, and bingo, it never worked again.
    Question 1: If I scan a new creation with my own AV, even if offline at the time, does this also get sent to the AV vendor at some time?
    Question 2: If I use the new creation to test my client's machine and their AV picks it up, does it mean that all AV vendors get notified? If so, one would need to create a new backdoor for every pentest carried out, am I correct?
