So I have been trying to get meterpreter as undetected as possible by most major AV software, and I think I have come close to succeeding. I downloaded the AVG Internet Security installer and, using SET (it won't let you do it with ./msfencode; it says extra junk at end), chose option 4 to make your own backdoor, chose 2 (windows/meterpreter/reverse_tcp) and then chose option 16 to make your own backdoored executable. Please note that you will have to set the path to your legit exe in set_config. Change the red to the path of your exe.

Code:
    # CUSTOM EXE YOU WANT TO USE FOR METASPLOIT ENCODING, THIS USUALLY HAS BETTER AV
    # DETECTION. CURRENTLY IT IS SET TO LEGIT.BINARY WHICH IS JUST CALC.EXE. AN EXAMPLE
    # YOU COULD USE WOULD BE PUTTY.EXE SO THIS FIELD WOULD BE /pathtoexe/putty.exe
    CUSTOM_EXE=/root/AVGInstaller.exe

Here are the results from VirusTotal.
If you can make it more undetectable then please post here!
Antivirus - Version - Last update - Result
AhnLab-V3 - 2010.10.10.00 - 2010.10.09 - -
AntiVir - 22.214.171.124 - 2010.10.08 - -
Antiy-AVL - 126.96.36.199 - 2010.10.10 - -
Authentium - 188.8.131.52 - 2010.10.10 - -
Avast - 4.8.1351.0 - 2010.10.10 - -
Avast5 - 5.0.594.0 - 2010.10.10 - -
AVG - 184.108.40.2061 - 2010.10.10 - -
BitDefender - 7.2 - 2010.10.10 - Backdoor.Shell.AC
CAT-QuickHeal - 11.00 - 2010.10.09 - -
ClamAV - 0.96.2.0-git - 2010.10.10 - -
DrWeb - 5.0.2.03300 - 2010.10.10 - -
Emsisoft - 220.127.116.11 - 2010.10.10 - -
eSafe - 18.104.22.168 - 2010.10.07 - -
eTrust-Vet - 36.1.7901 - 2010.10.08 - -
F-Prot - 22.214.171.124 - 2010.10.10 - -
F-Secure - 9.0.15370.0 - 2010.10.10 - Backdoor.Shell.AC
Fortinet - 126.96.36.199 - 2010.10.10 - -
GData - 21 - 2010.10.10 - Backdoor.Shell.AC
Ikarus - T188.8.131.52.0 - 2010.10.10 - -
Jiangmin - 13.0.900 - 2010.10.10 - -
K7AntiVirus - 9.65.2713 - 2010.10.09 - -
Kaspersky - 184.108.40.206 - 2010.10.10 - -
McAfee - 5.400.0.1158 - 2010.10.10 - -
McAfee-GW-Edition - 2010.1C - 2010.10.10 - -
Microsoft - 1.6201 - 2010.10.10 - Trojan:Win32/Swrort.A
NOD32 - 5518 - 2010.10.09 - a variant of Win32/Rozena.AH
Norman - 6.06.07 - 2010.10.10 - -
nProtect - 2010-10-10.01 - 2010.10.10 - Backdoor.Shell.AC
Panda - 10.0.2.7 - 2010.10.10 - -
PCTools - 220.127.116.11 - 2010.10.10 - -
Prevx - 3.0 - 2010.10.10 - -
Rising - 22.68.05.00 - 2010.10.09 - -
Sophos - 4.58.0 - 2010.10.10 - -
Sunbelt - 7031 - 2010.10.10 - -
SUPERAntiSpyware - 18.104.22.1686 - 2010.10.10 - -
Symantec - 2022.214.171.124 - 2010.10.10 - -
TheHacker - 126.96.36.199.054 - 2010.10.10 - -
TrendMicro - 188.8.131.524 - 2010.10.10 - -
TrendMicro-HouseCall - 184.108.40.2064 - 2010.10.10 - -
VBA32 - 220.127.116.11 - 2010.10.08 - -
ViRobot - 2010.9.25.4060 - 2010.10.10 - -
VirusBuster - 18.104.22.168 - 2010.10.10 - -
SHA256: 3830cee855ab4cbab0db125e73afcbeb6ec713fec1eea82a35c08bee0e8d8086
File size: 4283672 bytes
Scan date: 2010-10-10 20:30:16 (UTC)
Kind of antismart on what you are doing there.
Tiocfaidh ár lá
Yep, that particular usage is now not going to work for long...
Not terribly smart..
Virus Total => Facepalm
I've seen things you people wouldn't believe.
I'm more of a networking guy, but I have read some articles about obfuscating executables. Why is everyone crashing down on him and on VirusTotal? Did he just potentially add the MSF backdoor to all the major AV vendors' definitions?
I'd like to know what just happened.
Student Systems Administration and Network Engineering, second year.
Don't PM me with questions, unless very specific. Otherwise, use the forums so everyone can potentially benefit from it.
There are services that offer the functionality of VT, and will not send the binary information to the vendors, but it costs money.
This is the sixth time we have created a thread about it... and we have become exceedingly efficient at it.
I haven't tried any obfuscation and I'm no expert on how viruses are detected, but some OllyDbg and reverse-engineering knowledge would help you inline some patches that change the signature that is getting detected; you just have to find out what is consistent between all of the .exe's msfencode makes and change it to something equivalent. Or don't use msfencode at all: inline the shellcode into the actual program, but XOR it with a byte and have the decrypter also inlined into the program, say calc.exe.
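As an added example of the single-byte XOR idea in the reply above (this is not code from the poster, from msfencode or from SET), the following C shows the core of the "decrypter": an in-place XOR over a buffer, a naive byte-exact signature check, and a round trip that confirms the encoded copy no longer contains the original pattern while decoding restores it. The payload bytes are a constructed ASCII placeholder, not shellcode; the key value 0x5a is an arbitrary choice. It also covers the edge case a practitioner should know about: a key of 0x00 is a no-op, and any byte equal to the key encodes to 0x00.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample bytes standing in for a payload that a byte-exact AV
 * signature matches on. This is an arbitrary ASCII pattern, not shellcode. */
static const uint8_t sample_payload[] = "CONSTRUCTED-SAMPLE-PAYLOAD-BYTES";
#define SAMPLE_LEN (sizeof(sample_payload) - 1) /* drop the NUL terminator */

/* Single-byte XOR is its own inverse: calling this twice with the same key
 * restores the original buffer. This is the "decrypter" stub the reply
 * describes, reduced to its core. */
void xor_buf(uint8_t *buf, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

/* Naive byte-exact signature check: does needle occur anywhere in hay? */
int contains_pattern(const uint8_t *hay, size_t hlen,
                     const uint8_t *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen)
        return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Returns 1 when the encoded copy no longer contains the original pattern
 * AND decoding restores it exactly; 0 otherwise. key == 0x00 is the
 * classic mistake: XOR with zero is a no-op, so the signature survives. */
int xor_roundtrip_ok(uint8_t key)
{
    uint8_t work[SAMPLE_LEN];
    memcpy(work, sample_payload, SAMPLE_LEN);

    xor_buf(work, SAMPLE_LEN, key);                 /* "encrypt" */
    int hidden = !contains_pattern(work, SAMPLE_LEN, sample_payload, SAMPLE_LEN);

    xor_buf(work, SAMPLE_LEN, key);                 /* "decrypt" */
    int restored = memcmp(work, sample_payload, SAMPLE_LEN) == 0;

    return hidden && restored;
}

/* How many bytes of the encoded buffer would come out as 0x00: every byte
 * equal to the key. Those zeros, and the fact that a one-byte key is a
 * 256-way brute force, are why this only defeats byte-exact matching and
 * not emulation or behavioural detection. */
size_t zero_bytes_after_xor(uint8_t key)
{
    size_t n = 0;
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        if (sample_payload[i] == key)
            n++;
    return n;
}

int main(void)
{
    uint8_t work[SAMPLE_LEN];
    memcpy(work, sample_payload, SAMPLE_LEN);
    xor_buf(work, SAMPLE_LEN, 0x5a);
    printf("encoded:");
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        printf(" %02x", work[i]);
    printf("\nkey 0x5a round trip ok: %d\n", xor_roundtrip_ok(0x5a));
    printf("key 0x00 round trip ok: %d\n", xor_roundtrip_ok(0x00));
    return 0;
}
```

The point of the round-trip function is the check a practitioner actually wants before shipping such a stub: that the bytes on disk no longer match the pattern and that the decoder really does restore them. Both halves are needed; an encoder that hides the pattern but corrupts one byte gives you a binary that is undetected and also does not run.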
Most online virus scanners send any new obfuscation mechanism to the AV vendors. There are one or two free ones that have an option "Do not send signature to AV vendors" or something like that, but I'm not taking their word for it. I guess most of you guys have seen it, but there's a video at SecurityTube about obfuscating payloads with Xenocode virtualisation, originally posted at tehchkranti.
Didn't work for me though; BitDefender caught it. In the video the guy makes the same mistake of submitting it to an online AV scan (with the "Do not send" option).
Last edited by Sp3ctr3; 11-25-2010 at 03:32 PM. Reason: Used the wrong tag in a hurry:p
This answers my problem: I created a backdoor using msfencode and it worked great until I checked it using VirusTotal, and bingo, it never worked again.
Question 1: If I scan a new creation with my own AV, even if offline at the time, does this also get sent to the AV vendor at some time?
Question 2: If I use the new creation to test my client's machine and their AV picks it up, does it mean that all AV vendors get notified? If so, one would need to create a new backdoor for every pentest carried out; am I correct?