Getting Meterpreter Backdoor around AVG AV

[Sp3ctr3]

Far as i know, no AV does that automatically. Most have an option of manually submitting a sample. Doing that automatically isn't legal i suppose (client privacy). If you really wanna obfuscate the signature try the manual way. In this example they used a hex editor to change the netcat signature

ChangingNetcatsFileSig

Once read about a guy who supposedly got NC through an AV by changing one line of TEXT in the program back in 2000.

[pentest09]

Hi Fellaz,
heres the deal virus total no, no i had a totally undetectable payload for over 9 months and then posted the encoding scheme and guess what, 3 days later ESET and others got it. So i created another and picked the following:

The exe used in the template matters first of AVG knows the package sig i guess of a lot of common used exes so its down to finding an exe thats not that common.
I have used netcat just for the exe to encode and pick very random shikata_ga_nai in a certain way took many practice encoding and its totally undetectable.

I test on vm machines with snapshots using the top 20 Avs Fully uptodate and they bypass all and are working .

So try try try again until u find one and Dont give out the file for it to get its signature all over the gaff remember virus total sends the files to AV vendors.

I have a payload up to now working 100% FUD for over 4 months after my first one was trashed.

Kind Regards Dee

[sLiPpErY]

novirusthanks == Good
virustotal == Bad for everyone..

[iproute]

One thing to bear in mind when trying to get payloads past a/v. When using msfpayload to generate, sometimes it is better to start with windows/shell/reverse_tcp or some other small simpler payload rather than something like meterpreter. The less data in the executable, the more difficult it will be for many A/Vs to identify any signature. Uncommon EXEs also help when backdooring. If you use the -k option to keep your template exe working, remember to use the EXITFUNC=thread option to make sure you do not lose your session when the template exe is closed.

[r00tb0ss]

The problem I have actually found now is that getting a meterpreter shell around AVG 2011 identity protection. The actual AVG resident shield does not pick up my meterpreter backdoored exe but as soon as I upload to my test XP box and try to use a command like hashdump, AVG 2011 Identity protection picks it up as malware. Anyone else experiencing this yet? Any ideas around this? I believe it will be hard to get around considering it is not going by signatures, just file behavior.

[iproute]

hashdump requires escalated privileges. What user is your session running as? use getuid first to find out. If you do need to escalate privileges, try a different method.

Code:

meterpreter  > getsystem -h
Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:

    -h        Help Banner.
    -t <opt>  The technique to use. (Default to '0').
		0 : All techniques available
		1 : Service - Named Pipe Impersonation (In Memory/Admin)
		2 : Service - Named Pipe Impersonation (Dropper/Admin)
		3 : Service - Token Duplication (In Memory/Admin)
		4 : Exploit - KiTrap0D (In Memory/User)


meterpreter  > getsystem -t 4
...got system (via technique 4).
meterpreter  > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter  >

Once you are able to escalate privileges, kill all the AVG services and processes. Once the AVG services and processes have been killes you will be able to dump the hashes successfully. Vivek demostrates disabling AVG in the metasploit megaprimer video series. He spends some good time on the topic.

[r00tb0ss]

I was actually running the meterpreter shell as SYSTEM. I also tested on a windows 7 box with AVG 2011 free addition. My meterpreter shell on the windows 7 box was SYSTEM privileges also, and I didn't even get a chance to kill off the AVG before the identity protection popped up with malware detected. So what it all comes down to is I do not have no issues what so ever with getting the meterpreter backdoored exe file past AVG 2011 antivirus signatures. It is the actual AVG identity protection that I am unable to get around. Note that the AVG identity protection is picking up my backdoored meterpreter shell as Rozena.AH Category: Packed.

[iproute]

If you try a shell as a payload, will the session stay open?

[r00tb0ss]

I believe that I have found a solution to avoid the AVG 2011 Identity protection. After I ran the backdoored.exe file on my test windows 7 box, the first thing I did was run the command "getsystem" in msfconsole. Then I ran "run service_permissions_escalate" which in return created my backdoored.exe as a service with SYSTEM privileges and opened a new session. So I closed out my current meterpreter session and opened my new session and all was good. Hashdump worked without any notifications from AVG! Thanks for your help and input iproute