Thread: MSF & AntiVirus

  1. #1
    Member
    Join Date
    Jan 2006
    Posts
    90

    MSF & AntiVirus

    Hi all

    Been messing with the framework over the past few days.

    In all of the tutorials I have found so far (including the one on Offensive Security) people talk about using msfpayload and msfencode to create a trojan.

    However, no matter how much I encode, my AV still finds it. I'm using McAfee VSE 8.8.

    I have tried with

    windows/meterpreter/reverse_tcp
    windows/vncinject/reverse_tcp
    windows/shell/reverse_tcp
    windows/shell_reverse_tcp

    Each non-encoded and encoded with 2 encoders 10 times each.

    The last one apparently should bypass AV because it only contains enough code to execute the connection, with the rest of the code sent by the attacking machine after it establishes.

    However, after dumping the file on my Windows box and scanning it, it gets picked up every single time.

    Am I doing something wrong, or has AV just come along since these guides? Is there a new method?

  2. #2
    Good friend of the forums: zimmaro
    Join Date
    Mar 2010
    Location
    milano
    Posts
    407

    Re: MSF & AntiVirus

    (quoting hongman's post #1 above)
    hi
    if you can help take a look:
    http://www.backtrack-linux.org/forum...ight=script+aV ####THE BEST(the author is one of my idols) ####
    http://www.backtrack-linux.org/forum...ad.php?t=48236 ####some av's detect####
    http://www.backtrack-linux.org/forum...ad.php?t=48283 ####no comment ######
    bye

  3. #3
    Member
    Join Date
    Jan 2006
    Posts
    90

    Re: MSF & AntiVirus

    Thank you!!

  4. #4
    Member
    Join Date
    Jan 2006
    Posts
    90

    Re: MSF & AntiVirus

    So I have read the guides, done some other research and ended up with an EXE file which passes all 42 vendors' tests at VirusTotal.

    I'm now trying to piggyback this onto another file type so that it looks a bit more innocent, i.e. a .jpg or .txt or something.

    What is a good tool for this? All the encoding and obfuscating has been done, I just need something to bind the files together.

  5. #5
    Very good friend of the forum: TAPE
    Join Date
    Jan 2010
    Location
    Europe
    Posts
    599

    Re: MSF & AntiVirus

    If your file passes all 42 at VirusTotal now, it sure as shit
    won't in a week or two's time now you've sent it to them ...

    Have a look at this idea using a game as a trigger:
    http://adaywithtape.blogspot.com/201...etasploit.html

  6. #6
    Member
    Join Date
    Jan 2006
    Posts
    90

    Re: MSF & AntiVirus

    Hi Tape

    Do they actually manually analyse the file then if it comes back clean? I imagine they have thousands of files submitted every day... and it's not like I am continually submitting the same file or actually releasing it into the wild.

    Anyways - I did read your blog already. However, I specifically want to avoid binding the payload to an exe, and I also don't need to encode it anymore.

  7. #7
    Very good friend of the forum: TAPE
    Join Date
    Jan 2010
    Location
    Europe
    Posts
    599

    Re: MSF & AntiVirus

    Actually, now you mention it, not sure how that would work...
    Keep a record of the creation / submission date and check with your local
    AV whether it stays undetectable, and see how long it takes.

    Would be interesting to hear..

  8. #8
    Member
    Join Date
    Jan 2006
    Posts
    90

    Re: MSF & AntiVirus

    OK - I will try on a weekly basis and let you know.

    Still interested if anyone else knows of a way though?

  9. #9
    Senior Member: ShadowMaster
    Join Date
    Jul 2011
    Location
    /root
    Posts
    189

    Re: MSF & AntiVirus

    There is a popular exe that will join them, but I don't recommend using it. The detection ratio shoots up from 0-5/43 to 39/43 due to the joining methods. The static joining signature cannot be changed and is easily detected. Anyway, in regards to how the vendors scan the files, they automate disassembly to an extreme extent, unless they find something interesting, which they then manually disassemble. So, given time, they will detect anything you send.
    Try this though. It may help you. https://www.youtube.com/watch?v=OX5NMILiDG0

    Also, two encoders with 10 passes each is a strange extreme. I recommend using 3-5 with 4-6 passes.
    World Domination is such an ugly phrase. I prefer the term World Optimization.
