war6763 Posted December 11, 2012
Hey everyone! I tried the Reverse Shell payload on a computer running Windows 7 x64 and Kaspersky 2012. Everything was going well up until the binary was compiled. Kaspersky was able to detect it and clean it!! Anyone else run into this issue?
Xcellerator Posted December 12, 2012
As is often the case with binaries dropped onto machines, AVs tend to pick them up. You should try looking into Metasploit and building your own meterpreter/shell-spawning binaries. There are many different methods to hide your binaries: encryption, EXE templates, custom shellcode, Hyperion, to name a few. You'll probably need to find your own, because most people tend to keep their methods to themselves for precisely this reason - making them public results in patches to stop them working.. :/ For a quick fix, try out Hyperion, and run it through VirusTotal to see who picks it up..
Sud0x3 Posted December 14, 2012
> As is often the case with binaries dropped onto machines, AVs tend to pick them up. You should try looking into Metasploit and building your own meterpreter/shell-spawning binaries. There are many different methods to hide your binaries: encryption, EXE templates, custom shellcode, Hyperion, to name a few. You'll probably need to find your own, because most people tend to keep their methods to themselves for precisely this reason - making them public results in patches to stop them working.. :/ For a quick fix, try out Hyperion, and run it through VirusTotal to see who picks it up..
Why would you run it through VirusTotal? Pick the target anti-virus, install it in a virtual machine with full updates, run the executable. This way the signatures of your executable are not sent to the anti-virus companies for analysis.
Edit: unless you are planning something malicious like infecting hundreds of machines with a binary, this method should work fine.
Edited December 14, 2012 by Sud0x3
Xcellerator Posted December 15, 2012
If you know the antivirus on the target machine, then yeah, fine, use a VM. However, if you don't know, then VirusTotal is really your only option. Besides, if you're good enough, surely you could get the detection rate to 0? ;-)
Pwnd2Pwnr Posted December 15, 2012
Kaspersky is planning on releasing an entire OS... yessir.
Sud0x3 Posted December 16, 2012
> If you know the antivirus on the target machine, then yeah, fine, use a VM. However, if you don't know, then VirusTotal is really your only option. Besides, if you're good enough, surely you could get the detection rate to 0? ;-)
If you're good enough you should be able to determine what anti-virus is installed on a machine :) Regardless, I don't think you get my point: VirusTotal uses submitted information to improve anti-virus solutions. There are other online malware scanners that do not share their information with anyone. You should really check one of those out for the future. Here is an extract taken from virustotal.com:
> When you submit a file to VirusTotal for scanning, we may store it and share it with the anti-malware and security industry (normally the companies that participate in VirusTotal receive files containing virus samples that their engines do not detect and are catalogued as malware by at least one other engine). The samples can be analysed by automatic tools and security analysts to detect malicious code and to improve antivirus engines.
Xcellerator Posted December 16, 2012
Hmmm.. I see what you mean. I think I need to find another online malware scanner. :/ Kinda defeats the point of custom shellcode designed to EVADE antivirus if you only end up submitting it to them... xD
illwill Posted December 17, 2012
> Hey everyone! I tried the Reverse Shell payload on a computer running Windows 7 x64 and Kaspersky 2012. Everything was going well up until the binary was compiled. Kaspersky was able to detect it and clean it!! Anyone else run into this issue?
I made the reverse exe like 7 yrs ago, I'm pretty sure every AV detects it.
Karit Posted December 24, 2012
> When you submit a file to VirusTotal for scanning, we may store it and share it with the anti-malware and security industry (normally the companies that participate in VirusTotal receive files containing virus samples that their engines do not detect and are catalogued as malware by at least one other engine). The samples can be analysed by automatic tools and security analysts to detect malicious code and to improve antivirus engines.
Reading that, if it is marked clean by all of them it won't get submitted. To me it reads as if some detect and some don't, it gets submitted to the others to improve their filters. They aren't exactly going to look at every clean result, as that would be high and people could DOS the process by uploading tons of clean files and thus diluting the bad files. Stuxnet lasted so long in the wild as its infection was small and the AV companies did have it sitting in their backlog, but because its infection was limited to one organisation it was more likely to be a custom app rather than a virus according to their probability system for files to investigate. But if there are others who don't resubmit stuff it is most probably the best to go with them.
overwraith Posted December 24, 2012
On Stuxnet...
Uncle Sam: You didn't see nuthin... (Hands AV company exec a wad of cash)
AV Exec: We didn't like Iran anyway...
Edited December 24, 2012 by overwraith