
[Question] Kaspersky 2012 Detects Reverse Shell Payload


war6763


As is often the case with binaries dropped onto machines, AVs tend to pick them up. You should try looking into Metasploit and building your own meterpreter/shell-spawning binaries. There are many different methods to hide your binaries: encryption, EXE templates, custom shellcode, Hyperion, to name a few. You'll probably need to find your own, because most people tend to keep their methods to themselves for precisely this reason - making them public results in patches that stop them working. :/

For a quick fix, try out Hyperion, and run it through VirusTotal to see who picks it up.


Why would you run it through VirusTotal?

Pick the target antivirus, install it in a virtual machine with full updates, and run the executable.

This way the signatures of your executable are not sent to the antivirus companies for analysis.

Edit: unless you are planning something malicious like infecting hundreds of machines with a binary, this method should work fine.

Edited by Sud0x3

If you know the antivirus on the target machine, then yeah fine, use a VM. However, if you don't know, then VirusTotal is really your only option. Besides, if you're good enough, surely you could get the detection rate to 0? ;-)

If you're good enough you should be able to determine what antivirus is installed on a machine :) Regardless, I don't think you get my point: VirusTotal uses submitted information to improve antivirus solutions. There are other online malware scanners that do not share their information with anyone. You should really check one of those out for the future.

Here is an extract taken from virustotal.com:

When you submit a file to VirusTotal for scanning, we may store it and share it with the anti-malware and security industry (normally the companies that participate in VirusTotal receive files containing virus samples that their engines do not detect and are catalogued as malware by at least one other engine). The samples can be analysed by automatic tools and security analysts to detect malicious code and to improve antivirus engines.


Hey everyone! I tried the Reverse Shell payload on a computer running Windows 7 x64 and Kaspersky 2012. Everything was going well up until the binary was compiled. Kaspersky was able to detect it and clean it!!

Anyone else run into this issue?

I made the reverse exe like 7 yrs ago; I'm pretty sure every AV detects it.


When you submit a file to VirusTotal for scanning, we may store it and share it with the anti-malware and security industry (normally the companies that participate in VirusTotal receive files containing virus samples that their engines do not detect and are catalogued as malware by at least one other engine). The samples can be analysed by automatic tools and security analysts to detect malicious code and to improve antivirus engines.

Reading that, if it is marked clean by all of them it won't get submitted. To me it reads as if, when some detect it and some don't, it gets submitted to the others to improve their filters. They aren't exactly going to look at every clean result, as that would be a high number and people could DoS the process by uploading tons of clean files and thus diluting the bad files.

Stuxnet lasted so long in the wild as its infection was small; the AV companies did have it sitting in their backlog, but because its infection was limited to one organisation it was more likely to be a custom app rather than a virus according to their probability system for files to investigate.

But if there are others who don't resubmit stuff it is most probably the best to go with them.
