Antivirus Bypass: Friendly Reminder to Never Upload Your Samples to VirusTotal
For many of you, this is common knowledge. But I still regularly see comments posted here and elsewhere asking, "This <AV bypass> doesn't work, because when I upload my payload to VirusTotal...."
It's a totally understandable beginner mistake. After all, it seems like a clever thing to do. There are even a lot of otherwise perfectly nice tutorials out there that encourage you to upload your file to check it.
Years ago, VirusTotal DID have an option that would allow you to scan without distributing the file -- but then the AV companies fought to have that option removed.
This has never been a secret. VT's About page spells this out quite clearly:
So you upload your custom payload and only 4 out of the 57 AVs flagged it? That's pretty impressive! Nice job! Unfortunately, you just auto-generated a report that will be sent to 53 antivirus product makers.
If You Are Using Someone Else's Tool, You Are Making It Less Likely to Work in the Future, Ruining It for Everyone
"So what? It's just a practice file and I'd only be hurting myself."
AV companies aren't always detecting a payload signature -- they're often detecting the method used to hide it. Every time you upload a test payload, you're helping them along.
To demonstrate this, I broke my own rule (the only time, I swear!!)
First, I took a completely harmless EXE that happened to be sitting on my Kali desktop: accesschk, from Sysinternals. I uploaded it to VT:
Then I ran it through msfvenom with 100 iterations of x86/shikata_ga_nai. I did not embed a payload or otherwise alter it.
I uploaded my msfvenom-encoded (but harmless) EXE:
Veil-Evasion was released in 2013. Chris Truncer, one of its creators, announced its release on his personal blog. At the very top, he posted this plea:
Aaaannnndddd a few days later someone posted this comment:
And even now it's not hard to find numerous Veil tutorials that end with the demonstrator uploading their payload to VirusTotal:
But most importantly, when developers who are generously providing their scripts completely free of charge, go so far as to post a message in bright bold letters:
You should respect it.
Just like every other website, VirusTotal tracks its visitors. And if you're trying to get a payload past AV, you'll be uploading a file, checking it, tweaking it, re-uploading it, rinse, repeat, etc. etc. That's not exactly the behavior of a typical user.
One researcher was able to watch as a team of hackers tested their new malware. We shouldn't be surprised if others are watching as well. From Wired, Sept. 2014:
Just because a payload isn't caught on VT, doesn't mean that AV won't kill it as soon as it executes.
VT uses pure signature-based detection. But almost every AV out there has at least some manner of sandboxing or heuristic detection. This means that the AV might still detect your payload based on how the program behaves.
- The absolute best thing you can do is find out what AV your target uses, download a free trial, and install it on a VM to test. (Make sure you check the settings. Most will automatically report viruses they catch -- but you can turn that off).
- There are several scanning sites out there that claim they never distribute files to AV companies or anywhere else. But there isn't a good way to verify this, so beware.
- Do this instead: How to Safely Check Veil Payloads Against VirusTotal
Or... upload to VirusTotal anyway. If you're using your own encoding and obfuscation techniques (and not, for example, Veil). Maybe you're using a file splicer and a Hex editor to manually alter a signature. Then by all means, use VT if you want.
Yes, the file's signature will be distributed. But it'll take days or weeks before the signature is pushed out to users. If this is a one-off file you intend to use on a single target within the next few days, then you should be fine. Just don't be a jerk.