Antivirus Bypass: Friendly Reminder to Never Upload Your Samples to VirusTotal

Jul 26, 2015 08:02 PM
Jul 26, 2015 08:04 PM

For many of you, this is common knowledge. But I still regularly see comments posted here and elsewhere asking, "This <AV bypass> doesn't work, because when I upload my payload to VirusTotal...."

It's a totally understandable beginner mistake. After all, it seems like a clever thing to do. There are even a lot of otherwise perfectly nice tutorials out there that encourage you to upload your file to check it.

Years ago, VirusTotal DID have an option that would allow you to scan without distributing the file -- but then the AV companies fought to have that option removed.

VirusTotal (And Other Online Scanners) Hand Everything Over to Antivirus Companies

This has never been a secret. VT's About page spells this out quite clearly:

[Screenshot: VirusTotal's About page]

So you upload your custom payload and only 4 out of the 57 AVs flagged it? That's pretty impressive! Nice job! Unfortunately, you just auto-generated a report that will be sent to 53 antivirus product makers.

:(

If You Are Using Someone Else's Tool, You Are Making It Less Likely to Work in the Future, Ruining It for Everyone

"So what? It's just a practice file and I'd only be hurting myself."

AV companies aren't always detecting a payload signature -- they're often detecting the method used to hide it. Every time you upload a test payload, you're helping them along.

To demonstrate this, I broke my own rule (the only time, I swear!!).

First, I took a completely harmless EXE that happened to be sitting on my Kali desktop: accesschk, from Sysinternals. I uploaded it to VT:

[Screenshot: VirusTotal result for the unmodified accesschk]

0/0 -- no surprise there

Then I ran it through msfvenom with 100 iterations of x86/shikata_ga_nai. I did not embed a payload or otherwise alter it.

[Screenshot: the msfvenom command with 100 iterations of x86/shikata_ga_nai]

I uploaded my msfvenom-encoded (but harmless) EXE:

[Screenshot: VirusTotal result for the encoded accesschk]

20/55 flagged it!
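To make concrete why a harmless accesschk went from 0 to 20/55 detections, here is an added example in Python that models the experiment; it is not code from the post, from msfvenom, or from any AV vendor. The "encoder" is a constructed stand-in for x86/shikata_ga_nai (a fixed decoder stub plus a one-byte XOR), and the stub string, sample file bodies and known-bad hash list are all constructed for the example. The point it shows is the one the post makes: a hash signature stops matching as soon as the file is re-encoded, but whatever the encoder leaves constant in every output (here, the stub) is exactly what a vendor's signature ends up matching, harmless body or not.

```python
"""Toy model of why a scanner flags the encoder, not the file.

Added example, not code from the original post or from the Metasploit
project. The encoder below is a constructed stand-in for shikata_ga_nai:
real decoder stubs are polymorphic machine code, but the principle is the
same: whatever stays constant across every encoded output is what a
signature will be written against.
"""
import hashlib

# Constructed marker standing in for a decoder stub. Every output of
# toy_encode() starts with it, regardless of the body or the key.
DECODER_STUB = b"TOY-DECODER-STUB:"

# Constructed sample inputs: a harmless body (think accesschk) and a body
# that a vendor already holds a hash signature for.
HARMLESS_BODY = b"MZ harmless utility, does nothing interesting"
KNOWN_BAD_BODY = b"MZ constructed sample that vendors already know"
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD_BODY).hexdigest()}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def toy_encode(body: bytes, key: int) -> bytes:
    """Model of an encoder: constant stub, then the key, then the XOR-ed body."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte")
    return DECODER_STUB + bytes([key]) + bytes(b ^ key for b in body)


def toy_decode(blob: bytes) -> bytes:
    """Reverse of toy_encode(); used only to show the body is unchanged."""
    if not blob.startswith(DECODER_STUB):
        raise ValueError("not produced by toy_encode()")
    key = blob[len(DECODER_STUB)]
    return bytes(b ^ key for b in blob[len(DECODER_STUB) + 1:])


def scan(data: bytes) -> dict:
    """Two static checks a scanner might hold: the hash of a known-bad file,
    and a byte pattern for the encoder's constant stub."""
    return {
        "hash_match": sha256_hex(data) in KNOWN_BAD_HASHES,
        "stub_match": DECODER_STUB in data,
    }


def demo() -> list:
    """Walk through the post's experiment with the toy model."""
    results = []
    # 1. Harmless file, untouched: nothing to match (the post's 0/0).
    results.append(("harmless, plain", scan(HARMLESS_BODY)))
    # 2. The same harmless file run through the encoder: the body is still
    #    harmless, but the stub is now present (the post's 20/55).
    encoded = toy_encode(HARMLESS_BODY, 0x41)
    assert toy_decode(encoded) == HARMLESS_BODY
    results.append(("harmless, encoded", scan(encoded)))
    # 3. Known-bad file: caught by hash. Encoded with a fresh key, its hash
    #    changes so the hash signature misses, but the stub still matches.
    results.append(("known bad, plain", scan(KNOWN_BAD_BODY)))
    results.append(("known bad, encoded", scan(toy_encode(KNOWN_BAD_BODY, 0x07))))
    return results


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:>20}: {verdict}")
```

Every encoded output gets a different hash (the key byte and the XOR-ed body change), so uploading a stream of re-encoded variants hands vendors nothing useful about the body; what it does hand them is more confirmation that the constant stub is worth signing, which is why a tool's encoder stops working for everyone.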

Respect the Developers Who Shared Their Code with You

Veil-Evasion was released in 2013. Chris Truncer, one of its creators, announced its release on his personal blog. At the very top, he posted this plea:

[Screenshot: Chris Truncer's plea at the top of the Veil-Evasion release post]

Aaaannnndddd a few days later someone posted this comment:

[Screenshot: a comment on the release post reporting VirusTotal results]

Thanks, alex!!

And even now it's not hard to find numerous Veil tutorials that end with the demonstrator uploading their payload to VirusTotal:

[Screenshot: a Veil tutorial ending with a VirusTotal upload]

But most importantly, when developers who are generously providing their scripts completely free of charge go so far as to post a message in bright bold letters:

[Screenshot: the developers' bold "do not upload to VirusTotal" message]

You should respect it.

VirusTotal Is Watching You

Just like every other website, VirusTotal tracks its visitors. And if you're trying to get a payload past AV, you'll be uploading a file, checking it, tweaking it, re-uploading it, rinse, repeat, etc. etc. That's not exactly the behavior of a typical user.
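As an added example (not from the post, and not anything VirusTotal is known to run), here is how a defender or threat-intel analyst could pick that upload-tweak-re-upload pattern out of a submission log. The log lines, field names, submitter ids and thresholds are all constructed for the example; the logic flags any submitter who uploads several distinct files within a short window, which a one-off "is this attachment safe?" user never does.

```python
"""Spotting iterate-and-resubmit behaviour in a submission log.

Added example, not code from the original post and not VirusTotal's own
tooling. The log format, field names and submitter ids are constructed for
the example. The idea is the one the post describes: a normal user uploads
a suspicious file once, while someone tuning a payload uploads a stream of
slightly different files in quick succession.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per upload. Note u100's steadily
# growing file size at a few minutes' spacing, and u200 re-checking the
# same hash once, hours later.
SAMPLE_LOG = """\
2015-07-26T20:02:11Z submitter=u100 sha256=aaa1 size=51200
2015-07-26T20:02:40Z submitter=u200 sha256=bbb1 size=12000
2015-07-26T20:05:03Z submitter=u100 sha256=aaa2 size=51264
2015-07-26T20:08:57Z submitter=u100 sha256=aaa3 size=51280
2015-07-26T20:11:30Z submitter=u100 sha256=aaa4 size=51296
2015-07-26T21:40:00Z submitter=u200 sha256=bbb1 size=12000
2015-07-26T22:15:12Z submitter=u300 sha256=ccc1 size=900000
"""


def parse_line(line: str) -> tuple:
    """Return (timestamp, submitter, sha256, size) for one log line."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["submitter"], kv["sha256"], int(kv["size"])


def find_iterative_submitters(log_text: str, min_distinct: int = 4,
                              window: timedelta = timedelta(minutes=15)) -> dict:
    """Map submitter -> sorted distinct hashes for every submitter who
    uploaded at least `min_distinct` different files inside one `window`."""
    by_submitter = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, who, digest, _size = parse_line(line)
            by_submitter[who].append((ts, digest))

    flagged = {}
    for who, events in by_submitter.items():
        events.sort()
        # Slide a window starting at each event; stop at the first hit.
        for i, (start, _) in enumerate(events):
            distinct = {d for ts, d in events[i:] if ts - start <= window}
            if len(distinct) >= min_distinct:
                flagged[who] = sorted(distinct)
                break
    return flagged


if __name__ == "__main__":
    for who, hashes in find_iterative_submitters(SAMPLE_LOG).items():
        print(f"{who}: {len(hashes)} distinct uploads in one window -> {hashes}")
```

Re-checking the same hash (u200) is not flagged, because distinct hashes are counted, not uploads; only the submitter producing a new variant every few minutes stands out. A real analysis would add fuzzy-hash similarity between the variants, but even this crude count separates the two behaviours the post contrasts.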

One researcher was able to watch as a team of hackers tested their new malware. We shouldn't be surprised if others are watching as well. From Wired, Sept. 2014:

[Screenshot: excerpt from the Wired article, Sept. 2014]

It's No Guarantee

Just because a payload isn't caught on VT doesn't mean that AV won't kill it as soon as it executes.

VT uses pure signature-based detection. But almost every AV out there has at least some manner of sandboxing or heuristic detection. This means that the AV might still detect your payload based on how the program behaves.

What to Do Instead

  • The absolute best thing you can do is find out what AV your target uses, download a free trial, and install it on a VM to test. (Make sure you check the settings. Most will automatically report viruses they catch -- but you can turn that off).
  • There are several scanning sites out there that claim they never distribute files to AV companies or anywhere else. But there isn't a good way to verify this, so beware.

Or... upload to VirusTotal anyway, if you're using your own encoding and obfuscation techniques (and not, for example, Veil). Maybe you're using a file splicer and a hex editor to manually alter a signature. Then by all means, use VT if you want.

Yes, the file's signature will be distributed. But it'll take days or weeks before the signature is pushed out to users. If this is a one-off file you intend to use on a single target within the next few days, then you should be fine. Just don't be a jerk.
