Metasploit Framework Executable Encoding
A school project. How well does Metasploit encode its executables? I'm putting it to the test against 10 different antivirus programs. This is just the proposal; the finished version should be done in a month or so.



Presentation Transcript

  • Metasploit Payload Encoding and Antivirus Detection
  • Research Question
    • How well does Metasploit’s executable encoding prevent detection by antivirus software?
  • Hypothesis & Null Hypothesis
    • The Shikata Ga Nai encoding scheme will result in the lowest number of detections by antivirus software, because it uses a polymorphic engine.
    • Null hypothesis: there is no statistical difference in antivirus detection between executables encoded with the different Metasploit encoders.
  • Introduction
    • Rationale
      • War between antivirus software and malware programmers
      • What is Metasploit?
      • How well are we protected from malware?
      • Negative effects of malware
      • Can a simple encoding scheme render AV useless?
      • What about more advanced encoders?
      • How well can AV software defend against the easily accessible encoders provided by the Metasploit framework?
  • Terms
    • Malware
      • Any file that does things to a computer that its user does not want it to do, or is not aware of
    • MD5
      • Method of creating a "fingerprint" for a file: a 128-bit hash, so 2^128 (about 3.4 × 10^38) possible values. Two different files are vanishingly unlikely to share one by accident, but MD5 is not unique to every file: collisions can be constructed deliberately. Changing a single byte of a file changes its hash.
    • Binary file
      • An executable program's file
    • Sandbox
      • Virtual area that is completely separated from the host computer
  • Terms Continued
    • Compile
      • To turn readable code into an executable file
    • Encryption + Decryption
      • Encryption turns information into seemingly random information using a key (like a password); decryption reverses this
    • Exploit
      • Code that takes advantage of a programmer's mistake (the vulnerability) and can make a computer execute programs of the attacker's choosing. A 0day is an exploit for a vulnerability that has no fix available yet.
    • TCP/IP
      • Protocol that the Internet mainly works on
    • Virtual Machine
      • Program used to emulate (simulate) an entire computer
  • Background: How AV Works
    • 2 main methods of detection:
      • File signature
      • Heuristics
  • File Signatures
    • Most common method
    • Static signature (e.g. the MD5 of the file) or an algorithmic signature
      • Ex/ a hash of the whole file, or a byte pattern that looks for known suspicious code
    Flow (diagram): unknown file → compute a signature from the unknown file → compare it to a database of known file signatures → does it match the signature of a known virus?
  • File Signature Scanning
    • Benefits:
      • Easy to implement
      • Not resource intensive
    • Limitations
      • Useless against new threats
  • Heuristic Scanning
    Flow (diagram): unknown file → run it in a sandbox → monitor system calls & activity and relay the info to a risk analysis engine → does it look suspicious?
  • Heuristic Scanning
    • Benefits:
      • Can detect new malware
      • Doesn't rely on a signature database
    • Limitations:
      • False positives
      • Resource intensive
  • How To Avoid Detection
    • Polymorphism
      • Functional portion of code is encrypted
      • Decrypted at run time
      • Change encryption/decryption key each time run
    • Metamorphism
      • Each time malware replicates, change itself
    • Oligomorphism
      • Similar to polymorphism
      • Chooses its decryptor from a small fixed set of decryptor/key combinations
  • Polymorphism (diagram)
    • Encrypted portion: random-looking bytes, plus the encryption + decryption engine with its key (key=10) and a stub like If (decrypted) { EvilStuff(); }
    • Run: decrypt the main code, then do evil things to the computer
    • Change the encryption + decryption engine and change the key (key=11)
    • Encrypt the main code with the new key and engine: the encrypted portion now looks completely different
  • Metamorphism (diagram)
    • Virus in hex view: 0x74 0x68 0x69 0x73 0x20 0x69 0x73 0x20 0x70 0x77 0x6e 0x7a 0x6f 0x72 0x20 0x63 0x6f 0x64
    • Runs and does evil stuff: void main() { EvilFunction(); }
    • Takes its own source code and adds a useless piece (like a NOP slide): void main() { EvilFunction(); UselessFunction(); }
    • Recompiled with the new code, and a new binary is produced: 0x7a 0x6f 0x6d 0x67 0x20 0x64 0x69 0x73 0x20 0x69 0x00 0x00 0x00 0x00 0x00 0x73 0x20 0x6e
  • Oligomorphism (diagram)
    • Encrypted portion plus an [engine] whose key=??? is chosen from a small set of decryptor/key pieces (A, B, C, D)
    • Examples: If (decrypted) { EvilStuff(123); } key=a+c/b; If (decrypted) { EvilStuff(321); } key=b+c^d; If (decrypted) { EvilStuff(213); } key=b%2 +c
  • Metasploit Itself
    • Exploit framework
    • Ruby
    • Exploits + payloads
    • >1mil annual downloads
    • Constantly updated with exploits seen in the wild
    • Can produce standalone trojan binaries
  • In this study...
    • Reverse TCP Payload
      • Reverse = the victim connects back to the attacker, so the connection originates from inside the victim's network
      • TCP = the transport protocol the connection uses over the Internet
    • All information for the connection (attacker IP and port) is hard-coded in the executable
    Diagram: unknowing victim → connection → attacker
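An added example, not from the deck or from Metasploit itself, that ties together the signature-scanning flow, the polymorphism slide and the hard-coded connect-back data above: a toy polymorphic XOR encoder next to a hash-based scanner, in Ruby because that is the language Metasploit's encoders are written in. The PAYLOAD string, the signature database and the KEY= header are all constructed for illustration; real Shikata Ga Nai output is x86 shellcode whose decoder stub itself mutates, not a string with a fixed header.

```ruby
require 'digest'

# Constructed stand-in for the functional part of an executable.  It is a
# plain string here, not real shellcode, but it carries the kind of hard-coded
# connect-back data (address and port) a reverse TCP payload contains.
PAYLOAD = "connect 192.0.2.10:4444 and wait for commands".b

# Signature database of the toy scanner: the MD5 of the *unencoded* file is
# "known", which is what a real AV has once a sample has been submitted.
def signature(bytes)
  Digest::MD5.hexdigest(bytes)
end
SIGNATURE_DB = [signature(PAYLOAD)].freeze

# File-signature scanning: compute the signature, look it up in the database.
def detected?(bytes)
  SIGNATURE_DB.include?(signature(bytes))
end

# One polymorphic generation: encrypt the body with a fresh 1-byte XOR key and
# prepend a tiny "decryptor" header that carries the key.  Key 0 is excluded
# because it would leave the body unchanged.  A real engine also rewrites the
# decryptor stub; this toy only changes the key, and so the encrypted body.
def encode(payload, key = rand(1..255))
  body = payload.bytes.map { |b| b ^ key }.pack('C*')
  "KEY=".b + [key].pack('C') + body
end

# What the decryptor stub does at run time: recover the key, undo the XOR.
def decode(blob)
  key  = blob.getbyte(4)
  body = blob.byteslice(5, blob.bytesize - 5)
  body.bytes.map { |b| b ^ key }.pack('C*')
end

if $PROGRAM_NAME == __FILE__
  gen1 = encode(PAYLOAD)   # two generations of the same payload
  gen2 = encode(PAYLOAD)   # (with 1/255 odds they pick the same key)
  puts "unencoded detected?            #{detected?(PAYLOAD)}"
  puts "generation 1 detected?         #{detected?(gen1)}  md5=#{signature(gen1)}"
  puts "generation 2 detected?         #{detected?(gen2)}  md5=#{signature(gen2)}"
  puts "both decode to the original?   #{decode(gen1) == PAYLOAD && decode(gen2) == PAYLOAD}"
  puts "address visible in encoded file? #{gen1.include?('192.0.2.10'.b)}"
  # A scanner that first lets the stub run (what the sandbox step of heuristic
  # scanning approximates) sees the original bytes again.
  puts "detected after letting it decrypt? #{detected?(decode(gen1))}"
end
```

The point the toy makes is the one the proposal tests: a whole-file hash is defeated by any re-keying, and the hard-coded IP and port disappear from a strings-style scan too, but a scanner that executes or emulates the decryptor recovers the known body. That is why the study's heuristic-capable products are expected to behave differently from pure signature scanners.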
  • Variables
    • Independent:
      • Type of encoder used
    • Dependent:
      • Whether or not the malware is detected by AV
  • Controls
    • Positive:
      • Unencoded executable
    • Negative Control:
      • A file known to be benign
      • "hello world" program in C, compiled on a clean Ubuntu install
    • Constants:
      • The environment in which each scan is performed is identical
      • VMware's snapshot feature restores the same clean state before every scan
    • Same version of AV
      • All 2011
    • All AV updated to most recent virus definitions
    • Same version & installation of Metasploit used
  • Controls and More
    • Same exploit & payload
    • Same reverse TCP information (IP, port) used
    • All encodings were done on the same original executable
    • Replicates
      • Each scan is repeated 5 times per trial to ensure the verdict is consistent
  • Data Collection
  • Analysis
    • Is there statistical difference between encoders?
    • Chi Square Test
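An added example, not part of the proposal: the chi-square test of independence named above, carried through in Ruby on a constructed encoders × verdict table. The encoder names, the counts and the use of 10 products per encoder are assumptions made for illustration, not study results; the critical values are the standard 0.05 table for 1 to 5 degrees of freedom.

```ruby
# Constructed example counts, not results from the study: for each encoder,
# how many of the 10 antivirus products flagged the file.  Each product is
# counted once per encoder; repeated scans of the same product confirm its
# verdict and are not additional independent observations.
OBSERVED = {
  'unencoded (positive control)' => { detected: 10, clean: 0 },
  'encoder A (hypothetical)'     => { detected: 7,  clean: 3 },
  'encoder B (hypothetical)'     => { detected: 4,  clean: 6 },
}.freeze

# Critical values of chi-square at alpha = 0.05 for 1..5 degrees of freedom.
CRITICAL_05 = { 1 => 3.841, 2 => 5.991, 3 => 7.815, 4 => 9.488, 5 => 11.070 }.freeze

# Chi-square test of independence on an (encoders x verdict) table.
#   expected cell  = row total * column total / grand total
#   statistic      = sum over cells of (observed - expected)^2 / expected
#   degrees of freedom = (rows - 1) * (columns - 1)
def chi_square(table)
  rows       = table.values.map { |r| [r[:detected], r[:clean]] }
  n          = rows.flatten.sum.to_f
  row_totals = rows.map(&:sum)
  col_totals = rows.transpose.map(&:sum)
  expected   = row_totals.map { |rt| col_totals.map { |ct| rt * ct / n } }
  statistic  = rows.each_with_index.sum { |row, i|
    row.each_with_index.sum { |obs, j|
      e = expected[i][j]
      e.zero? ? 0.0 : (obs - e)**2 / e   # an empty column contributes nothing
    }
  }
  {
    statistic: statistic,
    df: (rows.size - 1) * (col_totals.size - 1),
    expected: expected,
    # The chi-square approximation is unreliable when any expected count is
    # below 5; with only 10 products per encoder that happens easily, so flag
    # it (an exact test such as Fisher's is the usual fallback).
    low_expected: expected.flatten.any? { |e| e < 5 },
  }
end

# Reject the null hypothesis (no difference in detection between encoders)
# when the statistic exceeds the critical value for the table's df.
def reject_null?(result, critical = CRITICAL_05)
  result[:statistic] > critical.fetch(result[:df])
end

if $PROGRAM_NAME == __FILE__
  r = chi_square(OBSERVED)
  printf("chi-square = %.3f, df = %d, reject H0 at 0.05? %s\n",
         r[:statistic], r[:df], reject_null?(r))
  warn 'warning: an expected count is below 5; the approximation is weak' if r[:low_expected]
end
```

With every Metasploit encoder in the table the degrees of freedom exceed 5, so the critical-value table has to be extended for the real analysis; the low-expected-count check matters more, because 10 products split between detected and clean will often leave a cell with an expected count under 5.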