As a security professional you need the power to penetrate any machine, but antivirus software always gets in your way. In this article we will explain in detail how to obfuscate your malware and embed it into an antivirus installer to hide it from antivirus software.
First, why use an antivirus installer to hide our malware?
Hiding malware inside antivirus software is a clever idea. Users usually remove their old antivirus software before upgrading to a new one, which gives you a good chance that your malware is never scanned and runs without any problems. If an antivirus is present it will scan the file for suspicious code, but antivirus software itself shows this kind of behavior because it needs to access and maintain system files, so the AV may let the program run, treating the behavior as a false positive.
Another point: users often search for cracked versions of commercial AV products, so they may ignore AV warnings because they know that cracks exhibit malicious behavior.
How does AV catch malware?
1) Signature-based detection: calculate the hash of the file, then compare it with known malware hashes.
2) Heuristic-based detection: run the program in a sandbox environment and analyze it for suspicious behavior.
How does code injection work?
Injecting code into a legitimate Windows executable file relies on the free space in the .text section, called a code cave. Tools like Shellter use this technique to bypass AV by storing the malware payload in a code cave and then redirecting execution at some point in the legitimate program to the address of the payload.
It sounds like an easy technique, but the algorithm is not that simple, and Shellter uses polymorphic and other techniques to hide the injected payload.
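From the defender's side, the same code-cave property gives a simple integrity heuristic: the linker's code ends at the .text section's VirtualSize, and the file-alignment padding after it should be all zeros, so non-zero bytes there mean the file was written to after linking. The following inspector is an added example (not Shellter's code or the original post's); it parses the PE section table with the standard library and runs the check over two constructed minimal PE images, one clean and one with bytes written into the padding.

```python
import struct

def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint RVA, list of section dicts) from a PE image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0] # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                     # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
    return entry_rva, sections

def inspect_text_slack(pe: bytes) -> dict:
    """Flag non-zero bytes in the .text padding (the cave between VirtualSize and
    SizeOfRawData) and report whether the entry point lies inside .text."""
    entry_rva, sections = parse_sections(pe)
    text = next(s for s in sections if s["name"] == ".text")
    start = text["rawptr"] + text["vsize"]
    slack = pe[start:text["rawptr"] + text["rawsize"]]
    end = text["vaddr"] + max(text["vsize"], text["rawsize"])
    return {"slack_bytes": len(slack),
            "nonzero_in_slack": sum(1 for b in slack if b != 0),
            "entry_in_text": text["vaddr"] <= entry_rva < end}

def build_pe(text_code: bytes, slack: bytes) -> bytes:
    """Constructed minimal PE32 image (DOS stub, headers, one .text section) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 224
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)               # entry point RVA inside .text
    rawptr, rawsize = 0x200, len(text_code) + len(slack)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text_code), 0x1000, rawsize,
                       rawptr, 0, 0, 0, 0, 0x60000020)    # CODE | EXECUTE | READ
    return (dos + coff + bytes(opt) + sect).ljust(rawptr, b"\0") + text_code + slack

# Constructed samples: 5 bytes of code, 11 bytes of padding (zeros vs. overwritten).
CLEAN = build_pe(b"\x55\x89\xe5\x5d\xc3", b"\0" * 11)
TAMPERED = build_pe(b"\x55\x89\xe5\x5d\xc3", b"\0" * 3 + b"\xcc" * 8)
```

This is only one heuristic (a tool may place its payload inside the code rather than the trailing padding), so for an installer the stronger check is comparing the file's hash and Authenticode signature against what the vendor published.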
What we are going to do in the video tutorial:
1) Get the AVG antivirus installer from here
2) Get Shellter (AV evasion tool) from here
3) We will inject a reverse TCP Meterpreter into the AVG installer.
4) We will test the new malware in a Windows 7 virtual machine (with AVG installed on the system).
Let's watch the video:
Proof of Concept: