Tuesday, November 18, 2014

I Piss on your AV

I did this sometime last year, and was successful at bypassing the majority of Antivirus vendors. To re visit the topic again a year later, and to see if AV vendors are any better at detection. I thought I would document my finding and share them with my FB people.

I will use Kali Linux to generate malicious code which will then be compiled into an EXE or executable file, which will go undetected by AVG.

 Scenario: A windows user downloads a file (P2P, torrent files etc...) off internet. Thinking he /she is protected because of antivirus. Un- known to the user the file he /she is downloading has been backdoored and will ultimately gave an attacker full control over their computer.

Goal: To show everyday internet users who 'nothing is for free' on the internet!! 

I am using two systems to demo this:

 1. Kali Linux - IP address 172.16.110.10  A.K.A. "Attacker"

 2. Windows 7 with AVG Pro - IP address 172.16.110.15 (highlighted in white below)  "A.K.A. Victim"


Victim computer


Take note of the Virus Database Version. It has been updated to today's date Nov 18, 2014.


Attacking computer






Now I will simulate on the Victim computer, downloading this file.







The malicious is now downloaded onto the Victim's computer.





Now lets use AVG to scan our EXE file!





AVG says the file is 'clean'




Back on the Attacking computer, note the white cursor in bottom left corner of the above pic. This basically shows that the Attacking computer is waiting for a connection.


So at this point the Victim double-clicks on the malicious EXE 'pissOnAV.exe'


As a result of the victim user double-clicking on 'pissOnAV.exe' you can see above that the Attacking computer has received a connection from the Victim computer.







 The above pic shows highlighted in white the IP address of my Attacking machine. This demonstrates, that I am infact using that computer.

 In the same pic, on the bottom portion you can see I have control over the Victims computer. Note the IP address 172.16.110.15 (victim computer) 











To demonstrate exactly what has happened you can see above I wrote the text  "I PISS ON your AV"
into a file called 'note.txt'

 Lets go back to our Victim machine to see this materialize.





So there you have it AV sucks! Hope someone enjoyed this post ;)

To expand upon yesterday's post I will demo, the concealment of the EXE to look and act as a legitimate file.

 I choose to use Safari for Windows.

 


So I have backdoored Safari and even when you view the details about the file, it appears legit.

Again I scan the file with AVG, and again the file is clean.


The victim user double-clicks on the Safari executable, and it installs as it normally would.


Safari installs correctly and is usable.

 On the Attacking machine we will see the same connection as before.

Above note the connection being made from Attacker 172.16.110.10, Victim 172.16.110.15



Above highlighted in white is Attacking IP address 172.16.110.10, below is the Attacker accessing the Victims computer, due to the malicious executable Safari.


On the Attacking system while in control of the Victim computer I write "You have just installed a backdoored version of Safari" into a text file called new.safari.hack.txt




Back on the Victim computer we see the text file new.safari.hack.txt, which was written on the Desktop from the Attacker computer.
This method is especially prevalent when someone is offering a usually PAID program for FREE...Nothing on the internet is FREE!!
Posted by at No comments:
Subscribe to: Posts (Atom)