
 

Creating and Hiding Payload

May 23, 2009 in Security

In this case I will show you how to use FastTrack, which uses Metasploit's payload generator, to create a malicious payload, and why anti-virus fails.

Let's first use BackTrack 4 and FastTrack to create the payload.  Click the Generator on the left-hand side and start going through the process [figure 1].

[figure 1]

Once you finish going through the executable payload generator, it will save the malicious file as payload.exe.  I grabbed that payload and did a little analysis on it.  Since I encoded the payload in avoid_utf8_tolower, I wasn't able to run strings against it to gain any insight into the file.  I dropped this exe file on my Windows box to do a little malware analysis.  I ran Regshot, Process Monitor, and OllyDbg to see if there was anything else malicious in the file (other than what I had configured).  All in all it looked pretty clean to me.

[figure 2]

Now that we have our payload, we can take an additional step to hide this from antivirus or from unsuspecting users.  In this case, I will show you this using IExpress, which is built into Windows.

IExpress is a technology designed to simplify creation of a setup program. Using the step-by-step IExpress Wizard, you can create self-extracting files that automatically run the setup program contained inside. The setup program can be an .inf file or an executable program. IExpress technology automatically removes the setup files after installation, saving the user time and frustration.  -http://technet.microsoft.com/en-us/library/dd346760.aspx

Go to Run, type iexpress, and go through the setup.

[figure 4]

Create new self extracting file
Extract file and run an installation command
No Prompt
Do not display license

Under packaged files, add both the malicious payload.exe and another executable to hide your file.  In this case we will use calc.exe.

[figure 5]

Install program [calc.exe] and post install command [payload.exe]
Hidden
Name the new executable and select only the option: Hide File Extraction Progress
Finish

Let's look at the properties of these two files: the original payload.exe and the new hidden payload, called best_calc.exe.

In this figure [figure 6], we can see that best_calc.exe shows that it was made by Microsoft.  ooOo…

[figure 6]

Now when I put up a listener on my Linux box, open up best_calc.exe on my Windows box, and then close calc.exe, we get:

[figure 7]

Shell!!!!

Lastly, I ran this file against VirusTotal.com to see which antivirus companies could detect it:

drum roll please…

6/39 detected this as suspicious…  Not too bad!
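
For triaging a wrapper like best_calc.exe, the following sketch (an added example, not code from the original post) lists the file names in the cabinet embedded in a self-extractor and flags packages that bundle two or more executables. It assumes the IExpress extractor stub carries resources named CABINET and POSTRUNPROGRAM and that the cabinet follows the standard MS-CAB header layout; `make_sample` builds constructed test bytes, not a real package.

```python
import struct

STUB_RESOURCES = ("CABINET", "POSTRUNPROGRAM")  # assumed IExpress stub resource names
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd")

def list_cab_files(data, off):
    """File names from the CFFILE entries of the cabinet starting at `off`."""
    # CFHEADER (36 bytes): sig, res1, cbCabinet, res2, coffFiles, res3,
    # verMinor, verMajor, cFolders, cFiles, flags, setID, iCabinet
    hdr = struct.unpack_from("<4sIIIIIBBHHHHH", data, off)
    if (hdr[7], hdr[6]) != (1, 3):
        raise ValueError("not a cabinet header")
    pos, names = off + hdr[4], []
    for _ in range(hdr[9]):
        pos += 16  # fixed CFFILE fields: cbFile, uoffFolderStart, iFolder, date, time, attribs
        end = data.index(b"\0", pos)  # szName is NUL-terminated
        names.append(data[pos:end].decode("latin-1"))
        pos = end + 1
    return names

def triage(data):
    """Heuristic report on a possible IExpress self-extractor."""
    report = {"stub": False, "packaged": [], "suspicious": False}
    if data[:2] != b"MZ":
        return report
    # PE resource names are stored as UTF-16LE strings.
    report["stub"] = all(r.encode("utf-16-le") in data for r in STUB_RESOURCES)
    off = data.find(b"MSCF")
    while off != -1:
        try:
            report["packaged"] += list_cab_files(data, off)
        except (struct.error, ValueError):
            pass  # "MSCF" bytes that are not a real cabinet header
        off = data.find(b"MSCF", off + 4)
    execs = [n for n in report["packaged"] if n.lower().endswith(EXEC_EXT)]
    # An installer plus a second executable is the bundling pattern described above.
    report["suspicious"] = report["stub"] and len(execs) >= 2
    return report

def make_sample(names):
    """Constructed test input: fake PE bytes with a minimal cabinet listing `names`."""
    folder = struct.pack("<IHH", 0, 0, 0)  # one empty CFFOLDER entry
    files = b"".join(struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 0x20) + n.encode() + b"\0" for n in names)
    cab = struct.pack("<4sIIIIIBBHHHHH", b"MSCF", 0, 44 + len(files), 0, 44, 0, 3, 1, 1, len(names), 0, 0, 0)
    return b"MZ" + b"\0" * 62 + "".join(STUB_RESOURCES).encode("utf-16-le") + cab + folder + files

if __name__ == "__main__":
    print(triage(make_sample(["calc.exe", "payload.exe"])))
```

A hit is only a lead for review, since legitimate installers also bundle several executables; pair it with a check of whether the file carries a valid Authenticode signature.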
[figure 8]