Techniques for the manipulation of malicious payloads to improve evasion

Pierluigi Paganini January 24, 2017

Security researchers at the iSwatlab have conducted an analysis of a few methods for the creation of some malicious payloads or shellcodes.

This work compares some infamous methods for the creation of malicious payloads or shellcodes. These payloads must be used to create a remote connection between the victim’s machine and the attacker’s machine that wants to listen and, once a connection is successfully established, obtain sensitive information or make an attack to that user. Their creation was made by using some free tools, running on a Kali Linux machine, that are:

  • Metasploit
  • Veil framework
  • TheFatRat

This comparison is made according to the capability of malicious payloads in bypassing default security systems available on Windows machines and antivirus systems on the market, looking for a way to obtain a payload that manages to be invisible simultaneously to several security systems. Security systems embedded on Windows that have been used and tested for this work are:

  • Windows Defender
  • Windows Firewall
  • Windows SmartScreen

Online scanners have been also used, which perform a check of created files using multiple antivirus engines simultaneously. Scanners then used in this work were:

  • OPSWAT Metadefender
  • Scan4you/Poison Scanner

For each of the used tools, the following table shows the best results obtained by malicious payload creation. Remember that to obtain a good result means being able to bypass Windows security systems (denoted as “Yes” or “No” in the table) and some online scanners (denoted in the table by the number of antivirus solutions which recognize malicious payload on the total number of executed antivirus).

malicious payloads manipulation

(* – Windows SmartScreen can block malicious payload if it is downloaded from the Internet; otherwise, Windows SmartScreen not considers it as malicious)

malicious payloads manipulation

In this report, configured systems for payloads production and testing will be briefly introduced, as well as, to show and to discuss the results from different methodologies trying to create a FUD (fully undetectable) backdoor.

Enjoy the report!

About the Author Prof Corrado Aaron Visaggio

aaron-visaggioCorrado Aaron Visaggio is an assistant professor of Software Security of the MsC in Computer Engineering at the University of Sannio, Italy. He obtained the PhD in computer engineering aWashingsity of Sannio (Italy). His research interests include malware analysis, software security,code assessment, and data privacy. He is the author of more than 70 papers published in international journals, international and national conference proceedings, and books. 
He is responsible of the ISWATLAB a laboratory on Software Security research at the University of Sannio. 
He is member of the CINI CyberSecurity Lab. member of the CINI CyberSecurity Lab. member of the CINI CyberSecurity Lab. 
He is member of the European CyberSecurity Organization at EU.member of the European CyberSecurity Organization at EU.member of the European CyberSecurity Organization at EU.
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – malicious payloads, malware)

[adrotate banner=”13″]

you might also like

leave a comment