Techniques for the manipulation of malicious payloads to improve evasion

Security researchers at the iSwatlab have conducted an analysis of a few methods for the creation of some malicious payloads or shellcodes.

This work compares some infamous methods for the creation of malicious payloads or shellcodes. These payloads must be used to create a remote connection between the victim’s machine and the attacker’s machine that wants to listen and, once a connection is successfully established, obtain sensitive information or make an attack to that user. Their creation was made by using some free tools, running on a Kali Linux machine, that are:

Metasploit
Veil framework
TheFatRat

This comparison is made according to the capability of malicious payloads in bypassing default security systems available on Windows machines and antivirus systems on the market, looking for a way to obtain a payload that manages to be invisible simultaneously to several security systems. Security systems embedded on Windows that have been used and tested for this work are:

Windows Defender
Windows Firewall
Windows SmartScreen

Online scanners have been also used, which perform a check of created files using multiple antivirus engines simultaneously. Scanners then used in this work were:

OPSWAT Metadefender
Scan4you/Poison Scanner

For each of the used tools, the following table shows the best results obtained by malicious payload creation. Remember that to obtain a good result means being able to bypass Windows security systems (denoted as “Yes” or “No” in the table) and some online scanners (denoted in the table by the number of antivirus solutions which recognize malicious payload on the total number of executed antivirus).

(* – Windows SmartScreen can block malicious payload if it is downloaded from the Internet; otherwise, Windows SmartScreen not considers it as malicious)

In this report, configured systems for payloads production and testing will be briefly introduced, as well as, to show and to discuss the results from different methodologies trying to create a FUD (fully undetectable) backdoor.

Enjoy the report!

About the Author Prof Corrado Aaron Visaggio

Corrado Aaron Visaggio is an assistant professor of Software Security of the MsC in Computer Engineering at the University of Sannio, Italy. He obtained the PhD in computer engineering aWashingsity of Sannio (Italy). His research interests include malware analysis, software security,code assessment, and data privacy. He is the author of more than 70 papers published in international journals, international and national conference proceedings, and books.

He is responsible of the ISWATLAB a laboratory on Software Security research at the University of Sannio.

He is member of the CINI CyberSecurity Lab. member of the CINI CyberSecurity Lab. member of the CINI CyberSecurity Lab.

He is member of the European CyberSecurity Organization at EU.member of the European CyberSecurity Organization at EU.member of the European CyberSecurity Organization at EU.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – malicious payloads, malware)

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.