Metasploit mailing list archives

Re: my handler has been p0wned


From: Civ <framework () 8thdaytech com>
Date: Wed, 16 Mar 2011 17:38:01 -0700

From the VT TOS.
"... When you submit a file to VirusTotal for scanning, we may store it
and share it with the anti-malware and security industry (normally the
companies that participate in VirusTotal receive the samples that their
engines do not detect and are catalogued as malware by at least one
other engine). The samples can be analysed by automatic tools and
security analysts to detect malicious code and to improve antivirus
engines. ..." http://www.virustotal.com/terms.html

An AV vendor could be examining your "unknown" submission, thus
responsible for a connection or two to your handler. I have observed
this in the past. Stay away from VT if you are concerned at all about
keeping your exe from being detected by AVs before deployment.

Submit the hash of your file instead.

On 03/16/2011 08:57 AM, al1c3andb0b wrote:
> On 03/16/2011 03:54 PM, Nicolas Krassas wrote:
>> Did you upload your "testing" files to any of the AV scanning sites?
>> e.g. VirusTotal?
> Yes I did, and with various payloads, but not during these tests (anyway
> I've stopped using these sites), and most often I've used private
> addresses (not even sure I've ever used my public IP once).
>
> But I'm not sure I understand your point: you mean one may download my
> test payload from VirusTotal, execute it, the stager reaches my handler,
> which in turn starts sending stages. The payload may fail to execute or
> have no "visible" consequence, so I only see "sending stages" messages in
> msfconsole.
> Though this could be possible, I think it's pretty improbable, as this
> implies:
> - one day I've uploaded a staged payload to VirusTotal, containing my
> public IP and targeting port 8080
> - Bob has downloaded this payload, with the intent to execute it: why,
> as this makes Bob the victim? Do you rather think of researchers
> doing a survey, or some kind of official services that try to identify
> potential attackers through the VirusTotal database?
> - The payload, on Bob's platform, fails to execute OR the payload has no
> visible consequence
> - One day, I expose my host (DMZ), and start the _appropriate_
> metasploit handler
> - This very same day, Bob tries to execute my payload
>
> Another nice story, but I don't think that's what happened to me.




_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
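A monitoring check in the spirit of this thread, added here as an example and not code from the list or from either poster: it scans handler console output for "Sending stage" events and flags any destination address outside the networks expected for the test, so an uninvited stager (for instance a sandbox that picked the sample up from a scanning service) is noticed rather than silently served. The sample log lines, the scope network and the function names are all constructed assumptions; the line format is modelled on the "[*] Sending stage (N bytes) to A.B.C.D" messages a Metasploit handler prints.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed sample of handler console output (addresses and sizes
# are made up for this example; the line shape follows msfconsole's
# "Sending stage (N bytes) to A.B.C.D" messages).
SAMPLE_LOG = """\
[*] Started reverse handler on 0.0.0.0:8080
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.56.101
[*] Sending stage (752128 bytes) to 192.168.56.102
[*] Sending stage (752128 bytes) to 203.0.113.77
[*] Sending stage (752128 bytes) to 198.51.100.9
"""

# Assumed engagement scope: only hosts in these networks are expected
# to reach the listener during the test.
SCOPE = [ipaddress.ip_network("192.168.56.0/24")]

STAGE_RE = re.compile(
    r"Sending stage \((\d+) bytes\) to (\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_stage_events(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Return (destination_ip, stage_bytes) for every 'Sending stage' line."""
    events: List[Tuple[str, int]] = []
    for line in lines:
        m = STAGE_RE.search(line)
        if m:
            events.append((m.group(2), int(m.group(1))))
    return events


def out_of_scope(events: List[Tuple[str, int]], scope) -> List[str]:
    """Addresses that were served a stage but sit in none of the scope networks."""
    flagged: List[str] = []
    for ip, _size in events:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in scope):
            flagged.append(ip)
    return flagged


def unexpected_stagers(log_text: str, scope=SCOPE) -> List[str]:
    """Convenience wrapper: parse a console dump and return the out-of-scope hosts."""
    return out_of_scope(parse_stage_events(log_text.splitlines()), scope)


if __name__ == "__main__":
    for ip in unexpected_stagers(SAMPLE_LOG):
        print(f"stage delivered to out-of-scope host {ip}: investigate before continuing")
```

In practice the handler output would be tailed from a spool or log file rather than embedded as a string, and the scope list would come from the engagement's rules; the point is that every stage delivery is checked against an explicit allow list, so a connection from somewhere the sample should never have reached stands out immediately.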

