Metasploit mailing list archives
Re: my handler has been p0wned
From: Civ <framework () 8thdaytech com>
Date: Wed, 16 Mar 2011 17:38:01 -0700
From the VT TOS:

"... When you submit a file to VirusTotal for scanning, we may store it and share it with the anti-malware and security industry (normally the companies that participate in VirusTotal receive the samples that their engines do not detect and are catalogued as malware by at least one other engine). The samples can be analysed by automatic tools and security analysts to detect malicious code and to improve antivirus engines. ..."

http://www.virustotal.com/terms.html

An AV vendor could be examining your "unknown" submission, thus responsible for a connection or two to your handler. I have observed this in the past. Stay away from VT if you are concerned at all about keeping your exe from being detected by AVs before deployment. Submit the hash of your file instead.

On 03/16/2011 08:57 AM, al1c3andb0b wrote:

> On 03/16/2011 03:54 PM, Nicolas Krassas wrote:
>
> > Did you upload your "testing" files to any of the av scanning sites ? eg. virustotal ?
>
> Yes I did, and with various payloads, but not during these tests (anyway I've stopped using these sites), and most often I've used private addresses (not even sure I've ever used my public IP once).
>
> But I'm not sure I understand your point: you mean one may download my test payload from VirusTotal, execute it, the stager reaches my handler, which in turn starts sending stages. The payload may fail to execute or has no "visible" consequence, so I only see "sending stages" messages in msfconsole.
>
> Though this could be possible, I think it's pretty improbable, as this implies:
>
> - one day I've uploaded a staged payload to VirusTotal, containing my public IP and targeting the port 8080
> - Bob has downloaded this payload, with the intent to execute it: why, as this makes Bob the victim? Do you rather think about researchers doing a survey, or some kind of official services that try to identify potential attackers through the VirusTotal database ?
> - The payload, on Bob's platform, fails to execute OR the payload has no visible consequence
> - One day, I expose my host (DMZ), and start the _appropriate_ metasploit handler
> - This very same day, Bob tries to execute my payload
>
> Another nice story, but I don't think that's what happened to me.
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- Re: my handler has been p0wned al1c3andb0b (Mar 16)
- Re: my handler has been p0wned Civ (Mar 16)
- <Possible follow-ups>
- Re: my handler has been p0wned Nikhil Mittal (Mar 18)
- Re: my handler has been p0wned Jeffs (Mar 18)
- Re: my handler has been p0wned Nikhil Mittal (Mar 18)
- Re: my handler has been p0wned 5.K1dd (Mar 18)
- Re: my handler has been p0wned Jeffs (Mar 18)