PaulDotCom mailing list archives

McAfee AV bypass for Metasploit payloads


From: rick.hayes at gmail.com (Rick Hayes)
Date: Wed, 30 Dec 2009 10:20:39 -0500

I may be off base here, but I've found that 3-4 passes of shikata ga nai
works well.  Unfortunately, when I do the 10 passes it seems to be found
more often than not.  If it's still being detected I usually try to run it
through PEScrambler (http://www.rnicrosoft.net/tools/PEScrambler_v0_1.zip)
and that tends to work well.

On Tue, Dec 29, 2009 at 11:21 AM, David Porcello <DPorcello at vermontmutual.com> wrote:

Hi all,

I'm doing an in-house pen-test and I'm having a heck of a time building an
msfpayload executable that evades McAfee AV detection. I've tried all the
techniques in Metasploit Unleashed (section 08 / Antivirus Bypass),
including the windows/shell/reverse_tcp method that's only detected by 3 out
of 32 major AV engines (unfortunately McAfee being one of them). I even
tried a simple windows/exec payload to net stop the AV services, but that's
caught as well. McAfee's detecting all of these as "Downloader-BQQ".

Anyone have any other tricks?

Thanks in advance!
dave.

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




-- 
Thanks,

Rick Hayes
CISSP, GSEC, GIPS, GCFA, GSLC, CCNP, CCSP

InfoSec Daily Podcast: http://www.isdpodcast.com
iTunes Keywords: InfoSec Daily