Techniques for anti-virus evasion

There are several strategies for improving the chances of evading a target's AV. The overall strategy is to develop a backdoor that is as unique as possible. Writing your own backdoor from scratch will be the most successful approach.

A protected, or "encrypted", envelope around the malware is a common strategy. However, AVs will sometimes flag the envelope itself and assume its contents are malware, which sometimes happens with UPX. As of 2015, Veil-Evasion has become my preferred envelope for evading signature-based anti-virus software.

In order to evade the antivirus solution, you first need to understand how the antivirus flags your particular backdoor. The first method an AV engine uses is its vast set of malicious file signatures, which it matches against particular patterns in an executable. In the case of Metasploit, AV solutions have signatures for the default exe template (data/template/template_x86_windows.exe), and any executable you generate using this default template will be flagged by the AV regardless of the actual shellcode in it. An easy way to overcome this problem is to generate your shellcode separately, create a custom exe and embed the shellcode in it. Getting the shellcode itself past signature detection is easy using the shikata_ga_nai encoder, since it is a polymorphic encoder that generates different shellcode each time.

The next technique the AV engine uses is a sandbox, where your backdoor is executed for a very short period of time and its behaviour is analysed at runtime. It looks for signs such as allocating an RWX memory block or establishing a reverse connection. An easy way to bypass this is to use a dummy loop or code blocks that execute until the sandbox timer expires without performing any malicious task.

Finally, modern AV engines have multiple components, such as separate modules for network traffic, web, email, etc. Since meterpreter is a staged payload, where the first stager downloads the second-stage meterpreter DLL, if the connection through which the DLL is transferred is not encrypted, the second-stage DLL will be detected regardless of whether you bypassed the AV in the first stage. You can use the reverse or bind HTTPS meterpreter to get around this restriction.

I have used Veil on a few occasions and it is an easy way to bypass AV. The only limitation is the increase in size due to the full Python interpreter that needs to be embedded in the EXE. Veil can also do its work using native exes without requiring the Python interpreter, but the code size is still increased by the encryption and decryption routine. If size is not a problem, you can use Veil. However, in certain environments (such as embedded devices or IDS file-size signatures) where size is a real constraint, you have to craft a custom backdoor from scratch yourself.

One interesting framework I came to like is Veil. It is a framework that assists in generating payloads and binaries specifically designed to evade anti-virus software. It is available in the Kali repository.