This work compares some infamous methods for the creation of malicious payloads or shellcodes. These payloads must be used to create a remote connection between the victim’s machine and the attacker’s machine that wants to listen and, once a connection is successfully established, obtain sensitive information or make an attack to that user. Their creation was made by using some free tools, running on a Kali Linux machine, that are:
This comparison is made according to the capability of malicious payloads in bypassing default security systems available on Windows machines and antivirus systems on the market, looking for a way to obtain a payload that manages to be invisible simultaneously to several security systems. Security systems embedded on Windows that have been used and tested for this work are:
Online scanners have been also used, which perform a check of created files using multiple antivirus engines simultaneously. Scanners then used in this work were:
For each of the used tools, the following table shows the best results obtained by malicious payload creation. Remember that to obtain a good result means being able to bypass Windows security systems (denoted as “Yes” or “No” in the table) and some online scanners (denoted in the table by the number of antivirus solutions which recognize malicious payload on the total number of executed antivirus).
(* – Windows SmartScreen can block malicious payload if it is downloaded from the Internet; otherwise, Windows SmartScreen not considers it as malicious)
In this report, configured systems for payloads production and testing will be briefly introduced, as well as, to show and to discuss the results from different methodologies trying to create a FUD (fully undetectable) backdoor.
About the Author Prof Corrado Aaron Visaggio
(Security Affairs – malicious payloads, malware)