Got Too Many Shells?

Since the release of Metasploit 4.9, have you, the dedicated and resourceful penetration tester, been having a problem with being too successful at skipping past the defender's detection efforts? Are you getting too many shells? Maybe you're getting a little embarrassed for the IT guys who are wondering what the heck just happened to their anti-virus protections.

If that's the case, I have some good news! As of today, April 1, 2014, Metasploit is pleased to announce an entirely new feature for penetration testers: Anti-Virus Attraction!

Anti-Virus Attraction

Turns out, we're just too darn evasive for many-to-most AV solutions. So, in order to level the playing field between the penetration testers and the AV vendors, Metasploit Framework has extended the payload encoders and the executable generators to be a little less evasive by including some easy-to-detect data in our payloads. Well, a lot less.

After several high level meetings and some deep-dive research in the field of malware detection, we've come up with a plan to address this too-successful problem. As of today, we now ship both the generic/eicar payload encoder (which works across all platforms) and the EXE::EICAR static executable generator (Windows-only).

Detection: Not Quite 100%

I'm pretty pleased with the results. Check out our VirusTotal hit rate:

As you can see, 49 out of 51 malware detection solutions successfully pick up EICAR. We're working on ensuring those last two are able to detect Metasploit as well -- if you know anyone over there, you might drop them a line and ask how you can help.


The usage is straightforward. For example, here's how to encode any given payload to EICAR-compliance using the command line tool msfvenom:

Note the size reduction, by the way -- the encoded payload is merely 68 bytes, which is 227 bytes smaller. A 77% savings in payload size is nothing to sneeze at!

Generating a Windows EXE for any compatible Windows exploit is similarly easy -- just set the EXE::EICAR or MSI::EICAR option to true, and you'll be using the new static executable generator instead of the souped-up dynamic one.

Note, while these payloads and binaries are quite real and quite functional, actually using these will certainly ruin any chance of actually getting a working shell, since the EICAR test file standard does not allow for any kind of useful extension for functional requirements like opening network sockets. Oh well, it's a sacrifice.
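The constraint described above, as an added example that is not Metasploit's code: a check of a byte string against the EICAR test-file rules (the 68-byte string, optionally followed by whitespace, at most 128 bytes in total). The names `EICAR`, `ALLOWED_PADDING`, `MAX_TOTAL_LEN` and `check_eicar` are assumptions made for illustration, and the sample inputs are constructed.

```python
# Added example; names here are illustrative and not part of Metasploit.

# The 68-byte EICAR test string, assembled from pieces so this source file
# does not itself contain the contiguous string.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         + b"EICAR-STANDARD-" + b"ANTIVIRUS-TEST-FILE!" + b"$H+H*")

# The only trailing bytes the standard allows: space, tab, LF, CR, Ctrl-Z.
ALLOWED_PADDING = frozenset(b" \t\n\r\x1a")
MAX_TOTAL_LEN = 128


def check_eicar(data: bytes) -> tuple[bool, str]:
    """Return (compliant, reason) for a candidate test file's contents."""
    if not data.startswith(EICAR):
        return False, "does not start with the 68-byte test string"
    if len(data) > MAX_TOTAL_LEN:
        return False, f"{len(data)} bytes exceeds the 128-byte limit"
    extra = data[len(EICAR):]
    # Anything after the string must be whitespace, so appended code fails.
    bad = [i for i, b in enumerate(extra) if b not in ALLOWED_PADDING]
    if bad:
        return False, f"non-whitespace byte at offset {len(EICAR) + bad[0]}"
    reason = "string plus whitespace" if extra else "exact string"
    return True, reason


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = {
        "exact": EICAR,
        "with CRLF": EICAR + b"\r\n",
        "appended data": EICAR + b"extra bytes",
        "prefixed": b"MZ" + EICAR,
        "over-padded": EICAR + b" " * 61,
    }
    for name, data in samples.items():
        print(f"{name:14} {check_eicar(data)}")
```

Only the first two samples pass, which is why a compliant file has no room for anything beyond the test string itself.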

So, if you've been having such a good run that you just have too many shells, and you feel like you need to throw a bone to defenders, give the EICAR transforms a whirl. This new feature is available today in the Metasploit Framework as of Pull Request #3168, and will be coming soon in an update of Metasploit Pro and Community editions -- in the meantime, download your free 7-day trial of Metasploit Pro today.

If you happen to be more interested in AV evasion (how lame!) than AV attraction (yay!), join AV black belt ninja Dave Maloney on his free webcast "Evading Anti-Virus Solutions with Dynamic Payloads in Metasploit Pro":