A school project. How well does Metasploit encode its executables? I'm putting it to the test against 10 different antivirus programs. This is just the proposal; the finished version should be done in a month or so.

1. Metasploit Payload Encoding and Antivirus Detection

4. There is no statistical difference between antivirus detection of executables that have been encoded using Metasploit

6. What is Metasploit?

7. How well are we protected from malware?

8. Negative affects of malware

9. Can a simple encoding scheme render AV useless?

10. What about more advanced encoders?

11. How well can AV software defend against easily accessable encoders provided by the Metasploit framwork?

15. Heuristics

20. Heuristic Scanning Scan the file Person using AV Run it in a sandbox Monitor system calls & activity and relay info to a risk analysis engine Does it look suspicious? Unknown file Unknown file Risk analysis engine

23. Resource intensive

25. Decrypted on runtime

27. Chooses decryptor from set of key combinations

28. Polymorphism hwfeidedwefef dfewfewfewfe grvervklmwefwe welkfimj eifcjm cwif jioregio mg wwoijmgeirojg r Encrypted portion Encryption + decryption engine with key Bla bla key=10 If (decrypted) { EvilStuff(); } Bla bla key=10 Decrypt the main code run Do evil things to the computer If (decrypted) { EvilStuff(); } Bla bla key=10 If (decrypted) { EvilStuff(); } Bla bla key=10 Change the encrytion + decryption engine, And change the key Kjlkmdckldklcm Sdclknmewnge Sdklmroivnslkw Kmewvionjrewg Wenmgrerjnkng spowgnjrekjwe Bah bah key=11 Encrypt the main code with new key and engine

29. Metamorphism 0x74 0x68 0x69 0x73 0x20 0x69 0x73 0x20 0x70 0x77 0x6e 0x7a 0x6f 0x72 0x20 0x63 0x6f 0x64 Virus (hex view) Runs and does evil stuff void main() { EvilFunction(); } void main() { EvilFunction(); UselessFunction(); } Takes its own source code and adds stuff A useless piece is added (like a NOP slide) Recompiled with new code 0x7a 0x6f 0x6d 0x67 0x20 0x64 0x69 0x73 0x20 0x69 0x00 0x00 0x00 0x00 0x00 0x73 0x20 0x6e A new binary is produced

30. Oligomorphism welkfimj eifcjm cwif jioregio mg wwoijmgeirojg r [engine] key=??? Encrypted portion Decryptor/Key Pieces If (decrypted) { EvilStuff(123); } key=a+c/b If (decrypted) { EvilStuff(321); } key=b+c^d If (decrypted) { EvilStuff(213); } key=b%2 +c A B C D

32. Ruby

33. Exploits + payloads

34. >1mil annual downloads

35. Constantly updated with wild exploits

36. Can produce standalone trojan binaries

43. Same version & installation of Metasploit used

45. Same reverse TCP information (IP, port) used

47. Data Collection

49. Chi Square Test

50. References Instruction set reference manual. (1999). Intel architecture software developer's manual . Retrieved February 3, 2011, from http://download.intel.com/design/PentiumII/manuals/24319102.PDF Glossary - securelist . (2011). Retrieved from http://www.securelist.com/en/glossary?letter=72#gloss189210535 Metasploit express user guide. (2010). Rapid7 , (3.5.1), Retrieved from www.metasploit.com/documents/express/UserGuide.pdf Metasploit framework . (2010). Retrieved from http://www.rapid7.com/products/metasploit-framework.jsp Munro, J. (2002, July 10). Antivirus research and detection techniques . Retrieved from http://www.extremetech.com/article2/0,2845,1154648,00.asp Static application data. (2008). Uninformed, 9 . Retrieved from http://uninformed.org/index.cgi?v=9&a=3&p=11