I'm also probably off base, but I think Polypack does this quite well. I have not had time to play with it yet, but "Farther John" gave us the link in a SANS Webcast.
http://polypack.eecs.umich.edu/

HTH
Duncan

2009/12/30 Rick Hayes <[email protected]>
> I may be off base here, but I've found that 3-4 passes of shikata ga nai
> work well. Unfortunately, when I do the 10 passes it seems to be found
> more often than not. If it's still being detected I usually try to run it
> through PEScrambler (http://www.rnicrosoft.net/tools/PEScrambler_v0_1.zip)
> and that tends to work well.
>
> On Tue, Dec 29, 2009 at 11:21 AM, David Porcello <[email protected]> wrote:
>
>> Hi all,
>>
>> I'm doing an in-house pen-test and I'm having a heck of a time building an
>> msfpayload executable that evades McAfee AV detection. I've tried all the
>> techniques in Metasploit Unleashed (section 08 / Antivirus Bypass),
>> including the windows/shell/reverse_tcp method that's only detected by 3 out
>> of 32 major AV engines (unfortunately McAfee being one of them). I even
>> tried a simple windows/exec payload to net stop the AV services, but that's
>> caught as well. McAfee's detecting all of these as "Downloader-BQQ".
>>
>> Anyone have any other tricks?
>>
>> Thanks in advance!
>> dave.
>
> --
> Thanks,
>
> Rick Hayes
> CISSP, GSEC, GIPS, GCFA, GSLC, CCNP, CCSP
>
> InfoSec Daily Podcast: http://www.isdpodcast.com
> iTunes Keywords: InfoSec Daily

--
Duncan Alderson | Zeb3dee
webantix.net | clamtech.co.uk

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
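The thread turns on how many passes of shikata ga nai to run. The following is an added example, not code from the thread, from Metasploit or from any of the posters: a Python model of the arithmetic an XOR additive-feedback encoder of that kind performs (XOR a dword with the running key, then add the decoded dword into the key), stacked in passes the way a multi-pass encode wraps each layer around the previous one. `STUB`, the key placement, the NOP padding and the sample bytes are constructed for the model; the real decoder stub is polymorphic x86 code and is not reproduced here.

```python
"""Model of a multi-pass XOR additive-feedback encoder (shikata_ga_nai style).

Added example, not Metasploit's code. Each layer is STUB + key + encoded body,
where the body of pass N+1 is the entire output of pass N, stub included.
"""
import os
import struct

MASK = 0xFFFFFFFF
# Constructed placeholder for the decoder stub (16 bytes so layers stay
# dword-aligned). The real stub is x86 whose registers/ordering vary per run.
STUB = b"<decoder-stub-->"


def pad4(data: bytes) -> bytes:
    """Pad with NOPs (0x90) so the data is a whole number of dwords."""
    return data + b"\x90" * (-len(data) % 4)


def encode_pass(payload: bytes, key: int) -> bytes:
    """One additive-feedback pass over little-endian dwords.

    Each dword is XORed with the running key, then the plaintext dword is
    added to the key, so every output dword depends on all earlier input.
    """
    out = bytearray()
    for (dword,) in struct.iter_unpack("<I", pad4(payload)):
        out += struct.pack("<I", dword ^ key)
        key = (key + dword) & MASK
    return bytes(out)


def decode_pass(blob: bytes, key: int) -> bytes:
    """Inverse of encode_pass: XOR to recover the dword, then add it to the key."""
    out = bytearray()
    for (dword,) in struct.iter_unpack("<I", blob):
        plain = dword ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & MASK
    return bytes(out)


def encode(payload: bytes, passes: int, keys=None) -> bytes:
    """Wrap payload in `passes` layers. Keys are random unless supplied."""
    if keys is None:
        keys = [int.from_bytes(os.urandom(4), "little") for _ in range(passes)]
    assert len(keys) == passes, "one key per pass"
    blob = payload
    for key in keys:
        blob = STUB + struct.pack("<I", key) + encode_pass(blob, key)
    return blob


def decode(blob: bytes, passes: int) -> bytes:
    """Peel the layers in reverse order. Innermost NOP padding is kept."""
    for _ in range(passes):
        assert blob.startswith(STUB), "layer must begin with the stub"
        key = struct.unpack("<I", blob[len(STUB):len(STUB) + 4])[0]
        blob = decode_pass(blob[len(STUB) + 4:], key)
    return blob


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Length of the byte prefix two encodings share (what a static signature sees)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    # Constructed sample bytes standing in for a payload; not real shellcode.
    sample = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
    for passes in (1, 3, 10):
        a, b = encode(sample, passes), encode(sample, passes)
        assert decode(a, passes) == pad4(sample)
        print(f"{passes:2d} passes: {len(a)} bytes, "
              f"bodies differ, shared prefix = {common_prefix_len(a, b)} bytes")
```

Within the model, adding passes changes every byte of the body and grows the output, but each run still opens with the same stub, so a detection aimed at the decoder rather than at the payload sees the same thing at 3 passes as at 10. The real stub varies more than this fixed marker does, which is why the model is only an illustration of the mechanism, not a prediction of what a given engine will flag.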
