Anti-Virus Detection and Warnings

In this article we will look at how Anti-Virus detection and counter-detection work. We will also look at how to bypass UAC warnings.

Payloads created by redpill Hacker do not contain viruses. Anti-Virus software, however, not only detects viruses but also spy programs like key loggers. redpill Hacker has different types of payloads - some contain key loggers while others perform different tasks. It is important that you understand how detection works, both to minimize detection and to help you choose the correct payload for the job.

User Account Control (UAC)

During and before the good old days of Windows XP, installing spy programs and key loggers was a walk in the park. Since Windows 7 (or rather Vista), Microsoft has used UAC. UAC is not virus detection, but it causes a similar problem in that the user gets a warning and the program is prevented from running (if the user chooses the default option).

Some tasks in Windows require elevated privileges, and to perform them you need to run an application with elevated privileges. When this happens, the dreaded UAC message will pop up.

Bypass UAC

If the target selects 'No', the installation will fail. To get past this warning you have one of two options:

Option 1: Use a Lightweight Payload

To prevent the UAC message from appearing at all, redpill Hacker uses lightweight payloads. These payloads are designed to bypass the UAC warning message and also have a very low Anti-Virus detection rate. Unlike the heavyweight payloads, which perform multiple tasks and keep on running even after the computer has been restarted, lightweight payloads perform a very specific task (like secretly 'collecting' documents from the target computer) and only run once.

Option 2: Use Social Engineering

If you really need to use a heavyweight payload (a program that installs a key logger, also performs various other tasks and keeps on running even after the computer is restarted), then you can use social engineering to convince the target to allow the program to run once the UAC message comes up. Click here to read the article on social engineering.

Anti-Virus Detection

Anti-Virus companies and programs basically detect spy software (and viruses) in three ways:

1. Virus Definition Database

Comparing the file against a library of known viruses and malware. This method can only detect known viruses and spy programs.

2. Heuristic Analysis

Anti-Virus companies use heuristic analysis to detect new viruses and spy software, as well as new variants of known ones. In short, anti-virus software that uses this method will run the program in a controlled virtual system (sandbox testing), or decompile the suspected program and analyze the resulting code, before releasing it into the real system. The anti-virus software then uses profiling to make an 'educated guess' as to whether the unknown program is a virus or malware. Obviously this method will lead to a lot of false positives.

3. Wisdom of the Crowd

If, with the above methods, the Anti-Virus program cannot decide whether a program is malware, it will simply submit information about the program. Each time the program runs on another computer, more is learned about its behaviour and what it is used for. Using this data together with heuristic analysis methods, anti-virus companies can very quickly reach a verdict about a suspected file.

Other methods of detection

In addition to the above, some anti-virus companies and browsers have very strict policies. Norton, for instance, will mark a file as a potential threat and remove it just because it is not a known file (a file that is commonly downloaded and used). With that setting in an Anti-Virus system like Norton, your only option would be to convince the target to add your program to the list of allowed programs (White List).

Some browsers, like Chrome, will do the same. If a file is not known and not often downloaded (like your newly created payload), the browser will warn the user that it is a potential threat and ask whether they really want to download the file. Again, all you can do is use social engineering to convince the target to download it.

How redpill Hacker reduces the detection rate

redpill Hacker uses various counter-detection methods to reduce the Anti-Virus detection rate across all of the detection methods above. These include:

  • Giving each customer a unique edition (build) to avoid detection via anti-virus definition databases.
  • Using concepts unique to redpill, including code fogging, where procedures are complicated and 'clouded' using generated random code.
  • Code obfuscation and string encryption.
  • Making each installation (even of the same payload) different, using different filenames, locations, folder names, etc.
  • Using lightweight payloads that perform very specific tasks and avoid high-risk behavior like hooking into the keyboard.
  • Various other secret techniques.

At the end of the day, however, there are still some high-risk tasks that need to be performed - especially by heavyweight payloads. Although redpill Hacker will attempt to hide and mask some of these tasks, some Anti-Virus packages will run thorough sandbox testing and/or detect suspicious behavior within the code.

The methods redpill Hacker uses will get it past most Anti-Virus packages, but not all. redpill regularly runs tests against the top 43 anti-virus packages.

Heavyweight payloads are detected by 9 out of 43 (20% detection rate):

[Figure: Anti-Virus detection results for heavyweight payloads]

Lightweight payloads are detected by 1 out of 43 (2% detection rate):

[Figure: Anti-Virus detection results for lightweight payloads]

What you can do to reduce the detection rate

If your payload is detected via 'Wisdom of the Crowd', then it is possible that the Anti-Virus company will find a common fingerprint within your payloads. This fingerprint will then be added to the virus definition databases. If this happens, the detection rate of all your payloads will drastically increase. It will even affect computers that are already being monitored and on which the payload installed successfully.

If this does happen, you will need to request a clean rebuild of your redpill Hacker from redpill. They will charge a fee for this. There is, however, a lot you can do to avoid this. In short, you need to reduce your payloads' exposure to Anti-Virus scans. You can do this by:

  • Following the install instructions for redpill Hacker on this website so that all your payloads are created in a safe folder. When emailing your payloads you need to disable your real-time protection to avoid unnecessary scans.
  • Choosing your targets carefully – don't just send out a payload blindly to a huge list and hope for the best.
  • When attacking a list of targets, using a multi-phase attack (there are multi-phase attack templates available in redpill Hacker). You basically establish initial contact and gain trust before emailing the payload. That way a payload is only delivered if you are already sure the target will run it.
  • Using ZIP files, links or Payload websites to reduce direct exposure. Note that some Anti-Virus packages will scan the file inside the zip file and also the file at the link destination.
  • Never letting a friend use your redpill Hacker – never give them a copy. Even if you install it on another computer, it is still your unique build that is being installed. If your friend uses his copy in a way that increases his detection, it will also increase your detection, even if you don't use yours at all.
  • Not 'testing' your detection rate using multi-scan sites. These sites scan your payload against every Anti-Virus package, and this greatly and unnecessarily increases your exposure.

For more information on how to limit your exposure, read Multi-Phase Attack and Payload Websites.