WTFBBQAV! or AV FAIL!

As part of a well-known, kick-ass course I'm taking right now, I had to backdoor an executable of my choice with a certain payload.

The executable I chose was the PuTTY SSH client, mainly because it's widespread and because it ships as a single .exe.
The choice of payload was pretty clear… one Metasploit-generated reverse TCP shell to go, please! :)

After successfully backdooring (is this even a verb?) our beloved SSH client I thought: "man, every antivirus in the world is going to catch this little puppet…", so I submitted it to VirusTotal.

Here are the results:

Antivirus             Version         Last update  Result
AhnLab-V3             2011.01.18.00   2011.01.17   -
AntiVir               7.11.1.241      2011.01.25   -
Antiy-AVL             2.0.3.7         2011.01.25   -
Avast                 4.8.1351.0      2011.01.25   Win32:Hijack-GL
Avast5                5.0.677.0       2011.01.25   Win32:Hijack-GL
AVG                   10.0.0.1190     2011.01.25   -
BitDefender           7.2             2011.01.25   Backdoor.Shell.AC
CAT-QuickHeal         11.00           2011.01.25   -
ClamAV                0.96.4.0        2011.01.25   -
Commtouch             5.2.11.5        2011.01.25   W32/Rozena.B.gen!Eldorado
Comodo                7495            2011.01.25   -
DrWeb                 5.0.2.03300     2011.01.25   -
Emsisoft              5.1.0.1         2011.01.25   -
eTrust-Vet            36.1.8117       2011.01.24   -
F-Prot                4.6.2.117       2011.01.24   W32/Rozena.B.gen!Eldorado
F-Secure              9.0.16160.0     2011.01.25   Backdoor.Shell.AC
Fortinet              4.2.254.0       2011.01.24   -
GData                 21              2011.01.25   Backdoor.Shell.AC
Ikarus                T3.1.1.97.0     2011.01.25   -
Jiangmin              13.0.900        2011.01.24   -
K7AntiVirus           9.78.3635       2011.01.24   Riskware
Kaspersky             7.0.0.125       2011.01.25   -
McAfee                5.400.0.1158    2011.01.25   -
McAfee-GW-Edition     2010.1C         2011.01.25   -
Microsoft             1.6502          2011.01.25   Trojan:Win32/Swrort.A
NOD32                 5816            2011.01.25   -
Norman                6.06.12         None         W32/Swrort.A
nProtect              2011-01-18.01   2011.01.18   -
Panda                 10.0.2.7        2011.01.24   -
PCTools               7.0.3.5         2011.01.25   -
Prevx                 3.0             2011.01.25   -
Rising                23.42.00.06     2011.01.24   -
Sophos                4.61.0          2011.01.25   -
SUPERAntiSpyware      4.40.0.1006     2011.01.25   -
Symantec              20101.3.0.103   2011.01.25   -
TheHacker             6.7.0.1.119     2011.01.24   -
TrendMicro            9.120.0.1004    2011.01.25   Mal_Xed-21
TrendMicro-HouseCall  9.120.0.1004    2011.01.25   Mal_Xed-21
VBA32                 3.12.14.3       2011.01.24   -
VIPRE                 8189            2011.01.25   -
ViRobot               2011.1.25.4274  2011.01.25   -
VirusBuster           13.6.162.0      2011.01.24   -

(A dash in the Result column means the engine reported nothing; Norman returned no update date.)
Additional information
MD5: 8ea25860c59a0577f9b3fb28efbdc9ed
SHA1: 94a3cafc73aae27dde47cd29f0d22be89659bc89
SHA256: e25cb3295de57065437dd9aa701dceaf9485a00bffc2598a5a78bc6d4ccec6d4
File size: 458752 bytes
Scan date: 2011-01-25 11:58:58 (UTC)

Only 12 of the 42 engines (28.6%) flagged the file as a threat.
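To make that number reproducible, here is an added example (written for this post, not VirusTotal or Metasploit tooling) that parses the flattened result list exactly as it was pasted above and re-derives the detection rate. It also groups vendors by the signature name they reported, which makes the engine-sharing visible: BitDefender/F-Secure/GData, Commtouch/F-Prot, Avast/Avast5 and the two TrendMicro entries each report an identical name, so the 12 detections come from only 7 distinct signatures. The SCAN_TABLE string is the post's own result table; the "None.." update date Norman returned is kept as a missing value rather than treated as a date.

```python
"""Parse a flattened VirusTotal-style result table and re-derive the detection rate.
Added example for this post; SCAN_TABLE is the post's own scan result, copied in
the flattened "vendor version last-update [result]" layout it was pasted in."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SCAN_TABLE = """\
Antivirus Version Last update Result
AhnLab-V3 2011.01.18.00 2011.01.17
AntiVir 7.11.1.241 2011.01.25
Antiy-AVL 2.0.3.7 2011.01.25
Avast 4.8.1351.0 2011.01.25 Win32:Hijack-GL
Avast5 5.0.677.0 2011.01.25 Win32:Hijack-GL
AVG 10.0.0.1190 2011.01.25
BitDefender 7.2 2011.01.25 Backdoor.Shell.AC
CAT-QuickHeal 11.00 2011.01.25
ClamAV 0.96.4.0 2011.01.25
Commtouch 5.2.11.5 2011.01.25 W32/Rozena.B.gen!Eldorado
Comodo 7495 2011.01.25
DrWeb 5.0.2.03300 2011.01.25
Emsisoft 5.1.0.1 2011.01.25
eTrust-Vet 36.1.8117 2011.01.24
F-Prot 4.6.2.117 2011.01.24 W32/Rozena.B.gen!Eldorado
F-Secure 9.0.16160.0 2011.01.25 Backdoor.Shell.AC
Fortinet 4.2.254.0 2011.01.24
GData 21 2011.01.25 Backdoor.Shell.AC
Ikarus T3.1.1.97.0 2011.01.25
Jiangmin 13.0.900 2011.01.24
K7AntiVirus 9.78.3635 2011.01.24 Riskware
Kaspersky 7.0.0.125 2011.01.25
McAfee 5.400.0.1158 2011.01.25
McAfee-GW-Edition 2010.1C 2011.01.25
Microsoft 1.6502 2011.01.25 Trojan:Win32/Swrort.A
NOD32 5816 2011.01.25
Norman 6.06.12 None.. W32/Swrort.A
nProtect 2011-01-18.01 2011.01.18
Panda 10.0.2.7 2011.01.24
PCTools 7.0.3.5 2011.01.25
Prevx 3.0 2011.01.25
Rising 23.42.00.06 2011.01.24
Sophos 4.61.0 2011.01.25
SUPERAntiSpyware 4.40.0.1006 2011.01.25
Symantec 20101.3.0.103 2011.01.25
TheHacker 6.7.0.1.119 2011.01.24
TrendMicro 9.120.0.1004 2011.01.25 Mal_Xed-21
TrendMicro-HouseCall 9.120.0.1004 2011.01.25 Mal_Xed-21
VBA32 3.12.14.3 2011.01.24
VIPRE 8189 2011.01.25
ViRobot 2011.1.25.4274 2011.01.25
VirusBuster 13.6.162.0 2011.01.24
"""

# A row is: vendor, engine version, signature date, then an optional detection
# name. Only the detection name may contain spaces; the first three are single tokens.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)(?:\s+(.+?))?\s*$")
DATE_RE = re.compile(r"^\d{4}[.-]\d{2}[.-]\d{2}$")


@dataclass
class EngineResult:
    vendor: str
    version: str
    last_update: Optional[str]  # None when no usable signature date was reported
    detection: Optional[str]    # None means the engine reported the file clean


def parse_scan_table(text: str) -> List[EngineResult]:
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Antivirus "):
            continue  # blank line or the column header
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        vendor, version, updated, detection = m.groups()
        # Norman reported "None.." instead of a date: keep it as a missing value.
        last_update = updated if DATE_RE.match(updated) else None
        results.append(EngineResult(vendor, version, last_update, detection))
    return results


def detection_rate(results: List[EngineResult]) -> Tuple[int, int, float]:
    # (flagged, total, percent) over every engine that returned a verdict
    flagged = sum(1 for r in results if r.detection is not None)
    return flagged, len(results), round(100.0 * flagged / len(results), 1)


def by_detection_name(results: List[EngineResult]) -> Dict[str, List[str]]:
    # Vendors grouped by reported signature name; identical names reveal shared engines
    names: Dict[str, List[str]] = {}
    for r in results:
        if r.detection is not None:
            names.setdefault(r.detection, []).append(r.vendor)
    return names


if __name__ == "__main__":
    rows = parse_scan_table(SCAN_TABLE)
    flagged, total, pct = detection_rate(rows)
    print(f"{flagged}/{total} engines flagged the file ({pct}%)")
    for name, vendors in sorted(by_detection_name(rows).items()):
        print(f"  {name:<28} {', '.join(vendors)}")
```

Run it directly and it reports 12/42 (28.6%) and the seven signature groups; the `by_detection_name` output is the part worth reading, because a "vendor count" on VirusTotal overstates how many independent engines actually looked at the sample.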

Hmmm… WTFBBQAV!
