[framework] meterpreter detected by virus software
Paul Criscuolo
pcriscuolo at gmail.com
Tue Oct 9 00:22:57 CDT 2007
On a recent engagement, Symantec Antivirus detected the DLL injection
that meterpreter uses. I was able to exploit different boxes with a
variety of exploits and used the reverse TCP meterpreter as the
payload. The DLL injection completed successfully, but as soon as I
attempted to load a module, usually the priv in version 3 revision
5140, it just hung.
I attempted to kill the antivirus with the killav command, but no
love. I had to create a username and password after dropping into a
command shell and then manually killing the antivirus processes. Has
anyone else seen this? I am a little confused as to how the AV
detected it. Any suggestions on how to get around this by maybe
modifying the payloads before an engagement?
Any help is appreciated.