Hi all,
I have been seeing the ‘bad habit’ that I am about to discuss happening very often, so it’s time to talk about it.
I have noticed that people tend to use Shellter with the same executables, even when this is not required as I explain later on.
Someone uploads a demo video infecting ‘putty.exe’, then everyone uses that.
Next day someone uploads a video infecting the setup program of ‘Winrar’ and then everyone uses that.
It’s one thing to use the same executables when creating videos for educational and demonstration purposes, and another to use them all the time on VirusTotal and other online multi-AV scanners.
I hate to ruin this for you, but if you always use the same executables with Shellter, AV vendors create better heuristics for those specific legitimate executables that you infect.
This is not really effective against Shellter itself, but in some cases it might do the job for them, and it makes things worse for you when you really need to convince someone to execute a specific ‘legitimate’ application that you have infected.
Unless you are in a Red Team or similar engagement where you want to convince the target users to execute a specific binary that they normally trust, and so you have also enabled ‘Stealth mode’ to keep its original functionality, you should avoid always infecting the same executables of popular applications.
This is a really bad idea, and the sooner you realize it the better for you.
In other words, don’t ruin the creativity of Shellter by blindly following what other people do. Be creative for yourself as well!
Find some executables that do the job and use those for generic pentesting purposes, where it doesn’t really matter which executable you have infected as long as it gets past the AV.
Cheers,
kyREcon