
Comments (12)

patrickceg avatar patrickceg commented on July 17, 2024 1

Very few AVs on VirusTotal also flag it: https://www.virustotal.com/gui/file-analysis/ZDdiYWFlMTM1YmEyYWQyNDkzM2ZiNTE3N2Y3MjVlNjg6MTU2MzQwOTE3Ng==/detection
https://www.virustotal.com/gui/file/2c38b233b56f2e566c90c32315335dab1fca9e0fbd64323a0666efcddd912d4f/detection

There's a good possibility that overzealous web browser protection or corporate proxies would also mark the samples as malware. (The resource-hogging types that also install their root certificate to decrypt TLSv1.2.)

We could obfuscate the samples like this?

<?php
if(isset($CENSORED)){
echo "<pre>";
$cmd = ($CENSORED);
system($cmd);
echo "</pre>";
die;
}
?>

Replace $CENSORED with $_REQUEST['cmd']

Transforms (base64 encoding, nonprintable characters or similar) won't help either, because AV can detect that (I know by experience when someone imported a "font" that had real malware in it...). Also, other AVs like triggering on anything that looks like obfuscation.

from wstg.

ThunderSon avatar ThunderSon commented on July 17, 2024 1

We can create a list of system commands that can be run, and put in there the variable of that list, which should appear to be safe. What do you think?


kingthorin avatar kingthorin commented on July 17, 2024

Yup I noticed that the other day too. The content in question does include benign source code for an example web backdoor.


kingthorin avatar kingthorin commented on July 17, 2024

Feel free to review the content on GitHub and understand the reason it is a false positive from Defender.

https://github.com/OWASP/OWASP-Testing-Guide-v5/blob/master/document/4%20Web%20Application%20Security%20Testing/4.11%20Business%20Logic%20Testing/4.11.9%20Test%20Upload%20of%20Malicious%20Files%20(OTG-BUSLOGIC-009).md#webshell-backdoor

(It’s a markdown file, the code isn’t executed unless you extract the snippet and place it on (or in) an appropriately configured execution environment.)


 avatar commented on July 17, 2024

Fair enough, but if this is a false positive then it should be explicitly mentioned that one would be generated, since it is impossible to determine if the code snippet is what is being detected or if the file itself has truly been altered to include a virus.

It would be a clever trick for an actual hacker to infect a file that would be easily dismissed as a false positive.


kingthorin avatar kingthorin commented on July 17, 2024

Yup, just trying to give you options until it can be addressed somehow.


kingthorin avatar kingthorin commented on July 17, 2024

I like the idea of using $CENSORED as suggested, however, I need to review the content/context. We might be able to link elsewhere for code/samples ... or use a pseudo code block instead of real code.


patrickceg avatar patrickceg commented on July 17, 2024

I can confirm that my own Windows Defender only flags the following file:

OWASP-Testing-Guide-v5\document\4 Web Application Security Testing\4.11 Business Logic Testing\4.11.9 Test Upload of Malicious Files (OTG-BUSLOGIC-009).md

We can therefore try different combinations of "censoring" or obfuscating such that the code sample isn't functional without modification.

I haven't tried a full exploit, but I definitely can see why the AV would flag it... theoretically if you compromised a machine that had Git and PHP, you could theoretically get the server to execute the shellcode, similar to how you can dump shellcode into a log file or other upload and get the server to execute it. (I did that in a pentest exercise.)

I don't like the idea of linking because the thing we are linking to would be flagged by "web protection", or the linked material could simply be removed.

Hopefully the AV is only triggering on the string "REQUEST['cmd']", so maybe "REQUEST['aprogramthatisnotashellinanyos']"?


patrickceg avatar patrickceg commented on July 17, 2024

So much for the censored idea...

This is being detected as well

<?php
if(isset($_REQUEST['censored'])){
    echo "<pre>";
    $cmd = ($_REQUEST['censored']);
    system($cmd);
    echo "</pre>";
    die;
}
?>

https://www.virustotal.com/gui/file-analysis/YzM0MjY1MGI2YzE0ZjMzMTliZmY3M2U1ZWRlMzU1Zjg6MTU2MzU4MTkyMw==/detection

Now that I look at the code, it's probably because the AV doesn't like a PHP file with system( [something that can execute] ). I'll try swapping "system" for a censoring term.


patrickceg avatar patrickceg commented on July 17, 2024

Hmm pesky bugger... it also doesn't like

<?php @eval($_POST['password']);?>


patrickceg avatar patrickceg commented on July 17, 2024

I removed one of the three engine detections when I replaced system and eval with CENSORED, but unfortunately Windows Defender still calls it out, as Yorcirekrikseng instead of Chopper.

https://www.virustotal.com/gui/file-analysis/NGE0NGI2ZWM1YzZhNmJhNjA1YzI3MDdhZDVjYmJkMmQ6MTU2MzU4NDMzMg==/detection

I'm going to assume some malware actually base64 encodes or otherwise obfuscates the "system" and "eval" in case dumber systems try to filter it out of uploads, so Defender is using a different pattern.

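To make the observations in this thread concrete from a detection point of view, here is an added example (not WSTG's code and not Microsoft Defender's logic, whose signatures are not shown anywhere in this issue). It is a small heuristic scanner for PHP web-shell shapes in text files such as documentation. The two rule families are assumptions about what a scanner might key on: a strict rule that needs a known execution function (system, eval, etc.) fed from request input, and a looser rule that fires whenever request input flows into any call whose name is not a known-harmless function. The sample snippets are constructed from the shapes posted above; the "censored_sinks" sample models the variant where system/eval were replaced with CENSORED, and shows why renaming the sink alone does not make such text look benign to a name-agnostic rule.

```python
"""Heuristic scanner for PHP web-shell shapes in text (e.g. Markdown docs).

Added example for this thread. The rules below are assumptions, not any
vendor's signatures: they model (a) a known exec/eval sink called on
request input and (b) request input reaching an arbitrary call.
"""
import re

# Request-controlled input sources in PHP (real superglobals).
SOURCE = r"\$_(?:REQUEST|POST|GET|COOKIE)\s*\[[^\]]*\]"

# Real PHP builtins that execute OS commands or PHP code.
EXEC_SINKS = {"system", "exec", "shell_exec", "passthru", "popen",
              "proc_open", "eval", "assert"}

# Calls treated as harmless consumers of request input (assumption).
SAFE_CALLS = {"isset", "empty", "htmlspecialchars", "htmlentities",
              "print", "printf", "strlen", "trim"}

# `$var = ($_REQUEST['x'])` style assignment that taints $var.
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*\(?\s*(" + SOURCE + r")", re.I)
# `name( $_REQUEST['x'] )` or `name( $var )` call with its first argument.
CALL_RE = re.compile(r"(\w+)\s*\(\s*\(?\s*(" + SOURCE + r"|\$\w+)", re.I)


def scan_php(text):
    """Return the sorted list of rule names triggered by `text`."""
    tainted = {m.group(1) for m in ASSIGN_RE.finditer(text)}
    hits = set()
    for m in CALL_RE.finditer(text):
        name, arg = m.group(1).lower(), m.group(2)
        from_request = arg.startswith("$_") or arg in tainted
        if not from_request:
            continue
        if name in EXEC_SINKS:
            hits.add("exec-sink-on-request-input")   # strict rule
        elif name not in SAFE_CALLS:
            hits.add("request-input-to-unknown-call")  # loose rule
    return sorted(hits)


# Constructed samples following the snippet shapes discussed in the thread.
SAMPLES = {
    "original": (
        "<?php\nif(isset($_REQUEST['cmd'])){\n    echo \"<pre>\";\n"
        "    $cmd = ($_REQUEST['cmd']);\n    system($cmd);\n"
        "    echo \"</pre>\";\n    die;\n}\n?>"
    ),
    "renamed_param": (
        "<?php\nif(isset($_REQUEST['censored'])){\n"
        "    $cmd = ($_REQUEST['censored']);\n    system($cmd);\n}\n?>"
    ),
    "eval_post": "<?php @eval($_POST['password']);?>",
    # system/eval replaced by a placeholder name (modelled, not a real function).
    "censored_sinks": (
        "<?php\nif(isset($_REQUEST['censored'])){\n"
        "    $cmd = ($_REQUEST['censored']);\n    CENSORED($cmd);\n}\n?>"
    ),
    "benign": "<?php echo htmlspecialchars($_GET['name']); ?>",
}


def scan_samples():
    """Scan every constructed sample; returns {sample name: [rules hit]}."""
    return {name: scan_php(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, rules in scan_samples().items():
        print(f"{name:16s} -> {rules or 'clean'}")
```

Run stand-alone, the script reports the original, renamed-parameter and eval variants under the strict rule, the CENSORED variant under the loose rule only, and the benign echo as clean. The practical takeaway for documentation maintainers is that a scanner which ignores the function name will keep matching as long as request input visibly flows into a call, so a sample that should not trip such heuristics needs to break that flow (or not be real code at all), not just rename the sink.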

patrickceg avatar patrickceg commented on July 17, 2024

The pull request is specifically for the issue mentioned, which is Windows Defender (Microsoft's scanner) detecting the page as malware. Note that with the "CENSORED" strings I added, the code is no longer syntactically correct, and setting a server up to be dumb enough to execute the .md files will not result in webshell behaviour.
