n00bz Network

So I have a family member who loves malware however it is not like us who like to research and understand it.  He likes to goto websites ("I never went to that site.") and click every link possible as fast as he can.

As a result, he has a great collection of malware. 

He has gotten every version of FakeAV known.  Here is how I use Metasploit to remove it.

Step 1:  Generate a windows meterpreter executable and rename it "explorer.exe".  Most malware do not allow any AV or Malwarebytes to run.  Renaming the file "explorer.exe" will allow it to get through on the malware's whitelist.

Step 2: Run our executable on the infected machine and connect back/bind to the meterpreter session.  Since Meterpreter does not touch disk and injects itself into memory this is a great way to get a foothold onto the machine. 

Step 3: Escalate to SYSTEM.  Windows 7 is no longer a problem thanks to @Dave_Rel1k and @KevinMitnick UACBypass.  I love this script/post exploit module.  Go to @Derbycon!

Step 4: Reward yourself... I recommend Crown Royal with a splash of Ginger Ale.  YMMV

Step 5: Now that you are SYSTEM, type "ps".  Some of these things are not like the other.  Some of these things just don't belong.

Step 6: Identify the PID number next to the rouge processes and "kill ####"

Step 7: At this point, you should have broken the hold on the system that the malware had.  Install http://www.malwarebytes.org/mbam-download.php 

Step 8: Run some scans and remove the naughty objects.  I also recommend something AV/Malware Related... McAfee, Microsoft Security thingy, anything....  Check NSSLabs for some recommendations.

Step 9: Give the computer back to your family member and wait till next week when he finds a new site that he didn't visit and runs a file he never ran!

@mubix shared a link with me earlier this morning.  Security Bulletin - VSE 8.7 and earlier Metasploit payload attack

After my research and loss of faith in Anti-Virus technology, I decided to look at this further.

Let's look at the Bulletin. 

McAfee is aware of a publicly disclosed attack that could disable VSE running on a customer’s machine.

There was an update to the Metasploit Framework on Christmas Eve that added a script from Mert SARICA that silently kills McAfee VirusScan as well as some other fun options.  This was in revision 11411.

This isn't an attack but something an attacker could do once you click on that email link that promised you a gazillion dollars from some guy who needs your help transferring his dead cat's fortune out of a war torn condominium complex. 

This attack is not a standalone attack, but acts as a payload to be chained via another attack.

Once again, at this point you are owned and Game Over already!

  The attack was disclosed in a public tool.

While this is a Metasploit script, the only tool I see is the one who QA'ed the DAT file (6209).

Mitigating Factors

• McAfee has released a DAT file (6209) which detects the Metasploit plug-in used to run this attack.

Updated to the latest version!

I am protected....  NOT! WTF?

The target machine is Windows XP Pro SP3... Fresh install, OS patched, installed McAfee AV and updated.

I generated a meterpreter executable and copied it to the desktop.  Great On-Access Protection!

I ran the executable and now I have a session.  Let's list the processes running.

I found with a pid of 916 we have McShield.exe.

Running as an Administrator, I run the script.  This will upload an executable to the target and add it to the exclusion list.  I am going to choose to kill McAfee all together. 

It should be noted that McTray.exe was also killed so we don't get the tray icon.  However on the target machine, the user would only see the tray icon silently disappear. We can confirm that McAfee is McGone by looking at the process list. 

We now have full control of the target machine however probably don't want it since it has been owned and now has the Zeus Trojan. 

On a reboot, McAfee is back however it requires a reboot.  Trying to load McAfee again before the reboot results in a notification of ownage!

Let's recap the timeline.

Script was added 12/24: Merry Christmas

Security Bulletin was issued 12/30: Happy New Year

On 1/5 the scipt still kills McAfee AV

How can you protect yourself?  Do you load Symantec?

Watch Mubix uninstall Symantec's SEP. 

http://www.room362.com/blog/2010/11/16/silently-uninstall-sep.html

All of this was released in 2010 and prior.  I can't wait to see what 2011 brings.

Welcome to 2011, the year of the #FAIL... again.

UPDATE 01/06/2010

It looks like the virusscan_bypass.rb scipt had a bug that caused the termination of the McShield Icon and the error box.  The script has been updated. 

Download the latest revision here: 11478

I grabbed it this morning and tested it out.

We have our process list before running the script.

We run the script as the local administrator.

Now we check the process list again.

Now for the sweep.  Show me the Shield!  Survey says: