
Entries in McAfee (6)

Friday, March 11, 2011

Using Metasploit to remove Malware

So I have a family member who loves malware, though not the way we do, who like to research and understand it.  He likes to go to websites ("I never went to that site.") and click every link possible as fast as he can.

As a result, he has a great collection of malware. 

He has gotten every version of FakeAV known.  Here is how I use Metasploit to remove it.


Step 1:  Generate a Windows Meterpreter executable and rename it "explorer.exe".  Most of this malware does not allow any AV or Malwarebytes to run.  Renaming the file "explorer.exe" lets it slip through on the malware's whitelist.

Step 2: Run our executable on the infected machine and connect back/bind to the Meterpreter session.  Since Meterpreter does not touch disk and injects itself into memory, this is a great way to get a foothold on the machine.

Step 3: Escalate to SYSTEM.  Windows 7 is no longer a problem thanks to @Dave_Rel1k and @KevinMitnick UACBypass.  I love this script/post exploit module.  Go to @Derbycon!

Step 4: Reward yourself... I recommend Crown Royal with a splash of Ginger Ale.  YMMV

Step 5: Now that you are SYSTEM, type "ps".  Some of these things are not like the other.  Some of these things just don't belong.

Step 6: Identify the PID next to each rogue process and "kill ####" it.

Step 7: At this point, you should have broken the hold the malware had on the system.  Install http://www.malwarebytes.org/mbam-download.php

Step 8: Run some scans and remove the naughty objects.  I also recommend some AV/anti-malware product... McAfee, Microsoft Security thingy, anything....  Check NSSLabs for some recommendations.

Step 9: Give the computer back to your family member and wait till next week when he finds a new site that he didn't visit and runs a file he never ran!
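A check for the flip side of the whitelist trick in Step 1, added here as an example (not code from the post): a process named explorer.exe proves nothing, so a defender looks for well-known system binary names running outside their legitimate directory. The listing is constructed in the shape of a PID / name / path dump, and the expected-directory table is an assumption covering a handful of names; note it would also flag the renamed Meterpreter from Step 1 if it were run from a desktop.

```python
import ntpath
from typing import NamedTuple

# Where each well-known Windows binary legitimately lives (lower-case, no trailing slash).
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
}

class Proc(NamedTuple):
    pid: int
    name: str
    path: str

def parse_ps(text: str) -> list:
    """Parse 'PID  Name  Path' rows; the header and rows without a path are skipped."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        procs.append(Proc(int(parts[0]), parts[1], parts[2].strip()))
    return procs

def masquerading(procs):
    """Return processes whose name is a known system binary but whose directory is not."""
    hits = []
    for p in procs:
        name = p.name.lower()
        if name in EXPECTED_DIRS and ntpath.dirname(p.path.lower()) not in EXPECTED_DIRS[name]:
            hits.append(p)
    return hits

# Constructed sample listing (not taken from the post).
SAMPLE_PS = """\
PID   Name          Path
4     System
392   csrss.exe     C:\\Windows\\System32\\csrss.exe
1204  explorer.exe  C:\\Windows\\explorer.exe
2840  svchost.exe   C:\\Windows\\System32\\svchost.exe
3312  explorer.exe  C:\\Users\\bob\\AppData\\Local\\Temp\\explorer.exe
3520  svchost.exe   C:\\Users\\bob\\AppData\\Roaming\\svchost.exe
"""

if __name__ == "__main__":
    for p in masquerading(parse_ps(SAMPLE_PS)):
        print(f"suspicious: pid={p.pid} {p.name} running from {p.path}")
```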


Friday, January 21, 2011

McAf.ee Link Shortener

@DaveMarcus did NOT pay me to write this.

If you are a Twitter addict like me, you use a link shortener.  The list of link shorteners is long.  Bit.ly, TinyURL, even Google has its very own goo.gl!

However...

The problem is we don't know what we are clicking on.  You don't know that bit.ly/blah isn't sending you the latest serving of malware.  I have kicked around the idea that this is a great attack vector. Looks like I was not the only one.

http://www.zdnet.com/blog/security/twitter-worm-hits-googl-redirects-to-fake-anti-virus/7938

Cyber thugs are using Google's link shortener to trick users into viewing malicious content with FakeAV.

I just cleaned a co-worker's home netbook after they clicked the evil goo.gl link.

Note: http://www.malwarebytes.org/ is a great resource for removal.  I also used Metasploit to kill the tasks because the malware prevented Malwarebytes/AV from running.

I like to beat up on the AV vendors but the truth is there is a lot of malware out there and the best way to protect yourself is to not allow it to get on your machine in the first place.

Enter mcaf.ee! http://mcaf.ee/

McAfee has a link shortener that uses their Global Threat Intelligence database to check the links to identify if they are safe or malicious. 

They have a plug-in for Firefox and Chrome.

If you use a Twitter client, add this under other services to use mcaf.ee as your link shortener.

http://mcaf.ee/api/shorten?input_url=%@&format=text

I added it to Tweetdeck today as my default link shortener.


I use Twitterrific on my iPad and iPhone.  McAf.ee isn't available for that app so if you see the bit.ly from me, you know why.

Wednesday, January 5, 2011

virusscan_bypass.rb: Now with a lame security bulletin

@mubix shared a link with me earlier this morning.  Security Bulletin - VSE 8.7 and earlier Metasploit payload attack

After my research and loss of faith in Anti-Virus technology, I decided to look at this further.


Let's look at the Bulletin. 

McAfee is aware of a publicly disclosed attack that could disable VSE running on a customer’s machine.

There was an update to the Metasploit Framework on Christmas Eve that added a script from Mert SARICA that silently kills McAfee VirusScan, along with some other fun options.  This was in revision 11411.

This isn't an attack but something an attacker could do once you click on that email link that promised you a gazillion dollars from some guy who needs your help transferring his dead cat's fortune out of a war torn condominium complex. 

This attack is not a standalone attack, but acts as a payload to be chained via another attack.

Once again, at this point you are owned and Game Over already!

The attack was disclosed in a public tool.

While this is a Metasploit script, the only tool I see is the one who QA'ed the DAT file (6209).

Mitigating Factors

• McAfee has released a DAT file (6209) which detects the Metasploit plug-in used to run this attack.


Updated to the latest version!

I am protected....  NOT! WTF?


The target machine is Windows XP Pro SP3... fresh install, OS patched, McAfee AV installed and updated.

I generated a meterpreter executable and copied it to the desktop.  Great On-Access Protection!

I ran the executable and now I have a session.  Let's list the processes running.

In the list, McShield.exe is running with a PID of 916.

Running as an Administrator, I run the script.  This uploads an executable to the target and adds it to the exclusion list.  I am going to choose to kill McAfee altogether.

It should be noted that McTray.exe was also killed, so we don't get the tray icon.  On the target machine, the user would only see the tray icon silently disappear.  We can confirm that McAfee is McGone by looking at the process list.

We now have full control of the target machine, though we probably don't want it, since it has been owned and now has the Zeus Trojan.

McAfee comes back after a reboot, but a reboot is required.  Trying to load McAfee again before the reboot results in a notification of ownage!
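The silent disappearance described above is something a monitor can catch by diffing successive process snapshots. This is an added example, not the post's or the script's code; the snapshots are constructed (pid, name) pairs that reuse the McShield.exe PID 916 from the post, and the watched names are the two processes the post says were killed.

```python
# Processes the post says the bypass kills: the VSE scan engine and its tray icon.
WATCHED = {"mcshield.exe", "mctray.exe"}

def watched_pids(snapshot):
    """Map each watched name (lower-case) to the set of PIDs running it in one snapshot."""
    found = {name: set() for name in WATCHED}
    for pid, name in snapshot:
        if name.lower() in found:
            found[name.lower()].add(pid)
    return found

def diff_snapshots(before, after):
    """Alert on watched processes that vanished, or came back under new PIDs, between snapshots."""
    b, a = watched_pids(before), watched_pids(after)
    alerts = []
    for name in sorted(WATCHED):
        if b[name] and not a[name]:
            alerts.append(f"{name} terminated (was pid {sorted(b[name])})")
        elif b[name] and a[name] and not (b[name] & a[name]):
            # every old PID is gone but the name is still present: killed and restarted
            alerts.append(f"{name} restarted (pid {sorted(b[name])} -> {sorted(a[name])})")
    return alerts

def monitor(snapshots):
    """Return (snapshot_index, alert) pairs over a sequence of snapshots."""
    return [(i, msg)
            for i in range(1, len(snapshots))
            for msg in diff_snapshots(snapshots[i - 1], snapshots[i])]

# Constructed snapshots: baseline, after the AV is killed (no reboot yet), after a reboot.
SNAPSHOTS = [
    [(4, "System"), (636, "winlogon.exe"), (916, "McShield.exe"), (1488, "McTray.exe"), (1780, "explorer.exe")],
    [(4, "System"), (636, "winlogon.exe"), (1780, "explorer.exe"), (2156, "explorer.exe")],
    [(4, "System"), (640, "winlogon.exe"), (924, "McShield.exe"), (1492, "McTray.exe"), (1796, "explorer.exe")],
]

if __name__ == "__main__":
    for idx, msg in monitor(SNAPSHOTS):
        print(f"snapshot {idx}: {msg}")
```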

Let's recap the timeline.

Script was added 12/24: Merry Christmas

Security Bulletin was issued 12/30: Happy New Year

On 1/5 the script still kills McAfee AV


How can you protect yourself?  Do you load Symantec?

Watch Mubix uninstall Symantec's SEP. 

http://www.room362.com/blog/2010/11/16/silently-uninstall-sep.html

All of this was released in 2010 and prior.  I can't wait to see what 2011 brings.

Welcome to 2011, the year of the #FAIL... again.


UPDATE 01/06/2010

It looks like the virusscan_bypass.rb script had a bug that caused the termination of the McShield icon and the error box.  The script has been updated.

Download the latest revision here: 11478

I grabbed it this morning and tested it out.

We have our process list before running the script.

We run the script as the local administrator.

Now we check the process list again.

Now for the sweep.  Show me the Shield!  Survey says:


Tuesday, December 14, 2010

McAfee iPad app

Now I can take @davemarcus everywhere!


Friday, August 20, 2010

This Celeb Gossip Site is safe says McAfee


This week it was revealed that Cameron Diaz has something funky going on with her.  It is malware.  I enjoy gossip.  Who doesn't?  This is why bad guys hook malware to celebrities.  McAfee has a program called SiteAdvisor.  Well, this past week it flagged a blog called ImNotObsessed.com as problematic.  I had written about it earlier this week.

Vera is the site owner.  She makes her living blogging.  For her, her husband, and their 2 kids, the family of sites is their sole source of income. 

I heard the story and I told Vera, the site owner, to contact me and I would get it to the people who as @rodsoto says, "are the man!"

Well, I want to thank Ryan over at McAfee for getting it to the right people.  As of today, ImNotObsessed.com is marked safe.

So if you want some gossip that is safe for work and malware free, check out ImNotObsessed.com.

If not, visit anyway: because of this she has lost much of the traffic she spent years building up.