October 31st, 2004, 01:18 PM
OK, quick question: if someone had access to your machine (remote or local), would it be possible for them to remove specific virus definitions from your AV?
Example: someone has a basic RAT installed on your system which is not picked up by your AVP, but they want to upload another well-known RAT program which would be detected. Could they access your AVP files and remove the specific definition for that RAT?
I know a lot of people will be saying "what would be the point, the next update will replace the definition",
but I have just come across a tool which disables updates for major AVPs, which was not picked up by AVG (with latest definitions).
So someone could run it on my machine, blocking any updates, then remove whatever definitions they wished and install anything they like on the machine. And because the AVP is still running as normal (just minus certain definitions), I would be none the wiser.
So, is it possible?
October 31st, 2004, 01:42 PM
It would only require the disabling of some of the AV services.. and the core process (assuming Windows here)..
D/L the new RAT/Trojan.. install.. now you just need to disable the AV.. several viruses have done this.. Yaha being one member of that family.. Once running, the virus allows the AV (I have seen this with NAV) to appear to be running.. but it won't be updating..
Now if you're placing a RAT.. weeeeelllll.. why not just emulate the AV.. the odd fake find and the user has a false sense of security..
Or this.. the defs are in a data file, usually in the AV program folder.. I'm sure you could find what you're after in there.. edit the data file.. poof.. knackered AV def file..
Probably easier said than done.. have never played in that part of the park..
the original Und3rtak3r
October 31st, 2004, 01:47 PM
I understand what you mean, but if someone just disabled processes or shut down the AVP, then I would be more likely to notice than if the AVP was seemingly running as normal but with just fewer definitions.
October 31st, 2004, 01:49 PM
Sorry, edited my post while you were replying.. just having a look at AVG right now..
OK.. in AVG there are three files that are updated that appear to be the DATA file in question.
miniavi.avg appears to be the sucker. Dunno what NAV uses..
AVG also has an UPDATE folder.. could use this and a couple of others to detect if there is a problem with the main data file..
the original Und3rtak3r
October 31st, 2004, 02:33 PM
As you know, you can get viruses which exploit out-of-date definitions by disabling antivirus (e.g. W32.HLLW.Deadhat). However, deleting individual or a number of definitions? Yes, it's possible. Rare, but possible.
I know in the past viruses have implemented payload triggers (coded virus triggers which are set to kill/change something on a specific date) to delete specific definitions (say 10 records) from AV software, but leave the actual software intact.
Examples of this include W97M.Nobody, an MS Word script virus, and W97M.Ortant@mm.
These viruses are quite old though.
These days, however, such payload triggers are rare. I'm not sure they would still work unless the trojan could breach your AV THEN delete the definitions for other viruses.
# Now if I ever needed inspiration,
Right about now where I lose my patience,
October 31st, 2004, 04:09 PM
It is theoretically possible, but highly improbable. They would have to understand the signature file and spoof it perfectly... these things do defend themselves... like if the checksum or whatever doesn't check out? IMHO it would be easier to write something new that escaped detection than to screw with the signature files...
Maybe Trend Micro's "Housecall" or Panda's "Online Scan"... you see, if you ran one of those it would find the "old" virus and tip you off... so it would not even be a good move to try to mess with the resident AV?
Just my thoughts.
November 1st, 2004, 05:43 AM
This is just off the top of my head, and I am by no means an expert. But I believe the defs are stored in cache... thus if one were to replace the def file, they would have to restart the service somehow (trick into rebooting?) to activate the new def.
Then they would have to also change the auto update to load from another server... all the while using the same "file checking scheme" of the def file (not necessarily checksum, possibly including encryption) that the individual program uses. (Like nihil said, "these things do defend themselves.")
In my opinion it would be easier to shut down the AV and spoof the icon and service to make one believe the AV is running.
"And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
November 1st, 2004, 06:04 AM
You might be able to accomplish this with ClamAV, although I am having trouble with it. It is explained at the bottom of this doc:
The tool ported to Windows gives me *nix errors, so I'm SOL.
I think you should be able to unpack, edit, and pack the defs back. It says it is for Clam DB maintainers, but I think you might be able to do it too. Worst case scenario, you can add a filter in ClamWin.conf to skip that filename, although you would have to have permissions to do so.
C:\Program Files\ClamWin\defs>"C:\Program Files\ClamWin\bin\sigtool" --unpack-current "C:\Documents and Settings\All Users\.clamwin\db\daily.cvd"
ERROR: Can't open CVD file /usr/local/share/clamav/C:\Documents and Settings\All
Edit: I thought you needed to remove an entry for your own purpose. Post edited for blackhat perspective.
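The thread's open question is how a user would notice definitions being trimmed or updates being blocked while the AV still looks healthy. The following is an added example (not code from this thread, from ClamWin, or from any AV vendor) of the check Und3rtak3r hints at: take a baseline of the definition directory after a trusted update, then periodically compare hashes, sizes and modification times. The directory layout, file names (`main.db`, `daily.db`), the `MAX_DEF_AGE_DAYS` threshold and the sample contents are all constructed assumptions for the demo.

```python
"""
Baseline-and-verify check for an antivirus definition directory.

Added example for this thread; not ClamWin/AVG/NAV code. Assumptions:
  * all definition files sit in one directory (e.g. a ClamWin db folder);
  * a baseline is taken right after a trusted update;
  * MAX_DEF_AGE_DAYS is the longest gap between updates you tolerate.
"""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional, Tuple

MAX_DEF_AGE_DAYS = 7  # assumption: updates normally arrive more often than this

Finding = Tuple[str, str]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large definition files are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(def_dir: Path, baseline_path: Path) -> Dict[str, dict]:
    """Record hash, size and mtime of every definition file after a trusted update."""
    records = {}
    for p in sorted(def_dir.iterdir()):
        if p.is_file():
            st = p.stat()
            records[p.name] = {"sha256": sha256_file(p), "size": st.st_size, "mtime": st.st_mtime}
    baseline_path.write_text(json.dumps(records, indent=2))
    return records


def verify(def_dir: Path, baseline_path: Path, now: Optional[float] = None,
           max_age_days: int = MAX_DEF_AGE_DAYS) -> List[Finding]:
    """Compare the directory against the baseline; return (finding, name) pairs."""
    now = time.time() if now is None else now
    baseline = json.loads(baseline_path.read_text())
    current = {p.name: p for p in def_dir.iterdir() if p.is_file()}
    findings: List[Finding] = []
    for name, rec in baseline.items():
        if name not in current:
            findings.append(("missing", name))
            continue
        st = current[name].stat()
        if sha256_file(current[name]) != rec["sha256"]:
            # A legitimate update also changes the hash, but it normally grows
            # the file; a definition file that shrank is the scenario above.
            kind = "shrunk" if st.st_size < rec["size"] else "modified"
            findings.append((kind, name))
    for name in sorted(set(current) - set(baseline)):
        findings.append(("unexpected", name))
    # Updates blocked: nothing in the directory has changed for too long.
    newest = max((p.stat().st_mtime for p in current.values()), default=0.0)
    if now - newest > max_age_days * 86400:
        findings.append(("stale", def_dir.name))
    return findings


def demo() -> List[Finding]:
    """Constructed scenario: clean baseline, then a trimmed file and stalled updates."""
    with tempfile.TemporaryDirectory() as tmp:
        def_dir = Path(tmp) / "defs"
        def_dir.mkdir()
        # Constructed stand-ins for definition files (not real signatures).
        (def_dir / "main.db").write_bytes(b"SIG:alpha\nSIG:beta\nSIG:gamma\n")
        (def_dir / "daily.db").write_bytes(b"SIG:delta\nSIG:epsilon\n")
        baseline = Path(tmp) / "baseline.json"
        take_baseline(def_dir, baseline)
        assert verify(def_dir, baseline) == []  # clean right after the baseline

        # Tampering: one record dropped from daily.db, so the file shrinks.
        (def_dir / "daily.db").write_bytes(b"SIG:delta\n")
        # Updates blocked: make every file look untouched for 30 days.
        old = time.time() - 30 * 86400
        for p in def_dir.iterdir():
            os.utime(p, (old, old))
        return verify(def_dir, baseline)


if __name__ == "__main__":
    for kind, name in demo():
        print(f"{kind}: {name}")
```

Re-run `take_baseline` only after an update you trust (the vendor's own updater, with its signature check passing); between updates, any `modified` or `shrunk` finding, or a `stale` directory past the cadence you expect, is the tip-off that the resident scanner is no longer what it appears to be, and an out-of-band scanner like the online scans mentioned earlier is the natural second opinion.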
November 1st, 2004, 09:50 AM
Soda~ has an excellent point there. Most AVs have the option to ignore nominated file types. I would only notice that when I ran a manual scan.
It would require you to restart the AV product though.