Results 1 to 9 of 9

Thread: Removing definitions

  1. #1

    Removing definitions

    Ok quick question if someone had access to your machine (remote or local) would it be possible for them to remove specific virus definitions from your av.

    Example someone has a basic RAT installed on your system which is not picked up by your AVP but they want to upload another well known RAT program which would be detected - could they access your AVP fils and remove the specific definition for that RAT?

    I know alot of people will be saying "what would be the point next update will replace definition"

    but have just came across a tool which disables updates for major AVP - which was not picked up by AVG (with latest definitions)

    so someone could run it on my machine blocking any updates then remove whatever definitions they wished and install anything they like on machine. And because AVP is still running as normal (just minus certain definitions) I would be none the wiser.

    so is it possible?

    v_Ln

  2. #2
    Junior Member
    Join Date
    Oct 2001
    Posts
    29
    It would only require the disabling of some of the AV services.. and the core Process (assuming windows here)..
    D/L the new RAT/Trojan ..Install.. now you just need to disable the AV .. several Virus have done this.. Yaha being one member of that family.. Once running the virus allows the AV (I have seen this with NAV) to appear to be runniing.. .. but it won be updating..
    Now if your placing a RAT.. weeeeelllll. why not just emulate the AV.. the odd fake find and the user has a false sence of security..

    dat help?

    Or this.. the defs are in a data file usuely in the AV Program Folder.. I,M sure you could find what your after in there.. edit the data file.. poof .. knackerd av def file..

    probably easier said than done.. have never played in that part of the park..
    [gloworange]the original Und3rtak3r [/gloworange]


  3. #3
    I understand what you mean - but if someone just disabled process's or shut down the AVP then I would be more likly to notice than if AVP was seemingly running as normal but with just fewer definitions.

    v_Ln

  4. #4
    Junior Member
    Join Date
    Oct 2001
    Posts
    29
    sorry edited my post while you were replying.. just having a look at AVG right now..

    OK..In AVG there are three files that are updated that appear to be the DATA file in question

    miniavi.avg appears to be the sucker. dunno what NAV uses..

    AVG also has a UPDATE folder .. could use this and a couple of others to detect if there is a problem with the main data file..




    [gloworange]the original Und3rtak3r [/gloworange]


  5. #5
    Hey valhallen,

    As you know you can get viruii whih exploits out-of-date definitions by disabling antivirus (e.g. W32.HLLW.Deadhat). However, deleting individual or a number of definitions? Yes - it's possible - rare but possible.

    I know in the past virii has implemented Payload Triggers (coded virii triggers which are set to kill/change something on a specific date) to delete specific (say 10 records) definitions from AV software - but leave the actual software intact.

    Examples of this include W97M.Nobody, an MS Word script virus and W97M.Ortant@mm

    These viruses are quite old though.

    These days however such payload triggers are rare. I'm not sure they would still work unless the trojan could breach your AV THEN delete the definitions for other viruses.
    # Now if I ever needed inspiration,
    Right about now where I lose my patience,

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Val,

    It is theoretically possible, but highly improbable. They would have to understand the signature file and spoof it perfectly.............these things do defend themselves...........like the checksum or whatever doesn't check out? IMHO it would be easier to write something new that escaped detection, than to screw the signature files.......

    Maybe Trend Micro's "Housecall" or Panda's "Online Scan"...............you see that if you ran one of those it would find the "old" virus and tip you off................so it would not even be a good move to try to mess with the resident AV?

    just my thoughts

  7. #7
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    This is just off the top of my head, and I am by no means an expert. But I believe the def’s are stored in cache .... thus if one were to replace the def. file they would have to restart the service somehow ( trick into rebooting? ) to activate the new def.

    Then they would have to also change the auto update to load from another server ... all the while using the same “ file checking scheme” of the def file ( not necessarily checksum, possibly including encryption ) that the individual program uses.( Like nihil said, “these things do defend themselves.” )

    In my opinion it would be easier to shut down the AV and spoof the icon and service to make one believe the AV is running.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  8. #8
    You might be able to accomplish this with ClamAV, although I am having trouble with it. It is explained at the bottom of this doc:

    http://www.clamav.net/doc/0.80/signatures.pdf

    The tool ported to windows gives me nix errors, so I'm SOL.
    C:\Program Files\ClamWin\defs>"C:\Program Files\ClamWin\bin\sigtool" --unpack-cu
    rrent "C:\Documents and Settings\All Users\.clamwin\db\daily.cvd"
    ERROR: Can't open CVD file /usr/local/share/clamav/C:\Documents and Settings\All
    Users\.clamwin\db\daily.cvd
    I think you should be able to unpack, edit, and pack the def's back. It says it is for Clam DB maintainers, but I think you might be able to do it too. Worst case scenario, you can add a filter in ClamWin.conf to skip that filename, although you would have to have permissions to do so.

    edit: I thought you needed to remove an entry for your own purpose. Post edited for blackhat perspective.

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Soda~ has an excellent point there. most AVs have the option to ignore nominated file types. I would only notice that when I ran a manual scan.

    It would require you to restart the AV product though.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •