Metasploit and Social Engineering Toolkit: Kill Antivirus (eg. AVG2012)

Metasploit ships with a killav meterpreter script, but against AVG it only kills avgrsx.exe, which respawns as soon as it is terminated. AVG runs a watchdog service, avgwdsvc.exe, that restarts any AVG process that gets killed, and this makes killing the antivirus genuinely difficult. The AVG IDS agent (AVGIDSAgent.exe) could not be terminated at all, whatever privileges were used, which I think is a good design choice.

Reference: http://www.coresec.org/2011/12/05/disabling-antivirus-during-pen-testing/

In this lab the attacker spawned a meterpreter session using the Aurora memory-corruption exploit (MS10-002).

The victim unwittingly clicked a spoofed link, which delivered the stager and stage payloads to the victim's machine.

Spawn a command prompt

The attacker spawned a command prompt; cmd.exe ran as a hidden process, and channel 1 was created to give the attacker access to the victim's shell.

Understand the AV processes in the tasklist

Filter the tasklist output to find the AVG-related processes.

avgwdsvc.exe is the watchdog. I modified the killav.rb script to target the AVG processes, but still could not kill AVG: the watchdog itself could not be terminated, and it respawns any AVG process that is killed.

Disable the AV by renaming its executables

C:\WINDOWS\system32>cd\Program Files
cd\Program Files

C:\Program Files>cd AVG\avg2012
cd AVG\avg2012

C:\Program Files\AVG\AVG2012>dir avg*.exe
dir avg*.exe
Volume in drive C has no label.
Volume Serial Number is A0E9-830F

Directory of C:\Program Files\AVG\AVG2012

08/02/2011 06:08 AM 498,016 avgcfgex.exe
12/02/2011 03:16 AM 849,248 avgcmgr.exe
02/20/2012 12:38 PM 4,033,376 avgcremx.exe
08/15/2011 06:21 AM 337,760 avgcsrvx.exe
11/11/2011 02:30 AM 2,526,048 avgdiagex.exe
11/28/2011 01:18 AM 669,536 avgdumpx.exe
10/10/2011 06:23 AM 973,664 avgemcx.exe
10/12/2011 06:25 AM 4,433,248 AVGIDSAgent.exe
08/02/2011 06:08 AM 146,272 avglscanx.exe
01/24/2012 05:24 PM 5,781,344 avgmfapx.exe
11/28/2011 01:19 AM 1,229,664 avgnsx.exe
11/28/2011 01:18 AM 616,288 avgntdumpx.exe
09/08/2011 08:53 PM 743,264 avgrsx.exe
08/02/2011 06:08 AM 967,520 avgscanx.exe
01/17/2012 08:24 PM 669,024 avgsrmax.exe
01/12/2012 11:06 AM 9,125,728 AVGTBInstall.exe
01/24/2012 05:24 PM 2,416,480 avgtray.exe
01/24/2012 05:24 PM 4,200,800 avgui.exe
08/02/2011 06:09 AM 192,776 avgwdsvc.exe
08/02/2011 06:09 AM 705,192 avgwsc.exe
20 File(s) 41,115,248 bytes
0 Dir(s) 753,119,232 bytes free

Rename every executable that backs an AVG process. Note that renaming files under C:\Program Files requires administrative rights on the target; a low-privilege session cannot do this.

Surprisingly, the watchdog executable can be renamed; the AVG IDS agent, on the other hand, could not be renamed.

Kill the AV tasks

Kill all the AVG processes. Because every executable was renamed, the watchdog has nothing left to respawn, so once terminated they stay dead.

The antivirus can no longer provide real-time monitoring.

To re-enable real-time monitoring, rename the files back to their original names and reboot the OS.
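The two artefacts inspected above (the filtered tasklist and the dir listing of the AVG2012 folder) are enough to tell whether real-time protection has been tampered with in this way. The Ruby below is an added example, not code from the original post or from Metasploit's killav.rb: it parses a tasklist snapshot and a dir listing and reports which AVG components are no longer running or no longer exist on disk under their original names. The process and file names come from the post; the snapshot text, the choice of four components as the ones to watch, and the .bak suffix for a renamed file are assumptions made for the example.

```ruby
# Added example (not from the original post or Metasploit): check AVG2012
# real-time components against a `tasklist` snapshot and a `dir` listing.

# Subset of AVG2012 components treated as needed for real-time protection.
# Assumption: these four are enough to judge the state.
AVG_REALTIME = %w[avgwdsvc.exe avgrsx.exe avgnsx.exe AVGIDSAgent.exe].freeze

# Constructed `tasklist` snapshot (default table format) taken after the
# rename-and-kill: the watchdog and IDS agent survive, the scanner does not.
SAMPLE_TASKLIST = <<~TXT
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                    872 Console                    0      4,560 K
avgwdsvc.exe                  1180 Console                    0      2,912 K
AVGIDSAgent.exe               1204 Console                    0     12,004 K
cmd.exe                       1532 Console                    0      2,004 K
TXT

# Constructed `dir` listing: avgrsx.exe was renamed (assumed .bak suffix),
# avgnsx.exe is still on disk but is not in the process list above.
SAMPLE_DIR = <<~TXT
 Volume in drive C has no label.
 Directory of C:\\Program Files\\AVG\\AVG2012

08/02/2011  06:08 AM    <DIR>          .
10/12/2011  06:25 AM         4,433,248 AVGIDSAgent.exe
11/28/2011  01:19 AM         1,229,664 avgnsx.exe
09/08/2011  08:53 PM           743,264 avgrsx.exe.bak
08/02/2011  06:09 AM           192,776 avgwdsvc.exe
               4 File(s)      6,599,296 bytes
TXT

# Image names from `tasklist` output, lowercased. The header rows and
# entries without a .exe image name (e.g. "System Idle Process") are skipped.
def tasklist_images(text)
  text.each_line.map { |l| l[/\A(\S+\.exe)\s+\d+\s/i, 1] }.compact.map(&:downcase)
end

# File names from `dir` output, lowercased. Directory and summary rows have
# no numeric size column, so they do not match and are skipped.
def dir_files(text)
  pattern = %r{\A\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+[\d,]+\s+(\S+)\s*\z}
  text.each_line.map { |l| l[pattern, 1] }.compact.map(&:downcase)
end

# For each watched component, list what is wrong: not running, missing on
# disk under its original name, or both. An empty hash means nothing is wrong.
def avg_tamper_report(tasklist_text, dir_text)
  running = tasklist_images(tasklist_text)
  on_disk = dir_files(dir_text)
  AVG_REALTIME.each_with_object({}) do |exe, report|
    name = exe.downcase
    problems = []
    problems << :not_running     unless running.include?(name)
    problems << :missing_on_disk unless on_disk.include?(name)
    report[name] = problems unless problems.empty?
  end
end

# Real-time protection counts as intact only when every watched component is
# both running and present under its original file name.
def realtime_protected?(tasklist_text, dir_text)
  avg_tamper_report(tasklist_text, dir_text).empty?
end

if __FILE__ == $PROGRAM_NAME
  puts "AVG real-time protection intact: #{realtime_protected?(SAMPLE_TASKLIST, SAMPLE_DIR)}"
  avg_tamper_report(SAMPLE_TASKLIST, SAMPLE_DIR).each do |exe, problems|
    puts "  #{exe}: #{problems.join(', ')}"
  end
end
```

On a real host you would feed the script the output of `tasklist` and of `dir "C:\Program Files\AVG\AVG2012"` captured from the box; the watchdog surviving while its peers are missing on disk is exactly the state the rename-then-kill sequence leaves behind.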

Lesson learned.

The purpose of this post is to raise awareness among people who think that having a firewall and antivirus installed guarantees that no attack can succeed on their system. Yes and no. Yes, if the attack comes directly from the untrusted zone into the trusted zone (the victim's machine). No, because attackers love to use social engineering to tempt, dupe and intimidate the victim into "helping" them bypass the firewall and antivirus. The attacker could go as far as disabling the AV here because the victim clicked a link from an unknown source; the browser showed what looked like a legitimate Gmail page, while in fact the stager and stage payloads were already being delivered to the victim's machine as the page loaded. The further harm was possible only because the victim trusted the link. The firewall and antivirus cannot be blamed for this: they cannot prevent an attack that, unwittingly, originated from within (i.e. from the victim).

This entry was posted in Security, Vulnerability Assessment and Pentest.

5 Responses to Metasploit and Social Engineering Toolkit: Kill Antivirus (eg. AVG2012)

  1. MapEndo says:

    Hello,
    Thanks a lot for the post. I have a question. I have tried the same method with the Java applet in SET on Windows 7. The alarm is triggered but I am able to have a meterpreter session. Later I cannot kill all the AVG processes because administrator privilege is necessary. I cannot run the bypassuac script because of the AV, and without UAC disabled I cannot do anything. Do you have any ideas to solve it?
    Of course everything is done in a VM lab.

  2. cyruslab says:

    I have not tried this yet… I just got a Win7 VM which I will try… hopefully I can give you an answer.

  3. MapEndo says:

    No, it is not what I was asking for. My question was about AV evasion: I am unable to evade AVG, and the bypassuac script cannot run due to AVG. So I thought you found a workaround.

    Thanks

  4. cyruslab says:

    I was wondering how many times you have encoded the payload with shikata_ga_nai? If you encoded it 4 times with shikata_ga_nai then AVG2012 can detect it. I will try installing AVG2012 on Win7 and see…
