Metasploit ships with a killav script, but this script only kills avgrsx.exe, which respawns after the process is terminated. AVG has a watchdog program, avgwdsvc.exe, which ensures that any terminated AVG process is started again; this seriously makes killing the antivirus difficult. The AVG IDS agent cannot be terminated regardless of privileges, which I think is great….
In this lab the attacker spawned a meterpreter session using the Aurora memory-corruption exploit (MS10-002).
Spawn a command prompt
Identify the AV processes in the tasklist
avgwdsvc.exe is the watchdog. I have modified the killav.rb script but could not kill AVG, because the watchdog could not be terminated; the watchdog respawns any terminated process.
Disable the AV by renaming its executables
C:\Program Files>cd AVG\avg2012
C:\Program Files\AVG\AVG2012>dir avg*.exe
Volume in drive C has no label.
Volume Serial Number is A0E9-830F
Directory of C:\Program Files\AVG\AVG2012
08/02/2011 06:08 AM 498,016 avgcfgex.exe
12/02/2011 03:16 AM 849,248 avgcmgr.exe
02/20/2012 12:38 PM 4,033,376 avgcremx.exe
08/15/2011 06:21 AM 337,760 avgcsrvx.exe
11/11/2011 02:30 AM 2,526,048 avgdiagex.exe
11/28/2011 01:18 AM 669,536 avgdumpx.exe
10/10/2011 06:23 AM 973,664 avgemcx.exe
10/12/2011 06:25 AM 4,433,248 AVGIDSAgent.exe
08/02/2011 06:08 AM 146,272 avglscanx.exe
01/24/2012 05:24 PM 5,781,344 avgmfapx.exe
11/28/2011 01:19 AM 1,229,664 avgnsx.exe
11/28/2011 01:18 AM 616,288 avgntdumpx.exe
09/08/2011 08:53 PM 743,264 avgrsx.exe
08/02/2011 06:08 AM 967,520 avgscanx.exe
01/17/2012 08:24 PM 669,024 avgsrmax.exe
01/12/2012 11:06 AM 9,125,728 AVGTBInstall.exe
01/24/2012 05:24 PM 2,416,480 avgtray.exe
01/24/2012 05:24 PM 4,200,800 avgui.exe
08/02/2011 06:09 AM 192,776 avgwdsvc.exe
08/02/2011 06:09 AM 705,192 avgwsc.exe
20 File(s) 41,115,248 bytes
0 Dir(s) 753,119,232 bytes free
Surprisingly, the watchdog program can be renamed; the AVG IDS agent, on the other hand, could not be renamed.
Kill the AV tasks
To re-enable AVG's real-time monitoring, rename the renamed files back to their original filenames and then reboot the OS.
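A defender's counterpart to the rename trick shown above, added here as an example (not code from the original post): it diffs a `dir` listing of the AVG 2012 directory against the executable names shown in the listing earlier, so a renamed watchdog or resident shield surfaces as a missing critical binary plus an unexpected file. The tampered listing and the `.bak` names in it are constructed; the expected names come from the page's listing.

```python
import re

# Every avg*.exe in a healthy AVG 2012 install directory (names from the dir listing above).
EXPECTED_EXES = {
    "avgcfgex.exe", "avgcmgr.exe", "avgcremx.exe", "avgcsrvx.exe", "avgdiagex.exe",
    "avgdumpx.exe", "avgemcx.exe", "AVGIDSAgent.exe", "avglscanx.exe", "avgmfapx.exe",
    "avgnsx.exe", "avgntdumpx.exe", "avgrsx.exe", "avgscanx.exe", "avgsrmax.exe",
    "AVGTBInstall.exe", "avgtray.exe", "avgui.exe", "avgwdsvc.exe", "avgwsc.exe",
}
# The binaries the post singles out: watchdog, resident shield, IDS agent.
CRITICAL = {"avgwdsvc.exe", "avgrsx.exe", "AVGIDSAgent.exe"}

# One file row of cmd.exe `dir` output: date, time, size, name ("<DIR>" rows do not match).
DIR_LINE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+[\d,]+\s+(\S.*?)\s*$")

def parse_dir_listing(text):
    """Return the set of filenames in a `dir` listing, ignoring header/footer rows."""
    names = set()
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names

def audit_av_directory(listing):
    """Diff a `dir` listing of the AVG directory against EXPECTED_EXES.
    Comparison is case-insensitive because NTFS is; a renamed watchdog shows up
    once as 'missing' (its real name) and once as 'unexpected' (its new name)."""
    present = {n.lower(): n for n in parse_dir_listing(listing)}
    expected = {n.lower(): n for n in EXPECTED_EXES}
    missing = sorted(expected[k] for k in expected if k not in present)
    unexpected = sorted(present[k] for k in present if k not in expected)
    return {
        "missing": missing,
        "unexpected": unexpected,
        "critical_missing": sorted(n for n in missing if n in CRITICAL),
        "tampered": bool(missing or unexpected),
    }

def render_dir_lines(names):
    """Constructed `dir`-style rows for a set of names (date and size are dummy values)."""
    return "\n".join(f"08/02/2011  06:09 AM           192,776 {n}" for n in sorted(names))

# Constructed sample: `dir avg*` output after the watchdog and resident shield were renamed.
TAMPERED_LISTING = (" Volume in drive C has no label.\n"
                    + render_dir_lines((EXPECTED_EXES - {"avgwdsvc.exe", "avgrsx.exe"})
                                       | {"avgwdsvc.exe.bak", "avgrsx.exe.bak"})
                    + "\n              20 File(s)     41,115,248 bytes\n")

if __name__ == "__main__":
    report = audit_av_directory(TAMPERED_LISTING)
    print("tampered:", report["tampered"], "| critical missing:", report["critical_missing"])
    print("unexpected files (renamed originals?):", report["unexpected"])
```

Running the same audit from a scheduled task, and alerting when `critical_missing` is non-empty, turns the rename tactic into a detectable event rather than a silent loss of protection.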
The purpose of this post is to raise security awareness among people who think that having a firewall and antivirus installed guarantees that no attack can succeed against their system. Yes and no. Yes, if the attack comes directly from the untrusted zone into the trusted zone (the victim's machine). No, because attackers love to use social engineering to tempt, dupe and intimidate the victim into "helping" the attacker bypass the firewall and antivirus protection. The attacker could go as far as disabling the AV because the victim clicked a link received from an unknown source; the browser showed a Google Mail page that looked legitimate, while in fact, as the page was loading, the stager and stage payloads were already being uploaded to the victim's machine. Further harm was done because the victim unwittingly trusted the link. The responsibility does not lie with the firewall and antivirus, as these cannot prevent an attack that unwittingly originates from within (i.e. from the victim).