I just upgraded Avast! Free on a PC in my network to version 20.1.2397, a process that required a restart. After the update and reboot were done, I thought nothing more of it until I happened to go to another PC on the LAN (this one protected by BitDefender Free) and saw an alert in the Notification Area. This is what the alert said: The network address (which I have obscured) for the source of the "Web threat" corresponds to the computer running Avast. Anybody have insight into what may be going on here? Did Avast Free try to attack the network, or is BitDefender being overly sensitive here?
in short - you have SMB v1 active https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 is that Windows 10? then you don't need avast or bitdefender crap. https://www.wilderssecurity.com/thr...-support-windows-7.425586/page-2#post-2895309
Thank you, that was interesting. Both PCs involved are Windows 7, and both of them have the patch KB4012212 installed, which I thought was supposed to plug this hole. Maybe I misunderstood, and so in addition to that patch one also needs to manually disable SMB v1? But a (possibly) more interesting question is, why would BitDefender decide that its PC was attacked by the other PC running Avast when Avast got upgraded to the newest version?
My best guess is the PC you installed Avast on was never patched via the applicable Win update for CVE-2017-0143. It also appears the DoublePulsar backdoor is installed on it. Appears the installation of Avast on the PC has triggered the DoublePulsar backdoor for some unknown reason. One possibility is whatever AV you were using previously was keeping the backdoor from activating. When that was uninstalled and prior to the Avast installation, the backdoor activated. Your immediate concern is to apply the applicable Win update for CVE-2017-0143 to the Avast resident PC plus all your network PCs for that matter, or uninstall SMBv1 if your network doesn't require it. Appears Avast can remove the DoublePulsar backdoor by running a boot-time scan: https://help.avast.com/en/av_free/17/hns/hns-doublepulsar-infection.html .
That's what has me scratching my head: the Avast PC does have the SMB v1 patch installed. Prior to Avast 20.1, that PC had the previous version of Avast Free installed on it. It was an Avast-to-Avast upgrade. In light of recent disclosures about privacy issues with Avast, I've been meaning to replace Avast with something else on that computer anyway. I'll go in and verify whether SMB v1 is indeed disabled.
Remember that the delivery mechanism for the DoublePulsar backdoor is EternalBlue. EternalBlue is a worm. Therefore, every device on the network must be patched. Just one unpatched device will allow EternalBlue to spread to other devices on the network. What has happened in the past was installations had some forgotten Win XP device connected to the internal network that allowed EternalBlue to access other network devices. It all depends on how Avast does upgrades on its free version. It could be in reality an uninstall of the old version and install of the new.
SMB v1 is only needed when connecting to Win XP, which doesn't have SMB v2 or higher. SMB v2/3 has been available since Vista. The everlasting solution for Win7 and antivirus is Defender+MSE. This combination still gets updates while Win7 has been vulnerable since patch day in Feb. (only the patch for the bad patch for the desktop image arrived)
I stand corrected. EternalBlue is a SMBv2 exploit. EternalRomance is the SMBv1 exploit: https://www.dionach.com/blog/do-you-wannacry-a-taste-of-smb-exploitation/ As noted above, SMB through ver. 3 can be exploited if their respective patches have not been applied. Only Win OS ver. 10 -EDIT- appears unpatched Win 10 can also be exploited: https://www.csoonline.com/article/3199976/nsas-ethernalblue-exploit-ported-to-windows-10.html, and Server 2012+ are not vulnerable to SMB exploiting -EDIT- To cut down on the confusion, the ver. of SMB used is OS dependent: https://www.itprotoday.com/windows-server/checking-your-smb-version The above means if your OS is 2000 or XP, you will be attacked using a SMB v1 exploit. If you're using Vista or Win 7, you will be attacked using a SMB v1 or 2 exploit. Finally, if you're using Win 8+, you could be attacked using a SMB v1, 2, or 3 exploit. Bottom line - removing SMBv1 does not guarantee you couldn't be exploited on Vista+ on an unpatched system. This also means all available SMB patches must be applied to be fully protected against known SMB exploits.
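The two things the posts above ask the Windows 7 owner to verify (is SMBv1 actually off, and is the MS17-010 fix present) can be checked read-only from PowerShell; this is an added example, not code from anyone in the thread. The registry value and driver names follow Microsoft's KB2696547, and KB4012215 is assumed here as the March 2017 monthly rollup that carries the same fix as the KB4012212 security-only update mentioned earlier.

```powershell
# Added example: read-only SMBv1 / MS17-010 status check for a Windows 7 host.
# Locations per Microsoft KB2696547; KB list is an assumption noted in the lead-in.
function Get-Smb1Status {
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Server side: on Windows 7 an absent SMB1 value means SMBv1 is enabled.
    $val = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $server = if ($null -eq $val) { 'enabled (default, value absent)' }
              elseif ($val -eq 0) { 'disabled' }
              else                { 'enabled' }

    # Client side: the mrxsmb10 driver; StartMode 'Disabled' means the SMBv1 client is off.
    $drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='mrxsmb10'"
    $client = if ($drv) { $drv.StartMode } else { 'not present' }

    # Patch side: security-only update or the monthly rollup that supersedes it.
    $wanted = 'KB4012212', 'KB4012215'
    $fixes = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $wanted -contains $_.HotFixID } |
             ForEach-Object { $_.HotFixID }

    # srv.sys is the SMB server driver MS17-010 replaces; tools such as the ESET
    # checker linked later in the thread compare its version against the patched one.
    $srv = (Get-Item "$env:SystemRoot\System32\drivers\srv.sys").VersionInfo.FileVersion

    New-Object PSObject -Property @{
        Smb1Server    = $server
        Smb1Client    = $client
        Ms17010KBs    = if ($fixes) { $fixes -join ',' } else { 'none found' }
        SrvSysVersion = $srv
    }
}

Get-Smb1Status | Format-List

# To actually turn SMBv1 off (KB2696547), once nothing on the LAN still needs it,
# run the following from an elevated prompt and reboot:
#   Set-ItemProperty -Path $params -Name SMB1 -Type DWORD -Value 0 -Force
#   sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
#   sc.exe config mrxsmb10 start= disabled
```

A host that reports both sides disabled and an MS17-010 KB present is what the thread's later ESET check confirms by file version.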
Thank you @Brummelchen and @itman for the information and follow-up, much appreciated. I had the PC in question spend much of the day today getting scanned by various AV applications (online and offline): Avast full-system scan, Avast pre-boot scan, Emsisoft Emergency Kit, Trend Micro Rescue Disk, G Data Boot Medium. The computer turned up clean on all of them. I'm wondering if it may have been a false positive on BitDefender's part, somehow triggered when the new Avast version tried to see the rest of the local network (?).
Well, that is entirely possible but still the detection is a bit odd. AV products detect network based CVE exploits usually in their IDS or equivalent protection modules. In other words, this is a network detection based on protocol being used, ports being employed, and inbound network traffic being analyzed. For the most part, false positives in regards to network based CVE detections are quite rare. Your best place to resolve this would be in the BitDefender forum. I assume BitDefender offers no direct tech support for their free products. You could also post in the Avast forum since installation of their product has apparently triggered this behavior. There is a DoublePulsar checker over at Github that will check for its presence on a device or the entire network: https://github.com/countercept/doublepulsar-detection-script . Unfortunately it's written in Python. Eset has an EternalBlue exploit checker that will verify that a device has been patched against the exploit: https://support.eset.com/en/kb6481-...ndows-vulnerabilities-are-patched#eternalblue .
Cool, thanks for the links and info. Running the Python script is above my pay grade, but I did launch the ESET tool. The Avast PC checked out as being safe from this vulnerability. I'll go into the Avast forum and see if anyone else has reported this behavior.
One other thing I forgot to mention. DoublePulsar is a backdoor. It could have been installed prior to the PC being patched. The presence of a backdoor does not necessarily mean that it is actively being used externally. Detection of any backdoor is extremely hard to accomplish using conventional security software. There have been cases where a backdoor has remained in the dormant state for months and even years until some attacker discovered its presence and exploited it.
The PC with Avast on it seldom surfs the Web (going mostly to a single, specific website that's rated "safe"), and in any case there aren't any sensitive files on it. Could this backdoor be used to attack other PCs on the network without security software on those other PCs knowing about it? How about if those PCs have the patch for DoublePulsar?
To begin, there is no patch per se for DoublePulsar. Here's a detailed analysis of DoublePulsar: https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html . The last conclusion paragraph says it all:
I will say this in regards to any PC where the DoublePulsar backdoor is installed. The above Countercept linked Python script appears to in reality only detect DoublePulsar's presence. Per this Reddit discussion: https://www.reddit.com/r/AskNetsec/...o_completely_remove_a_doublepulsar_need_help/ , the only way to fully get rid of it is to reformat and reinstall the OS. Which BTW is the long established procedure when any backdoor is suspected.
Two questions: 1) Could this backdoor be used to attack other PCs on the network without security software on those other PCs knowing about it? 2) The Avast PC from which the BitDefender PC claimed to see a DoublePulsar attack attempt has checked out in the following ways: a) It had the KB4012212 patch installed in 2017; b) It passed ESET's EternalBlue exploit checker; c) It came up clean on a variety of both online and offline or pre-boot scans with Avast, EEK, Trend Micro, and G Data. So, bottom line: with respect to DoublePulsar, is there anything to be concerned about regarding the Avast PC?
The purpose of a backdoor is to allow an attacker to download malicious software. In the case of the DoublePulsar backdoor, that software would run at System privileges. Additionally, the DoublePulsar backdoor would allow the attacker to do whatever he wished via remote connection. So I would say the answer to your question is yes. Again the answer to your question is yes if the DoublePulsar backdoor is installed on the Avast PC. You need to 100% verify that DoublePulsar is not installed on the Avast PC. Additionally, there are multiple versions of DoublePulsar. For example, Petya used a re-engineered version called DoublePulsar ver. 2: https://blog.checkpoint.com/2017/07...2-analyzing-petyas-doublepulsarv2-0-backdoor/ . I believe the Proofpoint DoublePulsar checker will only detect the original Shadow Brokers version.
Finally, the NSA exploits were being used long before the SMB patch was made available by Microsoft: https://www.zdnet.com/article/chine...sa-malware-a-year-before-shadow-brokers-leak/
To make matters worse, a security researcher developed a user mode DoublePulsar POC here: https://blog.f-secure.com/doublepulsar-usermode-analysis-generic-reflective-dll-loader/ . I "played" with this one a while back; even conversing with the developer. This puppy is as effective in many ways as the original kernel mode DoublePulsar.
Here's my recommendation on how to proceed. Uninstall Avast on this PC. Run its cleaner to get rid of all traces of it. Run temporarily whatever default Microsoft security protection for the OS ver. you have installed. After uninstalling and cleaning out all remnants of Avast, if you are still receiving BitDefender alerts about DoublePulsar on the PC, assume you are indeed infected. Your only solution in this case is to reformat and reinstall the OS. If BitDefender no longer detects DoublePulsar from this PC, the issue is somehow related to this Avast upgrade you performed. You can then install Avast fresh. If the BitDefender DoublePulsar detection reappears, assume it is related to Avast in some way. Probably a false positive, but no guarantee there. Since this is a paid ver. of Avast, your solution lies with Avast tech support.
Also for reference, DoublePulsar is far from the only kernel mode backdoor created. All that needs to exist to get nailed by such is a Win kernel mode vulnerability; for example: https://business-review.eu/tech/bac...perating-system-found-by-kaspersky-lab-199862 Here's Kaspersky's detailed analysis of this: https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/ . Note the vulnerability was in win32K.sys; a kernel mode OS driver. Also in the Kaspersky article are references to other recent 0-day OS vulnerabilities. -EDIT- An example of malware that exploited this was Sodin ransomware: https://securelist.com/sodin-ransomware/91473/ Bottom line - many OS vulnerabilities are discovered by AV researchers as a result of an actual malware incident, silently reported to and patched by Microsoft, and don't hit the web mainstream reporting services. So I think it's reasonable to state that a hidden backdoor can exist on a system w/o detection.
OK, uninstalled Avast using their cleaner in Safe Mode, then rebooted. There was no DoublePulsar alert on the BitDefender PC. Took the opportunity to leave Avast uninstalled on that computer and to replace it with BitDefender, which I'd been intending to do anyway. Ran a system scan with BD and the computer came up clean. I'm satisfied that that computer doesn't have DoublePulsar on it. Thanks very much for all your help.
Interesting Microsoft TechNet discussion here: https://answers.microsoft.com/en-us...l/ec137d30-f0de-40a9-b93a-92da9241296c?page=3 on how remnants of Avast can lie dormant for some time and persist even after an upgrade to Win 10.