Did Avast attack BitDefender?

Discussion in 'other anti-malware software' started by JEAM, Mar 1, 2020.

  1. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    434
    I just upgraded Avast! Free on a PC in my network to version 20.1.2397, a process that required a restart.

    After the update and reboot were done, I thought nothing more of it until I happened to go to another PC on the LAN (this one protected by BitDefender Free) and saw an alert in the Notification Area. This is what the alert said:

    Avast vs BD.png

    The network address (which I have obscured) for the source of the "Web threat" corresponds to the computer running Avast.

    Anybody have insight into what may be going on here? Did Avast Free try to attack the network, or is BitDefender being overly sensitive here?
     
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,220
  3. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    434
    Thank you, that was interesting.

    Both PCs involved are Windows 7, and both of them have the patch KB4012212 installed, which I thought was supposed to plug this hole. Maybe I misunderstood, and so in addition to that patch one also needs to manually disable SMB v1 ? :doubt:

    But a (possibly) more interesting question is, why would BitDefender decide that its PC was attacked by the other PC running Avast when Avast got upgraded to the newest version?
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    My best guess is the PC you installed Avast on was never patched via applicable Win update for CVE-2017-0143. It also appears the DoublePulsar backdoor is installed on it.

    Appears the installation of Avast on the PC has triggered the DoublePulsar backdoor for some unknown reason. One possibility is whatever AV you were using previously was keeping the backdoor from activating. When that was uninstalled and prior to the Avast installation, the backdoor activated.

    Your immediate concern is to apply the applicable Win update for CVE-2017-0143 to the Avast resident PC plus all your network PC's for that matter, or uninstall SMBv1 if your network doesn't required it. Appears Avast can remove the DoublePulsar backdoor by running a boot-time scan: https://help.avast.com/en/av_free/17/hns/hns-doublepulsar-infection.html .
     
  5. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    434
    That's what has me scratching my head: the Avast PC does have the SMB v1 patch installed. :confused:

    Prior to Avast 20.1, that PC had the previous version of Avast Free installed on it. It was an Avast-to-Avast upgrade.

    In light of recent disclosures about privacy issues with Avast, I've been meaning to replace Avast with something else on that computer anyway.

    I'll go in and verify whether SMB v1 is indeed disabled.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    Remember that the delivery mechanism for the DoublePulsar backboor is EternalBlue. EternalBlue is a worm. Therefore, every device on the network must be patched. Just one unpatched device will allow EternalBlue to spread to other devices on the network.

    What has happened in the past was installations had some forgotten a Win XP device connected to the internal network that allowed EternalBlue to access other network devices.

    It all depends on how Avast does upgrades on its free version. It could be in reality an uninstall of old version and install of new.
     
  7. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,220
    smb v1 is only needed when connecting to win xp, that dont own smb v2 or higher. smb v2/3 is available since vista. the everlasting solution for win7 and antivirus is Defender+MSE. this combination still gets updates while win7 got vulnerable since patchday in feb. (only the patch for the bad patch for the desktop image arrived)
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    I stand corrected. EternalBlue is a SMBv2 exploit. EternalRomance is the SMBv1 exploit:
    https://www.dionach.com/blog/do-you-wannacry-a-taste-of-smb-exploitation/

    As noted above, SMB through ver. 3 can be exploited if their respective patches have not been applied. Only Win OS ver. 10 -EDIT- appears unpatched Win 10 can also be exploited: https://www.csoonline.com/article/3199976/nsas-ethernalblue-exploit-ported-to-windows-10.html, and Server 2012+ are not vulnerable to SMB exploiting

    -EDIT- To cut down on the confusion, the vers. of SMB used is OS dependant:
    https://www.itprotoday.com/windows-server/checking-your-smb-version

    The above means if your OS is 2000 or XP, you will be attacked using a SMB v1 exploit. If you're using Vista or Win 7, you will be attacked using a SMB v1 or 2 exploit. Finally if you're using Win 8+, you could be attacked using a SMB v1, 2, or 3 exploit. Bottom line - removing SMBv1 does not guarantee you couldn't be exploited on Vista+ on an unpatched system. This also means all available SMB patches must be applied to be fully protected against known SMB exploits.
     
    Last edited: Mar 2, 2020
  9. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    434
    Thank you @Brummelchen and @itman for the information and follow-up, much appreciated. :thumb:

    I had the PC in question spend much of the day today getting scanned by various AV applications (online and offline): Avast full-system scan, Avast pre-boot scan, Emsisoft Emergency Kit, Trend Micro Rescue Disk, G Data Boot Medium. The computer turned up clean on all of them. I'm wondering if it may have been a false positive on BitDefender's part, somehow triggered when the new Avast version tried to see the rest of the local network (?).
     
    Last edited: Mar 3, 2020
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    Well, that is entirely possible but still the detection is a bit odd. AV products detect network based CVE exploits usually in their IDS or equivalent protection modules. In other works, this is a network detection based on protocol being used, ports being employed, and inbound network traffic being analyzed. For the most part, false positives in regards to network based CVE detection's are quite rare.

    Your best place to resolve this would be in the BitDefender forum. I assume BitDefender offers no direct tech support for their free products. You could also post in the Avast forum since installation of their product has apparently triggered this behavior. There is a DoublePulsar checker over at Github that will check for its presence on a device or the entire network: https://github.com/countercept/doublepulsar-detection-script . Unfortunately its written in Python. Eset has an EternalBlue exploit checker that will verify that a device has been patched against the exploit: https://support.eset.com/en/kb6481-...ndows-vulnerabilities-are-patched#eternalblue .
     
  11. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    434
    Cool, thanks for the links and info.

    Running the Python script is above my pay grade, but I did launch the ESET tool. The Avast PC checked out as being safe from this vulnerability.

    I'll go into the Avast forum and see if anyone else has reported this behavior.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    One other thing I forgot to mention.

    DoublePulsar is a backdoor. It could have been installed prior to the PC being patched. The presence of a backdoor does not necessarily mean that it is actively being used externally. Detection of any backdoor is extremely hard to accomplish using conventional security software. There have been cases where a backdoor has remained in the dormant state for months and even years until some attacker discovered its presence and exploited it.
     
  13. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    434
    The PC with Avast on it seldom surfs the Web (going mostly to a single, specific website that's rated "safe"), and in any case there aren't any sensitive files on it.

    Could this backdoor be used to attack other PCs on the network without security software on those other PCs knowing about it? How about if those PCs have the patch for DoublePulsar?
     
  14. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    4,872
    Location:
    USA still the best. But getting worse!
    Thanks for the Eset link.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    To begin, there is no patch per se for DoublePulsar.

    Here's a detailed analysis of DoublePular: https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html . The last conclusion paragraph says it all:
     
    Last edited: Mar 5, 2020
  16. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,385
    Location:
    USA
    TY for the exploit checker, itman. :thumb:
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    I will say this in regards to any PC where the DoublePulsar backdoor is installed.

    The above Countercept linked Python script appears to in reality only detect DoublePulsar's presence. Per this Reddit discussion: https://www.reddit.com/r/AskNetsec/...o_completely_remove_a_doublepulsar_need_help/ , the only way to fully get rid of it is to reformat and reinstall the OS. Which BTW is the long established procedure when any backdoor is suspected.
     
  18. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    434
    Two questions:

    1) Could this backdoor be used to attack other PCs on the network without security software on those other PCs knowing about it?

    2) The Avast PC from which the BitDefender PC claimed to see a DoublePulsar attack attempt, has checked out in the following ways:
    a) It had the KB4012212 patch installed in 2017;
    b) It passed ESET's EternalBlue exploit checker;
    c) It came up clean on a variety of both online and offline or pre-boot scans with Avast, EEK, Trend Micro, and G Data.​

    So, bottom line: with respect to DoublePulsar, is there anything to be concerned about regarding the Avast PC?
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    The purpose of a backdoor is to allow an attacker to download of malicious software. In the case of the DoublePulsar backdoor, that software would run at System privileges. Additionally, the DoublePulsar backdoor would allow the attacker to do whatever he wished via remote connection. So I would say the answer to your question is yes.
    Again the answer to your question is yes if the DoublePulsar backdoor is installed on the Avast PC.

    You need to 100% verify that the DoublePulsar is not installed on the Avast PC.

    Additionally, there are multiple versions of DoublePulsar. For example, Petya used a re-engineered version called DoublePulsar ver. 2: https://blog.checkpoint.com/2017/07...2-analyzing-petyas-doublepulsarv2-0-backdoor/ . I believe the Proofpoint DoublePulsar checker will only detect the original Shadow Brokers version.
     
    Last edited: Mar 5, 2020
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    Finally, the NSA exploits were being used long before the SMB patch was made available by Microsoft:
    https://www.zdnet.com/article/chine...sa-malware-a-year-before-shadow-brokers-leak/
     
    Last edited: Mar 5, 2020
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    Here's my recommendation on how to proceed.

    Uninstall Avast on this PC. Run it's cleaner to get rid of all traces of it. Run temporarily whatever default Microsoft security protection for the OS ver. you have installed.

    After uninstalling and cleaning out all remnants of Avast if you are still receiving BitDefender alerts about DoublePulsar on the PC, assume you are indeed infected. Your only solution in this case is to reformat and reinstall the OS.

    If BitDefender no longer detects DoublePulsar from this PC, the issue is somehow related to this Avast upgrade you performed. You can then install Avast fresh. If the BitDefender DoublePulsar detection reappears, assume it is related to Avast in some way. Probably a false positive, but no guaranty there. Since this is a paid ver. of Avast, your solution lies with Avast tech support.
     
    Last edited: Mar 6, 2020
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    Also for reference, DoublePulsar is far from the only kernel mode backdoor created. All that needs to exist to get nailed by such is a Win kernel mode vulnerability; for example;
    https://business-review.eu/tech/bac...perating-system-found-by-kaspersky-lab-199862

    Here's Kaspersky's detailed analysis of this: https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/ . Note the vulnerability was in win32K.sys; a kernel mode OS driver. Also in the Kaspersky article are references to other recent 0-day OS vulnerabilites.
    -EDIT- An example of malware that exploited this was Sodin ransomware: https://securelist.com/sodin-ransomware/91473/

    Bottom line - many OS vulnerabilities are discovered by AV researches as a result of an actual malware incident, silently reported to and patched by Microsoft, and don't hit the web mainstrean reporting services. So I think it's reasonable to state that a hidden backdoor can exist on a system w/o detection.
     
    Last edited: Mar 8, 2020
  24. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    434
    OK, uninstalled Avast using their cleaner in Safe Mode, then rebooted. There was no DoublePulsar alert on the BitDefender PC.

    Took the opportunity to leave Avast uninstalled on that computer and to replace it with BitDefender, which I'd been intending to do anyway. Ran a system scan with BD and the computer came up clean.

    I'm satisfied that that computer doesn't have DoublePulsar on it. Thanks very much for all your help. :thumb: :thumb:
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.