nod32 vulnerability

Discussion in 'ESET NOD32 Antivirus' started by blin, Dec 22, 2011.

Thread Status:
Not open for further replies.
  1. blin

    blin Registered Member

    Joined:
    May 22, 2008
    Posts:
    13
    Win7 Ultimate x64 Free

    NOD32 business x64

    I visited a website today using IE9 (eset staff can pm me for a link) and got delivered a payload somehow - I didn't bother to analyse how.

    The trojan disabled nod32 and installed its user-mode exe c:\program files (x86)\lp\1cc.exe. nod32 detected the trojan trying to access the web and blocked those attempts. It also detected the trojan exe itself (after it had executed), but not before the trojan had broken nod32.

    nod32 still appeared to "work", but I received the "application protocols will not function" error. I believe the software had tampered with the eset driver at this stage.

    I managed to remove the user-mode portion of the trojan by suspending the process in procexp, then deleting it, but I couldn't be sure at that stage that a kernel-mode payload hadn't been delivered, so I took it off the web, flashed the BIOS, reformatted, and that was that.

    I think it's worth someone from eset taking a look at the virus, I haven't had this happen in a long time.
     
  2. dwomack

    dwomack Eset Staff Account

    Joined:
    Mar 2, 2011
    Posts:
    588
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    It's not a vulnerability. Once malware is run with admin rights, it can do virtually anything, no matter what security solution is installed. If the malware is still undetected (otherwise ESET wouldn't have allowed it to execute unless you had the signature db outdated or protection disabled), submit it to ESET for perusal.
     
  4. blin

    blin Registered Member

    Joined:
    May 22, 2008
    Posts:
    13

    I've got to disagree Marcos.

    NOD32 was up to date, I'm sure of that.

    I didn't click any links or run any malware myself. The exe managed to download itself and run itself without any user intervention other than opening the web page. It also managed to manipulate/break the eset driver - either directly (I'm assuming your IRPs are encrypted or protected in some form), so I'm guessing it was through the registry or direct file manipulation rather than an IRP to stop the driver. It had to do something fairly nifty to break the filter driver - that's what I found a bit hard to swallow.

    If I'd run an exe and it had done that - I would have deserved everything I'd gotten.

    Thanks dwomack - I've sent them/you the URL.
     
    Last edited: Dec 22, 2011
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    Ok, but even having security software up to date does not guarantee 100% protection against threats. What level of UAC do you use to minimize the risk of infection?
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm actually more interested to know if the URL in question exploited a bug in IE9?

    Also, to be able to disable Nod32, it had to execute itself as an administrator. This also begs questions like: Was it an exploit making use of privilege escalation?

    Also, were you running as an administrator (UAC disabled)? If you were, and you only use an antimalware application, then you're asking for trouble.
     
  7. gugarci

    gugarci Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    288
    Location:
    Jersey
    Sorry to hear that. Is your OS up to date with its patches? Also, what about your browser plug-ins, Java & Flash?
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Great questions. It's very important to keep track of outdated applications. Using something like Secunia PSI is a great way to keep up.
     
  9. blin

    blin Registered Member

    Joined:
    May 22, 2008
    Posts:
    13
    Yes, everything is up to date, all patched, etc., etc.

    The killer is probably that UAC was off, but having said that, I'd also be interested to know the exploit that allowed a page visit with no clicks to silently download, extract, install, and run a payload.

    It's all been reformatted and sorted now, and I took the machine off the web as soon as the popups started flying, so I'm not too worried. There must be a buffer overrun exploit in IE9 or something.
     
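    The posts above turn on the same question: whether UAC was on, and whether the browser was running with a full admin token when the payload arrived. The following PowerShell snippet is an added example for readers of this thread, not something posted by any participant, that reports the documented UAC policy values (`EnableLUA`, `ConsentPromptBehaviorAdmin` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`) and whether the current process holds an elevated token. The plain-English assessment strings are my own wording; the value meanings follow Microsoft's documentation for those keys.

```powershell
# Added example (not from the thread): report the UAC configuration the posters asked about.
# Read the documented UAC policy values from the local machine.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

# EnableLUA = 0 means UAC is entirely off: every process started by an admin user
# already runs with a full administrator token (the situation blin describes).
$uacOn = ($p.EnableLUA -eq 1)

# ConsentPromptBehaviorAdmin (admin-approval mode behaviour):
#   0 = elevate without prompting        1 = prompt for credentials (secure desktop)
#   2 = prompt for consent (secure desktop)  3 = prompt for credentials
#   4 = prompt for consent                5 = prompt for consent for non-Windows binaries (default)
$behavior = $p.ConsentPromptBehaviorAdmin

# Does the current process itself hold an elevated (full administrator) token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Assessment text is the example's own wording, not a Microsoft classification.
if (-not $uacOn) {
    $assessment = 'UAC disabled: anything a drive-by download runs inherits full admin rights'
} elseif ($behavior -eq 0) {
    $assessment = 'UAC enabled but set to elevate silently: no effective barrier for admin accounts'
} elseif ($elevated) {
    $assessment = 'This session is elevated: a browser launched from here runs with admin rights'
} else {
    $assessment = 'UAC active with a prompt; processes started from here use a filtered token'
}

[pscustomobject]@{
    UacEnabled                 = $uacOn
    ConsentPromptBehaviorAdmin = $behavior
    CurrentProcessElevated     = $elevated
    Assessment                 = $assessment
}
```

    Run it from the same account (and the same elevation state) the browser is launched from; run from an elevated console it will always report `CurrentProcessElevated = True`, which is exactly the condition the thread identifies as turning a browser compromise into a full-machine compromise.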
  10. Sacles

    Sacles Registered Member

    Joined:
    Dec 8, 2004
    Posts:
    372
    Location:
    Belgique
    Hello,

    blin, do you use the HIPS of NOD32?

    The best protection is obtained with the setting "Interactive mode" (to use after "Learning mode").

    Warning: the setting "Learning mode" can only be used with a PC without infection.

    A HIPS is only a tool to protect your computer, not to find infections.

    You should also know, after the learning period, what you need to block or allow. See for yourself if you can do that.
     
  11. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada
    So don't blame NOD32 AV only!!!

    Business AV is still v4, no HIPS.
     
  12. Sacles

    Sacles Registered Member

    Joined:
    Dec 8, 2004
    Posts:
    372
    Location:
    Belgique
    Hello,

    Sorry, I had not seen that.
     