Friday, March 19, 2010

Uh oh! Trojan!

Apparently you cant trust anyone these days.  Including me it seems ;).

In my second exploit tutorial I talked about how to exploit a vulnerability in BigAnt Server 2.52, and I provided a link to the vulnerable application from the Exploit-DB.  On the 27th of February, I noticed that the Exploit-DB download link for the vulnerable application had been removed, with no explanation as to why, so in order to allow people to follow along with the tutorial I found my own copy of the installer that I had myself retrieved from the Exploit-DB, and I made it available to people.

Now I have found out that that this installer includes an added little "bonus", in the form of a Trojan that gets installed as soon as you run the installer (and before you actually install BigAnt Server).

The Trojan runs as both a fake Adobe Update Manager as well as a fake Microsoft Office Startup Agent.  Both processes monitor the other and will restart each other if the process is stopped for any reason.  In order to successfully kill them you can create a batch file which uses taskkill command to stop and then the del command to delete the underlying executables.  Doing it manually via Task Manager and then trying to delete the file in Windows Explorer  wont work, as the program will get restarted before you can delete the file on disk.  I will post a more detailed post in a little while going over in more detail how to remove and (for the brave and interested) how to analyse these files to determine what they do.

If you have already installed this version of BigAnt, either from the Exploit-DB or the version that I provided, you can remove the Trojan files using the method described above.  SysInternals Process Explorer will show you the running processes and you can track down the exact file location from there and kill and delete them via a batch script in order to catch them before one restarts the other.  There are also startup entries in the Registry that start the Trojan files along with the system, but if you delete the executables there will be nothing for those registry entries to start. 

I had actually noticed this Trojan myself after finishing the BigAnt exploit (and Im quoting most of the removal instructions above from memory), however I do so many questionable things on that test system I didnt link it to the BigAnt installer.  I just removed it, with the intention of maybe making a blog entry about it at some later date, and moved on.

So what is the lesson to take away from this?  Beware of things you download from the Internet essentially, especially when visiting computer security related sites.  Im guessing that while the Exploit-DB people take reasonable care in submissions they receive, that they don't perform detailed analysis of submitted files beyond maybe a virus scan (and even now the virus scanner I use did not pick up any problem with the installer itself).   And I didn't perform any additional checks on the file myself, because I was only ever using it on a test virtual machine which I had sandboxed, so I was already treating it as untrusted.


Its not only files that come from security sites you can't trust either.  Seemingly legitimate programs as well as scripts you find on the Internet  and definitely some of the public exploits you may find could all be hazardous to your computer's health. So, when testing out any software from an untrusted location on the Internet, always run it in a sandboxed environment first.

No comments:

Post a Comment