VB.NET sub to get rid of ESET 8 quietly (even with self-defense enabled)

Status
Not open for further replies.

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
969

Today I was browsing the web, and accidentally found this interesting blog post here.
The author says:
"So I recently found a way to completely remove ESET Smart Security 8 by just executing a single command. In my opinion it's very unsafe to use an antivirus that can be uninstalled so easily and without warning. *Note that it does not matter if self-defense is enabled or not*.
...In order to show you how serious it is I made a simple crypter that first uninstalls ESET and then decrypts and runs the backdoor
..
-rat server executable is converted to a string
-this string gets encrypted with AES
-this string goes to the end of the stub file
-stub goes to the target machine and uninstalls eset
-stub reads itself and decrypts the server string
-stub recreates the server executable from the string
-stub runs the rat server now that ESET is uninstalled"

So, the first thing I thought was to share this with you, MT members ;)
 

hjlbx

Use AppGuard, NoVirusThanks Exe Radar Pro or VooDooShield - and the above malicious script will not work.

Easy, simple fix... but I expect most users will think: "How could ESET allow this to happen... ?"

Nowadays, in the face of a never-ending supply of malwares, an anti-executable is absolutely essential. AEs as primary protection and virtualization as by-pass\physical system protection.

You gotta hand it to Comodo as they got that basic principle - AE\LV - figured out.

It is just that CIS' anti-executable functionality and capabilities are not enabled by default.
 

kiric96

Level 19
Verified
Well-known
Jul 10, 2014
917
Looking at the code itself, it seems that it is a silent uninstall, so this is not a vulnerability but a valid way of uninstalling; the problem here may be that the user is not aware that "this" is happening in the background...
 

Enju

Level 9
Verified
Well-known
Jul 16, 2014
443
Something like this still works? I'm amazed...
I remember using a simple AV-uninstall batch script in 2006 or 7 to accomplish this kind of task but that it is still working is incredible, shows how "secure" signature based security software really is.
 

Deleted member 178

To be very simple, AVs detect malwares by hash or by their code. By encrypting them (a technique called "obfuscation"), you hide that info inside binary code. So the malware goes unnoticed by most AVs.

Surely our guys from the malware hub can explain this better than me :D
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Well, encrypted tools are always a problem for such AVs to detect, since the hashes, DNA and other information are changed; therefore it strictly depends on user-intervention components such as HIPS or BB.
 

soccer97

Level 11
Verified
May 22, 2014
517
Yikes this is concerning. I hope ESET updates their components and this is carefully factored in and actually implemented into version 9. I still believe that ESET is an excellent and lightweight product.
 