PC Media Antivirus (PCMAV) is an antivirus made by famous Indonesia computer magazine PCMedia . PCMAV is quite popular in 2006 since many virus creators in Indonesia actively spread a computer virus and infecting most computers in Indonesia. At that time some people start to claim a special anti-virus to detect Indonesia computer viruses, some of which are popular such as SmadAV, PC Media Antivirus (PCMAV), and AnsAV (edit: can’t find any official links).
Until now, PCMAV is still a popular antivirus used on most computers in Indonesia. PCMAV usually installed alongside with another popular free antivirus such as Avast, AVG, or Avira Antivir. In some companies, PCMAV is also a mainstay for detecting viruses made in Indonesia.
Antivirus is an endpoint protection to detect malicious programs from outside the computer, so the antivirus should be made with good protection, well flow design, and it should not vulnerable, thus cannot be exploited.
Proof of concept in antivirus product has been researched since a few years ago. Some well-known antivirus cannot survive and suffer from exploitation, thus bringing the risk to computer users.
This time, Spentera brought PCMAV antivirus to our garage to be tested. As a result, PCMAV suffers Insecure Library Loading vulnerability, also known as DLL Hijacking. The vulnerability works as a common DLL Hijacking technique, that an attacker can “introduce” his/her own DLL to be loaded by the vulnerable software. But in this case, it becomes more interesting. Since PCMAV made as portable, users can install PCMAV without installation, it is of course to make it easier to the users.
With the DLL Hijacking vulnerability in PCMAV, it becomes more dangerous. Since the attacker can “introduce” his/her .dll, PCMAV will automatically load the dll without confirmation. So hey, what is the problem?! I can’t get it. Well, let say you create your own DLL to execute another backdoor, listening on port with a command prompt serve you later. Very dangerous isn’t it?!
To be more clear, let us see how the action of this DLL Hijacking on PCMAV.
We can download the latest PCMAV from their website (at the time of writing, this link works and that was the current version): http://virusindonesia.com/2012/11/23/pc-media-112012-pcmav-8-4-raptor/. Now, if we analyzed using Process Monitor, PCMAV load several DLLs, but there is one interesting here.
The svrapi.dll is introduced by PCMAV itself. The svrapi.dll is a common Microsoft Common Server API Library, it is a system process that is needed to work properly. Because it is introduced by PCMAV, we can also introduce our (malicious) svrapi.dll.
Metasploit has the capability to generate malicious DLL, here is the way to create a DLL that can spawn a reverse shell to our machine.
Once created, we just simply put this malicious svrapi.dll into PCMAV’s root directory, the same path as the executable (PCMAV.EXE). Since our prep is complete, now we setup our meterpreter listener in our machine.
Our friend, Tom was asking a good antivirus to detect Ramnit. We put Tom on the test, we give him our modified PCMAV, with our DLL introduced in the root directory. When the package has been delivered to our good friend, Tom, he should be happy because he will get his computer cleaned with PCMAV antivirus. But unfortunately we change the story, Tom executed the PCMAV.EXE, and soon our svrapi.dll get loaded, and not so long, our meterpreter handler receives a connection.
We got our shell and Tom is happy because PCMAV is still scanning his system properly.
Moral of the story: DO NOT trust any files comes from external removable media, even from your trusted friend. Download it from original source (if any).
Note: Tom still doesn’t know about this.. psst..