PC Media Antivirus: Insecure Library Loading Vulnerability

PC Media Antivirus: Insecure Library Loading Vulnerability

PC Media Antivirus (PCMAV) is an AV software made in Indonesia. It’s quite popular back in 2006 since many virus creators in Indonesia actively spread viruses, and infecting most computers. At the time, some people started to claim a special AV to detect viruses, some of which are popular such as SmadAV, PCMAV, and Ansav.

Until now, PCMAV is still a popular AV used on most computers in Indonesia. It is usually installed alongside other popular free Avs such as Avast, AVG, or Avira Antivir. In some companies, PCMAV is also a mainstay for detecting viruses made in Indonesia.

AVs are an endpoint protection to detect malicious programs, so it should be made with good protection, well flow design, and should not be vulnerable, thus cannot be exploited.

Proof of concept in AV products has been researched since a few years ago. Some well-known AVs cannot survive and suffer from exploitation, thus bringing risks to users.

This time, Spentera brought PCMAV to our garage to be tested. The result is that it suffers from Insecure Library Loading vulnerability, also known as DLL Hijacking. It works as a common DLL Hijacking technique in which an attacker can “introduce” his/her own DLL to be loaded by the vulnerable software. In this case, however, it becomes more interesting since PCMAV was created as a portable software, in order to make it easier for users.

With this vulnerability, it becomes more dangerous, since the attacker can “introduce” his/her .dll, PCMAV will automatically load the .dll without confirmation. So hey, what’s the problem?! I don’t get it. Well, let’s say you create your own DLL to execute another backdoor, listening on port with a command prompt serve you later. Very dangerous, isn’t it?!

To be clearer, let’s see how the action of this DLL Hijacking on PCMAV.

We can download the latest PCMAV on their website, http://virusindonesia.com/2012/11/23/pc-media-112012-pcmav-8-4-raptor/. Now, if we analyze it using Process Monitor, PCMAV will load several DLLs, but there is one interesting here.

The svrapi.dll is introduced by PCMAV itself. It is a common Microsoft Common Server API Library, a system process that is needed to work properly. Because it is introduced by PCMAV, we can also introduce our own (malicious) svrapi.dll.

Metasploit has the capability to generate malicious DLL. Here’s the way to create a DLL that can spawn a reverse shell to our machine.

Once created, we just simply put this malicious svrapi.dll into PCMAV’s root directory, the same path as the executable (PCMAV.EXE). Since our prep is complete, now we set up our meterpreter listener in our machine.

Our friend, Tom was asking a good AV to detect Ramnit. We put him on the test by giving him our modified PCMAV, with our DLL introduced in the root directory. When the package were delivered, Tom should be happy because he’s gonna get his computer cleaned with PCMAV. Unfortunately, we change the story. Tom executed the PCMAV.EXE, and soon our svrapi.dll got loaded, and not long after, our meterpreter handler receives a connection.

We got our shell and Tom is happy because PCMAV is still scanning his system properly.

Moral of the story: DO NOT trust any files that come from external removable media, even from your trusted friend. Download it from original source (if any).

Note: Tom still doesn’t know about this.. psst..