When your Anti Virus turns against you...
Product: IOBit Malware Fighter Pro
Version: 8.0.2.547
Tested on: Windows 10 Pro 2004 x64
Vendor informed: Yes
PoC: https://github.com/Daniel-itsec/Malwarefighter/blob/master/config.ini
CVE: 2020-15401
As every other AV solution also Malware Fighter (MF) uses a scan engine to detect malicious file and to remove/quarantine them after detection. Of course files/folders can also be added to a whitelist to exclude them from scanning and allow execution. In this example my goal is deactivate all Virus Scanner Features of Malware Fighter to allow eicar download and handling. Additionally I will lock MF for further usage and remove Microsoft Windows Defender to avoid having a AV solution on the system if MF is uninstalled.
MF runs under the highest possible level in Windows OS which is "NT AUTHORITY\SYSTEM". This is needed to remove malware which require higher access rights. When MF detects a malicious file it will
1. Automatically delete it/move to quarantine
2. Ask the user what to do with this file
It doesn´t matter which method will be used it is still allowed for regular users to delete the file! This is possible because MF does set an delete oplock on the file and when set to "delete automatically" it will not delete the file when it is detected rather after over one second. I guess this is because MD does some additionally checks but I haven´t investigated this further. This brings an attacker into an interesting situation where the attacker can delete a file with SYSTEM rights. Also called arbitrary file deletion.
Malware Fighter uses the folder "C:\ProgramData\IObit\IObit Malware Fighter" to store configuration files. This folder is writable for regular users but they can not delete or write to existing files
Malware Fighter uses the "C:\ProgramData\IObit\IObit Malware Fighter\config.ini" file to store its configuration. Some settings are presented just by a "1" others are presented by a numerical code. In config.ini the entry "ConfigType" holds the value which represents the actual configuration of MF.
A value of "2047" means that all protection features are activated.
A value of "560" means settings are deactivated.
When all settings are deactivated users will also see this notification
*A sample of a configuration file which turns off all settings can be found in the PoC link at the beginning of this article.
So how does the attack actual look like? Pretty easy:
- Create a malicious file (like eicar test file) *The file can be named keylogger.exe to scar users
- Trigger the detection. This can be automatically or by just reading the file.
- Remove the file
- Create a NTFS folder junction and RPC link (pseudo-symlink). Good explanation about symlinks can be found here: https://offsec.almond.consulting/intro-to-file-operation-abuse-on-Windows.html
- Wait until the file gets removed / moved to quarantine
Usually this is bad enough because it allows an attacker to delete system protected files like the hosts file. But we can extend this attack like this
- Create a malicious file (like eicar test file)
- Trigger the detection. This can be done automatically or by just reading the file
- Remove the file
- Create a NTFS folder junction and RPC link (pseudo-symlink) to Windows Defender executable ("C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2006.8-0\MsMpEng.exe")
- Wait until the file is removed. The filename will be saved and the selected operation (delete(move to quarantine) will be automatically executed without notifying the user
- Repeat step 4 with "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2006.8-0\MsMpEng.exe" as target (version umber can be different)
- Repeat step 4 with "C:\ProgramData\IObit\IObit Malware Fighter\config.ini" as target
- Write a new config file. Malware Fighter will read the new settings shortly (few seconds)
- *Additionally you can also replace the config files holding the whitelist entries ("C:\ProgramData\IObit\IObit Malware Fighter\sswlist.ini")
What will happen after following the above steps: Malware Fighter will first delete the Microsoft Windows Defender executables. After that MF will delete its own config file. And finally the new config file will be written. MF will shortly apply the settings stored in the (self written) config file.
It is also possible to delete "C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe". In this case MF Service will run as usual but it will do nothing. You can download the eicar file, run malware etc. the system is not protected. Due to the fact that MF main executable is missing it not possible to open MF anymore. Additionally Windows Defender will present this Window (because the Malware Fighter Service is still running)
When also the uninstaller files are deleted the user will have a system with no working malware protection showing that the system is fully protected. When the user tries to uninstall this glorious software he or she will see this window
If Microsoft Defender and IOBit Malware Fighter executables are deleted Windows Security will end up like this
Of course the service cannot be restarted because there is no executable to run and therefore there is no Virus protection
So I tried to run the Malware Fighter Updater; maybe this would repair the system?!? Instead I got congratulations from IOBit
Personal note: Epic Fail
If Anti Virus software only needs a few lines of PowerShell to delete system files and its own executables this is really hard! It is easy to deactivate all features and leave the system vulnerable with Malware Fighter shwoing that everything is "Fully Protected". It is also easy to stay under the radar with a whitelist entry.