Ticket #146 (new defect)

Opened 10 months ago

Last modified 5 months ago

McAfee Detected Two Trojans upon Install

Reported by: damdem@msn.com Assigned to: hdm
Priority: minor Milestone: Metasploit 3.2
Component: framework3 Version:
Keywords: Mcafee Cc:

Description

I did not turn off AV software during the installation, and McAfee 8.5.0i with the DAT update from Sept 25, 2007 detected two trojans:

9/25/2007 3:08:37 PM Deleted (Clean failed) D810BWV5X81\Administrator C:\Program Files\Metasploit\Framework3\bin\ruby.exe C:\Program Files\Metasploit\Framework3\framework\modules\exploits\windows\browser\ms06_057_webview_setslice.rb\00000972.js Exploit-CVE2006-3730 (Trojan)

9/25/2007 3:08:38 PM Deleted (Clean failed) D810BWV5X81\Administrator C:\Program Files\Metasploit\Framework3\bin\ruby.exe C:\Program Files\Metasploit\Framework3\framework\modules\exploits\multi\browser\firefox_queryinterface.rb\00000993.js Exploit-MF06-04 (Trojan)

Change History

12/27/07 11:56:01 changed by hdm

  • milestone set to Metasploit 3.2 Release.

Find ways to obfuscate the module source.

02/26/08 16:31:09 changed by anonymous

Mine actually detected 4...

Actually this touches on a larger problem that I have wondered about... Since most of us need to exclude AV from the install location, it provides two potential problems:

1> The ability of malware to hide from AV by attempting to store in the Metasploit file structure (quite possible, since nothing is lost if Metasploit isn't present).

2> The ability of malware to call Metasploit's code and therefore use it (less likely, but still has potential).

One way I can think of to limit these risks is to install in a randomly named directory so at least the location isn't predictable. I currently do this manually, but if the installer would do it automatically it could be helpful. A stronger way to combat the occurrence of the above might be nice if someone can think of one though, as that is pretty thin protection.
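A compensating control for the first risk raised above, added here as an example and not code from the ticket or from the framework: record a hash baseline of the install tree once, keep it outside the excluded directory, and rescan so that files the AV exclusion hides still show up as added or modified. The tree layout and file names in the demo are constructed.

```ruby
require 'digest'
require 'fileutils'
require 'find'
require 'tmpdir'

# Record a SHA-256 baseline of every regular file under root, keyed by the
# path relative to root so it still matches after the directory is renamed.
# Store the result somewhere the AV exclusion does not cover.
def build_manifest(root)
  root = File.expand_path(root)
  manifest = {}
  Find.find(root) do |path|
    next unless File.file?(path)
    manifest[path[(root.length + 1)..-1]] = Digest::SHA256.file(path).hexdigest
  end
  manifest
end

# Compare baseline and current tree; :added and :modified are exactly the
# files the scanner ignored because of the exclusion.
def diff_manifest(baseline, current)
  {
    added:    (current.keys - baseline.keys).sort,
    removed:  (baseline.keys - current.keys).sort,
    modified: (baseline.keys & current.keys).select { |k| baseline[k] != current[k] }.sort
  }
end

# Constructed demo: a stand-in install tree, then a dropped file and an edited
# module, the traces something hiding in the excluded directory would leave.
def demo
  Dir.mktmpdir('msf-demo') do |root|
    mod_dir = File.join(root, 'modules', 'exploits', 'windows', 'browser')
    FileUtils.mkdir_p(mod_dir)
    File.write(File.join(mod_dir, 'example.rb'), "# constructed sample module\n")
    File.write(File.join(root, 'README'), "constructed\n")
    baseline = build_manifest(root)
    File.write(File.join(root, 'helper.dll'), "constructed dropped file\n")
    File.open(File.join(mod_dir, 'example.rb'), 'a') { |f| f.puts '# tampered' }
    diff_manifest(baseline, build_manifest(root))
  end
end

puts demo.inspect if __FILE__ == $0
```

Run it against the real install directory by replacing the constructed tree with the install path, and schedule the rescan alongside the AV scan it compensates for.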