Buggy insecure "security" software executes rogue binary during installation and uninstallation Apr 16 2014 07:30PM
Stefan Kanthak (stefan kanthak nexgo de)
Hi @ll,

the $*&#§ware by the name of "McAfee Security Scanner Plus" that Adobe dares
to push to unsuspecting users of Microsoft Windows trying to get flash player
from their main distribution page <hxxp://get.adobe.com/flashplayer/> was
developed, packaged and tested by people who obviously never heard of "long"
filenames which may contain spaces.

From <http://msdn.microsoft.com/library/cc144175.aspx>
or <http://msdn.microsoft.com/library/cc144101.aspx>:

| Note: If any element of the command string contains or might contain
| spaces, it must be enclosed in quotation marks. Otherwise, if the
| element contains a space, it will not parse correctly. For instance,
| "My Program.exe" starts the application properly. If you use
| My Program.exe without quotation marks, then the system attempts to
| launch My with Program.exe as its first command line argument. You
| should always use quotation marks with arguments such as "%1" that are
| expanded to strings by the Shell, because you cannot be certain that
| the string will not contain a space.

When the unsuspecting Joe Average clicks the "Install now" button on the
above mentioned download page, but forgets to deselect the "optional offer"
McAfee Security Scanner Plus before, a file named
is downloaded to directory "C:\Users\Joe Average\Downloads".

Following the instructions displayed after the download, Joe Average opens
the download directory and double clicks

On recent versions of Microsoft Windows this triggers the user account
control, asking Joe Average for consent to continue with administrative

now copies itself to the TEMP directory and executes its copy with the
argument (note the missing quotes.-)
{RemoveFile:C:\Users\Joe Average\Downloads\install_flashplayer13x32_mssa_aaa_aih.exe}

The copy then downloads its payload "gtbcheck.exe", "install_flash_player.exe"
and "SecurityScan_Release.exe" into the directory
"C:\Users\Joe Average\AppData\Local\Adobe\AIH.<40_hex_digits>\"
and executes these three programs in succession.

The last, "SecurityScan_Release.exe", an NSIS installer, unpacks its payload
into directory "C:\Program Files\McAfee Security Scan\<version>\" and calls
Windows' CreateProcess() function (see above) with the UNQUOTED command line
C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /Service

This command line now runs the rogue program C:\Program.exe which was placed
there waiting for some dimwit of a developer to call CreateProcess() with an
unquoted command line.

Fortunately Joe Average (really: his Administrator) had a hunch and placed
<http://home.arcor.de/skanthak/download/SENTINEL.EXE> as C:\Program.exe on
his system which displayed a message box to Joe Average informing him that
some crappy software may have just run malware on his PC.

This caught the silly beginners mistake of a company that brags with

| For award-winning customer service, please visit our Web
| site that will have answers to almost all questions concerning
| our company:
| ==> http://service.mcafee.com

in automated replies to mail sent to <support (at) mcafee (dot) com [email concealed]> but does not
provide a mailbox to report bugs or vulnerabilities.

JFTR: english versions of Windows have a "Program Files" directory for
nearly 20 years now. That should REALLY be enough time for EVERY
programmer to learn how to properly handle pathnames with spaces.

To complete the story: when Joe Average noticed what was done to him he
opened the Windows control panel and went to uninstall programs, then
selected "McAfee ..." and clicked "uninstall".

This started "C:\Program Files\McAfee Security Scan\uninstall.exe"
which unpacked its payload "Au_.exe" (see above: it's an NSIS installer)
to TEMP and called it with the argument (again note the missing quotes)
_?=C:\Program Files\McAfee Security Scan
"Au_.exe" in turn called Windows' CreateProcess() function with the
(you guess it) UNQUOTED command line
C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /unregserver
which again led to execution of C:\Program.exe

Stefan Kanthak

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus