Malwarebytes Flaw Found in Upgrade Mechanisms


Users of the consumer versions of Malwarebytes Anti-Malware and Anti-Exploit should upgrade to the latest release of the security software as soon as possible: a vulnerability affecting both products could allow attackers to hijack their upgrade mechanisms and push their own update packages, installing malware on the client machine.

CVE-2014-4936 allows attackers to execute arbitrary code by hijacking the underlying network layer or DNS infrastructure between the client PC and the Malwarebytes content delivery network (CDN). Corporate versions are not affected.

Both Anti-Malware and Anti-Exploit fetch their upgrades as installation packages delivered over plain HTTP.

“Both software packages have no or limited upgrade validation implemented thus allowing anyone who can work out the upgrade protocol to inject their own payload,” said Yonathan Klijnsma, a researcher with Netherlands-based security firm Fox-IT, in a blog post. “We can use this to, with ease, send malicious payloads without having to go into any advanced exploitation techniques.”

He published a proof of concept demonstrating the approach.

“One thing you have to make sure of is that you throw your payload in the working directory of the CDN simulator and name it ‘payload.exe’ in order to be picked up and sent to the upgrading clients,” he said. “For this attack we’ll generate a meterpreter payload; we’re running Kali, which has Metasploit installed already. We can quickly generate a PE payload from the command line.”

In the demonstration, DNS requests from a Windows XP test machine are redirected to the Kali machine, which answers the client's upgrade requests in place of the real CDN and serves the payload: a classic man-in-the-middle attack. Because the client neither authenticates the server nor validates the package, nothing distinguishes the attacker's response from a genuine update.
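The following simulation is an added example, not code from the Fox-IT post or from Malwarebytes. It models the upgrade flow described above in Python: a naive client that fetches an update manifest and package over plain HTTP and runs whatever comes back, beside a hardened client that fetches the manifest over an authenticated channel, pins the package hash from that manifest, and refuses downgrades. The CDN host, the manifest format, the "https_get_manifest" channel and the package bytes are all constructed assumptions; the point is that hash checking alone buys nothing when the manifest itself arrives unauthenticated, since the attacker's manifest can simply carry the hash of the attacker's own payload.

```python
import hashlib
import hmac
import json

# Constructed sample data (not real installers): the vendor's genuine package and the
# attacker's substitute, standing in for the "payload.exe" served by the CDN simulator.
GENUINE_PACKAGE = b"MZ\x90\x00 genuine anti-malware 2.0.3 installer (constructed)"
ATTACKER_PAYLOAD = b"MZ\x90\x00 attacker payload.exe (constructed)"

CDN_HOST = "http://cdn.example.invalid"  # hypothetical CDN hostname


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(version: str, package: bytes) -> bytes:
    return json.dumps({
        "version": version,
        "url": f"{CDN_HOST}/anti-malware-{version}.exe",
        "sha256": sha256_hex(package),
    }).encode()


VENDOR_MANIFEST = make_manifest("2.0.3", GENUINE_PACKAGE)
# The attacker's manifest is internally consistent: its hash matches the attacker's
# own payload, so a hash check against an unauthenticated manifest rejects nothing.
ATTACKER_MANIFEST = make_manifest("9.9.9", ATTACKER_PAYLOAD)


class Network:
    """Simulated path between the client and the CDN.

    hijacked=True models the DNS/route hijack in the article: every plain-HTTP
    fetch of the CDN host is answered by the attacker's machine, not the real CDN.
    """

    def __init__(self, hijacked: bool) -> None:
        self.hijacked = hijacked

    def http_get(self, url: str) -> bytes:
        if not url.startswith(CDN_HOST + "/"):
            raise ValueError("unexpected host: " + url)
        if url.endswith("/manifest.json"):
            return ATTACKER_MANIFEST if self.hijacked else VENDOR_MANIFEST
        return ATTACKER_PAYLOAD if self.hijacked else GENUINE_PACKAGE

    def https_get_manifest(self) -> bytes:
        # Assumed hardened channel: TLS with certificate validation to the vendor's
        # own origin. A DNS or routing hijack alone cannot substitute this document.
        return VENDOR_MANIFEST


class UpdateRejected(Exception):
    pass


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def naive_update(net: Network) -> bytes:
    """The pattern the article describes: ask the CDN over HTTP, run whatever arrives."""
    manifest = json.loads(net.http_get(f"{CDN_HOST}/manifest.json"))
    return net.http_get(manifest["url"])  # no hash, no signature, no version check


def hardened_update(net: Network, installed_version: str) -> bytes:
    """Authenticated manifest, hash-pinned package, monotonic version."""
    manifest = json.loads(net.https_get_manifest())
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        raise UpdateRejected("manifest does not advance the installed version")
    if not manifest["url"].startswith(CDN_HOST + "/"):
        raise UpdateRejected("manifest points outside the expected CDN")
    package = net.http_get(manifest["url"])  # the CDN fetch may still be hijacked...
    if not hmac.compare_digest(sha256_hex(package), manifest["sha256"]):
        raise UpdateRejected("package hash does not match the manifest")  # ...but is caught
    return package


def try_hardened_update(net: Network, installed_version: str) -> str:
    """Outcome of hardened_update as a string, for reporting and testing."""
    try:
        hardened_update(net, installed_version)
        return "installed"
    except UpdateRejected as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    for hijacked in (False, True):
        net = Network(hijacked)
        print(f"hijacked={hijacked}: naive client would run",
              "ATTACKER payload" if naive_update(net) == ATTACKER_PAYLOAD else "genuine package")
        print(f"hijacked={hijacked}: hardened client:", try_hardened_update(net, "2.0.2"))
```

With the path hijacked, the naive client executes the attacker's bytes while the hardened client rejects the package on the hash mismatch; with the path intact and no newer version in the manifest, the hardened client also refuses to reinstall, which blocks replaying an old package. In a real updater the manifest would additionally carry a detached signature checked against a key pinned in the client, so that a compromised vendor origin or CDN account cannot mint a valid manifest either.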

The vulnerability is fixed in later versions of both products; users still running the affected releases need to update to receive the corrected upgrade mechanism.

“A vulnerability in the old consumer versions of Malwarebytes Anti-Malware 2.0.2 and Malwarebytes Anti-Exploit 1.03.1 was reported to us by an independent researcher,” said Pedro Bustamante, director of special projects at Malwarebytes, speaking to Infosecurity. “A fix was released some months ago and we have seen no evidence it has ever been used in the wild.”

He added, “We work closely with external researchers, and are grateful for the opportunity to improve our products.”
