How an Attacker Can Turn Your Antivirus Into a Botnet
Security researcher Jerome Nokin has managed to find exploits in McAfee’s ePolicy Orchestrator product that can allow an attacker to turn attached computers into a botnet, using the McAfee product as its command-and-control (C&C) server.
According to the author, the attack works by first inserting the attacker's control computer into the client list of the McAfee ePolicy software, and then performing pre-authentication SQL injection attacks, which carry out queries designed to have the server tell client computers what to do. These instructions could range from telling the client machines to send pings to a remote host to having them download and install software to further control the computers.
For companies with multiple McAfee ePolicy servers in place (main and branch office servers, for example), all an attacker needs to do is infect the master server. This will allow them to control every system attached to the server software across the corporation. Each slave ePolicy server will receive replication commands from the master server, allowing this attack to be carried out network-wide.