How an Attacker Can Turn Your Antivirus Into a Botnet

  • Author:xnite
  • Date:2013/12/16

Security researcher Jerome Nokin has found exploits in McAfee’s ePolicy Orchestrator product which can allow an attacker to turn attached computers into a botnet, using the McAfee product as its C&C.

According to the author, the attack works by first registering an attacker-controlled computer in the client list of the McAfee ePolicy software, and then performing pre-authentication SQL injection attacks which carry out queries designed to have the server tell client computers what to do. These instructions could range from telling the client machines to send pings to a remote host to having them download and install software to further control the computers.

For companies with multiple McAfee ePolicy servers in place, a main office server with branch office servers for example, all an attacker needs to do is infect the master server. This will allow them to control every system attached to the server software across the corporation. Each slave ePolicy server will receive replication commands from the master server, allowing this attack to be carried out network wide.

Jerome demonstrates a Perl script he has written in a proof of concept video on his blog, and further explains the attack in a slideshow which was presented at OWASP.

Proof of concept video: https://www.youtube.com/watch?v=ap2PSZMOTbI

Copyright©2011 - 2018, Robert Whitney; All rights reserved.