Password stealer in Avira Free Antivirus antivirus software

What if I told you that the sole function of one component of an antivirus product, a component carrying a trusted digital signature, is to collect all the credentials stored in popular web browsers? And that it does not care on whose behalf it collects them? You probably think I'm raving. Let's see how things really are.


Let's dig in


There is an antivirus company called Avira GmbH & Co. KG. It releases various information security products, and its range even includes free products for home use.


Out of curiosity we install the free version and see what the product of our German colleagues can do. We glance over the interface: nothing unusual. We find no mention of another of the company's products, Avira Password Manager.


And let's take a look at the component with the name “ Avira.PWM.NativeMessaging.exethat does not attract attention ? It is compiled for the .NET platform and is not obfuscated in any way, so we load it into dnSpy and freely study the program code.


The program is a console application that expects commands on its standard input stream. The main function reads data from the stream using "Read", checks the format and passes the command to the "ProcessMessage" function. That, in turn, checks that the transmitted command is "fetchChromePasswords" or "fetchCredentials" (although what difference does it make, if the subsequent behaviour is identical?), and then the most interesting part begins: a call to the "RetrieveBrowserCredentials" function. One wonders ... what can a function with that name do?


Code Listing for the ProcessMessage Function


The function collects the credentials stored by «Chrome», «Opera» (Chromium-based), «Firefox» and «Edge» (Chromium-based) and returns them in JSON form.


Listing RetrieveBrowserCredentials function code


:


Screenshot of the command line with the received data



  • ;
  • (, );
  • «» ;
  • .

IoC


SHA1: 13c95241e671b98342dba51741fd02621768ecd5.


CVE-2020-12680.
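As an added example (not from the article), the following PowerShell check lets an administrator look for the component on a Windows host, compare it against the SHA1 IoC above and inspect its Authenticode signature, and then list which native messaging hosts are registered for Chrome and Firefox. The search roots are assumptions; the registry locations are the standard Chrome/Firefox native messaging host registrations.

```powershell
# Added example: hunt for the binary described in the article and check it against the IoC.
$IocSha1    = '13C95241E671B98342DBA51741FD02621768ECD5'   # SHA1 from the IoC section
$TargetName = 'Avira.PWM.NativeMessaging.exe'
# Assumed search roots; adjust to the host's actual install layout.
$SearchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData")

# 1. Locate copies of the binary, hash them and read the signer of the trusted signature.
Get-ChildItem -Path $SearchRoots -Filter $TargetName -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path       = $_.FullName
            Sha1       = $hash
            MatchesIoC = ($hash -eq $IocSha1)
            Signer     = $sig.SignerCertificate.Subject
            SigStatus  = $sig.Status
        }
    } | Format-List

# 2. Enumerate native messaging hosts: each subkey's default value points to a manifest JSON
#    whose "path" names the executable a browser extension may launch and talk to over stdin/stdout.
$HostKeys = @(
    'HKLM:\SOFTWARE\Google\Chrome\NativeMessagingHosts',
    'HKCU:\SOFTWARE\Google\Chrome\NativeMessagingHosts',
    'HKLM:\SOFTWARE\Mozilla\NativeMessagingHosts',
    'HKCU:\SOFTWARE\Mozilla\NativeMessagingHosts'
)
$HostKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    Get-ChildItem $key | ForEach-Object {
        $manifest = $_.GetValue('')
        if ($manifest -and (Test-Path $manifest)) {
            $m = Get-Content $manifest -Raw | ConvertFrom-Json
            [pscustomobject]@{
                Browser  = ($key -split '\\')[2]          # Google or Mozilla
                HostName = $m.name
                Exe      = $m.path
                Allowed  = (@($m.allowed_origins) + @($m.allowed_extensions) | Where-Object { $_ }) -join ', '
            }
        }
    }
} | Format-Table -AutoSize
```

A host whose executable dumps credentials for any caller is worth flagging regardless of the allowed_origins list, since that list only restricts which extension the browser will connect, not who can run the executable directly.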


I sent a letter with a full description of this issue to support@avira.com and info@avira.com on 04/07/2020. No replies came, not even from automated systems. A month later, the described component is still distributed with Avira Free Antivirus.

