Kaspersky Lab product removal utility security analysis

The overall reliability of a system's protection is determined by its least reliable component. A defense designer who forgets this rule will see the design collapse sooner or later ...
The other day I ran into a problem: a stuck Kaspersky installation. The old one refused to be removed, the new one refused to be installed. The great and mighty Google offered a solution, the "Kaspersky Lab products remover", authored by the Lab itself. The program turned out to be extremely interesting, so I immediately wanted to take it apart ...

As it turned out, this wonderful utility demolishes in one fell swoop every Kaspersky Lab product known to the world (under Windows, of course); moreover, even the most paranoid configurations, including password-protected ones, are removed without further discussion. The utility carries the Lab's digital signature and automatically lands in the Trusted group, and even with the "trust digitally signed applications" setting cleared, the antivirus feels right at home and greets the friendly Remover. For all this happiness, we are asked to enter a wretched little captcha that you cannot look at without tears ...

So let's get started

To get the coordinates of the captcha image field, we find the Remover window, walk through the list of its child controls and look for an element of the STATIC class with empty text. Having the coordinates, we cut this area out of a screenshot and hand it to the recognition algorithm. Capturing just the client area of the active Remover window did not work: either my hands were crooked (although it worked with other applications) or the Lab's guys added some protection, so I had to cut the captcha area out of a full-screen capture. The finished string is pushed into the clipboard and pasted into the code entry field of the utility window; after that the "Delete" and "Exit" buttons can be pressed programmatically. The window itself can be hidden, moved off the screen or covered by another window. From the antivirus's point of view, the program driving the Remover does nothing illegal and lands in the "Low Restricted" group, while the Remover it launches lands in "Trusted".

Captcha Recognition

It was established experimentally that the captcha uses only 16 characters (where does Uncle Zhenya get such stinginess?): the digits (0-9) and the first 6 letters of the Latin alphabet (A, B, C, D, E, F). The font does not change, and neither slant nor distortion is used. The only "defense" is a small random shift in the position of each character plus random point noise.

1. Cleaning noise

Single filled pixels and some other small groups of filled pixels are removed. As it turned out, the recognition algorithm works fine even without cleaning the image, so I did not bother with the noise further, so as not to damage the characters themselves.

2. The selection of areas containing characters

The distribution of filled pixels is used: roughly speaking, where the concentration is higher, there is apparently a character. The 8 areas with the highest concentration are selected.

3. Recognition of each character by comparison with the standard

Because the characters on the captcha are not subjected to geometric deformation, I decided to simply assemble a collection of 16 reference images and, during recognition, compare them pixel by pixel with the areas presumed to contain characters. The reference with the most coinciding pixels is taken as the answer.

In my demo, the recognition rate for a single character is 99%, and for the whole 8-character captcha, accordingly, 92%. I warn you right away: it does not delete anything, it simply recognizes the captcha and pastes the code into the input field.
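To make the point of the three steps above concrete for anyone designing or reviewing such a check, here is an added, self-contained Python illustration (not the post's code and not the Lab's, and deliberately independent of any real utility). It renders strings from a constructed 3x5 bitmap font for the same 16 symbols, applies exactly the two "defenses" the post names (per-character position jitter and random point noise), and then runs density-based region selection followed by pixel-by-pixel template matching. The font, canvas layout, noise level and the `measure_accuracy` harness are all assumptions made for the example; the lesson is that, without geometric deformation, these two perturbations barely move the recognition rate.

```python
"""Template matching against a fixed font with position jitter and point noise.
Added example with a constructed 3x5 font; nothing here is the post's own code."""
import random

# Constructed 3x5 bitmap font for the 16 symbols 0-9, A-F ('#' = ink).
FONT = {
    "0": ["###", "#.#", "#.#", "#.#", "###"], "1": [".#.", "##.", ".#.", ".#.", "###"],
    "2": ["###", "..#", "###", "#..", "###"], "3": ["###", "..#", "###", "..#", "###"],
    "4": ["#.#", "#.#", "###", "..#", "..#"], "5": ["###", "#..", "###", "..#", "###"],
    "6": ["###", "#..", "###", "#.#", "###"], "7": ["###", "..#", ".#.", ".#.", ".#."],
    "8": ["###", "#.#", "###", "#.#", "###"], "9": ["###", "#.#", "###", "..#", "###"],
    "A": [".#.", "#.#", "###", "#.#", "#.#"], "B": ["##.", "#.#", "##.", "#.#", "##."],
    "C": ["###", "#..", "#..", "#..", "###"], "D": ["##.", "#.#", "#.#", "#.#", "##."],
    "E": ["###", "#..", "##.", "#..", "###"], "F": ["###", "#..", "##.", "#..", "#.."],
}
GLYPH_W, GLYPH_H = 3, 5
CELL_W, JITTER = 7, 2            # assumed layout: one 7-column cell per symbol, 0..2 px jitter
N_CHARS = 8
WIDTH, HEIGHT = N_CHARS * CELL_W, GLYPH_H + JITTER
SYMBOLS = "".join(FONT)


def render(text, offsets, noise):
    """Rasterise `text`; offsets[i] = (dx, dy) jitter of symbol i inside its cell,
    noise = iterable of (x, y) pixels forced to ink. Returns the set of inked pixels."""
    ink = set()
    for i, (ch, (dx, dy)) in enumerate(zip(text, offsets)):
        for row, line in enumerate(FONT[ch]):
            for col, px in enumerate(line):
                if px == "#":
                    ink.add((i * CELL_W + dx + col, dy + row))
    ink.update(noise)
    return ink


def random_captcha(rng, n_noise=3):
    """Random 8-symbol string with random jitter and `n_noise` random noise pixels."""
    text = "".join(rng.choice(SYMBOLS) for _ in range(N_CHARS))
    offsets = [(rng.randint(0, JITTER), rng.randint(0, JITTER)) for _ in text]
    noise = {(rng.randrange(WIDTH), rng.randrange(HEIGHT)) for _ in range(n_noise)}
    return text, render(text, offsets, noise)


def select_regions(ink, n=N_CHARS):
    """Step 2 of the post: the n glyph-wide column windows with the most ink,
    chosen greedily without overlap and returned left to right."""
    col_ink = [0] * WIDTH
    for x, _ in ink:
        col_ink[x] += 1
    density = {x: sum(col_ink[x:x + GLYPH_W]) for x in range(WIDTH - GLYPH_W + 1)}
    chosen = []
    while len(chosen) < n and density:
        best = max(density, key=lambda x: (density[x], -x))   # densest, leftmost on ties
        chosen.append(best)
        for x in range(best - GLYPH_W + 1, best + GLYPH_W):   # drop windows overlapping it
            density.pop(x, None)
    return sorted(chosen)


def match_score(ink, x0, y0, glyph):
    """Pixel-by-pixel agreement (0..15) between the canvas window at (x0, y0) and a glyph."""
    return sum(((x0 + col, y0 + row) in ink) == (px == "#")
               for row, line in enumerate(glyph) for col, px in enumerate(line))


def recognise(ink):
    """Step 3 of the post: for each region, try every reference at every small shift
    and keep the one with the most coinciding pixels."""
    out = []
    for x in select_regions(ink):
        candidates = ((match_score(ink, x + dx, dy, glyph), ch)
                      for ch, glyph in FONT.items()
                      for dx in (-1, 0, 1) for dy in range(JITTER + 1))
        out.append(max(candidates, key=lambda c: c[0])[1])
    return "".join(out)


def measure_accuracy(trials=300, seed=1, n_noise=3):
    """Fraction of random jittered, noised strings recognised exactly."""
    rng = random.Random(seed)
    hits = sum(recognise(ink) == text for text, ink in (random_captcha(rng, n_noise) for _ in range(trials)))
    return hits / trials


if __name__ == "__main__":
    print(f"whole-string accuracy with jitter + noise: {measure_accuracy():.0%}")
```

The only errors the harness produces come from a noise pixel landing exactly on the one or two pixels that separate two of these tiny constructed glyphs (for instance 5 and 9); a real rendering font has far larger inter-glyph distances, which is why jitter and speckle are not a meaningful obstacle and the post's remedy has to come from the captcha design itself.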


It is easy for an attacker to misuse the Kaspersky Lab products remover (for example, by embedding it in a Trojan), because the protection mechanisms built into it are too primitive.

What to do?

1. The guys at the Lab should buy themselves some beer, or whatever else stimulates the brain, raise the complexity of the captcha to an acceptable level and, more generally, think about protecting the utility. Then release a new, stable version of the Remover.
2. Put the old versions on the black lists, or at least make sure they no longer land in the trusted lists automatically. Regular users will not be affected: they can always download the new version, while an attacker will no longer be able to launch an old one silently.
3. Or, well, simply ignore the whole thing and hope that virus writers will not manage to build this into Trojans, although chat bots are already being used for such things ...


In general, I have great respect for Kaspersky Lab; I have actually used only their products for my entire adult life, so I simply want the quality of protection to be even higher. I recommend using my little tool only for acute attacks of laziness and short-sightedness, and not for destructive purposes ;) By the way, Dr.Web also has a similar utility, but with a more serious captcha. I will try to write about it next time, if anyone finds this topic interesting.

Source: https://habr.com/ru/post/102478/

