
A small study of the self-defense of Dr.Web products

Continuing my previous topic about the remover from Kaspersky Lab, as promised, I will tell you about the removal utility from Dr.Web. Last time, Kaspersky Lab reacted fairly quickly and complicated its captcha: it now blinks, and I have no desire to write a recognition algorithm for it. However, before posting the version with the new captcha (build 157), they updated the old one, adding removal of the newest products of the 2011 line (build 155)...

I was going to write about the Dr.Web remover back in September, but a rather serious vulnerability was found in the self-defense module not only of the removal utility itself but of the entire antivirus line, and the Dr.Web programmers had to be given time to fix it.

So, please welcome Dr.Web Anti-Virus Remover:


You can see right away that the guys put their soul into it! The logo takes up half the window, there is even a status bar... Beautiful! It has always amused me how they manage to combine glamorous pictures with Win98-style interface elements in their products :) To remove the product they again require entering a captcha; no confirmation is shown, only a message about successful removal. Let's see whether everything is as beautiful inside and try several approaches...

1. Captcha recognition


The captcha in the Dr.Web utility is, of course, much more robust than the one in the Kaspersky Lab remover, largely thanks to the geometric distortion of the characters, but even it is not without weaknesses.
First, the captcha consists of 6 digits, and, surprisingly, they do not repeat! I cannot understand the point of this "feature" at all... It reduces the number of possible combinations almost 7-fold! This makes it possible to use something like a process of elimination during recognition and significantly raises the chance of success.
Second, every digit in the captcha is surrounded by a gray halo, while the noise is pure black. Thanks to this, individual characters can be cut out precisely and the noise eliminated.
Third, the positions of the digits hardly change; only the font size and style (with or without serifs) and the degree of distortion vary.
Because of the heavy distortion of the characters, only 20% recognition accuracy was achieved for the whole captcha, which is acceptable in principle (for web captchas, say), but in this case you cannot just keep refreshing the picture on screen until you get lucky; that would be absurd. I was too lazy to complicate the recognition algorithm any further, so I decided to try coming at it from another side.

2. Patching the exe file


You can simply cut out the code validation and reassemble the utility. But in that case the digital signature becomes invalid. The remover works and deletes everything except the self-defense module (apparently the absence of a valid digital signature matters here). However, the antivirus completely loses its ability to function; who needs this self-defense when everything has already been removed is not entirely clear.



When trying to remove a newer version of Dr.Web Security Space (6.0.2.07290), SpIDer Guard survived.



3. Reading the correct code from the remover's memory


Why recognize the captcha if its value lies in memory in the clear, and at a fixed address at that? You can simply read it and paste it into the input field. With this approach the digital signature is preserved, which means the remover is guaranteed to work as intended and will take down the antivirus completely. A program to read a chunk of memory is written in 20 minutes. "Thanks to" the absence of proactive protection or HIPS in Dr.Web products, nothing prevents reading the memory of the trusted utility.



In general, the utility's exe file itself contains many interesting things in the clear, for example the paths to the vital files and registry keys of Dr.Web products. In the Kaspersky Lab remover, by contrast, things are not so simple and such data is not stored in plaintext.



Later it suddenly turned out that the much-praised self-defense module of Dr.Web products itself suffers from the same problem! The captcha value is likewise stored in memory without a second thought. It is hard to believe that programmers who laboured over such (seemingly) powerful self-defense could have made such a childish mistake, but so it is...



To unload the self-defense module, SpIDerAgent_Set.exe is called with the parameter -uninstall ##########, where ########## is a number that depends in some way on the system time. If an incorrect code is supplied, the self-defense will not unload. Again, owing to the absence of all behavioural blockers deemed "unnecessary" (from Dr.Web's point of view), nothing stops you from rolling the system date back by a certain amount and running SpIDerAgent_Set.exe with a code known in advance ;)
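From the defender's side, the weakness above has a recognisable footprint: a backwards jump of the system clock immediately followed by the unloader being started with -uninstall. The following detection logic, an added example that is not code from the original post or from Dr.Web, runs over constructed event records modelled on Windows security event 4616 (system time changed) and a process-creation event; the field names and the install path are assumptions.

```python
"""Flag a clock rollback followed by a self-defense unload attempt.

Added example, not from the original post. Event layout is a simplified,
assumed rendering of Windows event 4616 and of a process-creation event.
"""
from datetime import datetime, timedelta
from ntpath import basename

# Constructed sample events, not real telemetry. "ts" is the clock value at
# the moment the event was written, so the process start recorded after the
# rollback carries the rolled-back time. The install path is assumed.
SAMPLE_EVENTS = [
    {"ts": "2010-12-20T10:00:00", "id": 4616,
     "previous": "2010-12-20T10:00:00", "new": "2010-11-01T09:00:00"},
    {"ts": "2010-11-01T09:00:05", "id": 4688,
     "image": r"C:\Program Files\DrWeb\SpIDerAgent_Set.exe",
     "cmdline": "SpIDerAgent_Set.exe -uninstall ##########"},
    {"ts": "2010-11-01T09:30:00", "id": 4688,
     "image": r"C:\Windows\notepad.exe", "cmdline": "notepad.exe"},
]

UNLOADER = "spideragent_set.exe"  # binary named in the text above


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_rollback_then_unload(events, window=timedelta(minutes=10),
                              min_shift=timedelta(hours=1)):
    """Return (time_change_event, unload_event) pairs: the clock moved back by
    at least `min_shift`, and within `window` on the new (rolled-back) clock
    the unloader started with "-uninstall" on its command line."""
    alerts, rollbacks = [], []
    for ev in events:
        if ev["id"] == 4616:
            prev, new = parse_ts(ev["previous"]), parse_ts(ev["new"])
            if prev - new >= min_shift:          # backwards jump only
                rollbacks.append(ev)
        elif ev["id"] == 4688:
            name = basename(ev.get("image", "")).lower()
            if name != UNLOADER or "-uninstall" not in ev.get("cmdline", "").lower():
                continue
            started = parse_ts(ev["ts"])
            for rb in rollbacks:
                if timedelta(0) <= started - parse_ts(rb["new"]) <= window:
                    alerts.append((rb, ev))
    return alerts
```

Detection of this kind is a stopgap; the durable fix is an unload code that is not derivable from the wall clock alone, so rewinding the date yields nothing.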



Since we are talking not only about the remover but about the Dr.Web products themselves, it would be wrong to ignore another attack vector against the self-defense.

4. Recognizing the voice captcha


When voicing the captcha value, the Microsoft Speech API is used; there is no noise, so recognition is no problem at all, as has already been shown on Habr. It seems this function was bolted on purely "for show". It would have been better to spend that effort on plugging the holes...

PS


The experiments were carried out with the September versions of Dr.Web Anti-Virus Remover v.1.00.5.08230 and Dr.Web Security Space 6.0.2.07290. After I reported the vulnerability, an updated version, Dr.Web Anti-Virus Remover v.1.00.6.09200, was released in which the gaps were closed. As for fixes in the antivirus line itself, they maintain a proud silence, but in 3 months they should have come up with something.

The program that demonstrates the vulnerability in the remover and in the antivirus self-defense module. I tested it only on WinXP; besides, the self-defense module of the antivirus product line should already have been updated, but it should work on earlier versions.

PPS


Just in September, a comparative test of antivirus self-defense was published on anti-malware.ru; remarkably, our heroes were the winners, with scores of 100% and 99% for Kaspersky Lab (Kaspersky Internet Security 2011) and Doctor Web (DrWeb Security Space 6.0) respectively.



And recently the malware Trojan-PSW.Win32.VKont.alb (by Kaspersky Lab's classification) appeared, which knocks out almost all popular antiviruses, including those with platinum test awards from anti-malware.ru (Dr.Web has already fixed this as of today)...

All this proves once again that there is no ideal protection, just as there are no ideal tests of that protection, and remember that the best antivirus is your head!

Source: https://habr.com/ru/post/110508/
