KAV TEST Part 3 Next and end

Publié le par SSTA

7) Man-In-The-Middle Attack:

a) Locally with SSLSpoofer (R) : P1/P2

A fake certificate is returned but kav is able to detect the connection of SSLSpoofer on 443 port, and the fake certificate.

As it is displayed by  the next image (referer), this communication is encrypted:

With Opera:

Here again it's up to the server side to audit and harden their applications (an exaple of dedicated software with Proxy-sniffer ).
And for advanced and experinced users, there is an example of server configuration here.

b) with SSLAGY(R): P1/P2

c) Remotely with an attack tool (also useful for security auditing/pen-testing):

 We use the dark side of Abel to perform a classical MIM attack by spoofing the certificate.
We run the attack from computer B where "Abel brother" is intalled, and launch the attack against the computer A where kav is intalled.

Kav detects the fake certificate, but can't prevent this attack: F1/F2

NB. IE 7 was hardened against certificate spoofing, especially used in Phishing.
And for normal users who often practises online banking and shopping, we can mention the TrustDefender (free after a trial of 21 days) which provides an excellent protection agaist threats relates to bank site or certificate spoofing.

8) Remote access/intrusion detection tests

a) with a backdoor: F1/F2 (access) and P1/P2 (intrusion detection)

We can connect to the backdoor (F1) which is not known from the antivirus database (F2).

On the other hand, if we try a remote command ( to know what services are active for instance), the proactive module warns the user:

b) with a RAT (Havar Rat): P1/P2 (access/intrusion detection)

We firstly connect to the victim's host (where kav is installed):

Once done we we lauch a simple net view command ("net start" for instance), which is detected by the proactive module:

If we allow the action:

c) via VNC server password cracking: F1/F2 (access/intrusion detection)

We can crack the password, login via an exploit (Metasploit reverse VNC for instance or this POC  by the IntelliAdmin team) and login with no kind of alert from kav.
NB. a video of this exploit is available at Milw0rm.

The same exploit works with VNC clones:

This is here a normal alert when we run ZWinVNC on the targuet host:

When the exploit is launch, the firewall warns the user:

And we can have access to the desktop, and all external drives:

This test was done in august of 2006, and VNC has been updated.

NB. For those (administrators, travellers etc) who often use VNC, we highly suggest to take a look at Zebedee, a secured version of VNC.

d) via an UDP R.A.T: F1/P2 (access) and P1/P2 (intrusion detection)

9) data theft tests

10) Buffer/heap overflow test

a) Buffer overflow: P1/P2

b) heap overflows (various shellcodes): F1/F2

No one of the four code has been detected.

11) Other objective criteria:

We  take into consideration important criteria for the potential consumer via a rating (A, B, C, D, E and +-):

-installation: A: easy and does not require to much time (about 6 minutes with the updates);

-ease of use: C: if antivirus options are easy, this is not the case for the creation of rules (proactive defense, especially the application integrity control ): a piece of cake with a cup of coffee for advanced users, but a real challenge which requires aspirin for beginners and classical users!

-convenience: C : as there is no fingerprint mode, the product can be a little bit intrusive (POP up syndrome for many legitimate applications and behaviours like "invader" alerts for  IM programs like Yahoo Messenger for instance).
Proactive or HIPS products are quite new in the market for normal/classical users, and education, time and specific improvements are required from editors.

-price: A: the rating takes into consideration that it's not a single HIPS, but an antivirus with an HIPS module.
About 40 $/Euros, it's cheap for an exhaustive product (efficiency, forums, supports, language packs etc).
With BitDefender, Panda, GData, this is certainly one the av which provides the best value for money in the market.
On the other hand some popular products are expensive.
This is particularly the case of Norton antivirus:
Symantec has many partneships with resellers (Supermarkets for instance) and PC manufacturers, and that's why many first computer's buyers have their first antivirus experience with Norton.
But this marketing policy has a cost: Symantec products, especially Norton antivirus (or suit and firewall) are more expensive than other similar products.

-memory usage: B: with all options enabled (auto-updates, registry  scan etc).

The antivirus consumes only significative memory when the system has started if auto-udated and start registry scan are enabled with the "at system start" option.
There is an option to manage AVP.exe memory resources already integrated in the product, but there is many free tools which can be helpful if necessary: this is the case of Process Lasso (not suited for beginners) or Process Tamer.

-laguage pack:+++ (available in many languages)

-support:+++ (reactive support and forums available in english, russian, french, spanish);

-privacy violation: nothing suspect.

It's necessary here to consider what is exactly privacy violation: since there's no private informations (softwares installed, user's surf and activities etc) transmitted without user's acceptance, we can consider that there's no real privacy invasion.
With the growning rootkit phenomena, Kasperky labs have been accused of using stealthkit or rootkit technologie via their Istreams1 technology.
This technology requires a specific uninstaller.

More over, it's important to consider

- that some anti-piracy solutions are really intrusive ( IP, computer name, mac address and various private info are sent): remember the Sony DRM rootkit, or more recently Skype addons which flashed the Bios.

The first goal of any security software editor is to take care of its money first, and this is not to take care of privacy violations.
That's why users should consider what information they send to editors, especially  if we take into consideration recent incidents of data loss.
And what editors do with all these data (credid card number, name etc)?
This is here a job for privacy rights and consumers guild foundations.

-that any product which has access to the net is potentially intrusive and backdoored.

Hooking ZwQuerySystemInformation is a classical method for service and process detection:

That's  normal to pactch the system for an effective and reliable detection of rootkits.
Use of ADS for the updates:

A quick sniff has been done and we had not noticed that private informations are transmitted (only those which concerns the update database):

But we can't give 100% warranty that none suspect information is sent.
For that purpose, it requires to make an exhaustive network forensic analysis.

In this case, it requires time, and a specific forensic2 environment.

But in all cases, it's important to distinguish legitimate paranoia from pathologic paranoia: Kaspersky is a serious company, and if their products can't be trusted, then this should be the case of any other software editor, Microsoft and Windows included: Vista was'nt it designed in collabarotation with the NSA?

1. " No rootkit in KAV" by Kaspersky labs,

2. For those interested in the subject: here an excellent summary of various aspects of forensic analysis.

Next : KAV TEST 2

Publié dans KASPERSKY 6 TEST

Commenter cet article