Monday, December 10, 2012

Kaspersky 2013 Safe Money - Another scam

Safe Money, a feature that Kaspersky introduced with their 2013 line of products, is just another example of a long list of features that the company has released over the years that are designed to sound "cool", trick the customer into buying the product, but do little to increase overall security.

However, unlike many their features, Kaspersky has gone through great pains to provide data-points to show that the feature is in fact useful.

Take the example of them partnering with the highly dubious testing outfit called Matousec that performed a series of tests to demonstrate how the feature blocks malware that is designed to steal your financial "gold". Needless to say, that test report serves a secondary purpose which is to show how badly Kaspersky's competitors suck. This report can be read in its entirety at There are multiple problems with the testing methodology in that report and likely would not have passed a review by AMTSO the organization that is composed of a number of industry insiders, including members from all the AV vendors. Hence, they didn't even bother to put up this test report for review. Personally, the one sentence that eliminates any remaining shred of credibility is this -

"The techniques of the created tests have been inspired by real-life malware:"

"Inspired by" !!! They are not testing with real-malware. So it doesn't really matter what the tests show. The executables run were not malicious, so why should any product detect and block them. Being Kaspersky's test, they detected 100% of all the samples testing. Get this Mr. K - you just demonstrated you have a 100% false positive rate on this test!!! What a bunch of knuckleheads. There is no substitute for testing with real samples. Nothing!

But lets get back to the real purpose of this article, which is to determine whether the Kaspersky Safe Money feature really does protect the user's banking logins from being stolen by malware that is already on the machine. For those of you have not figure out, such a feature is very different from a sandboxing feature like SandboxIE and other such products that sandbox the browser in an effort to prevent the browser from infected the rest of the machine. SafeMoney claims to protect the browser from the rest of the machine and assume the machine might be infected.

Without further ado, let us start poking holes in Kaspersky's solution.

1. Parasitically infected files  - If piece of banking malware like Zeus want to bypass SafeMoney, all they need to do is to parasitically infect i..e attach themselves to either the main browser executable IExplore.exe, or to one of the many Windows DLLs that IE loads. Note that we aren't talking foreign DLLs like BHOs etc., rather we are talking DLLs that are fundamental to the functioning of IE. Parasitic infections or file infectors as they are commonly called, have made quite a comeback in recent years only because they are so difficult to get rid off. You can just delete the file as doing so will likely break some critical OS functionality. You have to surgically remove the malicious bytes from the exe while retaining a functional exe. In any case, even if Kaspersky tries to launch a new browser process once it detects a banking URL, that new browser process could  be totally compromised simply because it has loaded an infected DLL.

2. Unsafe processes can't launch safe processes - Safe Money's implementation requires that a new instance of the browser is launched when the product detects that a financial transaction is about to begin. This new instance is supposed to be the "safe" instance where the user actually conducts the financial transaction. There is just one problem: there is simply no way for an untrusted parent process, whether it be the original IE process, or even one of Kaspersky's own processes, to launch a trusted process. Its Security 101, a concept call the 'chain of trust'. To make matters worse, Windows adds its own security challenges to the mix, just by the way it launches processes. When a process launches another process, there a portion of the launch sequence where the parent has full control over the child, full control of its initial thread, the initial bytes that get executed etc. How can Kaspersky claim that they can launch a trusted IE process even if all other processes running on that machine have malware running in them ??

3. Rootkits run rings around Kaspersky's Safe-ish Money - Oh yes! Once malware has Ring 0 control of your machine, its game over! Once the security software is at the same privilege level as the malware, whatever the security software can do, the Rootkit can undo, and a lot faster too. Because they dont need to go through months of Quality Assurance like the Security Vendor does. Needless to say, Matousec conveniently failed to test with Rootkit banking stealing malware.

4. You have to opt-in your banking URLs - If you type in into your browser after installing KIS2013, it will NOT load up safe Money. It loads the regular ol' browser and your credentials can be stolen. You have to go into this curious configuration option hidden deep in the product and explicitly add the URL in there. And do that for all the rest of the URLs. What a sucky user experience.

There are many more holes, but I have better things to do.


Sunday, August 26, 2012

If you quote VirusTotal, you should be fired.

In this post rather than cover Kaspersky chicanery I instead focus on a pretty big problem the Security industry at large faces. This is a classic example of a well-intentioned idea gone horribly wrong.

I was reminded to post this because of a recent posting by a security company called Carbon Black. In its posting at I quote

"We downloaded 84 random malware samples from and submitted each to VirusTotal to see what each antivirus product had to say about them."

I see this all the time - you have some upstart company like Carbon Black (who I had never heard of), wanting to promote some cool new technology of their and they do this by undermining "traditional Anti-virus" by quoting some bogus results from VirusTotal. If I got a dollar for every time I heard the term "Traditional Antivirus can't/doesn't" at a conference, or in a blog or security paper, I would be a very rich person. Guys, read my lips "THERE IS NO SUCH THING AS A TRADITIONAL AV PRODUCT ANYMORE".
I can understand where Carbon Black is coming from - With all hacks, APTs, infiltrations, nation-sponsored cyberattacks in the news, there is a lot of money to be made being a security professional. And let me tell you, self-professed security pros/companies  are crawling out of the wood-work. The result, security pros are a dime a dozen and everyone is trying their best to stand-out, be heard, gain some attention, fame, notoriety, call it what you may. These security pros/companies do everything they can to sensationalize even the most mundane issues. In the process they often demonstrate how their poor understanding of the basics of today's security challenges and products. And worse of all, it doesn't seem matter who they are. I have seen this problem from some iconic WallStreet Journal tech reviewers to your friendly neighborhood PC magazine editor, all appear to have an outdated impression of today's security products and assume they work exactly like they did 10 years ago.
Case in point - Quoting VirusTotal.
For the less astute reader, VirusTotal is a free website ( that allows you to submit a file and the website will scan that file with security products from 45 security vendors and return the results to you in a neatly formatted table that allows you to compare the results of competing vendors. A good idea of considerable value to the community but as you shall see it has little value for any security pro that really knows their stuff. Sometimes I wish it never existed. Due to the simplicity of this website and the very fact that its free, it has become the go-to site for a lot of security pros including IT administrators to compare the effectiveness of the current security product they own versus another one that they have heard "good things about". Not surprisingly they will sometimes use virustotal results as "evidence" to go beat up their security vendor (say McAfee), telling McAfee "Hey McAfee you are absolutely useless. Look how many other vendors detect this piece of malware and you don't. Go get your act together and release a new signature ASAP".
Let me just come out and say this right up front "The results from VirusTotal are a very poor indicator of the detection capabilities of a security product". Why you may ask ? Its simple. VirusTotal runs outdated and partial versions of the traditional AntiVirus engines. These are engines that look for patterns in the files and as you well know, are not very good at detecting 0-day polymorphic threats which just happen to be the vast majority of threats out there today. Fortunately for the user, most modern security products depend very little on their AV engines for proactive detection. Instead they have multiple engines (or layers as they are sometimes called) to make up for the lack of detection from these traditional string-scanning engines. Some of these include Reputation-based engines, IPS engines, Browser Protection engines, Buffer-overflow engines, Behavioral engines and other Heuristic engines. All of these engines are far more effectiveness at detecting the fresh batch of new malware that appears every single day. And yet, none of them are used by VirusTotal.
Don't believe me ? Try a simple test. Take a URL that you know is hosting malicious software or an exploit kit. Using IE with various vulnerable plugins like Java, Flash etc., browse to that URL. Here is what you are likely to see:
- URL Blacklisting Layer - the website will likely to be blocked by the URL blacklisting layer of your product.
- Vulnerability Protection Layer or IPS - If the above layer doesn't block it, then your networking scanning layer or IPS will inspect the traffic and block the traffic if in fact that URL is exploiting one of the dozens of vulnerabilities out there
- Shell-code Protection Layer - If the above layers don't block the attacker, then likely the product will detect the heap-corruption, heap-spraying and the shell-code executing and terminate the browser
- Reputation Layer - If the above layers don't block it, then the reputation of any created PE files will be looked up in the cloud and will likely block that PE file.
- AVE Layer - Here the traditional AVE engines scan the PE file for known AVE signatures and might block it. This layer has gotten a lot more sophisticated over the years, now employing heuristic techniques as well as emulation.
- Behavioral Layer - if you are able to run the file because the other above layers missed it, the behavioral layer will monitor the running exe and all the actions it performs on the machine and if it notices something suspicious, it will block it. Symantec's SONAR engine is the undisputed champion here.
- HIPS Layer - A lot of products have a trip-wire like HIPS layers that will alert the user on any modifications to sensitives poritions of the OS, like the hosts file etc. Personally I think these products should be avoided like the plague since they are highly False Positive prone.
- Phone-home IPS inspection layer - The last layer is an IPS layer that looks at outbound network traffic and will identify running malware that has bypassed all other layers and is now phoning home. It will detect this and either block the traffic rendering the malware useless or remove the malware altogether.
As you can see your typical Internet Security product is far more sophisticated than you might think, and none of these layers are used/tested by VirusTotal. Its also worth reiterating that VirusTotal doesn't even use all the engines within the AVE Layer. So its somewhat neutered even in the layer it does use.
Bottom line, don't use Virus Total as a tool to compare the effectivness of two security products. Even VirusTotal has a page that recommends not doing this. See Specifically it says

Why do not you include statistics comparing antivirus performance?

At VirusTotal we are tired of repeating that the service was not designed as a tool to perform antivirus comparative analyses, but as a tool that checks suspicious samples with several antivirus solutions and helps antivirus labs by forwarding them the malware they fail to detect. Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology, the most obvious being:
  • VirusTotal's antivirus engines are commandline versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioural analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.
  • In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
  • Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/agressiveness level than the official end-user default configuration.
These are just three examples illustrating why using VirusTotal for antivirus testing is a bad idea, you can read more about VirusTotal and antivirus comparatives in our old blog. The Prevx team also made an entry in their blog discussing the matter.
If you have a security pro on your staff that presents you with results of a virustotal scan to convince you that you should change your security product, FIRE HIM!