Monday, December 10, 2012

Kaspersky 2013 Safe Money - Another scam

Safe Money, a feature that Kaspersky introduced with their 2013 line of products, is just another example of a long list of features that the company has released over the years that are designed to sound "cool", trick the customer into buying the product, but do little to increase overall security.

However, unlike many their features, Kaspersky has gone through great pains to provide data-points to show that the feature is in fact useful.

Take the example of them partnering with the highly dubious testing outfit called Matousec that performed a series of tests to demonstrate how the feature blocks malware that is designed to steal your financial "gold". Needless to say, that test report serves a secondary purpose which is to show how badly Kaspersky's competitors suck. This report can be read in its entirety at There are multiple problems with the testing methodology in that report and likely would not have passed a review by AMTSO the organization that is composed of a number of industry insiders, including members from all the AV vendors. Hence, they didn't even bother to put up this test report for review. Personally, the one sentence that eliminates any remaining shred of credibility is this -

"The techniques of the created tests have been inspired by real-life malware:"

"Inspired by" !!! They are not testing with real-malware. So it doesn't really matter what the tests show. The executables run were not malicious, so why should any product detect and block them. Being Kaspersky's test, they detected 100% of all the samples testing. Get this Mr. K - you just demonstrated you have a 100% false positive rate on this test!!! What a bunch of knuckleheads. There is no substitute for testing with real samples. Nothing!

But lets get back to the real purpose of this article, which is to determine whether the Kaspersky Safe Money feature really does protect the user's banking logins from being stolen by malware that is already on the machine. For those of you have not figure out, such a feature is very different from a sandboxing feature like SandboxIE and other such products that sandbox the browser in an effort to prevent the browser from infected the rest of the machine. SafeMoney claims to protect the browser from the rest of the machine and assume the machine might be infected.

Without further ado, let us start poking holes in Kaspersky's solution.

1. Parasitically infected files  - If piece of banking malware like Zeus want to bypass SafeMoney, all they need to do is to parasitically infect i..e attach themselves to either the main browser executable IExplore.exe, or to one of the many Windows DLLs that IE loads. Note that we aren't talking foreign DLLs like BHOs etc., rather we are talking DLLs that are fundamental to the functioning of IE. Parasitic infections or file infectors as they are commonly called, have made quite a comeback in recent years only because they are so difficult to get rid off. You can just delete the file as doing so will likely break some critical OS functionality. You have to surgically remove the malicious bytes from the exe while retaining a functional exe. In any case, even if Kaspersky tries to launch a new browser process once it detects a banking URL, that new browser process could  be totally compromised simply because it has loaded an infected DLL.

2. Unsafe processes can't launch safe processes - Safe Money's implementation requires that a new instance of the browser is launched when the product detects that a financial transaction is about to begin. This new instance is supposed to be the "safe" instance where the user actually conducts the financial transaction. There is just one problem: there is simply no way for an untrusted parent process, whether it be the original IE process, or even one of Kaspersky's own processes, to launch a trusted process. Its Security 101, a concept call the 'chain of trust'. To make matters worse, Windows adds its own security challenges to the mix, just by the way it launches processes. When a process launches another process, there a portion of the launch sequence where the parent has full control over the child, full control of its initial thread, the initial bytes that get executed etc. How can Kaspersky claim that they can launch a trusted IE process even if all other processes running on that machine have malware running in them ??

3. Rootkits run rings around Kaspersky's Safe-ish Money - Oh yes! Once malware has Ring 0 control of your machine, its game over! Once the security software is at the same privilege level as the malware, whatever the security software can do, the Rootkit can undo, and a lot faster too. Because they dont need to go through months of Quality Assurance like the Security Vendor does. Needless to say, Matousec conveniently failed to test with Rootkit banking stealing malware.

4. You have to opt-in your banking URLs - If you type in into your browser after installing KIS2013, it will NOT load up safe Money. It loads the regular ol' browser and your credentials can be stolen. You have to go into this curious configuration option hidden deep in the product and explicitly add the URL in there. And do that for all the rest of the URLs. What a sucky user experience.

There are many more holes, but I have better things to do.



Colin Gibbens said...

My company is thinking of installing Kaspersky is there anything else we should watch for

Colin Gibbens said...

My company is thinking of installing Kaspersky is there anything else we should watch for

Iron Maiden said...

Thanks for the warning! I'll avoid using this product.

Blogger said...

Been using AVG protection for a few years now, and I would recommend this antivirus to all you.