One of the hidden gems included in the Vault 7 data, dumped yesterday by WikiLeaks, is a document detailing bypass techniques for 21 security software products.
The document is part of a data dump of nearly 9,000 other files, all documentation files and manuals for various hacking tools, which WikiLeaks claims belong to the CIA.
One particular document, labeled "Personal Security Products (PSPs)" lists 21 security products, each linking to a separate document, containing descriptions of various exploits and techniques that could be used to bypass the named security tools.
The list covers almost all major antivirus vendors, including Comodo, Avast, Kaspersky, AVG, ESET, Symantec, and others.
For most security products included in this list, the bypass/exploit technique has been redacted. Yesterday, when it announced the Vault 7 leak, WikiLeaks said it made 70,875 redactions in total, mainly to remove any harmful code and personal details, such as names and IP addresses.
Bypass and exploit techniques were only listed for three vendors: F-Secure, Avira, AVG (partial info), Kaspersky, and Comodo.
In OSB's experience, F-Secure has generally been a lower tier product that causes us minimal difficulty. The only annoyance we have observed is that F-Secure has an apparent entropy-based heuristic that flags Trojaned applications or other binaries containing encrypted/compressed payloads. Two defeats are known to exist: On involves using RAR file string tables in the resource section, the other involves cloning a RAR file manifest file – the manifest technique also works against Avira's entropy-based heuristics.
Avira has historically been a popular product among [Counter Terrorism] targets, but is typically easy to evade. Similar to F-Secure, Avira has an apparent entropy-based heuristic that flags binaries containing encrypted/compressed payloads, but there are two known defeats.
AVG Catches a Payload Dropped to Disk and Launched via Link File Well After Execution (Process Hollowing)
The Kaspersky AVP.EXE process references a DLL called WHEAPGRD.DLL. This DLL is supposed to be located in one of the Kaspersky directories (which are protected by the PSP). Due to a UNICODE/ASCII processing mistake, the DLL name is prepended with the Windows installation drive letter, rather than the full path to the DLL. For typicall installations, this causes Kaspersky to look for the DLL “CWHEAPGRD.DLL” by following the standard DLL search path order. Loading our own DLL into the AVP process enables us to bypass Kaspersky’s protections. This vulnerability is limited to some of Kaspersky’s previous releases (on both XP and Win 7).
Comodo, as you may know, is a colossal pain in the posterior. It literally catches everything until you tell it not to, including standard windows services (say what?!?).
...at least, that's what happens on Comodo 5.X. In 6.X, Comodo apparently decided that catching things that were part of windows was a Bad Thing(tm). Their "fix" was... kinda lame
Anything running as SYSTEM is automatically legit under 6.X. ANYTHING. Let that sink in. Got a kernal level exploit? Good, because you can drop the kitchen sink and the contents of your garage and as long as you continue to run as SYSTEM you are golden. Yeah.
Needless to say, Comodo 6.X doesn't catch nearly as much stuff. Comodo's user base, paranoid bastards that they are, has apparently caught wind of this and lots of them haven't upgraded to 6.X. Kind of a shame, cuz this is a hole you could drive a very large wheeled freight carrying vehicle through. However, if you're lucky enough to be going against a target running 6.X, have fun!
The full list of security products included in the WikiLeaks Vault 7 dump are as follows:
- Zemana Antilogger
- Zone Alarm
- Trend Micro
- Panda Security
- Malwarebytes Anti-Malware
- EMET (Enhanced Mitigation Experience Toolkit)
- Microsoft Security Essentials