Tuesday, September 01, 2015

there's a quality problem in the anti-malware industry

if you follow infosec news sources at all, by now you've probably heard about the claim made by an anonymous pair of ex-kaspersky employees that kaspersky labs weaponized false positives.

more specifically, the claim is that engineers at kaspersky labs were directed to reverse engineer competing products and use that knowledge to alter legitimate system files by inserting malicious looking code into them so that they would both seem like files that should be detected and be similar enough to the original file that the competing product will also act on the legitimate file and in so doing cause problems for users of those competing products.

i've heard this described as fake malware, but for the life of me i can't see why it should be called fake. the altered files may not do anything malicious when executed, but they're clearly designed to exploit those competing products. furthermore, there is clearly a damaging payload. this isn't fake malware, it's real malware. it may launch its malicious payload in an unorthodox and admittedly indirect manner, but this is essentially an exploit.

some consider the detection of these altered files to be false positives because the files don't actually do anything themselves, but since they have malicious intent and indirectly harmful consequences, i think the only real false positives in play here are the original system files that are being mistaken for these modified files.

by all accounts, this type of attack on anti-malware products actually happened. what's new here is the claim that kaspersky labs was responsible at the direction of eugene kaspersky himself. there's a lot of room for doubt. the only data we have to go by so far, besides the historical fact of the attack's existence, is the word of anonymous sources (who potentially have an ax to grind) and some emails that, quite frankly, are easily forged. circumstantially there's also an experiment kaspersky participated in around the same time frame that has similar earmarks to what is being claimed except for the part about tricking competing products into detecting legitimate files as malware.

i don't expect we'll ever know for sure if kaspersky was behind the attacks. doubts have been expressed by members of the industry, but frankly i've seen too many things whitewashed or completely ignored (like partnerships with government malware writers) to take their publicly expressed statements at face value. there are certainly vendors i'd have a harder time believing capable of this but there just doesn't seem to be sufficient evidence that the claims are true. the problem is that i can't imagine any kind of evidence the anonymous sources are likely to have that isn't easy to repudiate. had they taken a stand at the time (like someone with actual scruples would have done) they would have been able to put their names behind their claims - they may have lost their jobs but they surely would have been able to find employment with a different vendor because hiring a whistle-blower would have been good PR.

however, as it stands now, the anonymous sources have to remain anonymous. if they're telling the truth then they are complicit in kaspersky's wrong-doing, and if they're lying they are throwing the entire industry under the bus for no good reason (because this claim fans the fires of that old conspiracy theory about AV vendors being the ones who write the viruses). either way, to have this claim linked to their real identities now would make them radioactive in the industry. no one would touch them, and for good reason.

long ago it used to be that the industry only employed the highest calibre of researchers. people who were beyond reproach. naturally, in order to grow, the industry has had to hire ever increasing numbers of people and old safeguards against undesirable individuals joining the ranks don't scale very well. increasingly people who aren't beyond reproach are being found amongst the industry's ranks and there appears to be no scenario where these two anonymous sources don't fall into that category. the inclusivity that the general security community embraces (and that the anti-malware industry is increasingly mimicking) has the consequence that blackhats are included. the anti-malware industry is going to have to either figure out if they're ok with that or figure out a way to avoid what the general security community could not.


Vess said...

This story was started by Reuters. As far as I am concerned, it is clearly bullshit. In fact, I suspect that it is an intentional smear campaign, a kind of psy-op conducted against Kaspersky. Remember that several government intelligence agencies have a reason to be pissed off at Kaspersky.

Reuters have recently doubled-down on that story, using even less trustworthy means, by claiming that "e-mails have surfaced that support it". Turns out, these e-mails support nothing of the sort except that Kaspersky was pissed off by other companies reverse-engineering his product and stealing his intellectual property. (That much is indeed true; I remember when a Chinese AV producer was stealing his whole database; this prompted us all - the AV producers - to introduce "fake" entries in our databases. That is, entries that are not listed when the scanner is asked to list all the viruses it detects and which detect no real malware and no real legitimate file but specially constructed files of our own that are kept secret. If the competition suddenly starts detecting these files of ours, this is an indication that they are stealing our database entries.)

Now, the way Reuters is telling the story, this thing is impossible to conduct in a targeted way. Yes, you can take a legitimate file, modify it so that several scanners start detecting it as malware and upload it to VirusTotal. It will end up being sent to the whole industry, many producers won't bother analyzing it since "several other scanners are already detecting it" and will implement detection of it without thinking. Or at least you can hope so. And you can also hope that when they implement detection, they will be stupid enough to pick identification data from the legitimate part of the file, causing false positives on the original, unmodified file.

Yes, this can be done and has been done - against the AV industry as a whole. And several AV producers did fall for it (including Kaspersky, the irony). What you cannot do, is ensure that (by using this tactic), a particular product will cause false positives. You simply cannot control which part of the file will be picked for identification purposes by the producer. You can attack the industry as a whole - and many products will fall for it - but you cannot attack a particular competitor.

The other "clearly bullshit" part of the story was that, allegedly, Kaspersky did that to punish competitors who were stealing from him. And one of these competitors was, allegedly, Microsoft?! We aren't talking about a two-bit no-name unreachable Chinese schmuck here - we are talking about one of the largest companies around that can be sued for hundreds of millions of dollars if they are caught stealing - and they were supposed to have stolen Kaspersky's detection entries?! Come on.

Vess said...

OK, politics, ethics and other bullshit aside, me being a techie, I started thinking - can one do something like this in principle? Can you force a particular AV product to cause a false positive? Not by using the method described in Reuters' story, of course - that won't work. But can it be done by other means?

I discussed some ideas with various people and, sadly, the conclusion is that yes, it is technically possible.

As you probably know, contrary to popular belief, scanners stopped relying exclusively on "signatures" (i.e., scan strings) more than two decades ago. Nowadays many other, more precise and reliable methods are used. One of them involves computing some sort of checksum of the non-variable part of the malware (or part of it, if the malware is large).

Now, for performance reasons, nobody is really using a cryptographically strong hash function for the checksum. Some use plain CRC-32, some use proprietary functions - but they are all simple and fast; not cryptographically strong. Which means that for a cryptographer, it should be relatively easy to find collisions for them - i.e., two different pieces of data that both have the same checksum. (This is feasible even for MD5, let alone for something as trivial as CRC-32.)

So, the attack goes like this. You reverse-engineer the AV product and determine what kind of checksum is used and for what kind of objects (one and the same scanner often uses different identification methods for different kinds of malware). Let's say that you find out that for small, self-contained malware (i.e., not a parasitic virus) that contains no variable areas, the scanner identifies it by computing a CRC-32 of the first 512 bytes after the entry point.

So, you take some relatively small legitimate and widely used file and compute this checksum of the first 512 bytes after its entry point. Then you write some malware (small, self-contained, no variable areas) and make sure that it has the same length and the same checksum of the first 512 bytes after the entry point. You send this (clearly malicious) file to the producer of the product you want to attack. They implement detection the way they usually do for this kind of malware and - blam! - they will also detect the legitimate file.

Of course, you'd have to hope that their in-house false positive testing doesn't pick up this before the new entry gets distributed to the world.

kurt wismer said...

i appreciate your candor, vess. let me ask you something, though - you believe the story is bullshit, but how far does the bullshit extend? are the anonymous sources real or made up? if they're real people who actually contacted the journalist, are they really ex-employees or are their credentials forged?

i think since there's already recent news about an intern at another company being charged with malware-related crimes that my conclusion about a quality problem still stands, but if the anonymous sources here aren't actual ex-employees then they can't back up that conclusion.

Anonymous said...

Sorry Vess, but the exploit method described by Reuters can easily work with any vendor who does fully automated signatures, which would be any vendor who gets 50000-100000 new samples per day.

Like you said, a static malware detection works roughly by looking at some parts of the file that are enough to ensure it's a known malicious. Might be a checksum, or for smaller blocks might be a comparison. Now, if you reverse engineer that a real malware file gets detected by the target by looking at certain specific blocks, what if you change those small blocks to contain the same bytes of a Steam core file, and upload that file to Virustotal? With any luck, the automated detection generator system will correctly mark the file as malicious due to its full contents, but will make a new detection using the same exact offsets as before. Now, when that detection gets released, it will detect your modified malware, but it also will detect the Steam core file!

Vess said...

Kurt, I have no way of knowing whether the two anonymous sources actually exist. Even if they do, they could have still made up the story in order to harm a former employer that they might have left not on the best of terms.

It doesn't really matter. What matters is that, as described, the attack simply isn't going to work and if these sources were real and have real, hard information, why didn't they share any hard technical details?! I mean, one that an expert would find believable? It seems that they (or just Reuters) are playing on the general public's lack of understanding of how AV products actually work.

I have no problem with your argument that the AV industry needs better quality control. I just have a problem with Reuters' bullshit story.

The FireEye story you are referring to is completely different. A rogue employee at the company decided to make some money on the side by selling a piece of malware he had designed. While unethical and otherwise despicable, I have absolutely no problem believing that. I do have a huge problem believing Reuters' story.

Anonymous, please read again what I have written and try to understand it. You can reverse-engineer a competing product and see how it works - but you cannot know how a competing AV company selects malware identification data, unless you work there and are familiar with the process. You certainly can modify a non-malicious file to be misidentified as some known malware by a given product. But that certainly won't be a legitimate file any longer, and detecting it (while being a misidentification) would not be a false positive. You can HOPE that you will luck out and somebody's AV product will implement detection of it by picking parts which are also present in the original, unmodified file, but you cannot be sure that it will happen. That's why you can attack the whole industry this way (and will almost certainly "luck out" with some products), but you cannot attack a particular product this way and make sure that it causes a false positive.

Oh, and BTW, while the creation of malware detection and identification entries is automated to a large degree, it is not fully automatic - there is usually a human somewhere in the loop. At the same time, every self-respecting AV company DOES conduct false positive testing in-house (and those ARE automatic), so if a false positive wasn't caught it is, to a large degree, a failure of that AV company's internal quality control procedures.

If the Reuters story had claimed that Kaspersky had attacked the whole AV industry this way, it would be a stupid and difficult to believe claim - but at least it would have been technically possible; I'd just require some hard evidence (besides relying on dubious anonymous sources) that it was actually done. As it is now, the attack, as they have described it, is simply unrealistic.
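
Added example, not part of the original post or its comments: the in-house false positive testing that Vess mentions in two of his comments, sketched as a pre-release gate that runs a candidate detection entry over a clean-file corpus, using his hypothetical identification scheme (file length plus CRC-32 of the first 512 bytes after the entry point). It also shows that confirming a weak match with a full-file SHA-256 removes the hit on the legitimate file. All function names, the entry offset passed in as a parameter, and the sample bytes are constructed assumptions, not any vendor's format.

```python
import hashlib
import zlib

WINDOW = 512  # bytes after the entry point, as in the comment's example


def weak_id(data: bytes, entry: int) -> tuple[int, int]:
    """(file length, CRC-32 of the first 512 bytes after the entry point)."""
    return len(data), zlib.crc32(data[entry:entry + WINDOW])


def strong_id(data: bytes) -> str:
    """SHA-256 over the whole file, used only to confirm a weak match."""
    return hashlib.sha256(data).hexdigest()


def make_entry(sample: bytes, entry: int) -> dict:
    """Build a candidate detection entry from a submitted sample."""
    return {"weak": weak_id(sample, entry), "strong": strong_id(sample)}


def fp_gate(candidate: dict, clean_corpus: dict, confirm: bool = False) -> list:
    """Return the names of clean files the candidate entry would flag.

    clean_corpus maps name -> (file bytes, entry offset).
    confirm=True models an engine that checks the strong hash after a weak hit.
    """
    hits = []
    for name, (data, entry) in clean_corpus.items():
        if weak_id(data, entry) != candidate["weak"]:
            continue
        if confirm and strong_id(data) != candidate["strong"]:
            continue
        hits.append(name)
    return sorted(hits)


# Constructed, inert sample data (not real executables); entry offset assumed.
ENTRY = 64
SHARED = bytes(range(256)) * 2  # 512-byte block present in both files
CLEAN = b"H" * ENTRY + SHARED + b"legit-tail-0001"
OTHER = b"H" * ENTRY + bytes(512) + b"legit-tail-2"
SUBMITTED = b"H" * ENTRY + SHARED + b"other-tail-9999"  # same length as CLEAN
CORPUS = {"clean_a.bin": (CLEAN, ENTRY), "clean_b.bin": (OTHER, ENTRY)}

if __name__ == "__main__":
    entry = make_entry(SUBMITTED, ENTRY)
    print("weak-only hits:", fp_gate(entry, CORPUS))            # block release
    print("with confirmation:", fp_gate(entry, CORPUS, confirm=True))
```

A non-empty result from `fp_gate` is the signal to hold the entry back and pick identification data that the clean file does not share.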