KAV 7.0 Overview of technologies

Nikolay Grebennikov, Department of Innovative Technologies, Deputy Director, Nikolay.Grebennikov@kaspersky.com


Page 1:

KAV 7.0

Overview of technologies

Nikolay Grebennikov

Department of Innovative Technologies, Deputy Director, Nikolay.Grebennikov@kaspersky.com

Page 2:

We'll talk about the new protection technologies.

Plan of presentation

• New heuristic engine based on an emulator

• Greatly improved anti-rootkit

• Outbound protection improvements (anti-leak)

• New Privacy Control concept

• Protection against a new type of keylogger

• Improved PDM (Proactive Defense Module) detection

• Improved self-protection

Page 3:

New heuristic engine (1)

• KAV 3.0, 4.0, 5.0: best detection rate and fastest reaction time: signature-based detection

• KAV 6.0: + Proactive Defense Module (PDM), based on analysis of application behavior

• KAV 7.0: + new heuristic engine based on an emulator

Now KL's 7.0 products contain a full set of the most effective technologies, which gives our users a unique level of protection against all types of modern threats.

Triple shield of protection

Page 4:

New heuristic engine (2)

1. The heuristic engine uses the same decision-making logic (set of rules) as the Proactive Defense Module.

2. But the events for the heuristic engine and for the PDM are generated by different modules: the emulator and a kernel-mode driver.

Event providers:

• Windows kernel-mode drivers -> Proactive Defense Module. The driver intercepts operations on the real file system and system registry, network and other activities of all processes.

• Emulator -> Heuristic engine. The emulator gets the same information during emulation of the execution of the application's program code.

Both providers feed the same decision-making logic.

Page 5:

New heuristic engine (3)

Real-time protection: signature-based engine + Proactive Defense Module

Scan tasks: signature-based engine + heuristic engine

Influence on system performance: the new emulator won't increase the system slowdown caused by AV, because KAV 7.0 uses the power of the triple shield:

• with default settings, the PDM and the signature engine work in real time,

• the heuristic engine and the signature engine work in scan tasks.

Page 6:

New heuristic engine (5)

Demo: scan of the emul.zip archive with 4 test viruses

1. Heuristic is disabled: no threats detected

Page 7:

New heuristic engine (6)

2. Heuristic is enabled: all threats are detected, with 3 different behavior-based verdicts

Page 8:

Greatly improved anti-rootkit (1)

Anti-rootkit technologies

1. During installation of a rootkit:

• interception of registration of the rootkit's drivers and services

• interception of injection of the rootkit's code into trusted processes + self-protection of KAV

2. Detection of active rootkits:

• detection of hidden processes in memory

• active threat disinfection technology

• detection and removal of hidden files on disk

New in 7.0!

Page 9:

Greatly improved anti-rootkit (2)

Detection of hidden files

• Main idea is a cross-scan: get the list of files using the Windows API, get the same list using direct disk access, and compare!

• Rootkit scan: direct disk access for all files and for the NTFS Alternate Data Streams of folders

• Advanced rootkit scan: the same as the basic scan plus a scan of the ADS of all files (much slower, but necessary in some cases)
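The cross-scan, as an added example in Python (not the product's code). The two directory views are constructed dictionaries: the API view stands for what FindFirstFile/FindFirstStreamW return, which a rootkit's filter can trim, and the disk view stands for a direct parse of the NTFS volume (MFT records), which it cannot. The paths, stream names and the "hidden.sys" driver are sample data that mimic the Costrat (ADS on System32) and Unreal (ADS on C:\) cases from the following slides; the example does not read a real volume.

```python
"""Cross-scan: compare the file listing the Windows API reports with what is
actually on disk, and report everything the API view is missing.

Added example, not KAV code. Both views are constructed dictionaries. Each
path maps to the set of $DATA streams it carries: "" is the unnamed stream
every regular file has, so an entry without "" is a directory.
"""

View = dict[str, set[str]]

API_VIEW: View = {                       # constructed: what the OS reports
    "C:\\": set(),
    "C:\\Windows": set(),
    "C:\\Windows\\System32": set(),
    "C:\\Windows\\System32\\ntoskrnl.exe": {""},
    "C:\\Windows\\System32\\drivers\\evil.sys": {""},
    "C:\\Users\\alice\\notes.txt": {"", "Zone.Identifier"},
}

DISK_VIEW: View = {                      # constructed: what the MFT contains
    "C:\\": {"rk.sys"},                                   # Unreal-style: ADS on the root folder
    "C:\\Windows": set(),
    "C:\\Windows\\System32": {"18467"},                   # Costrat-style: ADS on System32
    "C:\\Windows\\System32\\ntoskrnl.exe": {""},
    "C:\\Windows\\System32\\drivers\\evil.sys": {""},
    "C:\\Windows\\System32\\drivers\\hidden.sys": {""},   # file filtered out of the API view
    "C:\\Users\\alice\\notes.txt": {"", "Zone.Identifier", "payload"},  # ADS on a file
}


def cross_scan(api_view: View, disk_view: View, advanced: bool = False) -> list[str]:
    """Return findings for entries present on disk but missing from the API view.

    Basic scan: every file and directory, plus the named streams of directories
    (cheap, and where Costrat and Unreal hide their drivers). Advanced scan:
    additionally the named streams of every file, which on a real volume means
    walking the attribute list of every MFT record and is therefore much slower.
    A stream the rootkit hides from the API (the Unreal case) is still found,
    because the disk view never passes through the rootkit's filter.
    """
    findings = []
    for path in sorted(disk_view):
        disk_streams = disk_view[path]
        is_dir = "" not in disk_streams
        if path not in api_view:
            findings.append(f"hidden {'folder' if is_dir else 'file'}: {path}")
            continue
        if not is_dir and not advanced:
            continue                     # file ADS are only compared in the advanced scan
        for stream in sorted(disk_streams - api_view[path]):
            if stream:
                findings.append(f"hidden stream: {path}:{stream}")
    return findings
```

`cross_scan(API_VIEW, DISK_VIEW)` is the basic rootkit scan and already reports the two folder streams and the hidden driver file; `cross_scan(API_VIEW, DISK_VIEW, advanced=True)` adds the stream on notes.txt, which is the extra work the slide describes as slow but sometimes necessary.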

Page 10:

Greatly improved anti-rootkit (3)

Materials

• Fighting Rootkits with Kaspersky Internet Security 6.0/Kaspersky Antivirus 6.0 (http://www.kaspersky.com/fighting_rootkits_version_6_products)

• In the near future we'll publish the second part of the article, about the anti-rootkit in KIS 7.0

• But right now you can make a demo using the 3 rootkits described on the next slides (Costrat, Unreal, Elite Keylogger)

Page 11:

Greatly improved anti-rootkit (4)

• Costrat (Rustock.B; spambot) http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&tabid=2

  • family of backdoor programs with advanced user-mode and kernel-mode rootkit capabilities

  • very powerful rootkit, described in VB in August 2006

• Elite Keylogger http://www.elitekeylogger.com/

  • very powerful keylogger and rootkit, uses 3 kernel-mode drivers

  • detected by KAV 6.0 during installation; the Rescue CD was needed to remove it

• Unreal.A by MP_ART & EP_X0FF

  • proof-of-concept non-malicious stealth rootkit

  • designed to be invisible to all current rootkit detection technologies

Page 12:

Greatly improved anti-rootkit (5)

Trojan-Clicker.Win32.Costrat.ab (Rustock)

The driver is hidden in an NTFS Alternate Data Stream of the System32 folder

Page 13:

Greatly improved anti-rootkit (6)

not-a-virus:Monitor.Win32.EliteKeylogger

Page 14:

Greatly improved anti-rootkit (7)

Exploit.Win32.Unreal.a

1. The driver is hidden in an NTFS Alternate Data Stream of the root C:\ folder

2. This Alternate Data Stream is itself hidden by the rootkit's driver!

Page 15:

Firewall outbound protection improvements (1)

Leak tests failed in KIS 6.0 MP2 *

Leak test  | Technique
BITStester | use of the BITS service
Breakout   | Windows messages to IE
Breakout2  | changing the ActiveDesktop with a URL
CPILSuite3 | SetWinEventHook function
DNStester  | DnsQuery from Dnsapi.dll
OSfwbypass | ShowHTMLDialog from Mshtml.dll
Surfer     | DDE communication with IE

* http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php

Page 16:

Firewall outbound protection improvements (2)

Page 17:

Firewall outbound protection improvements (3)

1. BITSAdmin

2. Breakout

Page 18:

Firewall outbound protection improvements (4)

3. Breakout2

4. CPILSuite (3)

Page 19:

Firewall outbound protection improvements (5)

5. Surfer

6. OSFwBypass

Page 20:

Firewall outbound protection improvements (6)

1. KIS 7.0 should improve its result by 650+ (300-600 points; I am not sure about the FPR tests)

• In any case KIS will surpass ZoneAlarm and SSM in the result table.

We will consider our 3rd place as the best possible result, because we are not going to fight against the specific solutions from Comodo and Jetico (the only difference will be in the default settings; we think that our settings are the best balance for 95% of Internet users).

Page 21:

New Privacy Control concept (1)

1. The concept of the Privacy Control component implemented in most security suites:

"enter all your private data: PINs, passwords, ..." "we will analyze outgoing traffic, and if some of your private data is found, it will be replaced by "***""

Cool idea, but it DOES NOT work in the real world.

Why? Because almost all trojans encrypt all the data they send, and the security suite will find nothing in such encrypted traffic!

2. So how can we protect the user's private data?

1) we can block access to the password storages of many well-known programs and to the Windows Protected Storage,

2) we can block all attempts to send data in hidden ways (used by most trojans).
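The argument above, as an added example in Python (not Kaspersky's code). A scrubber that masks the user's secrets in outbound bytes catches them while they travel in plaintext and sees nothing once a trojan encodes its report, whereas an access policy on the credential stores themselves stops the read before any traffic exists. The secrets, the XOR/base64 "encryption", the store paths, the glob patterns and the per-store process allow-lists are all constructed for the example.

```python
"""Traffic scrubbing versus source-side access control for private data.

Added example, not Kaspersky code. scrub_outbound() is the classic Privacy
Control idea (mask the user's secrets in outgoing bytes); trojan_report()
shows what a password-stealing trojan really sends; store_access_allowed() is
the alternative: refuse reads of credential stores to processes that have no
business there. Secrets, key, store paths and allow-lists are constructed.
"""
import base64
import fnmatch
import json
from itertools import cycle

USER_SECRETS = ["4711", "hunter2"]        # constructed PIN and password
MASK = b"***"


def scrub_outbound(payload: bytes, secrets=USER_SECRETS) -> bytes:
    """Classic approach: replace any secret found verbatim in outbound traffic."""
    for secret in secrets:
        payload = payload.replace(secret.encode(), MASK)
    return payload


def leaks_secret(payload: bytes, secrets=USER_SECRETS) -> bool:
    """What the scrubber can see: a secret appearing literally in the bytes."""
    return any(secret.encode() in payload for secret in secrets)


def trojan_report(stolen: dict, key: bytes = b"k3y") -> bytes:
    """What a PSW trojan actually puts on the wire: serialized, XOR-'encrypted'
    and base64-wrapped. Real samples use proper ciphers; any reversible
    transform is already enough to make the scrubber see nothing."""
    plain = json.dumps(stolen).encode()
    enc = bytes(b ^ k for b, k in zip(plain, cycle(key)))
    return base64.b64encode(enc)


# Constructed policy: credential store (glob pattern) -> processes allowed to read it.
PROTECTED_STORES = {
    "HKCU\\Software\\Microsoft\\Protected Storage System Provider*": {"iexplore.exe", "outlook.exe"},
    "%APPDATA%\\Mozilla\\Firefox\\Profiles\\*\\signons.sqlite": {"firefox.exe"},
}


def store_access_allowed(process: str, target: str) -> bool:
    """Alternative approach: decide at the read, before the data exists inside a
    process that could encrypt it and send it out in a hidden way."""
    for pattern, owners in PROTECTED_STORES.items():
        if fnmatch.fnmatchcase(target.lower(), pattern.lower()):
            return process.lower() in owners
    return True                           # not a credential store: no restriction here
```

The first two functions are the whole of the "***" idea; the third shows why it only works on the plaintext request a naive program would send. The policy check is what the LdPinch/passview demo on the next slide exercises: the reading process, not the traffic, is what gets blocked.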

Page 22:

New Privacy Control concept (2)

Real-life example: Trojan-PSW.Win32.LdPinch

Test sample: a passview utility which tries to get information from the Windows Protected Storage

Page 23:

Protection against a new type of keylogger (1)

Protection against all types of keyloggers

User-mode:

• SetWindowsHookEx (global keyboard hook)

• GetAsyncKeyState/GetKeyState (keyboard polling)

• GetMessage/PeekMessage interception

• Use of the Raw Input model (New in 7.0!)

Kernel-mode:

• Kbdclass driver filter

• \Device\KeyboardClass0 driver filter

• Kbdclass dispatch table patch

• KeServiceDescriptorTableShadow patch

Page 24:

Protection against a new type of keylogger (2)

Protection against a new technique for intercepting keyboard input: using the Raw Input model via DirectX functions

Unique!

Page 25:

Improved PDM detection (1)

Protection against a new technique for installing drivers in a hidden way: save/restore of the registry hive for the Services part of the System registry

Unique!

Page 26:

Improved PDM detection (2)

Protection against a new technique for installing drivers in a hidden way: using the kernel function ZwLoadDriver (it can be called by ring-3 applications)

Unique!
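The architecture from the "New heuristic engine (2)" slide, exercised on the behaviors from the keylogger and PDM slides, as an added example in Python (not the product's code). One rule set is shared by two engines: the PDM receives events from a kernel-mode driver at run time, the heuristic engine receives the same kind of events from an emulator during a scan. The event format, the four rules, the verdict names, the mini Windows API the emulator understands, the driver log and the two sample programs are all constructed for the example.

```python
"""Shared decision logic fed by two event providers (driver and emulator).

Added example, not Kaspersky code. Event names, rules, the fake API and all
sample inputs are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source: str          # "driver" or "emulator"
    pid: int
    op: str              # normalized operation, identical for both providers
    target: str = ""     # first operand: path, key, syscall name, hook type ...
    args: tuple = ()     # remaining operands


# --- decision-making logic shared by the PDM and the heuristic engine ------

def rule_hidden_driver_via_hive(events):
    """Slide 25: save the Services hive, add the service offline, restore it."""
    on_services = lambda e: e.target.lower().endswith("\\services")
    return (any(e.op == "reg_save_key" and on_services(e) for e in events)
            and any(e.op == "reg_restore_key" and on_services(e) for e in events))


def rule_ring3_zwloaddriver(events):
    """Slide 26: a ring-3 process loads a driver through ZwLoadDriver, bypassing the SCM."""
    return any(e.op == "syscall" and e.target == "ZwLoadDriver" for e in events)


def rule_rawinput_keylogger(events):
    """Slides 23/24: raw keyboard input registered by a process with no visible window."""
    wants_keyboard = any(e.op == "register_raw_input" and e.target == "keyboard" for e in events)
    visible_window = any(e.op == "create_window" and "visible" in e.args for e in events)
    return wants_keyboard and not visible_window


def rule_global_kbd_hook(events):
    """Slide 23: classic global keyboard hook."""
    return any(e.op == "set_windows_hook" and e.target == "WH_KEYBOARD_LL" for e in events)


RULES = {
    "HiddenDriverInstall.HiveRestore": rule_hidden_driver_via_hive,
    "HiddenDriverInstall.ZwLoadDriver": rule_ring3_zwloaddriver,
    "Keylogger.RawInput": rule_rawinput_keylogger,
    "Keylogger.GlobalHook": rule_global_kbd_hook,
}


def decide(events):
    """Verdicts per process; the logic does not care which provider produced the events."""
    by_pid = {}
    for e in events:
        by_pid.setdefault(e.pid, []).append(e)
    return {pid: sorted(n for n, rule in RULES.items() if rule(evs))
            for pid, evs in by_pid.items()}


# --- provider 1: kernel-mode driver (real-time protection, PDM) ------------

# Constructed driver log, one intercepted operation per line: "pid op target [args...]".
# Pid 2220 is a game: raw keyboard input together with a visible window is legitimate.
DRIVER_LOG = """\
1304 reg_save_key HKLM\\SYSTEM\\CurrentControlSet\\Services C:\\tmp\\svc.hiv
1304 file_write C:\\tmp\\svc.hiv
1304 reg_restore_key HKLM\\SYSTEM\\CurrentControlSet\\Services C:\\tmp\\svc.hiv
2220 create_window MainWnd visible
2220 register_raw_input keyboard
"""


def driver_events(log=DRIVER_LOG):
    events = []
    for line in log.splitlines():
        pid, op, target, *args = line.split()
        events.append(Event("driver", int(pid), op, target, tuple(args)))
    return events


# --- provider 2: emulator (scan tasks, heuristic engine) -------------------

SYSCALLS = {"ZwLoadDriver"}
API_TO_OP = {                      # fake Windows API the emulator understands
    "RegisterRawInputDevices": "register_raw_input",
    "SetWindowsHookEx": "set_windows_hook",
    "CreateWindowEx": "create_window",
    "RegSaveKey": "reg_save_key",
    "RegRestoreKey": "reg_restore_key",
}


def emulate(pid, program):
    """Run a constructed program (a list of API calls) against the fake API and
    translate each call into the same Event type the driver emits."""
    events = []
    for api, *operands in program:
        if api in SYSCALLS:
            events.append(Event("emulator", pid, "syscall", api, tuple(operands)))
        elif api in API_TO_OP:
            events.append(Event("emulator", pid, API_TO_OP[api],
                                operands[0] if operands else "", tuple(operands[1:])))
        # any other call (RegCreateKey, ...) produces no behavior event
    return events


UNSIGNED_LOADER = [    # constructed: writes a service key, then skips the SCM
    ("RegCreateKey", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\rk"),
    ("ZwLoadDriver", "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\rk"),
]
RAW_INPUT_LOGGER = [   # constructed: message-only window plus raw keyboard input
    ("CreateWindowEx", "MsgOnlyWnd", "hidden"),
    ("RegisterRawInputDevices", "keyboard", "RIDEV_INPUTSINK"),
]
```

`decide(driver_events())` is the PDM path and convicts pid 1304 for the hive save/restore trick while leaving the game alone; `decide(emulate(7001, UNSIGNED_LOADER))` and `decide(emulate(7002, RAW_INPUT_LOGGER))` are the heuristic-engine path and reach the ZwLoadDriver and raw-input verdicts from emulated calls before the sample has ever run. The game entry is the caveat a practitioner should keep in mind for the raw-input rule: raw input is a legitimate API, so the window check (or an equivalent context check) is what keeps the rule from firing on every game and VNC client.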

Page 27:

Improved self-protection (1)

Self-protection technologies

• Protection of the product's files on disk

• Protection of the product's registry keys

• Protection of the product's processes in memory

• Protection of the product's folders against changes of permissions (New in 7.0!)

• Protection of the product's registry keys against changes of permissions (New in 7.0!)

Page 28:

Improved self-protection (2)

Protection against changes of permissions on KAV folders

Unique!

Page 29:

Improved self-protection (3)

Protection against changes of permissions on KAV registry keys

Unique!

Page 30:

Last point: network performance

Influence on system performance

• Some users complained about decreased network performance after installing KIS 6.0 (eMule, games, ...)

• So we've completely rewritten our network driver

• Let's see the result:

Test stand: Windows Vista and XP SP2 32-bit. KIS 7.0 with Firewall and IDS enabled. About 200 rules are added for different network applications. Network throughput is measured using the netcps.exe utility.

Configuration | In (MPS) | In (%) | Out (MPS) | Out (%)
w/o KIS       | 8.00     | 100    | 8.03      | 100
KIS 6.0       | 3.87     | 48.38  | 2.84      | 35.37
KIS 7.0       | 7.94     | 99.25  | 7.93      | 98.75

MPS = Mb per second

Page 31:

Thank you!

Questions?