KAV 7'0

1
KAV 7.0 Overview of technologies
Nikolay Grebennikov Department of Innovative
Technologies, Deputy Director, Nikolay.Grebennikov
_at_kaspersky.com
2
Plan of presentation
Well talk about new protection technologies

• New heuristic based engine based on emulator
• Greatly improved Anti-root kit
• Outbound protection improvements (anti-leaks)?
• New Privacy control concept
• Protection against new type of key loggers
• Improved PDM detection
• Improved self-protection

3
New heuristic engine (1)?

• Triple shield of protection

• KAV 3.0, 4.0, 5.0 best detection rate and
  fastest reaction time signature-based detection
• KAV 6.0 Proactive Defense Module based on
  analyses of applications behavior
• KAV 7.0 new Heuristic engine based on emulator
• Now KLs 7.0 products contain a full set of most
  effective technologies which give our users the
  unique level of protection against all types of
  modern threats.

4
New heuristic engine (2)?

• Heuristic engine uses the same decision making
  logic (set of rules) as Proactive defense module.
• But events for heuristic engine and PDM are
  generated by different modules emulator and
  kernel mode driver.

Proactive defense module
Heuristic engine
Decision making logic
Windows kernel mode drivers
Emulator
The driver intercepts operations on real file
system and system registry, network and other
activities of all processes
The emulator gets the same information during
emulation of the execution of applications
program code
Events providers
5
New heuristic engine (3)?
Influence on system performance

• New emulator wont increase system slowdown
  caused by AV because KAV 7.0 uses the power of
  triple shield
• With default settings PDM and signature engine
  work in real-time,
• Heuristic engine and signature engine work for
  scan tasks.

Real time protection
Scan tasks
Heuristic engine
Proactive defense module


Signature based engine
Signature based engine
6
New heuristic engine (5)?

• Demo scan of emul.zip archive with 4 test viruses

1. Heuristic is disabled no threats detected
7
New heuristic engine (6)?
2. Heuristic is enabled
?ll threats are detected with 3 different
behavior-based verdicts
8
Greatly improved Anti-rootkit (1)?
Anti-root technologies

• During installation of rootkit
• Interception of rootkits drivers and services
  registration
• Interception of injection of rootkits code in
  trusted processes self-protection of KAV
• Detect of active rootkits
• Detect of hidden processes in memory
• Active threats disinfection technology
• Detect and removal of hidden files on disk

New in 7.0!
9
Greatly improved Anti-rootkit (2)?
Detection of hidden files

• Main idea is a cross-scan get the list of the
  files using Window API, get the same list using
  direct disk access and compare!
• Rootkit scan
• Direct disk access for all files and NTFS
  Alternative Data Streams of folders
• Advanced rootkit scan
• The same as basic plus scan of ADS for all files
  (much more slowly but necessary in some cases)?

10
Greatly improved Anti-rootkit (3)?
Materials

• Fighting Rootkits with Kaspersky Internet
  Security 6.0/Kaspersky Antivirus 6.0
  (http//www.kaspersky.com/fighting_rootkits_versio
  n_6_products)?
• In the nearest future well publish the second
  part of the article about Anti-rootkit in KIS 7.0
• But right now you can make a demo using 3
  rootkits described on the next slides (Costrat,
  Unreal, Elite Keylogger)?

11
Greatly improved Anti-rootkit (4)?

• Costrat (Rustock.B Spambot)?
• http//www.symantec.com/security_response/writeup.
  jsp?docid2006-070513-1305-99tabid2
• family of back door programs with advanced user
  and kernel mode rootkit capabilities,
• very powerful rootkit, described in VB in August
  2006,
• Elite Keylogger http//www.elitekeylogger.com/
• very powerful keylogger and rootkit, uses 3
  kernel mode drivers
• detected by KAV 6.0 during installation Rescue
  CD was needed to remove it.
• Unreal.A by MP_ART EP_X0FF
• proof of concept nonmalicious stealth rootkit
• designed to be invisible to all current rootkit
  detection technologies

12
Greatly improved Anti-rootkit (5)?
Trojan-Clicker.Win32.Costrat.ab (Rustock)?
Driver is hidden in NTFS Alternate Data Stream of
System32 folder
13
Greatly improved Anti-rootkit (6)?
not-a-virusMonitor.Win32.EliteKeylogger
14
Greatly improved Anti-rootkit (7)?
Exploit.Win32.Unreal.a
1. Driver is hidden in NTFS Alternate Data Stream
of the root C\ folder
2. This Alternate Data Stream is hidden itself by
rootkits driver!
15
Firewall outbound protection improvements (1)?

• Leaktests failed in KIS 6.0 MP2
• BITStester Using of BITS service
• Breakout Windows Messages to IE
• Breakout2 changing of ActiveDesktop with URL
• CPILSuite3 SetWinEventHook function
• DNStester DnsQuery from Dnsapi.dll
• OSfwbypass ShowHTMLDialog from Mshtml.dll
• Surfer DDE communication with IE

http//www.matousec.com/projects/windows-persona
l-firewall-analysis/leak-tests-results.php
16
Firewall outbound protection improvements (2)?
17
Firewall outbound protection improvements (3)?
1. BITSAdmin
2. Breakout
18
Firewall outbound protection improvements (4)?
4. CPILSuite (3)?
3. Breakout2
19
Firewall outbound protection improvements (5)?
5. Surfer
6. OSFwBypass
20
Firewall outbound protection improvements (6)?

• KIS 7.0 should improve its result by 650(300-600
  points - I am not sure about FPR tests)?
• In any case KIS will surpass ZoneAlarm and SSM in
  the result table.We will consider our 3-rd
  place as the best possible result because we are
  not going to fight against specific solutions
  from Comodo and Jetico (the only difference will
  be in the default settings - we think that our
  settings is the best balance for 95 of Internet
  users).

21
New Privacy control concept (1)?

• Concept of Privacy Control component implemented
  in the most Security Suites
• enter all your private data PINs, Passwords,
  
• we will analyze outgoing traffic and if some of
  your private data will be found it will be
  replaced by
• Cool idea but it DOES NOT work in real world.
• Why? Because almost all of the trojans encrypt
  all sending data and Security Suite will found
  nothing in such encrypted traffic!
• And how we can protect users private data?
• we can block access to passwords storages for
  many well-known programs and Windows Protected
  storage,
• we can block all attempts of data sending in
  hidden ways (used by most of the trojans).

22
New Privacy control concept (2)?

• Real life example - Trojan-PSW.Win32.LdPinch
• Test sample - passview utility which try to get
  information from the Windows Protected storage

23
Protection against new type of keyloggers (1)?

• Protection against all types of keyloggers
• User-mode
• SetWindowHook (global keyboad hook)?
• GetAsyncKeyState/GetKeyState (keyboard polling)?
• GetMessage/PeekMessage interception
• Using of Raw Input model
• Kernel-mode
• Kbdclass driver filter
• Device\KeyboardClass0 driver filter
• Kbdclasss dispatch table patch
• KeServiceDescriptorTableShadow patch

New in 7.0!
24
Protection against new type of keyloggers (2)?
Protection against new technique to intercept
keyboard input using model of Raw Input
via DirectX functions
Unique!
25
Improved PDM detection (1)?
Protection against new technique to install
drivers in hidden way save/restore registry
hive for Services part of System registry
Unique!
26
Improved PDM detection (2)?
Protection against new technique to install
drivers in hidden way using kernel
function ZwLoadDriver (can be used by
ring3-applications)?
Unique!
27
Improved self-protection (1)?
Self-protection technologies

• Protection of products files on disk
• Protection of products registry keys
• Protection of products processes in memory
• Protection of products folders against changes
  of permissions
• Protection of products registry keys against
  changes of permissions

New in 7.0!
New in 7.0!
28
Improved self-protection (2)?
Protection against changes of permissions on KAV
folders
Unique!
29
Improved self-protection (3)?
Protection against changes of permissions on KAV
registry keys
Unique!
30
Last point network perfomance
Influence on system performance

• Some users complained about decreasing of network
  performance after installing of KIS 6.0 (eMule,
  games, )?
• And weve completely rewritten our network driver
• Lets see the result

Test stand Windows Vista and XP SP2 32bit. KIS
7.0 with Firewall and IDS enabled. ?bout 200
rules are added for different network
applications. Network throughput is being
measured by using the netcps.exe utility
MPS Mb per second
31
Thank you!

• Questions?