{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/kaspersky-internet-security/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Kaspersky Internet Security"],"_cs_severities":["medium"],"_cs_tags":["anti-virus","reverse-engineering","signature-analysis","macos"],"_cs_type":"advisory","_cs_vendors":["Kaspersky"],"content_html":"\u003cp\u003eThe blog post examines the inner workings of Kaspersky Internet Security for macOS, specifically focusing on its signature update mechanism and the architecture of its scanning engine. It highlights how anti-virus products, due to their inherent need to scan all files, including documents, for malicious patterns, could theoretically be repurposed to identify and flag documents containing specific classification markers. The author reverses the Kaspersky product to understand how to craft a signature that could detect classified documents. The analysis focuses on the \u003ccode\u003ekav\u003c/code\u003e daemon, responsible for the core anti-virus scanning and detection logic. The blog post emphasizes that the analysis is purely for research purposes and does not suggest any actual subversion or misuse by Kaspersky. 
The target version was the latest version of Kaspersky Internet Security for macOS at the time of the blog post (January 1, 2018).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker downloads and installs Kaspersky Internet Security for macOS.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the \u003ccode\u003ekav\u003c/code\u003e daemon as the core component for scanning and detection logic.\u003c/li\u003e\n\u003cli\u003eAttacker reverse engineers the \u003ccode\u003ekav\u003c/code\u003e daemon to understand its signature format and scanning logic.\u003c/li\u003e\n\u003cli\u003eAttacker observes the signature update process where encrypted signatures are downloaded from Kaspersky\u0026rsquo;s update servers (e.g., dnl-03.geo.kaspersky.com) and stored temporarily in \u003ccode\u003e/private/tmp/temporaryFolder/updates/kdb/i386/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker discovers that signature updates are installed to \u003ccode\u003e/Library/Application Support/Kaspersky Lab/KAV/Bases/KLAVA/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker notes the signatures are stored in a cache file \u003ccode\u003ekavbase_00000000\u003c/code\u003e which is exclusively opened by the \u003ccode\u003ekav\u003c/code\u003e daemon.\u003c/li\u003e\n\u003cli\u003eAttacker bypasses the need to decrypt the signature database by interacting with signatures in memory.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a custom signature designed to detect specific classification markers within documents, demonstrating the potential for exfiltration of sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful crafting and deployment of a malicious signature within a subverted anti-virus product could enable the unauthorized detection and exfiltration of documents containing specific classification markers. 
While the blog post does not detail a real-world attack or any victims, it highlights a potential vulnerability in anti-virus architectures that could be exploited by malicious actors. If successful, sensitive or classified documents could be identified, copied, and sent to attacker-controlled systems without the user\u0026rsquo;s knowledge or consent.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for suspicious network connections originating from anti-virus processes to unusual or external domains, based on the \u003ccode\u003enetwork_connection\u003c/code\u003e category and \u003ccode\u003eproduct: windows\u003c/code\u003e log source.\u003c/li\u003e\n\u003cli\u003eImplement a detection rule (like the example Sigma rule provided) to alert on unauthorized file access or modification attempts to anti-virus signature directories such as \u003ccode\u003e/Library/Application Support/Kaspersky Lab/KAV/Bases/KLAVA/\u003c/code\u003e, as identified in the attack chain.\u003c/li\u003e\n\u003cli\u003eMonitor for processes interacting with Kaspersky\u0026rsquo;s signature cache file (\u003ccode\u003e/Library/Application Support/Kaspersky Lab/KAV/Bases/Cache/kavbase_00000000\u003c/code\u003e), using a \u003ccode\u003efile_event\u003c/code\u003e category log source and a process monitoring tool like Sysmon or auditd.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:23:00Z","date_published":"2024-01-26T18:23:00Z","id":"/briefs/2024-01-kaspersky-av-signature-analysis/","summary":"A blog post details the reverse engineering of the Kaspersky anti-virus engine on macOS to demonstrate the potential for crafting signatures capable of detecting and flagging classified documents, leveraging the product's scanning capabilities and dynamic signature updates, without implying any malicious activity by Kaspersky.","title":"Kaspersky Anti-Virus Reverse Engineering for Document 
Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-kaspersky-av-signature-analysis/"}],"language":"en","title":"CraftedSignal Threat Feed — Kaspersky Internet Security","version":"https://jsonfeed.org/version/1.1"}