Vault7: CIA Hacking Tools Revealed
Owner: User #71468
Check for PSP Detection
This article gives an overview of how to check that a payload dropped onto a DART (the commercial test software) VM is not detected by a Personal Security Product (PSP, i.e. anti-virus). It assumes the reader is familiar with DART in general and instead focuses on the specifics of the PSP scripts located in the EDG (Engineering Development Branch) leafbag.
This is a work in progress... excuse any sloppiness or unfinished sections until I'm done
Anatomy of a PSP test:
In general, we're interested in the following three things:
- When was the PSP last updated? - We use this to decide whether our results can be reasonably trusted: a "not detected" result against stale signatures says little.
- Does the PSP catch us on a static scan? - Will the PSP complain if we explicitly tell it to scan our file?
- Does the PSP catch us on a dynamic scan? - Will the PSP's real-time (on-access) protection complain when the file is dropped, before we ever attempt to execute it?
To answer these questions, we standardized the following method signatures for all of our PSP scripts. These abstract methods can be found in pspbase.py; each concrete PSP script overrides them for its product.
# Abstract methods from pspbase.py; every PSP script overrides these three.
def run_static_scan(self, files_to_scan=[]):
    """
    Kicks off a static scan for the PSP: passes a list of files to the scanner, then parses the logs to see
    if any hits occurred.
    :param files_to_scan: List of full paths to the files to scan
    :return: True - Scan conducted, no issues to report
             False - Something went wrong (including a detection), should be treated as a failure case
    """
    raise NotImplementedError

def check_dynamic_logs(self, additional_bad_words=[], max_allowed_line_entries=5):
    """
    Checks the logs generated by a PSP and looks for anything of interest. The current log is compared with the
    log collected during initialization and only the diff is checked, so the PSP object must be created as the
    first step of any test and this check run as the last. There are two failure cases: a dirty word such as
    CRITICAL THREAT DETECTED (or similar) appears in the new lines, or the log grew by more than
    max_allowed_line_entries lines.
    :param additional_bad_words: List of blacklisted words to add to our list to fail on (e.g. payload file names)
    :param max_allowed_line_entries: Maximum number of lines a log can grow before being considered a failure case
    :return: True - No issues to report
             False - Something went wrong, should be treated as a failure case
    """
    raise NotImplementedError

def psp_is_updated(self, max_days_since_update=14):
    """
    Checks the PSP's logs to see if the product was updated within the period set by max_days_since_update
    :param max_days_since_update: Maximum number of days since the PSP was last updated.
    :return: True - No issues to report (PSP has been updated recently)
             False - Something went wrong, PSP should be considered outdated
    """
    raise NotImplementedError
Determining which PSP is installed:
In order to know which PSP script to use, we must first find out which PSP is installed. DART refers to installed PSPs as "apps" and allows us to retrieve a list of those that are installed.
The following is an excerpt from pspbase.py, which is used to determine the PSP installed on a VM and run tests accordingly.
# Get the app string from the VM to determine which PSP is installed
import subprocess

def get_app_string(ip_address):
    # Argument list instead of a shell command string: the IP address is handed to db_admin as one
    # argument, so shell metacharacters in it cannot alter the command, and a non-zero exit from
    # db_admin raises CalledProcessError instead of silently yielding an empty app string.
    cmd = ['./media/tyworkflow/bin/db_admin', '-j', 'list_resources', 'with_header=False',
           'filter_by=ip=%s' % ip_address, 'select=apps']
    return subprocess.check_output(cmd).decode('utf-8', 'replace')
From here, if we know the app name of the PSP we're interested in, we can simply check whether that name occurs in the app string and load the appropriate PSP script. The following excerpt from pspbase.py shows this as a chain of "if, elif" cases (avast and avg are the per-product script modules):
app_string = get_app_string(host.ip)
if 'avast' in app_string:
    host.log.info('PSP appears to be Avast')
    self.psp = avast.Avast(host)
elif 'avgis' in app_string:
    host.log.info('PSP appears to be AVG')
    self.psp = avg.Avg(host)
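As an added example (not code from pspbase.py or from any of the EDG PSP scripts), the following Python sketches what a concrete PSP script looks like against the three abstract methods above, together with a fail-closed version of the app-string dispatch. The product "ExampleAV", its log and scanner output formats, the FakeHost stand-in for the DART host object and the sample log lines are all invented for this example; how a real script launches the scanner and reads the product's log on the VM is the part each script fills in.

```python
import re
from datetime import datetime, timedelta


class PSPBase:
    """Skeleton mirroring the three standardized checks (hypothetical, not pspbase.py)."""

    # Generic detection phrases; a concrete script extends this for its product's log format.
    BAD_WORDS = ('threat detected', 'malware', 'quarantined', 'blocked')

    def __init__(self, host):
        self.host = host
        # Snapshot the log now: check_dynamic_logs() only inspects the diff, so the
        # PSP object must be created before the payload is dropped.
        self.baseline_log = self.read_log()

    def read_log(self):
        raise NotImplementedError

    def run_static_scan(self, files_to_scan=()):
        raise NotImplementedError

    def psp_is_updated(self, max_days_since_update=14):
        raise NotImplementedError

    def check_dynamic_logs(self, additional_bad_words=(), max_allowed_line_entries=5):
        current = self.read_log()
        if current[:len(self.baseline_log)] == self.baseline_log:
            new_lines = current[len(self.baseline_log):]
        else:
            # Log rotated or truncated since the baseline: treat it all as new rather than miss a hit.
            new_lines = current
        if len(new_lines) > max_allowed_line_entries:
            return False
        words = [w.lower() for w in self.BAD_WORDS + tuple(additional_bad_words)]
        return not any(w in line.lower() for line in new_lines for w in words)


class FakeHost:
    """Stand-in for the DART host object, constructed for this example only."""

    def __init__(self, psp_log, scan_report, now):
        self.psp_log = list(psp_log)    # lines of the PSP's own log on the VM
        self.scan_report = scan_report  # what the product's CLI scanner printed
        self.now = now                  # clock on the VM


class ExampleAV(PSPBase):
    """Hypothetical product; its log and scanner output formats are invented here."""

    UPDATE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*definitions updated')
    RESULT_RE = re.compile(r'^(?P<path>\S+): (?P<verdict>OK|Infected)')

    def read_log(self):
        return list(self.host.psp_log)

    def psp_is_updated(self, max_days_since_update=14):
        stamps = [m.group(1) for m in map(self.UPDATE_RE.match, self.host.psp_log) if m]
        if not stamps:
            return False  # no update record at all: results cannot be trusted
        last = datetime.strptime(stamps[-1], '%Y-%m-%d %H:%M:%S')
        return self.host.now - last <= timedelta(days=max_days_since_update)

    def run_static_scan(self, files_to_scan=()):
        verdicts = {}
        for line in self.host.scan_report.splitlines():
            m = self.RESULT_RE.match(line)
            if m:
                verdicts[m.group('path')] = m.group('verdict')
        # "No hits" only counts if every requested file was actually scanned and came back OK;
        # a file missing from the report means the scan never covered it.
        return bool(files_to_scan) and all(verdicts.get(p) == 'OK' for p in files_to_scan)


class AnotherAV(PSPBase):
    """Second registry entry, present only so that selection can be ambiguous."""


# Substring tokens as they would appear in the DART "apps" string, mapped to script classes.
PSP_REGISTRY = {'exampleav': ExampleAV, 'anotherav': AnotherAV}


def select_psp(app_string, registry=PSP_REGISTRY):
    """Pick the script class for the installed PSP; fail closed on zero or several matches."""
    matches = [cls for token, cls in registry.items() if token in app_string.lower()]
    if len(matches) != 1:
        raise ValueError('cannot choose a PSP script for apps=%r (%d matches)' % (app_string, len(matches)))
    return matches[0]


SAMPLE_NOW = datetime(2015, 1, 20, 12, 0, 0)


def make_sample_host():
    """Constructed sample: one update record five days old, one clean file and one detection."""
    log = ['2015-01-15 09:00:00 ExampleAV definitions updated to 2015.01.15']
    report = 'C:\\tmp\\a.exe: OK\nC:\\tmp\\b.dll: Infected\n'
    return FakeHost(log, report, SAMPLE_NOW)
```

A test would do `psp = select_psp(app_string)(host)` first, drop the payload, optionally call `run_static_scan`, and call `check_dynamic_logs(additional_bad_words=[payload_name])` last. Two choices differ from the if/elif chain above on purpose: an app string that matches no script (or more than one) raises instead of leaving `self.psp` unset, so a test cannot quietly pass with no PSP checks at all, and a static scan whose report never mentions the requested file is reported as a failure rather than as "no hits".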
Table of PSPs Implemented:
The following table shows which PSP scripts have been implemented and to what degree as of 1/20/2015.
The scripts can always be improved or further implemented, so I encourage any users to take a look at them and make changes as necessary. If a method is not implemented for a given script, that does NOT mean it's impossible - simply that I didn't get around to it. See if you can implement the functionality and update this table.
Table Legend: Y = Yes | G = Relies on GUI | N = No / Not Yet
Note: If a script relies on GUI (Graphical User Interface) interaction, mixed results may ensue. Use an implementation that requires GUI interaction with caution.
PSP Name | psp_is_updated | run_static_scan | check_dynamic_logs |
---|---|---|---|
Avast | Y | Y | Y |
AVG | Y | Y | G |
Avira | Y | Y | Y |
Bit Defender | Y | G | Y |
Clam | Y | G | Y |
Eset | Y | Y | Y |
F-Secure | Y | Y | Y |
GData | Y | Y | Y |
Kaspersky | Y | Y | Y |
McAfee | Y | Y | Y |
MSE | Y | Y | Y |
Net Protect | Y | N | N |
Norton | Y | N | N |
Panda | Y | N | N |
Rising | Y | N | N |
SEP | Y | Y | Y |
Trend Micro | Y | G | Y |
Zone Alarm | Y | Y | Y |
Known "Gotchas" and Workarounds:
Additional Notes:
Example Tests: