Antivirus Software Cloud Use Exposes Customers to Data Exfiltration

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Specifically the 4 that failed are Avira AV Pro (version 15), Eset (ver 10), Kaspersky Total Security 2017, and Comodo Client security (ver 8).

It is also important to note that they did NOT test if any OutBound Containment technology was already present on the machine (this was a specific point made in the presentation). In other words, at the point of infection the "rocket" must have the ability to scan for and acquire data that would then be passed on to the "Satellite". So those using Cruel Comodo wouldn't be prone to the issue, as the rocket can't find the data to collect.

However, all of the above products HAVE FIXED THEIR PRODUCTS and are not vulnerable currently, EXCEPT for Kaspersky who obviously does not care.

Fun Facts:
1). Avast, AVG, Windows Defender, Norton, McAfee, and Bitdefender clouds were tested and passed.
2). The sandboxes used by both VirusTotal and Payload Security's Hybrid Analysis were prone to the issue.
 

Dave Russo

Level 22
Verified
Top Poster
Well-known
May 26, 2014
1,130
Specifically the 4 that failed are Avira AV Pro (version 15), Eset (ver 10), Kaspersky Total Security 2017, and Comodo Client security (ver 8).

It is also important to note that they did NOT test if any OutBound Containment technology was already present on the machine (this was a specific point made in the presentation). In other words, at the point of infection the "rocket" must have the ability to scan for and acquire data that would then be passed on to the "Satellite". So those using Cruel Comodo wouldn't be prone to the issue, as the rocket can't find the data to collect.

However, all of the above products HAVE FIXED THEIR PRODUCTS and are not vulnerable currently, EXCEPT for Kaspersky who obviously does not care.

Fun Facts:
1). Avast, AVG, Windows Defender, Norton, McAfee, and Bitdefender clouds were tested and passed.
2). The sandboxes used by both VirusTotal and Payload Security's Hybrid Analysis were prone to the issue.
Thanks, you seem to have access to information not easily found; any chance you're a Kaspersky hater? Gl
 

KevinGer

New Member
May 25, 2017
3
However, all of the above products HAVE FIXED THEIR PRODUCTS and are not vulnerable currently, EXCEPT for Kaspersky who obviously does not care.

Kaspersky published a statement / responded to the articles with the recommendation to disable the cloud upload.

Fun Facts:
1). Avast, AVG, Windows Defender, Norton, McAfee, and Bitdefender clouds were tested and passed.
2). The sandboxes used by both VirusTotal and Payload Security's Hybrid Analysis were prone to the issue.
VirusTotal also does not want to restrict the Internet access of the sandbox, which is allowed on different ports.

In addition:
As far as I understand the problem:
An executable file is compiled which, in addition to a "send function", also contains the "information from the infected PC" to be sent and program code that should trigger the "cloud upload" function of the security software if it scans this crafted software. To make this happen, the executable is moved to the Windows autostart folder.

After the "cloud upload" the finished software is executed in the sandbox of the security software manufacturer to investigate the behavior.

If a sandbox is supposed to examine the full potential of a malicious software, then it must inevitably allow full access to the Internet. You can block outgoing connections to avoid the problem described, but then you can only examine the file "as it is" ... not what it may become.

In a security setup, I would not allow any cloud uploads anyway.
I also would not allow unknown programs to run / to be executed.

The goal is that the original software, which does all the things described above, does not reach my systems at all, and if it does, its execution should be prevented.

Regards
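The mechanism described in this post (collected data packed into an executable that is dropped in the Startup folder so the vendor's cloud sandbox carries it out) suggests a host-side triage check. The script below is an added example, not code from the thread or from any vendor named in it; it assumes the collected data rides as a large high-entropy overlay appended after the last PE section, and the 4 KiB size and 7.0-bit entropy thresholds are arbitrary starting points.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/compressed data, ~0 for padding."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_overlay(data: bytes) -> bytes:
    """Bytes appended after the last section's raw data (the PE 'overlay')."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return b""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return b""
    coff = pe + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + opt_size
    end = 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return data[end:]

def flag_data_carrier(data: bytes, min_overlay: int = 4096, min_entropy: float = 7.0) -> bool:
    """Heuristic: a large, high-entropy overlay may be packed/encrypted collected data.
    Self-extracting installers also carry overlays, so treat hits as leads, not verdicts."""
    ov = pe_overlay(data)
    return len(ov) >= min_overlay and shannon_entropy(ov) >= min_entropy

def make_fake_pe(overlay: bytes) -> bytes:
    """Constructed, non-executable PE-shaped sample: one 256-byte section plus the given overlay."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # 1 section, 224-byte optional header
    section = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x100, 0x1000, 0x100, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (dos + b"PE\0\0" + coff + b"\0" * 224 + section).ljust(0x200, b"\0")
    return header + bytes(range(256)) + overlay

if __name__ == "__main__":
    suspicious = make_fake_pe(bytes((i * 7919 + 13) % 256 for i in range(8192)))  # constructed uniform "payload"
    print(flag_data_carrier(suspicious), flag_data_carrier(make_fake_pe(b"\0" * 8192)))
```

To triage real arrivals, run flag_data_carrier over the .exe files in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (the standard per-user Startup folder); a hit is a reason to look at the file, not proof of collection.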
 

ForgottenSeer 58943

I started researching these types of methods towards the end of last year. I think it's possible they gained insight into such techniques from my fat mouth and expanded on it with proof of concept and expanded ideas... Remember my post about how Zemana was potentially vulnerable to compromise or abuse;

Insight into Zemana's strange cloud scanning..

Nevertheless, for this proof of concept to work I think it would require compromises in several areas which might prove unlikely to come to fruition. I'm most curious about this statement: "Amit Klein, found that at least four antivirus companies had cloud sandboxes that could be abused to allow the transmission of data". Could being the operative word here. How did they determine which ones 'could'? Did they create a program to dispatch irrelevant data through the sandboxes to a remote server? I'd like to read more details.

Edit: Found Cruel's source material for the expanded information, which does read a bit like another Kaspersky hit piece, which Forbes is known for;

Kaspersky Anti-Virus Can Actually Help Spies Steal Data, Warn Researchers

Also, the counter intel alarms keep going off about this story. The timing is... interesting. Around the same time Kaspersky Free comes out, right? Also this story could be leveraged to try and scare people to 'weaken' their security with Kaspersky by disabling KSN. Finally, we should probably all examine SafeBreach and their links to the intelligence apparatus. For example their CEO is from Israeli Intelligence (Unit 8200, IAF Red Team). Quick! Disable KSN because we put out a 'paper'.. Or don't use Kaspersky! <because it annoys us and doesn't whitelist our state tools>

Israeli cyber security co SafeBreach raises $15m - Globes English
Based in Tel Aviv, CEO Guy Bejerano and CTO Itzik Kotler, veterans of the IDF Air Force and IDF Intelligence unit 8200, founded SafeBreach in 2014.
 