Changing the system date kills KAV dead

First off, try this for yourself and see if it works: set your system clock to the year 1980, and see if KAV resident protection is still active.

If not, then good, because this problem is happening for me. I've forgotten most of my knowledge of DOS commands, but I do know that it's possible to write a batch file using the DATE command to change the system time. So here's the theoretical possibility: a piece of malware that includes such a batch file to kill the KAV on-access scanner, then drops its payload.

Thoughts?

 

well i aint a KAV user, but im pretty sure the year is 2007.

and in changing the date to 1980, your probably up-to something you shouldnt be, and if your not, what does it matter?

i doubt any malware will be able to change the date anyway using kaspersky, the proactive defense will stop that for sure, plus all the other registry things kaspersky offers.

 

Please read my whole post carefully: the whole point was that malicious software could use changing the system date as a method to disable KAV and successfully infect a system.

 

I did see a trojan before, which changed system date and disabled kav's protection.

 

Why are you so sure? What aspect of the PDM would cover changing the system clock? Surely it cannot be considered 'Dangerous Behaviour' or 'Suspicious system activity' just to change your clock?

As for Registry protection, KAV's Reg Guard does not, by default, cover the relevant Keys, which I believe to be:-

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Having said that, there may be other aspects of the malware's behaviour that would trigger a response from KAV before it could make those changes; so in practical terms it may not be inevitable that this attack could succeed.

I've not tried this clock business myself, but I'm wondering whether having KAV's self defence mechanism enabled would make a difference?

 

this has been discussed in the kaspersky forum lots of times.
the idea is so you cant cheat kaspersky and have an unlimited license by changing the clock back.
so far no one has created malware to change the clock to get past kaspersky.
if people keep talking about it on public forums maybe people will and i dont want that.
maybe someone can ask the question at the kaspersky fan club forum to ask Eugine?
infact hold that thought i will post the message myself
lodore

 

Sorry to burst your bubble, Iodore, but it's already been done.
Refer to Chinese virus writers using exactly such a method on Fujacks variants to bypass Kaspersky.

 

Interesting discussion but no one has yet answered the question as to whether KIS protects itself from this potential type of attack or if new rules should be added to the Registry Guard as per Topper's suggestion.

 

I thought it might of been done and it has thanks for correcting me.
i have put a message on the kaspersky fan club forum under ask Eugine and see what he says
lodore

 

Hi, folks: If KAV's PDM does not protect those three registy keys as pointed out by TopperID, perhaps some HIPSs such as SSM, Prosecurity or even Process guard should be able to detect reg changes. If so, multiple layered defense concept does have its high merits. If not, we all likely sit in a very dark place, and probalby will be a long while before seeing light at the other end of tunnel. Bless us all.

 

They also don't cover Security Center notification settings. So disabling KAV and disabling these notifications and user won't even know that AV is just gone...

 

Why would you want to change your system clock to 1980 Unless your up to no good trying to use the Vista Time Stopper Crack (which I may Add doesnt work) so buy it you rougue Anyway resetting your clock will KILL your restore as it wont know what the hell day or year it is,even when you set back to the present date, the damage is done The same goes for AV signatures, your confusing the hell out of your AV and it too wont know where to run or hide cause you've corrupted it.

 

This is indeed very interesting thread. I'm no expert, but creating a malware which changes system date seems like a pretty simple task to me. I'm not a KAV user either, but if KAV is really behaving like solcroft described, than heuristics are the only defense? How are KAV's heuristics?

 

One thing I imagine that works against a malware that changes the system date so far back is that it makes it easier for the user to notice that something fishy is going on.

 

Solution: just add those registry keys to the PDM registry guard...

 

To BillyBlaze

"Fishy"

 

My first reaction is why would I wanna do that? It's 2007 and not 1980.

 

Some people can't read.

 

TonyW, you don't want to do it, malware does. Just recreate (simulate) the action. Imagine that you are malware.
P.S. I really believe such malware exsists.

 

I can read. I just don't see the point of performing such a test, and I can't be bothered changing my time back 27 years.

There is possibly malware that can change the system date, but the trick is to make sure you're not in a position to catch malware in the first place.

 

Code:

@echo off
set date=%date%
date 1981-01-12
ping -n 45 localhost > nul
date %date%

It's quite a sensitive topic.

 

Yep, that would be a .bat

"@echo off" ->

 

Really problematic. Pack the BAT into SFX which contains another super encrypted SFX (lets say AES-256 encryption with 30 characters long ASCII password).
No antivirus in the whole world could decrypt this. Then just leave the user to do the rest. User will run the file, first SFX layer will change the date, second will decrypt the payload and run it after. Any noob could do this and you can even use already detected malware as it will be unpacked ater AV is already dead. Then it's up to AV companies to heuristically or generically detect this BAT file in the first place or avoid being killed by simple date change. Third option is to make behavior blocker capable of tracking such things and prevent them...

 

Very interesting topic indeed. Conjures up memories of some viruses i've seen fashioned by code experts and noobs when you could enter a virii forum InCoGnItO and have a ringside seat plus access to all kinds of virus samples. I should know, a single .bat file named HardDrive Killer i accidently set off one night while reviewing other code and it corrupted the laptop drive i kept samples on. It run the code in a matter of seconds and out of panic i rebooted and that finished the deletion of C:\

Later i found out that it was designed to delete the entire drive upon reboot, lucky me.

Anyway i think the main point here is a relevant one and worthy of a concrete answer. Because on Win98 and Millenium etc. malicious batch files created all kinds of havoc and the only deterent i can think of if your AV is blind to malicious batch code or made blind by a dropper/avKiller, would be some sort a script blocking program.

 

(I'm sorry EASTER. I'm picturing your face right now in that situation. I really needed a good laugh. I sincerely hope that you didn't lose any important data in that mishappen.)

But what about heuristics, please can someone comment that. Is that worth anything in our nasty situation? Does KAV have it at all? What is KAV's ProActive Defense (if that's the correct term)? I am not KAV user, I don't know that...

EDIT: Luckily, we have firewalls (HIPS) and (mostly) common sense.