Changing the system date kills KAV dead

Discussion in 'other anti-virus software' started by solcroft, Mar 4, 2007.

Thread Status:
Not open for further replies.
  1. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    First off, try this for yourself and see if it works: set your system clock to the year 1980, and see if KAV resident protection is still active.

    If not, then good, because this problem is happening for me. I've forgotten most of my knowledge of DOS commands, but I do know that it's possible to write a batch file using the DATE command to change the system time. So here's the theoretical possibility: a piece of malware that includes such a batch file to kill the KAV on-access scanner, then drops its payload.

    Thoughts?
     
  2. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
Well, I ain't a KAV user, but I'm pretty sure the year is 2007.

And in changing the date to 1980, you're probably up to something you shouldn't be, and if you're not, what does it matter?

I doubt any malware will be able to change the date anyway using Kaspersky; the proactive defense will stop that for sure, plus all the other registry things Kaspersky offers.
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Please read my whole post carefully: the whole point was that malicious software could use changing the system date as a method to disable KAV and successfully infect a system. :rolleyes:
     
  4. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
I did see a trojan before, which changed the system date and disabled KAV's protection.
     
  5. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Why are you so sure? What aspect of the PDM would cover changing the system clock? Surely it cannot be considered 'Dangerous Behaviour' or 'Suspicious system activity' just to change your clock?

    As for Registry protection, KAV's Reg Guard does not, by default, cover the relevant Keys, which I believe to be:-

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

    Having said that, there may be other aspects of the malware's behaviour that would trigger a response from KAV before it could make those changes; so in practical terms it may not be inevitable that this attack could succeed.

    I've not tried this clock business myself, but I'm wondering whether having KAV's self defence mechanism enabled would make a difference?
     
  6. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,007
This has been discussed in the Kaspersky forum lots of times.
The idea is so you can't cheat Kaspersky and have an unlimited license by changing the clock back.
So far no one has created malware to change the clock to get past Kaspersky.
If people keep talking about it on public forums maybe people will, and I don't want that.
Maybe someone can ask the question at the Kaspersky fan club forum to ask Eugine?
In fact, hold that thought, I will post the message myself.
    lodore
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
Sorry to burst your bubble, lodore, but it's already been done.
    Refer to Chinese virus writers using exactly such a method on Fujacks variants to bypass Kaspersky.
     
  8. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Interesting discussion but no one has yet answered the question as to whether KIS protects itself from this potential type of attack or if new rules should be added to the Registry Guard as per Topper's suggestion.o_O
     
    Last edited: Mar 4, 2007
  9. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,007
I thought it might have been done, and it has; thanks for correcting me.
I have put a message on the Kaspersky fan club forum under "Ask Eugine" and will see what he says.
    lodore
     
  10. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
Hi, folks: If KAV's PDM does not protect those three registry keys as pointed out by TopperID, perhaps some HIPSs such as SSM, ProSecurity or even Process Guard should be able to detect reg changes. If so, the multiple layered defense concept does have its high merits. If not, we all likely sit in a very dark place, and it will probably be a long while before seeing light at the other end of the tunnel. Bless us all.
     
  11. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    They also don't cover Security Center notification settings. So disabling KAV and disabling these notifications and user won't even know that AV is just gone...
     
  12. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
Why would you want to change your system clock to 1980 :cautious: Unless you're up to no good trying to use the Vista Time Stopper Crack (which I may add doesn't work), so buy it, you rogue :p Anyway, resetting your clock will KILL your restore as it won't know what the hell day or year it is; even when you set it back to the present date, the damage is done :cautious: The same goes for AV signatures: you're confusing the hell out of your AV and it too won't know where to run or hide because you've corrupted it.
     
  13. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
This is indeed a very interesting thread. I'm no expert, but creating malware which changes the system date seems like a pretty simple task to me. I'm not a KAV user either, but if KAV is really behaving like solcroft described, then are heuristics the only defense? How are KAV's heuristics?
     
    Last edited: Mar 4, 2007
  14. Billy Blaze

    Billy Blaze Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    79
    Location:
    Vorticon VI
    One thing I imagine that works against a malware that changes the system date so far back is that it makes it easier for the user to notice that something fishy is going on.
     
  15. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a
    Solution: just add those registry keys to the PDM registry guard... :)
     
  16. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    To BillyBlaze

    "Fishy" :D :D :D :D :thumb:
     
  17. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    My first reaction is why would I wanna do that? It's 2007 and not 1980.
     
  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Some people can't read. :rolleyes:
     
  19. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    TonyW, you don't want to do it, malware does. Just recreate (simulate) the action. Imagine that you are malware.
P.S. I really believe such malware exists. :doubt:
     
  20. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    I can read. I just don't see the point of performing such a test, and I can't be bothered changing my time back 27 years.

    There is possibly malware that can change the system date, but the trick is to make sure you're not in a position to catch malware in the first place.
     
  21. proll

    proll Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    55
    Code:
    @echo off
    set date=%date%
    date 1981-01-12
    ping -n 45 localhost > nul
    date %date%
    It's quite a sensitive topic.
     
  22. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Yep, that would be a .bat

    "@echo off" -> :D :D :D :D
     
  23. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
Really problematic. Pack the BAT into an SFX which contains another super encrypted SFX (let's say AES-256 encryption with a 30-character-long ASCII password).
No antivirus in the whole world could decrypt this. Then just leave the user to do the rest. The user will run the file, the first SFX layer will change the date, the second will decrypt the payload and run it afterwards. Any noob could do this and you can even use already detected malware, as it will be unpacked after the AV is already dead. Then it's up to AV companies to heuristically or generically detect this BAT file in the first place or avoid being killed by a simple date change. The third option is to make a behavior blocker capable of tracking such things and preventing them...
     
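The "behavior blocker capable of tracking such things" that RejZoR mentions has a cheap log-based counterpart: Windows writes a Security event every time the system clock is set (event 4616, "The system time was changed", on Vista and later; event 520 on XP/2003), carrying the previous time, the new time and the process that made the change. The script below is an added example, not code from any poster in this thread or from Kaspersky, that scans such records and flags jumps far larger than the few seconds a time-sync service ever applies. The event records are constructed for the example and modelled on the real 4616 fields (PreviousTime, NewTime, ProcessName, SubjectUserName); the process paths and user name are made up.

```python
"""Flag large system-clock jumps in exported Windows Security event records.

Added example (not from the thread): a clock rolled back by decades and then
restored is exactly the pattern the batch file earlier in this thread produces,
and it is visible in the audit log even if the AV was blind while it happened.
"""
import re
from datetime import datetime, timedelta

# Constructed sample records modelled on Security event 4616. Real records carry
# timestamps like '2007-03-04T11:02:40.1234567Z'; the values here are invented.
SAMPLE_EVENTS = [
    {"EventID": 4616, "PreviousTime": "2007-03-04T10:15:02.0000000Z",
     "NewTime": "2007-03-04T10:15:03.2500000Z",            # 1 s NTP correction
     "ProcessName": r"C:\Windows\System32\svchost.exe", "SubjectUserName": "LOCAL SERVICE"},
    {"EventID": 4624, "SubjectUserName": "alice"},          # unrelated logon event
    {"EventID": 4616, "PreviousTime": "2007-03-04T11:02:40.0000000Z",
     "NewTime": "1981-01-12T00:00:00.0000000Z",            # rolled back 26 years
     "ProcessName": r"C:\Windows\System32\cmd.exe", "SubjectUserName": "alice"},
    {"EventID": 4616, "PreviousTime": "1981-01-12T00:00:45.0000000Z",
     "NewTime": "2007-03-04T11:03:30.0000000Z",            # restored 45 s later
     "ProcessName": r"C:\Windows\System32\cmd.exe", "SubjectUserName": "alice"},
]

_ISO_PREFIX = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")


def parse_event_time(value):
    """Parse the timestamp string used by event 4616.

    Sub-second digits and the trailing 'Z' are ignored; whole seconds are
    plenty for spotting a multi-year jump.
    """
    match = _ISO_PREFIX.match(value)
    if not match:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    return datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S")


def find_clock_jumps(events, max_jump=timedelta(hours=1)):
    """Return every 4616 record whose clock change exceeds max_jump.

    Each finding records the direction (backward/forward), the size of the
    jump in whole days, and who made the change, so a backward jump followed
    by a restoring forward jump from the same process stands out as a pair.
    """
    findings = []
    for event in events:
        if event.get("EventID") != 4616:
            continue                      # only time-change events matter here
        previous = parse_event_time(event["PreviousTime"])
        new = parse_event_time(event["NewTime"])
        jump = new - previous
        magnitude = abs(jump)             # avoid the negative-timedelta .days trap
        if magnitude <= max_jump:
            continue                      # normal drift correction, ignore
        findings.append({
            "direction": "backward" if jump < timedelta(0) else "forward",
            "jump_days": magnitude.days,
            "from": previous,
            "to": new,
            "process": event.get("ProcessName", "?"),
            "user": event.get("SubjectUserName", "?"),
        })
    return findings


if __name__ == "__main__":
    for hit in find_clock_jumps(SAMPLE_EVENTS):
        print(f"{hit['direction']:8} {hit['jump_days']:>5} days  "
              f"{hit['from']:%Y-%m-%d %H:%M:%S} -> {hit['to']:%Y-%m-%d %H:%M:%S}  "
              f"by {hit['user']} via {hit['process']}")
```

The one-hour threshold is deliberately generous: a time service corrects drift by seconds, so anything measured in days is either an administrator fixing a dead CMOS battery or the kind of rollback discussed here, and the process name in the record tells you which. On Vista and later these records only exist when the "Audit Security State Change" subcategory is enabled, so that audit setting is the prerequisite for this check.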
  24. EASTER.2010

    EASTER.2010 Guest

Very interesting topic indeed. Conjures up memories of some viruses I've seen fashioned by code experts and noobs when you could enter a virii forum InCoGnItO :ninja: and have a ringside seat plus access to all kinds of virus samples. I should know: a single .bat file named HardDrive Killer I accidentally set off one night while reviewing other code, and it corrupted the laptop drive I kept samples on. It ran the code in a matter of seconds and out of panic I rebooted, and that finished the deletion of C:\ :doubt:

Later I found out that it was designed to delete the entire drive upon reboot, lucky me. :oops:

Anyway, I think the main point here is a relevant one and worthy of a concrete answer. Because on Win98 and Millennium etc. malicious batch files created all kinds of havoc, and the only deterrent I can think of, if your AV is blind to malicious batch code or made blind by a dropper/AV killer, would be some sort of script blocking program.
     
  25. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
:D :D :D :'( :'( :'( (I'm sorry EASTER. I'm picturing your face right now in that situation. I really needed a good laugh. I sincerely hope that you didn't lose any important data in that mishap.)

But what about heuristics, please can someone comment on that. Is that worth anything in our nasty situation? Does KAV have it at all? What is KAV's ProActive Defense (if that's the correct term)? I am not a KAV user, I don't know that...

    EDIT: Luckily, we have firewalls (HIPS) and (mostly) common sense.
     
    Last edited: Mar 5, 2007