Security tools versus SSL hijackers with root certs

Discussion in 'other anti-malware software' started by BoerenkoolMetWorst, Feb 26, 2015.

  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    With all the fuss about SuperFish/Komodia/PrivDog root certs etc. I decided to do a small test with some browser protection software to see if they warn about the Man in the Middle attack.

    Note that the scope of this test is limited to software performing a Man in the Middle attack with a self installed root certificate. Most financial malware for example uses other techniques like Man in the Browser attacks as far as I know.

    Test setup: Up to date Windows 7 SP1 64 bit VM (VMware)
    Installed software: Qustodio parental control software v1.170.6.342.0 (uses Komodia engine), IE 11, FF 36.


    Zemana AL Free 1.8.2.198
    -Zemana blocks the root cert in the cert store, so the browser will give an invalid certificate warning, but it only protects the Microsoft certificate store, so Firefox (which has its own certificate store) is not protected.

    IBM/Trusteer Rapport (ING Bank Netherlands version) Emerald build 1404.75
    -On visiting the website of ING Bank, Rapport gives a warning about a bad certificate. However, any websites manually added to Rapport do not get a warning, so the protection scope is very limited.

    HitmanPro Alert 3.0.24 Build 155 Release Candidate
    -No warnings. It should be noted though that the HMP scan itself detects various registry keys from Qustodio as Superfish, however not the root cert registry key.

    Webroot SecureAnywhere Complete 8.0.7.28 (Included because of its Identity Shield; "Prevent man-in-the-middle attacks")
    -Fails to protect/warn

    EMET 5.1
    -Warns when pinned certificates from Certificate Trust rules are not matching, but it's buggy.

    Kaspersky IS 15.0.2.361
    -Doesn't do anything during normal browsing, but the Safe Money protected Firefox does not trust the Root Cert so Firefox will give an invalid certificate warning. No effect on Safe Money protected Internet Explorer.
     
    Last edited: Feb 28, 2015
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    The best way to protect yourself if you're using IE is to use the certificate pinning feature in EMET 5.1. I set up all my financial web sites in EMET. Here is an article on how to use Gibson's web site to get the thumbprint of the root cert. you need if you're truly paranoid. I just go to the web site I need and manually verify the certificate path before setting it up in EMET.

    https://www.tenforums.com/windows-1...-man-middle-adware-breaks-https-connec-3.html

    Also you can use the Qualys site to get the thumbprint of the root cert. and also verify the web site at the same time.

    https://www.ssllabs.com/ssltest/index.html
     
    Last edited: Feb 26, 2015
  3. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    It's tough to fully protect against this. We do Root CA replacement to sniff HTTPS traffic on corporate networks, hired by these corporations. Essentially we're hired by some corporations to document traffic, and to do handy things like DLP (data loss prevention) where we DNA scan documents to determine if someone is sending out corporate secrets. We can inject Root CAs into the client, and then from that point do seamless SSL inspection on all employee activities. Again we do this simply as a service to companies desiring to secure their infrastructures. This requires us to have a 'device' on the network, an inspection appliance/analyzer if you will acting as a MITM of sorts.

    Imagine what the bad guys have? (and I classify state sponsored actors as bad guys - by the way) I'll tell you a few ways that may reveal if you are being snooped. Watch for anomalies like your mouse cursor flashing/flickering/jumping. Watch for delays in typing. For certificate hijacking watch for incomplete page loads. I used to keep sample screenshots to help people see what it looks like - we generated these shots by staging our own NSA-Like MITM activity to watch for anomalies that would help us identify this activity from people acting against us. Essentially you will notice 'anomalies' in page loads, frames not appearing right, etc. Not always, but random and infrequent. If I start to get page load errors on any machine, and can't pin it down then I reformat the machine with some haste.

    I've only tested a few products against true MITM type, CA activity. Kaspersky is quite good against this, other products I generally recommend tested quite well against it. Boeren if you ever run this test again, try Kaspersky and Norton 2015 (aggressive) and see what you find.
     
  4. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    EMET cert pinning is not limited to IE; by modifying the HKLM\SOFTWARE\Microsoft\EMET: EMET_CE value, you can protect any 3rd party browser as long as it uses the OS cert store. I protect Chrome, and I guess it is probably not limited to browsers as long as they use SSL via TCP 443, but I have not tried that yet.
    SSL Eye is another great tool, as well as Perspective Firefox addon.
     
  5. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I understand that the enterprise situation differs: you have to MITM and monitor SSL traffic, otherwise how can they prevent an employee from posting troublesome comments on Twitter or Facebook, though probably you have to allow the publicity dept. to access Twitter/FB.

    But for home users, protecting yourself from this kind of MITM is easy even w/out those anti-MITM tools. The only problem is most people don't know much about SSL, so there's still a need for those tools.
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    I've set up EMET 5.1 to test it, but it doesn't seem to do anything at all. Not sure if something is wrong, or it is just out of the scope of the Certificate Trust feature. I made the default rules more strict and created some of my own, but nothing so far.

    Btw, I don't have an account on the tenforums, but the post you linked to mentions it's only a small warning that's easy to miss, but since EMET 5.0, you can also set it to Block, which will terminate the connection:
    http://blogs.technet.com/b/srd/archive/2014/07/31/announcing-emet-v5.aspx
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    I'll try these as well.
     
  8. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Did you confirm you see a fake cert (certs re-signed by the MITM program) when connected to those SSL sites? EMET doesn't warn about installing a fake root CA. It warns/blocks when it sees a cert belonging to a different root CA from the predefined one.
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    Yes, the certs are issued by "Qustodio (501)" fake CA.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I guess we need more detail on how you are doing your testing. The way EMET cert. verification works is to use the root cert. CA defined in EMET to verify that the web site cert. matches the one indicated by traversing the certification verification path from the root CA. If the web site you're accessing was defined with a VeriSign GA5 root cert. for example, I don't see how it could be accessed via the Qustodio CA.

    Note: Rule Expiration, Minimum Key Size, Allowed Country, and Blocked Hashes should all be set to N/A. Public Key Match should be blank. And finally, Blocking Rule should be check marked. This is the most restrictive pinning rule and will prevent the browser from connecting to the web site in the instance of a certificate mismatch.

    EMET's pinning restrictions use the concept of least restriction. For example, Public Key Match is less of a restriction than Blocking Rule. Ditto for the other settings. For example if both Public Key Match and Blocking Rule are check marked, the Public Key Match rule will be used for verification. All this is explained in the EMET 5.1 documentation.

    Verify that both your protected web site and pinning rules are set up correctly.
     
    Last edited: Feb 27, 2015
  11. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,283
    Location:
    England
    Off-topic remarks removed

    Topic is Security tools versus SSL hijackers with root certs
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    All is set up correctly, seems to be some problem with EMET on this machine. And it isn't just graphical, there are no pinning events in Event Log. Checked another machine with EMET, created a custom rule matching a site with a cert it didn't use and got a warning straight away. Same rule doesn't work in the test VM, also if I uninstall Qustodio.
    I'll probably try installing Qustodio on that physical machine later.

    Just tried this, doesn't work for Qustodio. It still shows a different serial number, and page is only 3 seconds (accurate system time)
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    Just tried KIS 15.0.2.361, doesn't do anything during normal browsing, but the Safe Money protected Firefox does not trust the Root Cert. Safe Money protected Internet Explorer still does.
    Btw, how do KIS and others protect against true MitM? You mean when an attacker is MitMing your connection remotely and using a legit certificate from a different CA?
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Try this one and see if it detects anything: http://www.lagado.com/proxy-test

    Also this site will detect Superfish, Komodia, and Privdog: https://filippo.io/Badfish/
     
    Last edited: Feb 27, 2015
  16. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Hmmm....maybe EMET's bug??
    Just to make sure, did you use IE?
    I think KIS can block MITB by monitoring code injection and unusual hooking, but it is maybe not much help against other MITM like this or by a compromised cert.
    Another reason to manually check cert and not to use their SSL scanning.
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    Seems EMET is being buggy. On the physical machine, before Qustodio is installed, EMET alerts just fine. After it is installed, I get some alerts but then it suddenly stops alerting at all. Also to sites it just alerted a few minutes ago. A reboot does not fix this. I can confirm though that it also alerts when Avast HTTPS scanning is enabled, so it seems EMET can protect against this just fine, but it's buggy.

    Yes, I did.

    No results on these either. Tried all 3 on the other machine as well, both with IE and FF, but no detections.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Here's an interesting read on the mitmproxy project: https://mitmproxy.org/doc/howmitmproxy.html

    If you're in a rush, just skip to the Explicit HTTPS section. Also, what is unique with this software is the ability to generate your own root certs to be used to spawn intermediate CAs as needed, although the root CAs have to be manually installed. This will give you the details on what Superfish and Company are doing.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Not in this Superfish instance, since it was installed at the factory and activated upon first boot of the new PC. I assume a Lenovo EULA was displayed in the gobbledygook language they are written in, and unless you're a lawyer that specializes in IT EULAs, you would not realize what you're agreeing to.

    So later you install your AV and/or HIPS. When the training mode of the HIPS is activated immediately after installation, it will auto allow Superfish. I also question whether behavior blockers will catch it since it is technically legit software. Guess we will have to ask Emsisoft if their BB would catch it.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Here's another eye opener. Anyone using Comodo Dragon? Why am I not surprised by this .....

    Ref: https://gigaom.com/2015/02/23/beyond-superfish-turns-out-ssl-trashing-spyware-is-widespread/

    That’s kind of ironic, seeing as so many of these software applications are intended to protect their users. The same goes for Comodo, an actual certificate authority that also puts out a security-focused browser called Comodo Dragon. As researcher Hanno Böck wrote on Monday, this and other Comodo products ship with a “privacy” tool called PrivDog that supposedly replaces ads in webpages with ads from “trusted sources” – and as with Komodia’s tools, this one also verifies dodgy certificates when it shouldn’t.
     
  21. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    It's already fixed.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Here are two links that really get in to the nitty gritty of Komodia:

    https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/

    http://www.howtogeek.com/210265/dow...bundle-superfish-style-https-breaking-adware/

    The HowToGeek one actually shows a connection to Bank of America using a hacked Superfish root cert. More detail on this here:

    https://twitter.com/ErrataRob/status/568556702234050560

    Also did some more research on EMET cert. pinning. Here is a good explanation of it from a DefCon presentation:

    https://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=6&ved=0CEAQFjAF&url=https://www.defcon.org/images/defcon-21/dc-21-presentations/Sikka/DEFCON-21-Sikka-EMET-4.0-PKI-Mitigation-Updated.pdf&ei=6fLxVIa3D8jIsASV_4BQ&usg=AFQjCNHjWzqypqZ5IRRfFGMon6UNNdqZ6Q&bvm=bv.87269000,d.cWc

    EMET LIMITATIONS
    • Mitigation is specifically for SSL/TLS
    • Since we just check End and Root Certificates, we don't run heuristics on intermediate certificates
    • Pin configuration is statically shipped with EMET, so they could get outdated
    • If spoofed certificate chained to same root certificate as original, it might not be caught
    • EMET's mitigations are not 100% "bullet proof"
    • They just try to raise the bar for attackers


    Everything I am seeing says EMET cert. pinning will protect you against Komodia and company proxy servers.

    As far as BoerenkoolMetWorst's testing with Qustodio, I don't know if that is really the way to test this stuff. The software after all is legit and is not performing adware and like activities as Superfish does as far as I am aware of.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Here's another idea to detect a proxy server. Fire up TCPView and see if you see connections to/from whatever service Qustodio is using to perform its proxy activities. You should also see strange connections to/from whatever browser you are using.
     
  24. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    @Mayahana
    I tested Norton Security 22.1.0.9 with Sonar on Aggressive and the Web security toolbar enabled, but no results on IE and FF.

    Yes, but I meant @Mayahana 's claim: "I've only tested a few products against true MITM type, CA activity. Kaspersky is quite good against this, other products I generally recommend tested quite well against it."

    Yes, it's not ideal, but I'm also not trying to see if products can detect it as malicious, but more as a second layer of defense. For EMET for example it should make no difference whether it's legit or not, it just looks if the certificate matches its rule. I'm also confident that EMET can protect against Komodia et al, just seems it may be a little buggy in some situations.

    Yes, it shows the browser connecting to localhost:12344 and qengine.exe making the actual HTTPS connections to the website.
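One way to turn that TCPView observation into a repeatable check, as an added example that is not from the thread or from any of the products discussed: it parses Windows "netstat -ano" output and flags a browser whose sessions terminate at a loopback listener owned by another process that holds the real outbound :443 sessions. The netstat rows and the PID-to-name map are constructed to mirror the localhost:12344 / qengine.exe pattern reported above; on a real system the names come from tasklist or TCPView.

```python
import re
from collections import defaultdict

# Constructed sample in Windows "netstat -ano" layout (IPv6 rows look like [::1]:port).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:12344        0.0.0.0:0              LISTENING       1404
  TCP    127.0.0.1:49731        127.0.0.1:12344        ESTABLISHED     2216
  TCP    127.0.0.1:49732        127.0.0.1:12344        ESTABLISHED     2216
  TCP    127.0.0.1:12344        127.0.0.1:49731        ESTABLISHED     1404
  TCP    192.168.56.101:49733   203.0.113.10:443       ESTABLISHED     1404
  TCP    192.168.56.101:49734   203.0.113.25:443       ESTABLISHED     1404
  TCP    192.168.56.101:49740   203.0.113.40:443       ESTABLISHED     3120
"""
# PID -> image name, as tasklist or TCPView would show it (constructed).
SAMPLE_PIDS = {1404: "qengine.exe", 2216: "iexplore.exe", 3120: "firefox.exe"}
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Parse TCP rows into dicts; header, blank and UDP lines are skipped."""
    rows = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        lip, lport, fip, fport, state, pid = m.groups()
        rows.append({"lip": lip, "lport": int(lport), "fip": fip,
                     "fport": int(fport), "state": state, "pid": int(pid)})
    return rows


def _is_loopback(ip):
    return ip.strip("[]") in ("127.0.0.1", "::1")


def find_local_interceptors(rows, pid_names, browsers):
    """Return (browser, proxy, loopback_port, remote_tls_sessions) hits: a browser
    whose sessions end at a loopback listener owned by another process that itself
    holds outbound :443 sessions, i.e. a local TLS proxy (adware, parental control
    and AV HTTPS scanning all look alike here; this does not identify the root CA)."""
    listeners = {}                   # loopback port -> owning pid
    outbound_tls = defaultdict(int)  # pid -> count of remote :443 sessions
    for r in rows:
        if r["state"] == "LISTENING" and _is_loopback(r["lip"]):
            listeners[r["lport"]] = r["pid"]
        elif r["state"] == "ESTABLISHED" and r["fport"] == 443 and not _is_loopback(r["fip"]):
            outbound_tls[r["pid"]] += 1
    findings = []
    for r in rows:
        name = pid_names.get(r["pid"])
        if name not in browsers or r["state"] != "ESTABLISHED" or not _is_loopback(r["fip"]):
            continue
        owner = listeners.get(r["fport"])
        if owner is None or owner == r["pid"] or outbound_tls[owner] == 0:
            continue  # no listener, self-connection, or listener never talks out
        hit = (name, pid_names.get(owner, str(owner)), r["fport"], outbound_tls[owner])
        if hit not in findings:
            findings.append(hit)
    return findings
```

A hit only says that something local is terminating the browser's TLS; whether it is Qustodio, Superfish or an AV's HTTPS scanner still has to be read off the listener's image name and the root store.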
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    When this fiasco became public on 2/19, only 6 AVs at VirusTotal detected the Super Fish installer, superfish_setup.zip. Of the major players, only Symantec, Avira, and surprisingly Trend Housecalls.

    As of today, almost all the major players detect the installer except Kaspersky. Go figure?
     