Tag Archives: Kaspersky

Evaluating Anti-ransomware Tools

With ransomware still very much prevalent in the headlines I wanted to test the effectiveness of complimentary products designed to work alongside your anti-malware solution.

For the results presented in the attached Excel file, I turned off all protections of Windows 10/Windows 7 and opened real ransomware samples on an updated version of Windows.

These products are mostly free but paid options are available. They clearly show how effective they can be even when the user follows no security best practices and opens ransomware. I wanted to provide the toughest challenge I could for these products and so chose ransomware that has made the headlines over the past 2 – 3 years.

I hope you find the results useful.

Excel file: Results

Thank you.


Products tested:
Please note that these tools are primarily targeted at client rather than server systems. Please check the license before deploying in a commercial environment:

Acronis Ransomware Protection : https://www.acronis.com/en-us/personal/free-data-protection/

Cyberreason RansomFree (discontinued: November 2018)

CheckMAL AppCheck (Free and Pro editions): https://www.checkmal.com/product/appcheck/

Kaspersky Anti-Ransomware Tool for Business: https://www.kaspersky.com/anti-ransomware-tool

Heilig Defense RansomOff: https://www.ransomoff.com/

ZoneAlarm Anti-Ransomware: https://www.zonealarm.com/anti-ransomware/


Responding to the Asus Live Update Supply Chain Compromise

Earlier last week the security vendor Kaspersky detailed their initial findings from the compromised supply chain of the Taiwanese hardware vendor Asus.

TL DR: If you own or use any Asus laptop or desktop system, please check if your device is affected using the downloadable tool from Kaspersky (which checks the MAC address (defined) of your network card). If you know how to obtain the MAC address of your network card manually you can use the online tool. This is the link for both tools: https://securelist.com/operation-shadowhammer/89992/

If you are affected, contact Kaspersky, contact Asus or use the anti-malware tools to try attempt removal of the backdoor (defined) yourself.

When did this attack take place and what was affected?
This incident took place from June to November 2018 and was initially thought to have affected approximately 60,000 users. This number was later revised to possibly affecting just over a million users. While primarily users in Asia and Russia were targeted; a graph of victim’s distribution by country shows users within South America, Europe and the US. It was later disclosed that mainly Asus laptops were affected by this incident.

What Asus infrastructure was affected?
An older version of the Asus Live Update utility was compromised by unknown attackers so that it would inject a backdoor within the Asus Live Update utility when it was running. The compromised Asus Live Update utility was signed with an older but still legitimate Asus digital signature. The compromised Asus utility was available for download from two official Asus servers.

What were the attacker’s intentions?
Unfortunately, even after extensive analysis it is unknown why the attackers targeted their chosen victim systems or what their eventual goal was. The backdoor would have likely allowed the attackers to steal files of their choice, remote control the system (if the second stage had been installed) and deploy compromised updates to systems which in the case of a UEFI update may have rendered the system unbootable.

It appears the goal of the attackers was to target approximately 600 systems of interest to them with the initial intention to carry the above-mentioned actions. We know it is approximately 600 systems since upon installation the malware would check if the system had a MAC address of interest; if yes it would install the stage 2 download (which unfortunately Kaspersky was unable to obtain a sample of). The server which hosted the stage 2 download was taken offline in November 2018 before Kaspersky became aware of this attack.

If the system was not of interest, the backdoor would simply stay dormant on the system. It’s unclear how the attackers may choose to leverage this in the future (assuming it remains intact on a system which installed the compromised utility).

Do we know who is responsible?
It is not possible to determine with absolute certainty who these attackers were but it is believed it is the same perpetrators as that of the ShadowPad incident of 2017. Microsoft identifies this advanced persistent threat (APT) (defined) group with the designation of BARIUM (who previously made use of the Winnti backdoor).

How have Asus responded to this threat?
Initially when Kaspersky contacted Asus on the 31st of January 2019 Asus denied their servers were compromised. Separately a Kaspersky employee met with Asus in person on the 14th of February 2019. However, Asus remained largely until earlier this week.

On the 26th of March Asus published a notice which contains an FAQ. They issued an updated version (3.6.8) of the Asus Live Update utility. Additionally, they have “introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future”.

They have also made available a utility to check if your system was affected. It is downloadable from the above linked to notice.

How can I remove the backdoor from my system if I installed the compromised Asus utility?
While Asus in their announcement recommends a full backup and full reset of your system; for some that may not be a preferred choice. If you use Kaspersky security suite it will very likely easily remove it since they were the first to detect it.

Please which ever approach is more convenient for you.

If you want to leave your system as it is:
I would first recommend a scan of your system with your current anti-malware product. I would then recommend using free anti-malware scanners such as RogueKiller, AdwCleaner and PowerEraser since they use cloud based forensic analysis and compare known safe files on your system with VirusTotal to check if any file has been tampered with or is new/suspicious. It is very unlikely the backdoor could hide from all of these utilities. Yes, this is overkill but will ensure a thorough check.

A link to full original story of this malware is available here.

You use an Asus system; how were you affected?
Since my high-end Core i9 7980 Extreme desktop uses an Asus desktop motherboard (ROG Rampage VI Apex); I ran the Asus utility to check my system; It displayed the message “Only for Asus systems” before closing. I’ll make an educated guess and assume that since the threat mainly affects laptops running this tool on a desktop system resulted in this message.

The offline and online tools from Kaspersky showed no issues with my system. I wasn’t surprised since I don’t use the Asus Live Update utility. Their drivers are available manually from their website and that’s how I stay updated.

I upload every downloaded file for my system to VirusTotal, verify the checksums and digital signatures, use two reputation based scanners on new downloads and have application whitelisting enabled. In summary; my system will be more difficult to compromise.

Thank you.

Security Vulnerabilities Disclosed in Kaspersky and FireEye Products

Over the weekend a security researcher, Tavis Ormandy discovered a zero day security vulnerability in Kaspersky Anti-virus 2015 and 2016. The issue was a buffer overflow issue (defined) and could be exploited remotely by visiting a website of an attacker’s choice or receiving specifically crafted data packets from an attacker via the internet connection of the device the Kaspersky product is protecting.

Kaspersky quickly responded to update it’s products to resolve this issue and mentioned that they wish to add further mitigation strategies to prevent an issue such as this being found in their products in the future. In addition, Kaspersky already uses Data Execution Prevention (DEP)(defined here and here) and Address Space Layout Randomization (ASLR)(defined) in order to complicate the exploitation of such overflow attacks. A copy of the statement released by Kaspersky is available at the end of this blog post.

If you are using any of Kaspersky’s security products to protect your device, please ensure that it is up to date to protect against this vulnerability being exploited. Further information on updating a selection of Kaspersky products is provided below:

Updating Kaspersky Anti-Virus 2016
Updating Kaspersky Internet Security 2016
Updating Kaspersky Total Security 2016

Links to 2015 and previous products are also provided within the above pages.

If you have any questions, you can contact Kaspersky for assistance. Links to their product forums are provided on the right hand side of this page with contact links for their support teams for business and home users located at the end of the same page.


In a separate disclosure Kristian Erik Hermansen, a security researcher provided details of 4 vulnerabilities in FireEye’s security appliances. In addition, a further 30 flaws were discovered by his joint work with another researcher Ron Perris.

An official advisory (PDF) was published by FireEye with regards to the initial 4 vulnerabilities disclosed by Hermansen. This document provides further information as well as how to obtain the appropriate updates and further recommended best practices. If you use any of the affected products, please follow the steps within the advisory to patch these issues as soon as possible.

I will continue to monitor these issues and will update this blog post as more information becomes available.

Update: 15th September 2015: Further vulnerabilities were patched by FireEye in their products as documented in this advisory. However no further details concerning the issues previously discussed have been made available. If you use any of FireEye’s NX, EX, CM, AX or FX products please ensure that they are running the most current release available from FireEye as mentioned in both FireEye advisories.

Thank you.