03-09-2017, 09:40 AM
Vault 7: WikiLeaks Docs Hint CIA Could Bypass 21 Security Products
One of the hidden gems included in the Vault 7 data, dumped yesterday by WikiLeaks, is a document detailing bypass techniques for 21 security software products.
The document is part of a data dump of nearly 9,000 other files, all documentation files and manuals for various hacking tools, which WikiLeaks claims belong to the CIA.
One particular document, labeled "Personal Security Products (PSPs)", lists 21 security products, each linking to a separate document containing descriptions of various exploits and techniques that could be used to bypass the named security tool.
The list covers almost all major antivirus vendors, including Comodo, Avast, Kaspersky, AVG, ESET, Symantec, and others.
For most security products included in this list, the bypass/exploit technique has been redacted. Yesterday, when it announced the Vault 7 leak, WikiLeaks said it made 70,875 redactions in total, mainly to remove any harmful code and personal details, such as names and IP addresses.
Bypass and exploit techniques were listed for only three vendors: F-Secure, Avira, and AVG (partial info).
In OSB's experience, F-Secure has generally been a lower tier product that causes us minimal difficulty. The only annoyance we have observed is that F-Secure has an apparent entropy-based heuristic that flags Trojaned applications or other binaries containing encrypted/compressed payloads. Two defeats are known to exist: One involves using RAR file string tables in the resource section, the other involves cloning a RAR file manifest file – the manifest technique also works against Avira's entropy-based heuristics.
AVG Catches a Payload Dropped to Disk and Launched via Link File Well After Execution (Process Hollowing)
Avira has historically been a popular product among [Counter Terrorism] targets, but is typically easy to evade. Similar to F-Secure, Avira has an apparent entropy-based heuristic that flags binaries containing encrypted/compressed payloads, but there are two known defeats.
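The entropy-based heuristic that both quoted entries describe works along the lines of the following check, added here as an illustration of the detection idea and not taken from the leaked documents or from any vendor's product; the constructed sample blob, the 512-byte window and the 7.0 bits/byte threshold are assumptions chosen for the demo.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for a
    perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 512, threshold: float = 7.0):
    """Slide a fixed-size window over the data and report windows whose entropy
    exceeds the threshold. Encrypted or compressed payloads sit close to
    8 bits/byte, while machine code and plain strings usually land well below,
    which is why this simple heuristic flags packed or crypted payloads.
    Returns a list of (offset, entropy) pairs."""
    hits = []
    for off in range(0, len(data) - window + 1, window):
        ent = shannon_entropy(data[off:off + window])
        if ent > threshold:
            hits.append((off, round(ent, 2)))
    return hits


def build_sample_blob() -> bytes:
    """Constructed test input (not a real binary): 1 KiB of plain text, then
    1 KiB of deterministic pseudo-random bytes standing in for an encrypted
    payload, then 1 KiB of text again. Seeded so the result is reproducible."""
    rng = random.Random(1337)
    text = (b"This is ordinary program text and strings, low entropy. " * 20)[:1024]
    payload = bytes(rng.getrandbits(8) for _ in range(1024))
    return text + payload + text


if __name__ == "__main__":
    # Only the windows covering the pseudo-random region (offsets 0x400 and
    # 0x600) should be reported; the surrounding text stays under threshold.
    for off, ent in high_entropy_windows(build_sample_blob()):
        print(f"offset {off:#06x}: entropy {ent} bits/byte")
```

A real scanner would apply the same measure per PE section or resource rather than over fixed windows, which is exactly why the quoted entries talk about hiding payloads inside the resource section.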
The full list of security products included in the WikiLeaks Vault 7 dump is as follows:
- Comodo
- Avast
- F-Secure
- Zemana Antilogger
- Zone Alarm
- Trend Micro
- Symantec
- Rising
- Panda Security
- Norton
- Malwarebytes Anti-Malware
- EMET (Enhanced Mitigation Experience Toolkit)
- Microsoft Security Essentials
- McAfee
- Kaspersky
- GDATA
- ESET
- ClamAV
- Bitdefender
- Avira
- AVG