pouët.net

Digitally signing kkrunchy compressed releases

category: code [glöplog]
Quote:
You cannot trust an executable signed by a centralized organization/community for many reasons.

What you really mean is "you can't trust digital certificates 100%, but people still do it"
Quote:
This idea only works at all, if all antivirus assume any signed binary does not need to be scanned. I'm pretty sure that is not the case.

In the antivirus industry (e.g. virus reverse-engineers sending samples to each other), the standard way of sharing detectable files is just to compress them with a simple preshared password. e.g. posting .zip with password "scene.org" should be fine.


The whole idea came from a response to one of our white-list requests that stated that a digital signature would better help them recognize a false positive. No one said they wouldn't be scanned. But obviously the only way av companies can flag these executables is via some error-prone heuristic, and they know it too - a digital signature would at least establish a recognizable set among the random binaries they analyze, which (if we do this properly) would only contain clean files and as such establish credibility. No, it's not a magic wand that makes the problem disappear, but it's currently the only way I know of that would possibly help the situation.

Sharing password protected zips doesn't solve anything, just introduces an extra, inconvenient step. Someone will still upload the unpacked exe to virustotal and start yelling wolf anyway.
added on the 2015-04-25 16:22:06 by BoyC BoyC
Just some brain storming: how about packing the executable of a demoscene production into another executable that is digitally signed and maybe even functions as a sandbox. Would this even be possible?
added on the 2015-04-25 16:42:53 by benJam benJam
Quote:
No, it's not a magic wand that makes the problem disappear, but it's currently the only way I know of that would possibly help the situation.


this.
added on the 2015-04-25 17:26:47 by Defiance Defiance
Quote:
a digital signature would better help them recognize a false positive

I propose a test. Let's digitally sign a few intros (I'm sure someone has access to a legit key) that have a lot of false positives, and then upload those for scanning. See if there's a point in the first place.
added on the 2015-04-25 18:40:02 by Gargaj Gargaj
Alright.

Seems like we have an answer to this question, albeit not a good one.
I googled a bit and contacted the creator of PEcompact as they emphasize on their page that their packer is compatible with digital signatures, and I actually got a response! A response that reeked of resentment of the powers that be - it seems this is a sore issue elsewhere too.
There's a single sentence that I will quote here:
Quote:
The compression you apply is seen as obfuscation, and thus will make your executable prone to false positives, DS or not.

/thread
added on the 2015-04-25 21:11:37 by BoyC BoyC
The answer is not breaking news, imho, this is known for years to people meddling with compression I suppose...

Compressing an executable alters, in a way, the original machine code structure, a fact which antivirus companies certainly don't like. If a technique alters the original contents of a file (no matter the benefits) then yes, it is considered a threat by them no matter what (signed or not). If it is unsigned (most cases) then the entire file structure (original machine code) is analyzed and compared against the virus signature database and then comes the verdict.

To avoid this (altered code structure by a compression technique), Avast (and several other avs), for instance, has a built in upx decompressor so that it can decompress executables on the fly (before they are executed) and 'see' that original code structure. If kkrunchy (or any other packer) was used widely by other manufacturers, as well, then a kkrunchy decompressor would have been implemented on the software to decompress an exe packed with it, thus making e.g. offscreen colonies or other intros run without any annoying virus messages.

But since it doesn't, the altered structure is by default considered a virus (or potentially unwanted).

Signing an exe though has some benefits, and of course all is not lost. A lot of antivirus software (e.g. Avast) upon meeting a signed executable tend to check only the pe header and not the entire executable structure, and, of course, not even compare it at all with the virus signatures in most situations. This leads to less false positives for certain if it is signed, but of course, not all the antiviruses out there work that way.

Like BoyC said: "No, it's not a magic wand that makes the problem disappear, but it's currently the only way I know of that would possibly help the situation."
added on the 2015-04-25 22:29:16 by Defiance Defiance
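To make the two properties discussed above concrete (whether a PE carries an Authenticode signature at all, and the high-entropy section bodies that a packer such as kkrunchy leaves behind and that AV heuristics key on), here is an added Python example. It is not code from this thread or from any AV product; the PE image it inspects is a constructed minimal PE32+ built in memory, and the 7.0 bits/byte threshold is an assumed illustrative cut-off.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a buffer; packed or compressed section bodies sit near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def inspect_pe(blob: bytes) -> dict:
    """Report signature presence (security data directory) and per-section entropy."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]            # 0x10B = PE32, 0x20B = PE32+
    dirs = opt + (96 if magic == 0x10B else 112)               # first of the 16 data directories
    cert_size = struct.unpack_from("<II", blob, dirs + 4 * 8)[1]  # index 4: security (Authenticode)
    sections = []
    for i in range(nsections):
        name, _vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        body = blob[rawptr:rawptr + rawsize]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), round(shannon_entropy(body), 2)))
    packed = any(e > 7.0 for _, e in sections)  # entropy heuristic of the kind AV engines apply (assumed cut-off)
    # "signed" only means a certificate table is attached; validating the chain needs a real verifier.
    return {"signed": cert_size > 0, "sections": sections, "looks_packed": packed}

def build_sample_pe(section_data: bytes, signed: bool) -> bytes:
    """Constructed minimal PE32+ image with one section (sample for parsing only, not a runnable program)."""
    e_lfanew, opt_size = 0x40, 240
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40            # section body follows the single section header
    dirs = [(0, 0)] * 16
    if signed:
        dirs[4] = (raw_ptr + len(section_data), 8)         # pretend a certificate table is appended
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 + b"".join(struct.pack("<II", *d) for d in dirs)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                      len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + sec + section_data

if __name__ == "__main__":
    packed = build_sample_pe(bytes(range(256)) * 4, signed=True)  # uniform bytes stand in for packer output
    print(inspect_pe(packed))
```

A signed image whose only section is near 8.0 bits/byte is exactly the "signed but still looks obfuscated" case the thread describes, which is why the signature alone does not clear it.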
Defiance: the problem is that nowadays even malware is signed, so basically all a signature is good for is to prove that the binary came from you, and to maybe bypass the windows smartscreen warning. All this is not news of course, but what I was hoping for is that we could get the certificate itself whitelisted (hence the non magic-wand statement), which would have solved all the issues. However the PEcompact guy also explained to me that the chance of this happening is exceedingly rare, let alone for several AV companies, and if we ever needed to renew the certificate it would have to be done again and again.

Basically: signing sadly wouldn't solve the issue, and we're better off with what we've been doing (going through all the av companies and asking for whitelisting), and using those extra kbytes for content.
added on the 2015-04-25 23:02:52 by BoyC BoyC
Quote:
the problem is that nowadays even malware is signed


yeah, this explains the introduction of the pe header check on the signed executables, I guess... a few years back signed exe meant no virus, so no check at all.

Quote:
what I was hoping for is that we could get the certificate itself whitelisted


they don't care about whitelisting certificates, since the analysis of the code structure is the most important part of the antivirus detection to them. I mean they give more points and attention to that, rather than the certificates. After all, any sign of alternate code structure bypasses any certificate white listing immediately, no matter what. Over the years coders of malicious software have managed to even emulate valid certificates for their software so the av companies won't fall for that. Certificates mostly help software publishers and end users trust your software, rather than antivirus companies and their products. :(
added on the 2015-04-25 23:50:08 by Defiance Defiance
i wonder if it is possible to create a demo container format (with some non mainstream packer algo that no AV software can read) and extract/run it in a custom tool without triggering the realtime protection of the antivir...
added on the 2015-04-26 01:01:17 by wysiwtf wysiwtf
Defiance: out of curiosity what's your background on this?
added on the 2015-04-26 01:27:28 by Gargaj Gargaj
personal experiences mostly. white listing and contacting them for false positives happened to me a bit frequently the recent years, thus giving me some insight about their way of thinking. it seems that there is also a very different way they handle open source and closed source software white listing requests. open source seems to be considered almost immediately safe, whereas closed source takes some time to be on their white list, probably due to testing (but this can be derived by simple logic, as well).
added on the 2015-04-26 01:45:07 by Defiance Defiance
So you're an end-user at best.
added on the 2015-04-26 01:45:32 by Gargaj Gargaj
well, i had this at some recent point considered as a virus simply because it opened a debug file in notepad and because they didn't like the language since it had been used for malicious stuff as well, so white listing it took a little. trust me i know how it is to have something you created considered a virus...
added on the 2015-04-26 01:58:55 by Defiance Defiance
Quote:
Sharing password protected zips doesn't solve anything, just introduces an extra, inconvenient step. Someone will still upload the unpacked exe to virustotal and start yelling wolf anyway.


Yes, it allows people to actually retain a file locally. If they go to extract it and see that the extraction fails because of antivirus issues, then they can take proper steps to be able to extract and run the file. This is normally preferred to having the file insta-deleted as soon as it touches your filesystem / browser cache.

Seems like you found the answer anyways - that DS really wouldn't help this issue.

benJam: that exact idea would not be possible, but you can just make a single signed binary which loads other files (which don't look like executable files) and executes them in some way. This also happens to be one of the reasons signatures are pointless. Most modern malware uses this method.

Quote:
I propose a test. Let's digitally sign a few intros (I'm sure someone has access to a legit key) that have a lot of false positives, and then upload those for scanning. See if there's a point in the first place.

could be enlightening
added on the 2015-04-26 02:06:07 by shuffle2 shuffle2
Quote:
Seems like you found the answer anyways - that DS really wouldn't help this issue.

It was well worth a few days of investigating. And, thanks to the kkrunchy header fix we did end up with a sort of signature in our exes going forward, which we decided to keep :)

BB Image
added on the 2015-04-26 02:45:50 by BoyC BoyC
excellent. now let's make a rootkit with that header!
cute :D
added on the 2015-04-26 03:07:20 by shuffle2 shuffle2
When you find things like this: http://www.pctechanswer.com/How-to-remove-Kkrunchy+Packed-Removal-Guide_14_108359.html all hope is lost.

Quote:
Kkrunchy Packed is a Trojan virus which is reported to be the a kind of security killer of computer system. It is turn out to be a aggressive computer infection which has the ability to confront the security functional tools installed on the computer. This Trojan virus not only can end the process of antivirus program but also capable of deleting parts of security tool service as well as shuting down the windows firewall and windows defender. After turning off the security defense and disabling almost all system protection tool, users will not able to receive security alert and they will not know how many infections are installed onto the computer and what will these threats perform in the system.
added on the 2015-04-26 11:39:06 by Jcl Jcl
Quote:
And, thanks to the kkrunchy header fix we did end up with a sort of signature in our exes going forward, which we decided to keep :)


that's sweet :)

jcl: their article is end user terrorism at its best...
added on the 2015-04-26 12:34:03 by Defiance Defiance
Quote:
Alright.

Seems like we have an answer to this question, albeit not a good one.
I googled a bit and contacted the creator of PEcompact as they emphasize on their page that their packer is compatible with digital signatures, and I actually got a response! A response that reeked of resentment of the powers that be - it seems this is a sore issue elsewhere too.
There's a single sentence that I will quote here:
Quote:
The compression you apply is seen as obfuscation, and thus will make your executable prone to false positives, DS or not.

/thread


I thought the compressor taggant scheme was meant to be an effective tool for exactly this situation. Or has the taggant scheme proved to be a complete load of bullshit?
added on the 2015-04-26 16:01:29 by mudlord mudlord
Quote:
I thought the compressor taggant scheme was meant to be an effective tool for exactly this situation. Or has the taggant scheme proved to be a complete load of bullshit?


I'll quote some more from the email I got.

Quote:
Maybe this improves with the taggant being implemented (has taken years for these corporate people to get this project done
Quote:
new entrants (e.g. new packer vendors) must pay $4500 to get in.
Quote:
only 1 or 2 security software companies support the taggant yet themselves, so it's a chicken before the egg problem. We will see.
Quote:
Also, we packer vendors found out they are - at least for now - using the taggants only for blacklisting, no whitelisting. In other words, again more concerned about missing bad things than false positives.
added on the 2015-04-26 16:17:08 by BoyC BoyC
In short the taggant system is nothing but bad news for us if it gets implemented widely - we either get kkrunchy in that system (yeah, right...) or our releases will suffer from a lot more false positives.
added on the 2015-04-26 16:31:57 by BoyC BoyC
Quote:
the idea would be to check uploaded files with some service like virustotal, and only compress+sign them server side if they are completely clean. Since the uncompressed executable would be available to the service we could even implement our own arbitrary checks (checking to see if the exe uses any of the major gfx apis would be an obvious candidate for example)

wat. i seriously hope you are joking. what a terrible idea /o\

unless the source code is reviewed by a knowledgeable person and then compiled into the binary that is going to be signed it is *very easy* to hide some malicious code in it. that's pretty much why all these stupid heuristics exist after all.
added on the 2015-04-26 16:42:24 by groepaz groepaz
Quote:
When you find things like this: http://www.pctechanswer.com/How-to-remove-Kkrunchy+Packed-Removal-Guide_14_108359.html all hope is lost.

Quote:
Kkrunchy Packed is a Trojan virus which is reported to be the a kind of security killer of computer system. It is turn out to be a aggressive computer infection which has the ability to confront the security functional tools installed on the computer. This Trojan virus not only can end the process of antivirus program but also capable of deleting parts of security tool service as well as shuting down the windows firewall and windows defender. After turning off the security defense and disabling almost all system protection tool, users will not able to receive security alert and they will not know how many infections are installed onto the computer and what will these threats perform in the system.


this is just an auto generated site. check it out:
http://www.pctechanswer.com/greetings-to-pouet-Guide_14_108357.html
only the ID at the end matters. probably just generated from some search engine statistics.
added on the 2015-04-27 09:12:35 by shuffle2 shuffle2