Another great LiveCD is one from Kaspersky Labs called Kaspersky Rescue Disk 10, downloadable from here: rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso
It is a powerful antivirus scanning engine with many interesting and useful tools, which I wanted to try running locally on my Debian amd64 host. Disassembling the ISO was a little trickier than the one from F-Secure, so for those interested I am posting a little howto on my progress. Of course there is the question of why do all this when I can just boot the LiveCD with its GUI and do everything from there? In some cases it was more convenient for me to do manual scans from my local machine, and it was just too much of a hassle to do this via LiveCD and VirtualBox, so I decided to extract the needed files from the LiveCD and try to run them separately.
First we download the Kaspersky Rescue Disk and mount the iso in our filesystem
# mount -o loop kav_rescue_10.iso /mnt/iso
Next we copy the squashfs file /mnt/iso/rescue/LiveOS/squashfs.img to some working directory in our home, for example KASPERSKY
cp /mnt/iso/rescue/LiveOS/squashfs.img /home/user/KASPERSKY
Next we check what the file squashfs.img actually is
root@Obelix:/home/user/KAV# file squashfs.img
squashfs.img: Squashfs filesystem, little endian, version 4.0, 32095920895 bytes, 3 inodes, blocksize: 7 bytes, created: Thu May 18 03:10:24 2034
We need a quite recent squashfs-tools, and I would not recommend the version from Debian stable. Just download the sources from sourceforge.net/projects/squashfs/files/, extract them and modify the Makefile to enable xz compression support by uncommenting the following line
XZ_SUPPORT = 1
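Before building squashfs-tools it is worth confirming which compressor the image actually uses, since unsquashfs built without the matching support will simply fail. The following script is an added example, not part of the original post: it reads the squashfs v4 superblock directly (magic "hsqs" at offset 0, compression id at offset 20, major version at offset 28, as laid out in the squashfs on-disk format) and reports the compressor. The sample superblock it can generate is constructed test input, not a real image.

```shell
#!/bin/sh
# Added example, not part of the original post: read the squashfs v4
# superblock of squashfs.img to learn which compressor the image uses,
# so you know whether squashfs-tools must be built with XZ_SUPPORT = 1
# before unsquashfs will work. Field offsets are those of the squashfs
# on-disk format: magic "hsqs" at 0, compression id (u16, little-endian)
# at 20, major version (u16) at 28.
set -eu

# Print the little-endian unsigned integer of $3 bytes at offset $2 in file $1.
le_int() {
    od -An -v -tu1 -j "$2" -N "$3" "$1" |
        awk '{ v = 0; for (i = NF; i >= 1; i--) v = v * 256 + $i; print v }'
}

# Map the superblock's compression id to a name; fails on non-squashfs input.
squashfs_compressor() {
    img=$1
    magic=$(dd if="$img" bs=4 count=1 2>/dev/null)
    if [ "$magic" != "hsqs" ]; then
        echo "$img: not a little-endian squashfs image" >&2
        return 1
    fi
    major=$(le_int "$img" 28 2)
    if [ "$major" -ne 4 ]; then
        echo "$img: unexpected squashfs major version $major" >&2
        return 1
    fi
    case $(le_int "$img" 20 2) in
        1) echo gzip ;;
        2) echo lzma ;;
        3) echo lzo ;;
        4) echo xz ;;
        5) echo lz4 ;;
        6) echo zstd ;;
        *) echo unknown ;;
    esac
}

# Write $1 zero bytes to stdout.
zeros() {
    n=$1
    while [ "$n" -gt 0 ]; do printf '\000'; n=$((n - 1)); done
}

# Write a constructed 96-byte v4 superblock to file $1 with compression id $2.
# Only the magic, compression id and version fields are meaningful; the rest
# is zero. This is sample input for testing, not a real image.
make_sample_superblock() {
    {
        printf 'hsqs'                                  # magic, offset 0
        zeros 16                                       # inodes, mtime, block size, fragments
        printf "\\$(printf '%03o' "$2")"; zeros 1      # compression id, offset 20
        zeros 6                                        # block log, flags, id count
        printf '\004\000'                              # version major = 4, offset 28
        printf '\000\000'                              # version minor = 0
        zeros 64                                       # root inode, bytes used, table offsets
    } > "$1"
}

# Usage: sh check_squashfs.sh squashfs.img
if [ $# -eq 1 ]; then
    comp=$(squashfs_compressor "$1")
    echo "$1 is compressed with $comp"
    if [ "$comp" = xz ]; then
        echo "build squashfs-tools with XZ_SUPPORT = 1 before running unsquashfs"
    fi
fi
```

Run it as `sh check_squashfs.sh squashfs.img` on the image copied from the ISO; if it reports xz, the Makefile change above is required, and an unsquashfs from Debian stable that lacks xz support will not be able to unpack the image.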
In order to compile with xz support we need some additional libs, so on Debian I did
apt-get install liblzma-dev
apt-get install liblzma5
apt-get install xz-lzma
Now we run make, and if the compilation was successful we can copy the unsquashfs binary to /usr/local/bin
cp unsquashfs /usr/local/bin
Now we can extract the squashfs.img file copied from the CD
root@Obelix:/home/user/KASPERSKY# unsquashfs squashfs.img
Parallel unsquashfs: Using 4 processors
1 inodes (474 blocks) to write
[====================================================|] 474/474 100%
created 1 files
created 2 directories
created 0 symlinks
created 0 devices
created 0 fifos
root@Obelix:/home/user/KASPERSKY#
OK, we end up with a directory squashfs-root containing a LiveOS subdirectory, which contains another compressed image
root@Obelix:/home/user/KASPERSKY/squashfs-root/LiveOS# file ext3fs.img
ext3fs.img: Linux rev 1.0 ext3 filesystem data, UUID=85dd4ebe-fd1b-420b-8d20-bef37149b4ec
We can now mount this file using the regular Linux mount command like so:
mount -o loop ext3fs.img /mnt/disk
Next we copy the whole contents of /mnt/disk to our home working dir KASPERSKY
cp -rv /mnt/disk /home/user/KASPERSKY
Once finished, chown the whole directory to your user so you can edit the files.
OK, we are almost there. Because the Kaspersky Antivirus Engine for Linux is compiled in such a way that it relies on a lot of custom libraries from Kaspersky Labs, there are some scripts that load the GUI scanner, and they are located in /home/user/KASPERSKY/disk/usr/bin. The file we are interested in is kav.exe, a shell script that sets LD_LIBRARY_PATH etc. so the proper libraries are used when the application is launched. I decided not to touch these scripts as they proved very difficult to modify. If we try to run the script locally like this
user@Obelix:~/KASPERSKY/disk/usr/bin$ ./kav.exe
./kav.exe: line 3: script_l10n.sh: No such file or directory
./kav.exe: line 37: source: /var/log/winsysdir: is a directory
./kav.exe: line 38: /usr/lib/kl/kav: No such file or directory
We can see that the script looks in the folders it was designed for, so let's chroot into the directory and see what we get. Before we run chroot, copy /etc/resolv.conf to /home/user/KASPERSKY/disk/etc so that the chrooted system can resolve DNS. Another important note: create custom mountpoints for the chroot environment in the /home/user/KASPERSKY/disk/discs directory
mkdir /home/user/KASPERSKY/disk/discs/disk0
mkdir /home/user/KASPERSKY/disk/discs/disk1
mkdir /home/user/KASPERSKY/disk/discs/disk2
mkdir /home/user/KASPERSKY/disk/discs/disk3
and mount whatever directory you wish to scan with Kaspersky
mount -o bind /directory/to/scan /home/user/KASPERSKY/disk/discs/disk0
Now we are ready to chroot into the extracted filesystem.
root@Obelix:/home/user/KASPERSKY# chroot disk/
Obelix / #
OK, this worked, so let's try and run the kav.exe shell script.
Obelix bin # ./kav.exe
grep: /proc/cmdline: No such file or directory
./kav.exe: line 37: source: /var/log/winsysdir: is a directory
No protocol specified
No protocol specified
rd: cannot connect to X server :0.0
OK, we need to point the chroot at the same display as our host X server and grant it access. On the host, enable access from a terminal like this:
user@Obelix:~$ xhost +
access control disabled, clients can connect from any host
And in the chroot system set the DISPLAY variable like this:
Obelix bin # export DISPLAY=:0.0
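The chroot preparation above (mountpoints, resolv.conf, bind mount, DISPLAY) is easy to get half-done, and a bind mount left behind is easy to forget. The script below is an added example, not part of the original post or of Kaspersky's tooling; it assumes the layout the post describes ($root is the extracted ext3 tree, the scanner scripts live in $root/usr/bin, mountpoints under $root/discs) and always undoes the bind mount after the chrooted command exits. It grants X access only to local clients with `xhost +local:` rather than `xhost +`, which opens the X server to any host, and revokes it again afterwards.

```shell
#!/bin/sh
# Added example, not part of the original post: wraps the chroot
# preparation steps above. Path layout is an assumption taken from the post:
# $root is the extracted ext3 tree (the post's /home/user/KASPERSKY/disk),
# the Kaspersky scripts live in $root/usr/bin and expect mount points under
# $root/discs. Mounting and chroot need root; directory setup does not.
set -eu

# Create the discs/disk0..disk3 mount points and give the chroot a usable
# resolv.conf (copied from $2, default /etc/resolv.conf) for DNS.
prepare_chroot() {
    root=$1
    resolv=${2:-/etc/resolv.conf}
    for n in 0 1 2 3; do
        mkdir -p "$root/discs/disk$n"
    done
    mkdir -p "$root/etc"
    cp "$resolv" "$root/etc/resolv.conf"
}

# Number of disk* mount points under $1/discs, so callers can verify the layout.
count_mountpoints() {
    ls -d "$1"/discs/disk* 2>/dev/null | wc -l | tr -d ' '
}

# Bind-mount $2 into disk0, run the given command from the chroot's /usr/bin
# with DISPLAY set, then always undo the bind mount and the X access grant.
# X access is limited to local clients (xhost +local:) instead of the post's
# xhost +, which lets any host talk to your X server.
run_in_chroot() {
    root=$1
    target=$2
    shift 2
    mount -o bind "$target" "$root/discs/disk0"
    xhost +local: >/dev/null 2>&1 || true
    status=0
    chroot "$root" /bin/sh -c "export DISPLAY=:0.0; cd /usr/bin && $*" || status=$?
    umount "$root/discs/disk0"
    xhost -local: >/dev/null 2>&1 || true
    return "$status"
}

# Usage (as root): sh kav_chroot.sh /home/user/KASPERSKY/disk /directory/to/scan
if [ $# -eq 2 ]; then
    prepare_chroot "$1"
    run_in_chroot "$1" "$2" ./kav.exe
fi
```

Invoke it as root with the extracted tree and the directory to scan; the scanner then sees that directory under /discs/disk0 inside the chroot, and the mount is removed when kav.exe exits, whether or not it succeeded.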
Now we can try and run the kav.exe binary
It works, so we can now update the AV signatures either from the console or via the GUI. I chose the console, before kav.exe is executed
Obelix bin # ./kav_update
grep: /proc/cmdline: No such file or directory
./kav_update: line 12: source: /var/log/winsysdir: is a directory
2013-07-25 1x:x6:xx Updater starting 0%
; --- Settings ---
; Notify before update: Yes
; Rescan quarantine: No
; Update sources:
;
; ------------------
2013-07-25 1x:x6:xx Task started event
2013-07-25 1x:x6:xx Update source is selected http://dnl-10.geo.kaspersky.com/
2013-07-25 1x:x6:xx Updater running 0%
2013-07-25 1x:x6:xx File downloaded index/u0607g.xml.dif
2013-07-25 1x:x6:xx Generate list of files to download
2013-07-25 1x:x6:xx File downloaded index/../bases/av/kdb/i386/kdb-i386-1211g.xml.dif
2013-07-25 1x:x6:xx
2013-07-25 1x:x6:xx Updater completed
; --- Statistics ---
; Time Start: 2013-07-25 1x:x6:xx
; Time Finish: 2013-07-25 1x:x6:xx
; Completion: 100%
; Estimated traffic size: 11798
; Downloaded size: 11798
; Speed: 76.81 KB/sec
; ------------------
Obelix bin #
Now let's test the antivirus against some Metasploit-generated payloads, for example…
As you can see it does its job. Compare this with the F-Secure setup from the last article:
root@Obelix:/opt/f-secure/fssp/bin# ./fsav /home/user/Malware/
F-Secure Security Platform version 2.50 build 12970
Scan started at Thu Jul 25 1x:x6:xx 2013
Database version: 2013-07-24_07
/home/user/Malware/test1.exe: Infected: Backdoor.Shell.AC [Aquarius]
/home/user/Malware/test1.exe: Disinfect? (Yes, No, yes to All) No
/home/user/Malware/test1.exe: [disinfect failed]
/home/user/Malware/test1.exe: Infected: Backdoor.Shell.AC [Aquarius]
/home/user/Malware/test1.exe: Rename? (Yes, No, yes to All) No
/home/user/Malware/test1.exe: [rename failed]
/home/user/Malware/ComplexPath.exe: Infected: Trojan.GenericKDZ.20684 [Aquarius]
/home/user/Malware/ComplexPath.exe: Disinfect? (Yes, No, yes to All) No
/home/user/Malware/ComplexPath.exe: [disinfect failed]
/home/user/Malware/ComplexPath.exe: Infected: Trojan.GenericKDZ.20684 [Aquarius]
/home/user/Malware/ComplexPath.exe: Rename? (Yes, No, yes to All) No
/home/user/Malware/ComplexPath.exe: [rename failed]
/home/user/Malware/test2.exe: Infected: Backdoor.Shell.AC [Aquarius]
/home/user/Malware/test2.exe: Disinfect? (Yes, No, yes to All) No
/home/user/Malware/test2.exe: [disinfect failed]
/home/user/Malware/test2.exe: Infected: Backdoor.Shell.AC [Aquarius]
/home/user/Malware/test2.exe: Rename? (Yes, No, yes to All) No
/home/user/Malware/test2.exe: [rename failed]
Scan ended at Thu Jul 25 1x:x6:xx 2013
4 files scanned
3 files infected
Both AVs perform well; I still prefer the F-Secure one, though.