Looting LiveCDs part 2.


Another great LiveCD is the Kaspersky Rescue Disk 10 from Kaspersky Lab, downloadable from here: rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso

It is a powerful antivirus scanning engine with many interesting and useful tools, which I wanted to run locally on my Debian amd64 host. Disassembling the ISO was a little trickier than the F-Secure one; for those interested, here is a short howto of my progress. Of course one could ask why do all this when the LiveCD can simply be booted with its GUI and everything done from there. In some cases it was more convenient for me to do manual scans from my local machine, and doing that through the LiveCD in VirtualBox was too much of a hassle, so I decided to extract the needed files from the LiveCD and run the scanner separately.


First we download the Kaspersky Rescue Disk and mount the iso in our filesystem

# mount -o loop kav_rescue_10.iso /mnt/iso

Next we copy the squashfs file /mnt/iso/rescue/LiveOS/squashfs.img to a working directory under our home, for example /home/user/KASPERSKY

cp /mnt/iso/rescue/LiveOS/squashfs.img /home/user/KASPERSKY

Next we check what the file squashfs.img actually is

root@Obelix:/home/user/KAV# file squashfs.img 
squashfs.img: Squashfs filesystem, little endian, version 4.0, 32095920895 bytes, 3 inodes, blocksize: 7 bytes, created: Thu May 18 03:10:24 2034

The size, inode count, block size and date are obviously bogus (older releases of file do not parse the version 4 superblock correctly); the one field that matters is the version, 4.0, which is why the xz-capable squashfs-tools below are needed.

We need fairly recent squashfs-tools, and I would not recommend the version from Debian stable. Download the sources from sourceforge.net/projects/squashfs/files/ , extract them, and in the squashfs-tools/ subdirectory edit the Makefile to enable xz compression support by uncommenting the following line

XZ_SUPPORT = 1

Compiling with xz support needs the liblzma headers, so on Debian I did

apt-get install liblzma-dev

(the runtime library liblzma5 is pulled in as a dependency; the lzma compatibility package xz-lzma is not needed for the build)

Now we run make in the squashfs-tools/ directory and, if the compilation was successful, copy the unsquashfs binary to /usr/local/bin

cp unsquashfs /usr/local/bin

Now we can extract the squashfs.img file copied from the CD

root@Obelix:/home/user/KASPERSKY# unsquashfs squashfs.img 
Parallel unsquashfs: Using 4 processors
1 inodes (474 blocks) to write

[====================================================|] 474/474 100%
created 1 files
created 2 directories
created 0 symlinks
created 0 devices
created 0 fifos
root@Obelix:/home/user/KASPERSKY#

OK, we end up with a directory squashfs-root containing a LiveOS subdirectory, which holds the actual root filesystem as a plain ext3 image (not compressed this time)

root@Obelix:/home/user/KASPERSKY/squashfs-root/LiveOS# file ext3fs.img 
ext3fs.img: Linux rev 1.0 ext3 filesystem data, UUID=85dd4ebe-fd1b-420b-8d20-bef37149b4ec

We can now mount this file using regular linux mount command like so ..

mount -o loop ext3fs.img /mnt/disk

Next we copy the whole contents of /mnt/disk to our working directory KASPERSKY (cp -a rather than cp -r, so ownership, permission bits and symlinks survive the copy; the tree ends up in /home/user/KASPERSKY/disk)

cp -av /mnt/disk /home/user/KASPERSKY

Once finished, chown the whole directory to your user so you can edit files.

OK, we are almost there. Because the Kaspersky antivirus engine for Linux is built in such a way that it relies on a lot of custom libraries from Kaspersky Lab, the GUI scanner is started through wrapper scripts located in /home/user/KASPERSKY/disk/usr/bin. The file we are interested in is kav.exe, a shell script that sets LD_LIBRARY_PATH and similar so the proper libraries are used when the application is launched. I decided not to touch these scripts, as modifying them proved very difficult. If we try to run the script locally like this

user@Obelix:~/KASPERSKY/disk/usr/bin$ ./kav.exe 
./kav.exe: line 3: script_l10n.sh: No such file or directory
./kav.exe: line 37: source: /var/log/winsysdir: is a directory
./kav.exe: line 38: /usr/lib/kl/kav: No such file or directory

We can see that the script looks for its files at fixed absolute paths, so let's chroot into the extracted tree and see what we get. Before we run chroot, copy /etc/resolv.conf to /home/user/KASPERSKY/disk/etc so that the chrooted system can resolve DNS (the updater needs it). Also, an important note: create the mount points for the directories you want to scan in the /home/user/KASPERSKY/disk/discs directory (the names are not special, they just have to match what you bind-mount onto them below)

mkdir -p /home/user/KASPERSKY/disk/discs/disc0
mkdir -p /home/user/KASPERSKY/disk/discs/disc1
mkdir -p /home/user/KASPERSKY/disk/discs/disc2
mkdir -p /home/user/KASPERSKY/disk/discs/disc3

and bind-mount whatever directory you wish to scan with Kaspersky. A plain bind mount is read-write, so the scanner's disinfect and rename actions would modify the originals; remount it read-only if you only want a report

mount -o bind /directory/to/scan /home/user/KASPERSKY/disk/discs/disc0
mount -o remount,bind,ro /home/user/KASPERSKY/disk/discs/disc0

Now we are ready to chroot to the extracted filesystem..

root@Obelix:/home/user/KASPERSKY# chroot disk/
Obelix / #

OK, this worked, lets try and run the kav.exe shell script..

Obelix bin # ./kav.exe 
grep: /proc/cmdline: No such file or directory
./kav.exe: line 37: source: /var/log/winsysdir: is a directory
No protocol specified
No protocol specified
rd: cannot connect to X server :0.0

OK, the chrooted process needs to talk to the host X server: it must use the same DISPLAY as our session, and the server must accept its connection (the errors above are X refusing an unauthorised client; the connection itself reaches the server because the chroot shares the host's abstract X11 socket). On the host the quick way is xhost +, which disables X access control completely, so any client that can reach the server is accepted; revoke it with xhost - when done, or use the narrower xhost +si:localuser:root, which admits only local clients running as root, which is what the chroot runs as:

 user@Obelix:~$ xhost +
access control disabled, clients can connect from any host

And in the chroot system set the DISPLAY variable like this:

Obelix bin # export DISPLAY=:0.0

Now we can try and run the kav.exe script again.

It works, so we can now update the AV signatures either from the console or via the GUI. I chose the console, before kav.exe is executed
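The whole procedure above, scripted as an added example (this is not the post's or Kaspersky's code). It follows the same steps, loop-mount the ISO, unsquashfs, loop-mount ext3fs.img, copy the tree, set up the chroot, grant X access and run the wrapper scripts, but tightens the chroot setup: scan targets are bind-mounted read-only, /proc and /tmp are bound in (which also removes the /proc/cmdline error and carries the host's X11 socket directory), and X access is granted to local root only instead of to everyone. The ISO layout and the /discs/discN mount points are taken from the post; the script name, the DRY_RUN switch and the kav_-prefixed function names are assumptions of this example.

```shell
#!/bin/sh
# kav-chroot.sh: script the steps above (extract the Kaspersky Rescue Disk
# 10 filesystem, prepare a chroot, run the wrapper scripts, clean up).
# Added example, not part of the rescue disk. Assumptions: an xz-capable
# unsquashfs is on PATH; the ISO layout is rescue/LiveOS/squashfs.img with
# LiveOS/ext3fs.img inside, as seen in the post; the extracted tree lives in
# WORK/disk and scan targets go under /discs/discN (the names are ours).
set -e

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1: print the mount/chroot commands instead of running them

# priv: every step that needs root, or depends on an earlier root step,
# goes through here so the plan can be reviewed (and tested) unprivileged.
priv() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# kav_extract ISO WORK: loop-mount the ISO read-only, unpack squashfs.img,
# loop-mount the inner ext3 image read-only and copy it to WORK/disk.
# cp -a (not cp -r) keeps ownership, mode bits and symlinks intact.
kav_extract() {
    iso=$1; work=$2
    mkdir -p "$work/iso" "$work/ext3" "$work/disk"
    priv mount -o loop,ro "$iso" "$work/iso"
    priv cp "$work/iso/rescue/LiveOS/squashfs.img" "$work/squashfs.img"
    priv umount "$work/iso"
    priv unsquashfs -d "$work/squashfs-root" "$work/squashfs.img"
    priv mount -o loop,ro "$work/squashfs-root/LiveOS/ext3fs.img" "$work/ext3"
    priv cp -a "$work/ext3/." "$work/disk/"
    priv umount "$work/ext3"
}

# kav_prepare ROOT TARGET...: /proc silences "grep: /proc/cmdline", /tmp
# carries the host's X11 socket directory, resolv.conf lets kav_update reach
# the mirror. Each TARGET is bind-mounted on ROOT/discs/discN and then
# remounted read-only (the two-step form works on old kernels too), so the
# scanner can report but never "disinfect" or rename the files it examines.
kav_prepare() {
    root=$1; shift
    priv cp /etc/resolv.conf "$root/etc/resolv.conf"
    priv mount --bind /proc "$root/proc"
    priv mount --bind /tmp "$root/tmp"
    n=0
    for target in "$@"; do
        mnt="$root/discs/disc$n"
        mkdir -p "$mnt"
        priv mount --bind "$target" "$mnt"
        priv mount -o remount,bind,ro "$mnt"
        n=$((n + 1))
    done
}

# kav_xaccess: admit only local clients running as root (what the chroot
# runs as) instead of "xhost +", which disables X access control entirely.
kav_xaccess() {
    priv xhost +si:localuser:root
}

# kav_run ROOT SCRIPT: run kav_update or kav.exe from /usr/bin inside the
# chroot, with DISPLAY pointing at the host X server.
kav_run() {
    root=$1; script=$2
    priv env DISPLAY="${DISPLAY:-:0.0}" chroot "$root" /bin/sh -c "cd /usr/bin && exec ./$script"
}

# kav_teardown ROOT: undo the bind mounts in reverse order and revoke the X
# grant; never rm -rf the tree while anything is still mounted under it.
kav_teardown() {
    root=$1
    for mnt in $(ls -d "$root"/discs/disc* 2>/dev/null | sort -r); do
        priv umount "$mnt"
    done
    priv umount "$root/tmp"
    priv umount "$root/proc"
    priv xhost -si:localuser:root
}

main() {
    [ $# -ge 3 ] || { echo "usage: $0 ISO WORKDIR DIR_TO_SCAN..." >&2; return 1; }
    iso=$1; work=$2; shift 2
    kav_extract "$iso" "$work"
    kav_prepare "$work/disk" "$@"
    trap 'kav_teardown "$work/disk"' EXIT
    kav_xaccess
    kav_run "$work/disk" kav_update
    kav_run "$work/disk" kav.exe
}

# e.g. DRY_RUN=1 sh kav-chroot.sh kav_rescue_10.iso /home/user/KASPERSKY /home/user/Malware
[ $# -eq 0 ] || main "$@"
```

Run it as root with the ISO, a work directory and the directories to scan; with DRY_RUN=1 it only prints the mount, chroot and xhost commands, which is a cheap way to check the plan before anything is touched. The two-step remount (mount --bind, then mount -o remount,bind,ro) is the form that works on older kernels; recent util-linux accepts mount -o bind,ro directly and does the same two steps internally.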

Obelix bin # ./kav_update 
grep: /proc/cmdline: No such file or directory
./kav_update: line 12: source: /var/log/winsysdir: is a directory
2013-07-25 1x:x6:xx     Updater                   starting   0%         
; --- Settings ---
; Notify before update: Yes
; Rescan quarantine:    No
; Update sources:
; 
; ------------------
2013-07-25 1x:x6:xx     Task started event  
2013-07-25 1x:x6:xx     Update source is selected http://dnl-10.geo.kaspersky.com/ 
2013-07-25 1x:x6:xx     Updater                   running    0%         
2013-07-25 1x:x6:xx     File downloaded index/u0607g.xml.dif 
2013-07-25 1x:x6:xx     Generate list of files to download  
2013-07-25 1x:x6:xx     File downloaded index/../bases/av/kdb/i386/kdb-i386-1211g.xml.dif 
2013-07-25 1x:x6:xx       
2013-07-25 1x:x6:xx     Updater                   completed             
;  --- Statistics ---
; Time Start:           2013-07-25 1x:x6:xx
; Time Finish:          2013-07-25 1x:x6:xx
; Completion:           100%
; Estimated traffic size:       11798
; Downloaded size:      11798
; Speed:        76.81 KB/sec
;  ------------------
Obelix bin #

Note that the update source selected in the log above is a plain http:// mirror, so whatever integrity check the updater performs on the downloaded bases, the transport itself provides none.

Now let's test the antivirus against some Metasploit-generated payloads, for example...

As you can see it does its job. Compared with the F-Secure setup from the last article

root@Obelix:/opt/f-secure/fssp/bin# ./fsav /home/user/Malware/
F-Secure Security Platform version 2.50  build 12970

Scan started at Thu Jul 25 1x:x6:xx 2013
Database version: 2013-07-24_07

/home/user/Malware/test1.exe: Infected: Backdoor.Shell.AC [Aquarius]
/home/user/Malware/test1.exe: Disinfect? (Yes, No, yes to All) No
/home/user/Malware/test1.exe: [disinfect failed]
/home/user/Malware/test1.exe: Infected: Backdoor.Shell.AC [Aquarius]
/home/user/Malware/test1.exe: Rename? (Yes, No, yes to All) No
/home/user/Malware/test1.exe: [rename failed]
/home/user/Malware/ComplexPath.exe: Infected: Trojan.GenericKDZ.20684 [Aquarius]
/home/user/Malware/ComplexPath.exe: Disinfect? (Yes, No, yes to All) No
/home/user/Malware/ComplexPath.exe: [disinfect failed]
/home/user/Malware/ComplexPath.exe: Infected: Trojan.GenericKDZ.20684 [Aquarius]
/home/user/Malware/ComplexPath.exe: Rename? (Yes, No, yes to All) No
/home/user/Malware/ComplexPath.exe: [rename failed]
/home/user/Malware/test2.exe: Infected: Backdoor.Shell.AC [Aquarius]
/home/user/Malware/test2.exe: Disinfect? (Yes, No, yes to All) No
/home/user/Malware/test2.exe: [disinfect failed]
/home/user/Malware/test2.exe: Infected: Backdoor.Shell.AC [Aquarius]
/home/user/Malware/test2.exe: Rename? (Yes, No, yes to All) No
/home/user/Malware/test2.exe: [rename failed]

Scan ended at Thu Jul 25 1x:x6:xx 2013
4 files scanned
3 files infected

Both AVs perform well, I still prefer the F-Secure though.


4 Responses to Looting LiveCDs part 2.

  1. Did you ever try to get this working by extracting the scanner and running it locally like you did the F-Secure boot disc? I’m looking to do something similar by injecting the Kaspersky and F-Secure scanners into a custom Arch bootable disc.

    • astr0baby says:

      No, the Kaspersky binaries ran well only in the chroot, but I guess extracting all the libs from the LiveCD and preparing an LDD loader for the scanner might do the trick. Anyways I have found that the F-Secure and Kaspersky scanners scan about equally (0-day threats, exploits and shellcode..)

  2. costinel says:

    2016 update:
    You can directly mount everything without having to patch:
    – the iso (I like the devmon/udisksctl command because I don't need to create the mount directory; it creates/mounts/deletes automagically)
    – the squashfs file (mount -t squashfs)
    – the ext3 image (mount -t ext3)

    Then merge everything for read-write access like this:
    mount -t overlay overlay -olowerdir=/mnt/ext3,upperdir=/mnt/upper,workdir=/mnt/work /mnt/merged

    Next:
    bind mount the cdrom into /mnt/merged/mnt/cdrom, or else it will complain about a corrupted virus database

    bind mount /tmp into /mnt/merged/tmp

    bind mount /proc into /mnt/merged/proc

    bind mount the target directory(s) to scan into /mnt/merged/discs/disc0, 1, 2 ... N

    This way you store only the iso on the filesystem, with no additional files left around. When finished, unmount everything.

    You don't need to export DISPLAY; just the xhost command is enough.
