Article "Exposes" Adaware SE problems???
Results 1 to 9 of 9

Thread: Article "Exposes" Adaware SE problems???

  1. #1
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564

    Article "Exposes" Adaware SE problems???

    I have been using this app since it came out, although since Windows Antispyware beta and Windows Defender, I haven't really kept it up to date, and feel it is a bit redundant now with everything else that is out there.

    But this article purports to show that Adaware SE has some glaring vulnerabilities....forsooth...

    Ad-Aware PR
    By: roy_batty

    [Abstract]
    Ad-Aware is a poorly written anti-spyware program from Lavasoft. Running
    it gives you a false sense of safeness. There can be done numerous attacks
    against this software. I'll show some of the problems and attacks in this
    write-up. Here's just a summary of the most visible problems I've run into.

    1. Definition file
    1.1. "Encrypted" with xor \
    1.2. Packed with ZIP with simple password - trivial to intercept def
    updates and change the defs
    to make the malware invisible
    1.3. No checksum in the def file /
    1.4. Big redundancy in the def file
    1.5. !!! Multiplying the number of entries in the def file with constant
    1.46 to make it look it has more definitions !!!

    2. Program
    2.1. Poorly written checksum algo
    2.2. Poorly written scanning algo (slow as hell)
    2.3. CSI works only for in-memory images and is useless

    You want the proofs? Read the following text ...



    ---------------------------------------------------------------------------

    1. [Intro]
    "Lavasoft is the industry leader and most respected provider of
    anti-spyware solutions. Lavasoft develops and delivers the highest quality
    antispyware solutions to keep your computer or network free of
    compromising and intrusive threats to your privacy."

    --

    This write-up reviews the industry leading antispyware solution from the most
    respected provider of anti-spyware solutions - Ad-Aware from Lavasoft. I
    will show that this software is just a piece of crap, nothing more,
    nothing less. PR sells, right?

    2. [Ad-Aware SE]
    "Ad-Aware SE is the latest version of our award winning and industry
    leading line of antispyware solutions and represents the next generation
    in Spyware detection and removal. It is quite simply the most advanced
    solution available to protect your privacy. With the all new Code Sequence
    Identification (CSI) technology that we have developed, you will not only
    be protected from known content, but will also have advanced protection
    against many of their unknown variants. "

    --

    2.1. "Encrypted" with xor
    The reference file defs.ref is just a plain ZIP file that is then
    "encrypted" using following algo.

    void decode_mem(char *b, unsigned int b_s)
    {
    static char decode_string[] = "\x00\x50\x50\x50\x50\x50\x50\x50\x68\x69\x73\x20\x70\x67\x67\x67\x67\x67\x67\x20\x6d\x75\x73\x74\xe0\xe0\xe0\xe0\xe0\xe0\x6e";

    int unsigned y = 0;
    for(unsigned int x = 0; x < b_s; x++)
    {
    b[x] ^= decode_string[y];
    if(++y == (sizeof(decode_string) - 1))
    y = 0;
    }
    }


    Pointer b points to memory with the content of defs.ref and b_s is just
    size of the buffer.

    2.2. Packed with ZIP with simple password
    After "decrypting" there is a ZIP file with file 29388543757543549 inside.
    The file name is visible in ad-aware.exe. The ZIP file is password
    protected and the password is "This program ^u@_LSstreams145681902". First
    part of the password [This program ^u@_LSstreams] is in plaintext inside
    ad-aware.exe, second part is created runtime.

    2.3. No checksum in the def file
    After "decrypting" and decompressing there is a definition file with
    following structure.

    [header]
    [family names]
    [www names]
    [family descriptions]
    [obj_stream]

    offset size description
    32h WORD? internal build
    80h ???? version of ref file, ends with 0ffh
    100h ???? family names, separated by 0ffh, ends with 0ffffh
    ???? ???? www names, separated with 0ffh, ends with 0ffffh
    and content of ini file
    (comments for family names)
    gets stored to description.ini

    ???? ???? stream of objects ... starts with word OBJ_STREAM(n)[x]
    where n is prolly number of the stream streamu (1 for now)
    - IMHO preparation for incremental updates -
    and x is nunmber of objects in the stream
    at the end of stream there is 0ffffh again

    [Example of reference file, info gives ad-aware directly]
    Definitions File Loaded:
    Reference Number : SE1R47 24.05.2005 offet 80h
    Internal build : 55 offst 32h
    File location : G:nadanadadefs.ref ...
    File size : 435074 Bytes file size before decompression
    Total size : 1439523 Bytes file size after decompression
    Signature data size : 1408291 Bytes sizeof(family descriptions) + sizeof(obj_stream)
    Reference data size : 30720 Bytes family names size
    Signatures total : 40174 [x] * 1.46 + www names
    CSI Fingerprints total : 886 entries in OBJ_STREAM with type 0f0h
    CSI data size : 30371 Bytes sizeof entries with type 0f0h
    Target categories : 15 known before
    Target families : 679 count of family names



    There is no checksum of the content of the definition file nor is the file
    signed. It is trivial to modify the content of the file, for example
    modifying checksums of malware binaries by malware that wants to hide
    itself from Ad-aware is thus really _very_ easy.

    2.4. Big redundancy in the def file
    The definitions consist of registry keys, www sites, file names and the
    most visible part form the checksums of malware binaries.


    [ Snippet from defs.ref]
    ...
    3830397280 10842529196097280 97280
    3657194622 106199918742094622 94622
    3830994208 1059056701129094208 94208
    3697194208 105862934264094208 94208
    3697194210 1058568963132094210 94210
    ...


    Every checksum entry consists of a header, reference to family name and
    three ASCII numbers. Two of the numbers are checksums concatenated with file
    size and the third one is the file size.


    ...
    38303[97280]
    108425291960[97280]
    [97280]
    ...


    2.5. Poorly written checksum algo
    Computation of first level checksum


    unsigned int compute_first_level_fingerprint(unsigned char *b)
    {
    unsigned int checksum = 0;

    for(unsigned int x = 0; x < 0x600; x += 0x20)
    {
    checksum += b[x];
    checksum += x;
    }

    return checksum;
    }


    Computation of second level checksum


    unsigned int compute_second_level_fingerprint(unsigned char *b, int l)
    {
    unsigned int checksum = 0;
    unsigned int x = 0;

    for(; x < 0x2000; x += 0x2)
    {
    checksum += b[x];
    checksum += x;

    if(x >= (l - 2))
    break;
    }

    for(x = (l >> 1); x < (l >> 1) + 0x7ffc; x += 0x2)
    {
    checksum += b[x];
    checksum += x;

    if(x >= (l - 2))
    break;
    }

    return checksum;
    }


    Pointer b points to buffer holding content of the file, l is the
    buffer/file size.


    ...
    sprintf(size, "%d", x);
    sprintf(first_level, "%d%d", compute_first_level_fingerprint(b), x);
    sprintf(second_level, "%d%d%d%d", compute_second_level_fingerprint(b, x), (unsigned char) b[x >> 1], (unsigned char) b[x - 4], x);
    ...

    first_level now holds the first level checksum
    second_level now holds the second leve checksum
    size now holds the file size



    Now we can just do a string compare against checksum entries in data file.
    If match is found, the fourth word is a index into family names string
    list. There are also entries that have description incorporated, but the
    entry structure is very easy to guess - feel free to explore it on your
    own.

    As you can see, the checksum is really very basic one and could be easily
    spoofed. Colisions are easy to find. Next thing is the ASCII format of the
    checksums and file size concatenating.

    Lavasoft claims "Now Ad-Aware and Ad-Watch Use much smaller
    reference files" and I just have to say: you really want me to believe
    that?

    2.6. !!! Multiplying the number of entries in the def file with constant
    1.46 to make it look it has more definitions !!!
    And the last and the worst thing about definition file. They take the x
    number from OBJ_STREAM (ie. the real object/entries count in the
    definition file) and MULTIPLY it with number 1.46 and this value is then
    showed to the user as REAL number of definitions in the file. WTF?? They
    must be kidding me!

    2.7. Poorly written scanning algo (slow as hell)
    "Scanning speed increased" is written in PR blablas that come with
    Ad-Aware SE. I must laugh when I hear this. I must laugh _very_ loudly.

    The psudo-C code of Ad-Aware file scan algo follows.


    for entry from entries
    {
    alloc_mem(file_size);

    read_file_to_memory(); // no memory mapped files, ReadFile()
    count_checksums();

    if(does_match_entry(entry, checksums))
    break;

    free_mem();
    }


    The real "Scanning speed increased" algo follows.


    map_file_to_memory();
    count_checksums();

    for entry from entries
    {
    if(does_match_entry(entry, checksums))
    break;
    }
    unmap_file_from_memory();


    So if you run the Ad-Awares file scan and you hear disk making noisy
    sounds, it's not like Ad-Aware is doing a good job finding the malware on
    your drive. It's just it uses very poorly written algo, that makes a lot
    of unnecessary disk reads thus wasting resources of your computer.

    2.7. CSI works only for in-memory images and is useless
    "Uses our all new CSI (Code Sequence Identification) technology to
    identify new and unknown variants of known targets"

    Oh. What a technology! I wondered how they're doing this, I was thinking
    about some emulation engine, code shrinker, advanced pattern matching ...
    I also thought (everyone must think that) that CSI is used on file
    scanning basis. It's not. CSI scanning is used only when scanning memory
    and thus ... is useless. Another PR blabla.

    3. [Outro]
    "Lavasoft's Ad-Aware SE, the world's leading brand in antispyware
    solutions, has been acknowledged and awarded in variety of distunguished
    magazines and publications all over the world."

    --

    Acknowledged!

    btw it's not just a coincidence that the Ad-Aware engine uses another PR
    crap firm F-Secure in their products for fighting with spyware. Nice
    simbiotic.

    This text was written in the city of Sofia
    (C) 1999-06 Roy Batty, who is a stranger in the world he was made to live in
    roy.batty@phreaker.net

    Eddie lives...somewhere in time
    Source
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Registration Complete
    Your account has now been setup and your password has now been emailed to
    Only one way to find out? I just joined the beta test team for the 2006 product
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    Originally posted here by nihil
    Only one way to find out? I just joined the beta test team for the 2006 product

    keep us in the loop nihil...regular reviews and such......
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  4. #4
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Greeting's

    Its not much of a shock to read something like this for Ad-Aware, anyway I have been with the BETA program of theirs for last 6-7 months. My personal experience with the program has been very bad. Here are some of the things that happen's on a regular basis.

    1. The first and most important one is that THE MD5 CHECKSUM FOR THE FILE FAILS ON A REGULAR BASIS WITH THE ACTUAL FILE THAT YOU DOWNLOAD. I have sent SHA512 of the file who's checksum did not match but with no avail

    2. Most of the Defs are filled with crap entries and will give lot of false-positives (and I mean a lot there have been more then one occasion where the file's were re-released). Well I do agree with the BETA testing risks but a company with such high name shouldn't perform this way. Its like they hand you the ALPHA file.

    Its been a month since I stopped taking part in the program. I have since uninstalled Ad-Aware. I will agree that I have used it till date everyday with Spy-Bot but after taking part in their BETA program, lavasofts image changed in my eye's..... Anyway Nihil take care using the apps and def file's
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  5. #5
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    And if we read some of the follow-on comments after the article...lol

    Hey braniacs, if Ad-Aware sucks as bad as you claim, then why don't you
    re-write it's supposedly horrendous coding to be more efficient and send it to Lavasoft so they can improve it?

    Or would you rather just sit on your high horses and yap about a product that is considered by 99% of most computer experts to be one of the best free anti-malware programs ever made?

    Again, it's freeware, you knuckleheads. Contribute to its improvement or shut your freakin' pieholes
    Connection refused, try again later.

  6. #6
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hey, ByTeWrangler thanks for the heads up. I shall test it on labrats/crash dummies not production machines..............I don't have a MAC OSX

    Relyt Yeah I saw those as well, nice little flame war developing I thought.

    I don't really know what to make of the article though as I have never heard of the guy, and a lot would depend on his skills at reverse engineering/decompiling.

    He seems to have a bit of an axe to grind, going by his dig at F-Prot?

    The article is supposed to have been written in Sofia, which is the capital of Bulgaria, and I think he got his name from "Blade Runner"

    But apart from that?
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  7. #7
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    Well I have tried to find something that would support this guy's findings, but there is nothing else out there at this time, would be interesting to see what Lavasoft has to say about it, if in fact these problems are legit.

    Not much in this guy's profile, so am curious why he would be anon...maybe an ex-employee of f-secure or Lavasoft???? does sound like a personal thing....

    Would like to see more come out on this, as I see a general decline in others as well...Spybot S & D is falling behind, Spywareblaster, almost like they are getting ready to merge with someone or go completely corporate?

    Maybe the day's of the "free" antispyware days are over and everyone is going for the $$$.
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  8. #8
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    Just an update on this item...it appears that the Lavasoft Forum is back up and running...

    A vulnerability was recently discovered that could be used to compromise the definition file used with all versions of Ad-Aware SE.

    Once alerted to this risk, our development team together with our research team immediately assessed the threat and produced a solution (currently in BETA) that will ensure the integrity and authenticity of the installed definition file and thus negate any potential risk from this form of attack as long as the user has installed the Ad-Aware Authenticity Check software. Further, the user is guaranteed to receive a genuine definition file as long as they download the file directly from our servers and through the Ad-Aware update and authenticity check system.

    We are currently working towards releasing the first version of Ad-Aware 2006 for beta testing which will be available to experienced testers very soon. We have built in functionality that will provide the user with protection from this and other potential security threats.

    This leads to another area of concern that we address to the entire security industry. It is without a doubt a fact that no one can anticipate or even design for every potential vulnerability in a given security application. Though we and our competitors do everything humanly possible to account for and provide appropriate development that will eliminate known vulnerabilities, it is true that none of us can foresee all vectors of potential attack.

    With that said, independent researchers and testers are an essential part of product improvement when they find and then report potential issues. This however should be done in a responsible manor rather than to place millions of users at risk for nothing more than a sensational story.

    We are appalled at the level of irresponsibility and outright apathy being shown by those who pretend to be providing essential security information and public debate. All too often these organizations and individuals do not care that their information or publication could cause damage to users world wide; rather they look only for the headlines and/or gains they could get from exposing sensitive information and sit basking in the after-glow from the destructive content they helped to develop.

    Yes dear reader, this type of irresponsible behavior and lack of professional ethics helps foster new malicious code and exploit development rather than to bring about positive change or product improvements. How often have computer users been placed at risk just because someone decided it would be a good idea to publish this type of information and for what purpose; just to be first?

    We call on the security news and discussion industry to stop allowing publication of vulnerabilities before developers have an appropriate opportunity to provide corrections so that users remain protected.

    If you are not part of the solution you are part of the problem.
    And I take it, this is their response......

    Lavasoft Forums
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  9. #9
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    I've noticed checksum errors with Spybot (v1.4) updates at times. It's always temporary.

    Beta: it is what it is.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides