Monday, January 9, 2017

More finds from the Shadow Brokers dump

Yesterday, I blogged about the Shadow Brokers dump and some takeaways.  I wanted to introduce another potential takeaway.  One of the lines in this screenshot published by Shadow Brokers says psp_avoidance.  What is Psp_Avoidance?  Is someone looking to avoid the PlayStation Portable?  Paint Shop Pro?  Doubtful...


I downloaded the screenshots published by the Shadow Brokers (which oddly don't include this one).  The download does, however, include the output of a find command run across the dump.  Searching that directory listing for the string "psp" turns up a number of XML files (along with a number of Python files and other artifacts).  Note the output below.
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/avast-actions.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/avast-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/avira-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/comodo-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/drweb-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/kaspersky-actions.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/kaspersky-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/mcafee-actions.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/mcafee-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/microsoft-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/nod32-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/panda-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/rising-actions.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/rising-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/symantec-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/trendmicro-fp.xml
We don't know what pspFPs stands for, but the file names here indicate that psp refers to a security product.  The list also gives us some idea of which antivirus products were of interest to the group Shadow Brokers stole the tools from.

This additional find command output supports the reading that psp is the group's shorthand for a security product: there is a generic PSP module, safety-check modules, and product- and version-specific handlers for Kaspersky and McAfee.
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/actions.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/genericPSP.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/genericSafetyHandlers.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/__init__.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/kasperskyES8.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/mcafee85To88.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/mcafee-epo.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/mcafeeISTP.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/mcafeeLib.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/mcafee.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/mcafeeSafetyChecks.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/windows/checkpsp.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/windows/psp
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/windows/psp/kaspersky.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/windows/psp/shared.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/windows/psp/ver_eleven.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/windows/psp/ver_nine.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/windows/psp/ver_six.py
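To make the search described above repeatable across a listing much larger than the excerpts quoted here, the following Python script (an added example, not part of the original post and not code from the dump) does what was done by hand: it pulls every path mentioning "psp" out of grep-style "file:./path" output, then tabulates, per vendor, whether the dump holds a -fp.xml file, an -actions.xml file, and which Python modules under a psp/ directory carry that vendor's name.  The sample input is constructed from the listings quoted above, with one unrelated line added to show the filter working.

```python
import re
from collections import defaultdict

# Constructed sample input: a handful of lines in the same "file:./path" shape as the
# find-output excerpts quoted above, plus one unrelated line to show filtering.
SAMPLE_FIND_OUTPUT = """\
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/avast-actions.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/avast-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/avira-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/kaspersky-actions.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/kaspersky-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/mcafee-actions.xml
WindowsWarez_All_Find.txt:./Resources/Ops/Data/pspFPs/mcafee-fp.xml
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/kasperskyES8.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/mcafee-epo.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/lib/ops/psp/genericPSP.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/windows/psp/ver_eleven.py
WindowsWarez_All_Find.txt:./Resources/Ops/PyScripts/windows/checkpsp.py
WindowsWarez_All_Find.txt:./Resources/Ops/Data/unrelated/readme.txt
"""

# <vendor>-fp.xml / <vendor>-actions.xml under pspFPs, e.g. kaspersky-fp.xml
FP_XML = re.compile(r"/pspFPs/(?P<vendor>[a-z0-9]+)-(?P<kind>fp|actions)\.xml$")
# any Python module that lives directly in a directory named psp
PSP_MODULE = re.compile(r"/psp/(?P<name>[^/]+)\.py$")


def path_of(line):
    """Strip the 'source-file:' prefix grep adds; return None for blank lines."""
    line = line.strip()
    if not line:
        return None
    _, sep, rest = line.partition(":./")
    return "./" + rest if sep else line


def psp_paths(text):
    """The post's search: every path in the listing that mentions 'psp' (case-insensitive)."""
    paths = (path_of(line) for line in text.splitlines())
    return [p for p in paths if p and "psp" in p.lower()]


def inventory(text):
    """Map each vendor to the kinds of PSP artifact the listing holds for it.

    Kinds are 'fp' and 'actions' (from the XML names) and 'module:<name>' for
    Python files under a psp/ directory; modules whose name does not start with
    a vendor seen in pspFPs are filed under 'generic'.
    """
    vendors = defaultdict(set)
    modules = []
    for path in psp_paths(text):
        m = FP_XML.search(path)
        if m:
            vendors[m.group("vendor")].add(m.group("kind"))
            continue
        m = PSP_MODULE.search(path)
        if m:
            modules.append(m.group("name"))
    known = sorted(vendors)  # snapshot before the 'generic' bucket is added
    for name in modules:
        owner = next((v for v in known if name.lower().startswith(v)), "generic")
        vendors[owner].add("module:" + name)
    return dict(vendors)


if __name__ == "__main__":
    for vendor, kinds in sorted(inventory(SAMPLE_FIND_OUTPUT).items()):
        print(f"{vendor:12s} {', '.join(sorted(kinds))}")
```

Run against the real WindowsWarez_All_Find.txt (read the file and pass its contents to inventory), the output is a per-vendor view of what the toolkit carries: vendors with only an -fp.xml file versus those that also have an -actions.xml file and dedicated Python handlers.  The vendor names are learned from the pspFPs file names rather than hard-coded, so a product that appears only as a module (or only as an XML file) still shows up.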
A few Google searches later, this one with the obvious terms "psp computer network operations", we get back as the fifth result this wonderful page from ManTech.  It details the ACTP CNO Programmer Course.  The course documentation indicates that PSP is an acronym for "Personal Security Product."


Thanks ManTech!

So, circling back around, what is Psp_Avoidance?  Obviously, we don't know for certain, but if the acronym is correct, it would seem to be software built to evade personal security products, which the directory listings (and ManTech's course description) suggest are antivirus programs.

Should you run antivirus products? Sure. At Rendition Infosec we tell customers that operating without AV is like driving a car with no airbags. But this dump suggests that advanced attackers have mitigations for antivirus products, a sobering reality for organizations without defense in depth.  Bottom line, AV is valuable, but the new dump casts a shadow on the effectiveness of antivirus against APT attackers.
