Critical Flaw Found In Virtually All AV Software
Securityemo writes "The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here's the original research paper."
El Reg notes that "The technique works even when Windows is running under an account with limited privileges," but "it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC."
Everybody turn your PCs off NOW! Why are you still reading?
I don't run AV software! Ha!
They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
These problems have been known for a while and used to defeat e.g. systrace in OpenBSD (CVE-2007-4305). It also does not affect AV software per se, but anomaly-based detection, which kicks in only if something bad is already running on your machine. If this approach is actually used in the wild, detection logic will be added for it. Business as usual, really.
So it seems that relying on runtime checks doesn't just slow the system down, but also is vulnerable to concurrency attacks.
That may be alarming, but it's not like antivirus software was ever powerful enough to let users shut off their brains when using their computer.
All AV software seems a little broad. This only seems to cover virus utilities that prevent viruses from attaching in the first place. I fail to see how this vulnerability would affect the large portion of AV utilities that are simply scanners... e.g. clamav, etc.
Since switching to Ubuntu, over three years ago, I haven't used AV.
I suppose that someday Linux will become a real target for virus writers; but between the good security model inherent to UNIX-based OSes and common sense, I doubt I'll need one for a long time.
Sounds like it's impractical for an actual attack unless you wanted to really pull something off on a machine that you probably already have access to since you can already run binaries on it. Interesting concept but not terribly useful.
Anti virus software has become increasingly ineffective? Potentially opens up even more venues for attack! The Windows system of limiting privileges isn't always effective??!!??!!
Next you'll be telling me that fire is hot, water is wet, sci.. you know the rest
I mean this is cool and all, it's a neat discovery... but I think the whole concept of anti virus software is critically flawed and has become completely ineffective.
All I see is an article that is applauding Apple for doing infrequent security updates for Safari, contrasted with Firefox, that does security updates with an - for that blogger - absolutely unbearable frequency and install time. Though, in objective reality, Firefox releases an update every two months or so and the update takes about a minute on any recent PC.
Also, I remember the rabid verbal attacks on Microsoft for NOT updating their browser fast and often enough. But Apple isn't perceived to leave known vulnerabilities unpatched like Microsoft did; they are seen as sparing their users from annoyances.
Their marketing dept is godlike.
It is far from being a "critical flaw". In the article they say that when running kernel code you can bypass any antivirus. Surprise. Did we miss the point that you first need to gain kernel level privileges?
The real problem behind the AV industry is that almost all Windows users tend to use a user with Administrator level privileges and when they get infected the malware runs with full administrator privileges. If they would use a normal account and not the Windows environment's "root" equivalent we would not talk about this "critical problem" as the malware would need to infect and escalate privileges in order to install a kernel level component, a rootkit.
As previously said, it is far from being a "critical flaw".
I don't understand how antivirus software is ever supposed to detect problems once the machine is already infected. Perhaps vendors should start shipping CDs that can scan the drive and repair without having to boot into the OS.
"It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC"
So, basically a user with administrator privileges or the ability to click "Allow"? Not much of a barrier.
They tested every obscure antivirus program out there, yet they did not test one of the most important ones -- Microsoft Security Essentials.
Seeing how obscure some of the tested AVs are, it's hard to believe their statement that "the only reason there are not more products in the following table is our time limitation."
Was MSE intentionally omitted because it is not vulnerable? Slashdot is more likely to reject such an article... It is actually very likely that MSE is not vulnerable, because Microsoft products do not patch the Windows kernel.
Judge for yourselves what they tested:
3D EQSecure Professional Edition 4.2
avast! Internet Security 5.0.462
AVG Internet Security 9.0.791
Avira Premium Security Suite 10.0.0.536
BitDefender Total Security 2010 13.0.20.347
Blink Professional 4.6.1
CA Internet Security Suite Plus 2010 6.0.0.272
Comodo Internet Security Free 4.0.138377.779
DefenseWall Personal Firewall 3.00
Dr.Web Security Space Pro 6.0.0.03100
ESET Smart Security 4.2.35.3
F-Secure Internet Security 2010 10.00 build 246
G DATA TotalCare 2010
Kaspersky Internet Security 2010 9.0.0.736
KingSoft Personal Firewall 9 Plus 2009.05.07.70
Malware Defender 2.6.0
McAfee Total Protection 2010 10.0.580
Norman Security Suite PRO 8.0
Norton Internet Security 2010 17.5.0.127
Online Armor Premium 4.0.0.35
Online Solutions Security Suite 1.5.14905.0
Outpost Security Suite Pro 6.7.3.3063.452.0726
Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION
Panda Internet Security 2010 15.01.00
PC Tools Firewall Plus 6.0.0.88
PrivateFirewall 7.0.20.37
Security Shield 2010 13.0.16.313
Sophos Endpoint Security and Control 9.0.5
ThreatFire 4.7.0.17
Trend Micro Internet Security Pro 2010 17.50.1647.0000
Vba32 Personal 3.12.12.4
VIPRE Antivirus Premium 4.0.3272
VirusBuster Internet Security Suite 3.2
Webroot Internet Security Essentials 6.1.0.145
ZoneAlarm Extreme Security 9.1.507.000
"Matousec"? Hmm...
"To use Mac"? Hey!
Your evaluation of Trollaxor's article is spot on. Opening sentence tells us that his computer is left idle for "weeks at a time" - which might be a fortnight, or six months, or even a year. If he returns to his computer after weeks away from it, the system is going to offer updates anyway - be it Windows or Linux. The computing world doesn't stop just because he has his head up some mummy's ass, or whatever the hell he does at a dig. Hmmmm. Wonder what his wife or girlfriend is doing during all those weeks he is making chummy with old dead boners - I meant bones . . . .
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
If M$ would have only used the App Store model for software distribution we wouldn't need AV at all, and think of the profit!
Can someone tell me what the difference is between this and syscall wrapper exploits which have been known about long enough to be lectured in undergraduate security courses?
This attack requires that badware is already running inside the machine it's trying to attack.
If badware is already running then ... um, how exactly does this attack up the ante?
No sig today...
TFA has discovered "the rootkit".
Okay, so basically your PC has some type of rootkit on it already. Then your AV is ineffective due to some obscure attack. Rent a clue, editors! If you have a rootkit, you are fucked anyway. There is no magical piece of software that will protect you from your machine being owned.... that is the definition of owned.
I can understand the general populace not getting this. I cannot understand Slashdot editors not getting such a basic concept.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
whatever platform the program is based on if you are booted to the system you are trying to clean then you have already lost ground.
of course a Posix type solution has the advantage of being mostly immune to the viruses on a Windows system.
Any person using FTFY or editing my postings agrees to a US$50.00 charge
So basically ...
It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC
Anyone who already has the ability to run a binary on your box can p0wn it ... well, no shit Sherlock. As that applies to every O/S, I wonder why Windows has been targeted as the "guilty party". Ah, Soulskill, say no more ...
And here I thought someone had found an exploit of a common audio-video codec, or just plain DCT or something interesting.
Anti-virus is an arms-race, and IMHO causes about as much problems as it solves. (Except the caused problems are rarely truly evil like the attacks stopped.)
Other examples where anti-virus software just fails;
* Decompression bombs
* McAfee's recent XP borking
* Even good reputable AV seems to have problems catching up with months-old malware
* Let's not start talking performance-hogging
I wish security would be more built-into rather than bolted-on.
I normally use Mandriva, but the P/S (ShuttleX) died and I'm awaiting a replacement.
In the meantime, without another PC, I've been using my WinXP/VooDoo video box that I use for older 3Dfx games. It's all updated and I use Firefox, etc.
Within 24 hours of using it, it became infected and my email account got hacked. I've changed all my passwords, but damn GMail still locked down my mail account and my blog and won't tell me why. Any advice on that?
I hate Windows.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
That's why you should always call su or sudo by absolute paths: /bin/su
Only root should be able to write on /bin
a) People don't as a rule understand or even know about security models, they just work with the system. The way it's configured out of the box defines security in most cases. If you ghost a secure Windows image, you're fine. If you ghost a leaky Linux image, you're not. And vice versa.
b) SELinux is from a user's and administrator's perspective atrocious compared to NT. I don't know enough about the actual implementation to decide whether it is formally less or more secure, but for the moment it sucks.
d) The method in TFA doesn't remove one bit of OS provided security. For example, if you run a program controlled in such a way that it cannot affect files, it still can't.
e) The method in TFA does not by itself stop your virus scanner from catching known viruses, it affects only what happens when code is deemed not to be a virus from the actual scan, but then tries to do something the virus scanner dislikes. You should have been using OS provided security mechanisms instead. So unknown viruses can do bad stuff; but the worst thing a program could do is delete all your documents and send your personal info over the internet, and viruses can already do that (both in Windows and in Linux).
f) The article doesn't mention how vulnerable the products tested are, nor why, nor the success rate. This is probably because this doesn't work quite as well as the researchers advertised.
c) The method in TFA won't work for long anyway, because your viral code is scanned before it can do anything at all. Anti virus products will be immune against this method next Thursday.
...does it run on Linux?
These guys wrote bad examples of SSDT hooks. If you copy the buffers passed in by the user to another location, and then when you pass the call on, use the buffer at the protected location, then the user mode software cannot replace arguments.
Their statement of applicability is ludicrous as well, they clearly didn't check to see if these SSDT hooks performed the copies, they just declared SSDT patching to be insecure.
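The summary at the top of the thread describes the argument-switch race in prose (a benign argument is shown to the hook, then replaced before the hooked routine runs), and the reply just above gives the defence: fetch the caller's buffer once into memory the caller cannot touch, then check and forward only that copy. The C program below is an added illustration written for this page; it is not code from Matousec's paper or from any of the products listed. It runs entirely in user space and simulates both hook designs: `user_args_t`, `policy_allows`, `PROTECTED_PREFIX` and the paths are all constructed for the example, and the `interleave_fn` callback stands in for a thread on another core that rewrites the shared buffer between the hook's check and its dispatch.

```c
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define PATH_MAX_LEN 64
/* Constructed policy for the example, not any product's real rule. */
#define PROTECTED_PREFIX "C:\\protected\\"

/* Simulated syscall argument block living in memory the caller still controls. */
typedef struct {
    char path[PATH_MAX_LEN];
} user_args_t;

/* Called between the hook's check and its dispatch; stands in for a thread on
 * another core rewriting the shared buffer. NULL means no interference. */
typedef void (*interleave_fn)(user_args_t *);

/* Policy check: deny anything under the protected prefix, allow the rest. */
static bool policy_allows(const char *path) {
    return strncmp(path, PROTECTED_PREFIX, sizeof(PROTECTED_PREFIX) - 1) != 0;
}

/* The original service routine the hook forwards to; it records what it received. */
static char last_dispatched[PATH_MAX_LEN];
static int original_service(const char *path) {
    snprintf(last_dispatched, sizeof last_dispatched, "%s", path);
    return 0;
}

/* Vulnerable hook: reads the argument from caller-controlled memory twice. */
int hook_double_fetch(user_args_t *args, interleave_fn between) {
    if (!policy_allows(args->path))      /* fetch 1: the benign value passes */
        return -1;
    if (between) between(args);          /* window in which the buffer changes */
    return original_service(args->path); /* fetch 2: forwards whatever is there now */
}

/* Hardened hook: one fetch into hook-owned memory, then check and use the copy. */
int hook_single_fetch(user_args_t *args, interleave_fn between) {
    user_args_t local;
    memcpy(&local, args, sizeof local);  /* the only read of caller memory */
    local.path[PATH_MAX_LEN - 1] = '\0';
    if (!policy_allows(local.path))
        return -1;
    if (between) between(args);          /* rewriting the shared buffer changes nothing */
    return original_service(local.path);
}

/* Constructed interference: overwrite the argument after it was checked. */
static void swap_to_protected(user_args_t *args) {
    snprintf(args->path, sizeof args->path, "%s", PROTECTED_PREFIX "config.sys");
}

/* Run one hook on a benign argument under interference and report what the
 * service routine actually received, or "denied" if the hook refused the call. */
const char *run_under_race(int (*hook)(user_args_t *, interleave_fn)) {
    user_args_t args;
    snprintf(args.path, sizeof args.path, "%s", "C:\\Users\\Public\\readme.txt");
    last_dispatched[0] = '\0';
    if (hook(&args, swap_to_protected) != 0)
        return "denied";
    return last_dispatched;
}

/* Protected argument, no interference: both hooks must deny it outright. */
int run_protected_no_race(int (*hook)(user_args_t *, interleave_fn)) {
    user_args_t args;
    snprintf(args.path, sizeof args.path, "%s", PROTECTED_PREFIX "config.sys");
    return hook(&args, NULL);
}

int main(void) {
    printf("double fetch dispatched: %s\n", run_under_race(hook_double_fetch));
    printf("single fetch dispatched: %s\n", run_under_race(hook_single_fetch));
    return 0;
}
```

Both hooks deny a protected path that is presented honestly; only the double-fetch hook forwards the protected path when the buffer is swapped after its check. In a real Windows driver the single fetch would be made with the kernel's probe-and-copy routines (ProbeForRead followed by a copy into memory the caller cannot reach) rather than a plain memcpy, but the structural rule is the same: never read a caller-controlled argument a second time after validating it.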
alias /bin/sudo='/the_path_to_my_evil_eavesdropping/sudo'
but wouldn't this work?
alias /bin/sudo='/the_path_to_my_evil_eavesdropping/sudo'
Obviously "/bin/sudo" is not a valid alias. Next time try it first before showing stupid things to the world.
That isn't enough. In bash you can use DEBUG traps to override any command:
lindi@sauna:~$ function f() {
> echo executing evil sudo...
> }
lindi@sauna:~$ trap f DEBUG
lindi@sauna:~$ sudo iptraf
executing evil sudo...
[sudo] password for lindi:
A: NO
Of course it's a valid alias, but only if you actually type out "/bin/sudo" every time.
it's a valid alias in zsh
This is just more evidence that a philosophy I've been following lately is correct. Constant-scan AV is a cure worse than the disease.
From where I'm standing, AV software is meant to address a number of failure modes.
1. Data Loss
Data loss is not solely, or even majority caused, by viruses. The best way to preserve important data is with regular off-machine backups. Most viruses today are more concerned with stealing personal information, or creating a botnet, than with destroying data.
2. Theft of personal information
This is one area where a virus detector is very important. However, constant scan AV isn't necessarily the best solution.
One reason for this is the unrevealed nature of a virus scanner failure. If you are relying on an automated, transparent system to detect viruses and it fails, then you have no real way to know it's not working until you actually get a virus because the scanner has failed. Likewise, if a virus disables the scanner, you won't know because it works in the background.
Scanning before entering personal information will help verify functionality of the scanner as well as ensuring a lack of viruses. Best practice would be to use a read-only medium before bootup to scan using an up-to-date database, ensuring an incorruptible virus scanner scanning a drive that has no ability to execute viruses to bypass a scan.
3. System performance degradation
System performance degradation is a terrible reason to use a virus scanner, a cure worse than the disease. Often the "Virus" on a machine is a virus scanner run amok. Startup scans from incorruptible media can protect against this, better than realtime scanning can.
4. System stability degradation.
Second verse, same as the first. As many or more system stability problems come about due to poorly written or poorly behaved virus scanners than by viruses themselves. Startup scans from incorruptible media can protect better against this than a real-time scan.
With best practices on system settings and behaviors, and frequent backups, you can get better protection, better performance, and lower cost (reduced hardware costs from wasted cpu cycles) than real-time scanning. Why bother with it?
It's been a long time.
"Given a choice between dancing pigs and security, users will pick dancing pigs every time"
Great news everyone. The killer application that Linux was missing all along, to take over the Desktop, is Dancing Pigs.
The main difference is that people actually understand the basic Unix model of users and groups and so they often manage to set their file permissions to something relatively sane. Practically no one uses the full power of ACLs on either system.
---
What's more useful is using the *same* ACLs to control access on a samba server and windows clients.
Very fun! You should try it sometime.
Be sure to use a linux file system with native ACL and XATTR support so SMB can do proper translations between the ACL flavors. I control access by user and group. I don't know where you get that linux's finest granularity is the 'group'...it's the same as NT's -- user level.
That said, NT's access control does have finer level permission granularity.
NT is superior to linux in many ways. It's also closed source. Show me a tool like sysinternals.com's process explorer (avail on windows) on linux. Linux has nothing even close -- yet on windows 1 free tool shows you more about your system than any collection of GUIs can on linux. Linux just doesn't have and seems to not believe in 'instrumentation' -- it doesn't have close to the hooks needed to do everything ProcessExplorer does. It's sad (disappointing, not sad-pathetic).
lsof
Mart
"I know I will be modded down for this": where's the option '-1, Asking for it'?
lsof isn't a GUI tool -- it has no interactive features.
It has a very small subset of procexp's functionality, but it is a _small_ subset.
alias /bin/sudo='/the_path_to_my_evil_eavesdropping/sudo'
The real sudo is setuid root. You'd have to be root in the first place to make your evil dropin setuid root, at which point why bother?
Dewey, what part of this looks like authorities should be involved?
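Several replies in this sub-thread boil down to two checks a user can actually run: whether the name you type resolves to the binary on disk rather than to an alias or shell function, and whether that binary is the root-owned setuid file sitting in a directory only root can write. The script below is an added example written for this page, not code from any poster; `check_shadowing` and `check_setuid_binary` are names chosen here, and it sticks to POSIX sh so it behaves the same under bash and dash. A DEBUG trap is shell state rather than file state and is not covered by these two functions; listing it is a matter of typing `trap` with no arguments at the interactive prompt.

```sh
#!/bin/sh
# Audit how the current shell resolves a command name, and whether the
# resolved binary is a root-owned setuid file in a root-only directory.
# Each function prints one line and returns 0 only if nothing is suspicious.

# Does NAME resolve to an alias or a shell function instead of a file on disk?
check_shadowing() {
    name="$1"
    resolution=$(type "$name" 2>/dev/null || true)
    case "$resolution" in
        *alias*)    echo "$name: shadowed by an alias: $resolution"; return 1 ;;
        *function*) echo "$name: shadowed by a shell function"; return 1 ;;
        "")         echo "$name: not found"; return 1 ;;
    esac
    echo "$name resolves to $(command -v "$name")"
    return 0
}

# Is PATH a setuid binary owned by root, living in a directory that is
# neither group- nor world-writable (so nobody else can swap it out)?
check_setuid_binary() {
    path="$1"
    dir=$(dirname "$path")
    [ -f "$path" ] || { echo "$path: no such file"; return 1; }
    owner=$(ls -ld "$path" | awk '{print $3}')
    if [ "$owner" != "root" ]; then
        echo "$path: owned by $owner, not root"; return 1
    fi
    if [ ! -u "$path" ]; then
        echo "$path: setuid bit not set"; return 1
    fi
    # Columns 6 and 9 of the mode string are the group and other write bits.
    dirmode=$(ls -ld "$dir" | cut -c6,9)
    case "$dirmode" in
        *w*) echo "$dir: writable by group or others"; return 1 ;;
    esac
    echo "$path: root-owned setuid binary in a root-only directory"
    return 0
}

# Usage: sh audit.sh sudo
if [ "${1:-}" ]; then
    check_shadowing "$1" && check_setuid_binary "$(command -v "$1")"
fi
```

The first check answers the "alias /bin/sudo" question directly: it reports how the running shell will interpret the name, whichever shell that is, instead of assuming a particular alias syntax. The second encodes the two facts the replies rely on, that the real sudo is setuid root and that only root can write to its directory, so a failed check tells you which of those assumptions no longer holds on the machine.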
#include "UserImitation.h"
int main()
{
"I think I'll go ahead and click the link. How thoughtful of them..."
"Oh, this is a very professionally done site.
Hey! Why won't respond?
What the!?!?!"
echo "Infection!"
echo "Connection terminated."
--EOF--
echo "CRAP!"
return 1;
}
Not a GUI tool? That wasn't part of your original specification. And what does it matter if it works? It's a sysadmin/developer tool FFS.
And tell me, what does procexp do that lsof in combination with the normal process tools and the standard Unix utilities can't do?
As any security expert will tell you, the best anti-virus is yourself. Don't do things that would bring malicious software into your system, don't make efforts to allow them and install them, and you should be virus free. A person should NEVER rely on the anti-virus software they have installed to do all of the work for them. I've never seen ONE anti-virus block, remove, or find 100% of the viruses out there, so the best thing a person can do is run periodic scans of multiple anti-virus and anti-malware software.
Procexp is 1 integrated GUI tool. All in one.
I didn't say you couldn't tie 20-30 unix utils with bailing wire and duct tape together to give the same information with 1000% more hassle.
The point is simplicity and power. It's all tied together in procexp.
I cannot begin to list all of the features of this free, and easy to use tool that even my non-computer literate friends can use to suspend processes from the GUI. It lets you check stacks, symbols, see I/O, paging memory, of everything or zoom in on 1 process.
It sits in your tray and displays up to 4 configurable icons for cpu/virtmem/physmem/io. Open it and it gives a top-like display with colors (configurable) assigned by process type (sys, threads, compressed, user, job, etc..).
Shows per process IO (not something you can get in top), process permission bits (integrity level), cumulative and instantaneous stats...all configurable. Each process w/properties you can set priority(nice), cpu-affin, start/stop, look at each process's env, look at process in-mem image or on disk, see each thread's stack and traceback -- with full OS symbols. Performance graphs of each process's io, mem usage and cpu usage -- network(tcp/ip) connections w/addr + port...
It has displays like xosview -- 'cept that you hover over any spike and it tells you process name and id. Xosview would be a good top-level start for the graphing function, but there's no tie-in to anything else.
It's NOT just a developer tool -- in fact it ISN't a developer tool -- it's a user tool. It doesn't have much in the way of devel tool tie in if anything. It's to let users explore and find out what's going on in their system.
And it's downloadable from microsoft (they bought sysinternals).
And it's free -- and it's been out for 5 years.
Linux is so far behind in good OS instrumentation for users it's not fair to say that it is behind -- it just doesn't have anything close.
Now if you want something more for developers (but still useful for users), procmon does full tracing of i/o, net, process-changing, and registry accesses to allow you to see how a program interacts with the system (all of the above are configurable with full filters).
But procexp -- more of a user tool and a devel -early-alert tool.
linux has nothing like it and it's unfortunate.
matousec's "argument-switch" attack is fairly reliable
"Fairly reliable" sounds an awful lot like "unreliable" when it comes to avoiding detection. After all, the offending code only has to be detected once before it can be quarantined/deleted/whatever. This also only seems to affect "on execute" scanning, and if it's not being executed, then good luck swapping the code.
https://www.eff.org/https-everywhere
Linux has nothing like procexp, and that's unfortunate for you, because you keep expecting a single huge monolithic app to do all that. Your 'spit and baling wire' comment shows that bias quite clearly.
Let me tell you, from the point of view of a Linux user and professional sysadmin: we don't think it's just 'spit and baling wire'. We like our single discrete tools and the ways we can combine them.
As long as you keep expecting it to be just another Windows, Linux is never going to be satisfactory to you.
Don't give me this we, ... I've been using unix since the late 80's and linux since late 90's.
I have every bit as much as right to say what I want as anyone.
I want a tool that ties it all together for convenience. I don't like to have to load 40 different packages with different levels of support all telling me different ways to install everything, and then having half of it not work, only to be told it's open source and to fix it myself. That's great when I have the time or energy or don't have some project I'm working on.
But it doesn't just WORK and that's the difference between Linux and Windows. Linux has the benefit that when it doesn't just 'work', you have the ability (if you have the time) to perhaps make it work, and you have the ability to tie things together that you might not be able to in Windows.
But things that work in windows outshine linux by far, because the people there take the time to polish them and tie them together, and because MS, controlling everything, makes things fit together. You can't say that about linux. There is virtually nothing about linux (outside of the kernel) that just works .. the kernel works because it is held together by Linus and a few people, but nothing outside the kernel has any guiding person or body so nothing works together and nothing ties together seamlessly. If it did, you could show me your X utility that seamlessly ties everything together that procexp does.
The utilities on the outside that show things have to constantly keep up with a shifting kernel interface that is often -- for good reason, in transition. But too little (maybe) thought is given on how to maintain a powerful-system interface in linux that provides the features that procexp provides in windows.
Don't try to corral me in with windows users. I've spent the majority of my professional and development life on unix and linux doing development. I spend my casual time on Windows, where the interface is far easier to use. Sometimes I like things that just work. Linux (outside of kernel) rarely has that (ok..EXCEPTIONS...there are multiple individual projects that DO Work -- and even distros if you don't push their limits; I use them at home where I run a linux server 24/7 and often download source (tarballs, CVS, bazaar, Git, et al) to roll latest versions to attempt new things or just get existing things ). But _a_ tool to provide a simple summary of your system's activity that allows point and click drill-down? Doesn't exist on linux.
And it's nothing about the preferences of linux users. Speaking as a veteran and speaking for others who aren't who would love such tools.
2001 called, it wants its FUD back.
Stop pretending everything is a mess in Linuxland. It's not, and if you were not mired in your preconceptions, you'd admit that. All is not perfect, and there are rough edges, but despite what you pretend, Windows is not any better; and some of the time it is actually worse (Microsoft hasn't pissed me off lately, so I'm being charitable here).
Especially don't try to pretend that using the sysinternals tools as an example. How long ago was it that those tools were a third party while Microsoft neglected its responsibility to give admins their necessary tooling?
I've used proprietary Unices, I use and admin Windows daily, and they're not any better than Linux. And when you're told that the issue you're having problems with will only be fixed in the next release (for which you'll have to pay), that's about as helpful as 'patch the source yourself'. In fact, it's less helpful. At least on Linux I can patch the source myself. And I have done so.
I don't know about you, but when it comes to the systems given in my care, I prefer to be able to fix things myself, instead of being beholden to someone else who might not share my priorities.
The irony of Linux is that if you are tech savvy enough to use Linux, you wouldn't get malware on Windows in the first place. I haven't had a single malware since '03. My girlfriend managed to get tricked into installing a bogus copy of McAfee a week after I rebooted her machine from a previous virus. If Windows apps were as hard to install as Linux, it would be almost as secure. I agree with hairyfeet, Linux isn't so much better as it simply has different annoyances.
Why would the evil sudo need to be setuid? It just forks the real sudo and keeps track of the I/O, thus gaining the password. No need to replace sudo when you could use the real thing.
Yeah, that made more sense when I first wrote it.