Slashdot Mirror

← Back to Stories (view on slashdot.org)

Critical Flaw Found In Virtually All AV Software

Posted by Soulskill on from the if-only-there-were-something-more-monolithic-to-blame dept.

Securityemo writes "The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here's the original research paper." El Reg notes that "The technique works even when Windows is running under an account with limited privileges," but "it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC."

5 of 279 comments (clear)

  1. Re:AHHHHHHHH by armanox · · Score: 5, Insightful

    Still reading because I'm running Linux?

    --
    I'm starting to think GNU is the problem with "GNU/Linux" these days.
  2. Not really new by Florian+Weimer · · Score: 5, Insightful

    These problems have been known for a while and used to defeat e.g. systrace in OpenBSD (CVE-2007-4305). It also does not affect AV software per se, but anomaly-based detection, which kicks in only if something bad is already running on your machine. If this approach is actually used in the wild, detection logic will be added for it. Business as usual, really.

  3. No way around strict privilege separation by Arancaytar · · Score: 5, Insightful

    So it seems that relying on runtime checks doesn't just slow the system down, but also is vulnerable to concurrency attacks.

    That may be alarming, but it's not like antivirus software was ever powerful enough to let users shut off their brains when using their computer.

  4. So.. by Anrego · · Score: 5, Insightful

    Anti virus software has become increasingly ineffective? Potentially opens up even more venues for attack! The Windows system of limiting privileges isn't always effective??!!??!!

    Next you'll be telling me that fire is hot, water is wet, sci.. you know the rest

    I mean this is cool and all, it's a neat discovery... but I think the whole concept of anti virus software is critically flawed and has become completely ineffective.

  5. Re:Ubuntu by Anonymous Coward · · Score: 5, Insightful

    I can still encrypt your entire home directory and delete everything I have access to with just a simple program

    Which is totally profitless to a virus writer. I haven't even seen a virus like that on windows for decades and windows have millions of viruses written for it.

    Someone, somewhere, will run a sudo command eventually..

    So what if they do? Executing the sudo command is limited to the program you're sudo-ing, not your whole session. A program can't wait in the background and get root when someone types sudo.

    Also you're side stepping the whole issue that most Linux distributions provide you with all the software you need so the whole running a third party executable is much less likely to happen. The only exceptions I can think of are Google Chrome and Dropbox.

    I'm not saying Linux is infallible however the examples people like you list to try to pretend a Linux system is "just as bad" at security are ridiculous at best.