Slashdot Mirror

← Back to Stories (view on slashdot.org)

Critical Flaw Found In Virtually All AV Software

Posted by Soulskill on from the if-only-there-were-something-more-monolithic-to-blame dept.

Securityemo writes "The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here's the original research paper." El Reg notes that "The technique works even when Windows is running under an account with limited privileges," but "it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC."

8 of 279 comments (clear)

  1. All AV software? by xulfer · · Score: 4, Interesting

    All AV software seems a little broad. This only seems to cover virus utilities that prevent viruses from attaching in the first place. I fail to see how this vulnerability would affect the large portion of av utilities that are simply scanners... e.g. clamav, etc.

  2. Ubuntu by Das+Auge · · Score: 4, Interesting

    Since switching to Ubuntu, over three years ago, I haven't used AV.

    I suppose that someday Linux will become a real target for virus writers; but between the good security model inherent ot UNIX-based OSes and common sense, I doubt I'll need one for a long time.

    1. Re:Ubuntu by siride · · Score: 4, Interesting

      The Windows NT security model is actually more advanced and capable than the base Unix security model. It's only because of culture, better-written 3rd party programs and marketshare that Linux/Unix doesn't have a malware problem.

    2. Re:Ubuntu by Architect_sasyr · · Score: 5, Interesting

      I'd like to just step in here and point out that the security model means shit to a virus writer - so what I can't get root on your desktop, I can still encrypt your entire home directory and delete everything I have access to with just a simple program. The whole push for administration rights is only necessary when you need to hide the software, but if all these linux users aren't running AV, then what's the point of trying to hide yourself before you can get your root privileges. Someone, somewhere, will run a sudo command eventually...

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    3. Re:Ubuntu by Runaway1956 · · Score: 3, Interesting

      But, an earlier poster mentioned the fact that corporate and financial institutions have all this money to pay high powered administrators. If the administrators are working with a decent operating system, and if the administrators are competent, then Enterprise is safe, right? And, the military too, right?

      How's that British thing working out now? Windows for Submarines? The last I heard, it was down. Who has more expertise in securing computers than the US or the UK departments of defense? If THEY can't secure Windows, then who can?

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  3. Re:Antivirus Design Flaw by Runaway1956 · · Score: 4, Interesting

    Long, long, long ago, I was out of town, and my laptop got dicked. I wasn't about to pay for a new Windows disk, nor did I have time or money to have a professional fix it. I went into a computer shop, talked awhile, and came out with an OnTrack SystemSuite disk, for which I paid about 15 bucks. Booted to it, ran the AV utility, and found nothing. Ran the rest of the utilities, and found that an improper shutdown had corrupted my MBR. Fixed the MBR, and booted up. Money well spent.

    And, yes, you are right. That is precisely what the rest of the AV industry needs to peddle. If you can't boot to a clean environment, you're just screwed, whether it be virus problems, or any number of other problems.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  4. Re:No way around strict privilege separation by Sycraft-fu · · Score: 3, Interesting

    Also AV's main power for a long time has been on access/creation scanning. More or less it stops the viruses before they've a chance to become active. You run a virus scanner and anything coming in from the web, or a flash drive, or whatever is scanned. If a virus is detected, access is blocked. The virus can't get around that, since it isn't running. The AV stops it cold, before it has a chance to try anything.

    Now that's not perfect, of course, the AV software has to have a signature for the virus, but it works pretty damn well. It is a good layer of security. Shouldn't be your only layer, but no layer should be your only layer.

    This attack sounds like it is more useful against behavioural anti-virus. The AV notices a program doing shit it shouldn't and tries to stop it. Another good layer to have, but getting around it only gets you anywhere if you got the program to run in the first place.

    As you say though, no matter what you just can't shut your brain off. There is no such thing as perfect security, physical or otherwise, and anyone who sells it to you is lying. Good security requires defense in depth and requires someone to be watching to make sure things are working and not getting broken through. AV software is useful, firewalls are useful, privilege separation (like UAC or sudo) is useful, but all of them still need you as a user not to be an idiot about it.

  5. Re:Is this a joke? by Opportunist · · Score: 3, Interesting

    Aka Dancing Pig Problem.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.