Slashdot Mirror


Critical Flaw Found In Virtually All AV Software

Securityemo writes "The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here's the original research paper." El Reg notes that "The technique works even when Windows is running under an account with limited privileges," but "it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC."
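The check-then-switch race described in the summary above, as an added example that is not from the original post, The Register or the Matousec paper. It is a single-threaded simulation in which a callback stands in for the second core; all names, paths and the one-path policy are constructed assumptions, and it shows the racy double read beside a hook that snapshots the argument once.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64
static char user_buf[BUF_LEN];  /* constructed stand-in for caller-owned memory */
static char acted_on[BUF_LEN];  /* what the simulated service acted on */

/* Hypothetical policy: the security hook approves exactly one path. */
static int scanner_allows(const char *path) {
    return strcmp(path, "C:\\benign.exe") == 0;
}

/* Stand-in for the original service the hook forwards to. */
static void real_service(const char *path) {
    snprintf(acted_on, sizeof acted_on, "%s", path);
}

/* Models the second core rewriting caller memory between check and use. */
static void concurrent_writer(void) {
    snprintf(user_buf, sizeof user_buf, "%s", "C:\\other.exe");
}

/* Racy pattern: validate caller memory, then pass the same pointer on. */
static int hook_double_fetch(const char *user_path, void (*window)(void)) {
    if (!scanner_allows(user_path)) return -1;  /* time of check */
    window();                                   /* caller memory changes here */
    real_service(user_path);                    /* time of use: second read */
    return 0;
}

/* Hardened pattern: snapshot once, then check and use only the snapshot. */
static int hook_capture_once(const char *user_path, void (*window)(void)) {
    char captured[BUF_LEN];
    snprintf(captured, sizeof captured, "%s", user_path);
    if (!scanner_allows(captured)) return -1;
    window();
    real_service(captured);
    return 0;
}

/* Returns 1 if the service acted on the path that was actually checked. */
int service_saw_checked_path(int (*hook)(const char *, void (*)(void))) {
    snprintf(user_buf, sizeof user_buf, "%s", "C:\\benign.exe");
    return hook(user_buf, concurrent_writer) == 0 && scanner_allows(acted_on);
}

int main(void) {
    int racy = service_saw_checked_path(hook_double_fetch);
    int safe = service_saw_checked_path(hook_capture_once);
    printf("double fetch ok=%d, capture once ok=%d\n", racy, safe);
    return 0;
}
```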

5 of 279 comments

  1. All AV software? by xulfer · Score: 4, Interesting

    All AV software seems a little broad. This only seems to cover virus utilities that prevent viruses from attaching in the first place. I fail to see how this vulnerability would affect the large portion of av utilities that are simply scanners... e.g. clamav, etc.

  2. Ubuntu by Das+Auge · Score: 4, Interesting

    Since switching to Ubuntu, over three years ago, I haven't used AV.

    I suppose that someday Linux will become a real target for virus writers; but between the good security model inherent to UNIX-based OSes and common sense, I doubt I'll need one for a long time.

    1. Re:Ubuntu by siride · Score: 4, Interesting

      The Windows NT security model is actually more advanced and capable than the base Unix security model. It's only because of culture, better-written 3rd party programs and marketshare that Linux/Unix doesn't have a malware problem.

    2. Re:Ubuntu by Architect_sasyr · Score: 5, Interesting

      I'd like to just step in here and point out that the security model means shit to a virus writer - so what I can't get root on your desktop, I can still encrypt your entire home directory and delete everything I have access to with just a simple program. The whole push for administration rights is only necessary when you need to hide the software, but if all these Linux users aren't running AV, then what's the point of trying to hide yourself before you can get your root privileges. Someone, somewhere, will run a sudo command eventually...

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...

  3. Re:Antivirus Design Flaw by Runaway1956 · Score: 4, Interesting

    Long, long, long ago, I was out of town, and my laptop got dicked. I wasn't about to pay for a new Windows disk, nor did I have time or money to have a professional fix it. I went into a computer shop, talked awhile, and came out with an OnTrack SystemSuite disk, for which I paid about 15 bucks. Booted to it, ran the AV utility, and found nothing. Ran the rest of the utilities, and found that an improper shutdown had corrupted my MBR. Fixed the MBR, and booted up. Money well spent.

    And, yes, you are right. That is precisely what the rest of the AV industry needs to peddle. If you can't boot to a clean environment, you're just screwed, whether it be virus problems, or any number of other problems.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br