Critical Flaw Found In Virtually All AV Software

Securityemo writes "The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here's the original research paper." El Reg notes that "The technique works even when Windows is running under an account with limited privileges," but "it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC."

AHHHHHHHH

Everybody turn your PCs off NOW! Why are you still reading?

Re:AHHHHHHHH

[armanox]

Still reading because I'm running Linux?

Joke's on them!

[Abstrackt]

I don't run AV software! Ha!

Not really new

[Florian+Weimer]

These problems have been known for a while and used to defeat e.g. systrace in OpenBSD (CVE-2007-4305). It also does not affect AV software per se, but anomaly-based detection, which kicks in only if something bad is already running on your machine. If this approach is actually used in the wild, detection logic will be added for it. Business as usual, really.

Re:Not really new

[Christophe+Devine]

Yep. Furthermore this requires not just admin privileges, but also being able to load a kernel module which has been severely restricted under 64-bit Windows (the driver's catalog has to be signed by Microsoft). Still, many people use Windows XP with an admin account, but the flaw itself does not lie with the AV themselves -- a few of them will even warn when a program attemps to load a unsigned kernel driver. KAV also warns when running an unsigned program from outside Program Files.

However for compatibility with existing malware^W legitimate corporate drivers, Microsoft decided not to block the loading of unsigned kernel drivers in Windows 7 32-bit. In fact NX protection is neither enabled by default in 32 and 64-bit versions (it can be enabled manually in the "Advanced systems settings" tab).

Re:Not really new

[Christophe+Devine]

Hmm obviously I read the article too quickly, this attack does not depend on loading a kernel driver. My bad ;)

Re:Not really new

[riskpundit]

While this is surely interesting research, there are far simpler ways of bypassing AV software. Drive-by browser-based attacks of the type exemplified by Zeus and Koobface are far easier to execute. Today, attackers are focused on stealing money and intellectual property. They will take the path of least resistance. The AV vendors have yet to respond to the more obvious existential threat to their existence.

No way around strict privilege separation

[Arancaytar]

So it seems that relying on runtime checks doesn't just slow the system down, but also is vulnerable to concurrency attacks.

That may be alarming, but it's not like antivirus software was ever powerful enough to let users shut off their brains when using their computer.

Re:No way around strict privilege separation

[Sycraft-fu]

Also AV's main power for a long time has been on access/creation scanning. More or less it stops the viruses before they've a chance to become active. You run a virus scanner and anything coming in from the web, or a flash drive, or whatever is scanned. If a virus is detected, access is blocked. The virus can't get around that, since it isn't running. The AV stops it cold, before it has a chance to try anything.

Now that's not perfect, of course, the AV software has to have a signature for the virus, but it works pretty damn well. It is a good layer of security. Shouldn't be your only layer, but no layer should be your only layer.

This attack sounds like it is more useful against behavioural anti-virus. The AV notices a program doing shit it shouldn't and tries to stop it. Another good layer to have, but getting around it only gets you anywhere if you got the program to run in the first place.

As you say though, no matter what you just can't shut your brain off. There is no such thing as perfect security, physical or otherwise, and anyone who sells it to you is lying. Good security requires defense in depth and requires someone to be watching to make sure things are working and not getting broken through. AV software is useful, firewalls are useful, privilege separation (like UAC or sudo) is useful, but all of them still need you as a user not to be an idiot about it.

All AV software?

[xulfer]

All AV software seems a little broad. This only seems to cover virus utilities that prevent viruses from attaching in the first place. I fail to see how this vulnerability would affect the large portion of av utilities that are simply scanners... e.g. clamav, etc.

Ubuntu

[Das+Auge]

Since switching to Ubuntu, over three years ago, I haven't used AV.

I suppose that someday Linux will become a real target for virus writers; but between the good security model inherent ot UNIX-based OSes and common sense, I doubt I'll need one for a long time.

Re:Ubuntu

[siride]

The Windows NT security model is actually more advanced and capable than the base Unix security model. It's only because of culture, better-written 3rd party programs and marketshare that Linux/Unix doesn't have a malware problem.

Re:Ubuntu

[Architect_sasyr]

I'd like to just step in here and point out that the security model means shit to a virus writer - so what I can't get root on your desktop, I can still encrypt your entire home directory and delete everything I have access to with just a simple program. The whole push for administration rights is only necessary when you need to hide the software, but if all these linux users aren't running AV, then what's the point of trying to hide yourself before you can get your root privileges. Someone, somewhere, will run a sudo command eventually...

Re:Ubuntu

[Runaway1956]

Das Auge made a reasonable statement - and you respond with that old stupidity. "It's all about market share". Windows NT security model is in now way, shape, or form, "superior" to *nix security model. It is true that Linux gains a bit of security through obscurity. Market share does play a role. But I've said it before, I'll say it again: Linux systems, worldwide, guard more money and data than it would take to make thousands of hackers filthy rich. If it were easy, they would have done it already, instead of fighting over that huge Windows market share.

Re:Ubuntu

I can still encrypt your entire home directory and delete everything I have access to with just a simple program

Which is totally profitless to a virus writer. I haven't even seen a virus like that on windows for decades and windows have millions of viruses written for it.

Someone, somewhere, will run a sudo command eventually..

So what if they do? Executing the sudo command is limited to the program you're sudo-ing, not your whole session. A program can't wait in the background and get root when someone types sudo.

Also you're side stepping the whole issue that most Linux distributions provide you with all the software you need so the whole running a third party executable is much less likely to happen. The only exceptions I can think of are Google Chrome and Dropbox.

I'm not saying Linux is infallible however the examples people like you list to try to pretend a Linux system is "just as bad" at security are ridiculous at best.

Re:Ubuntu

[__aasqbs9791]

Really? seems to differ and wasn't the only reference I could find for microsoft.com defaced (seventh link).

Re:Ubuntu

[sjames]

In what way? And is it superior in totality or just superior to the parts of the linux security model that are actually used these days?

Of course, Linux may not have as much market share, but it is a much more attractive target. One critical server running linux is worth a lot more than 1000 XP desktop machines running solitaire.

Re:Ubuntu

[Runaway1956]

http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xv_04-2010.en-us.pdf
Targeted attacks focus on enterprises
Targeted attacks using advanced persistent threats (APT) that occurred in 2009 made headlines in early
2010.6 Most notable of these was the Hydraq Trojan (a.k.a., Aurora).7 In January 2010, reports emerged
that dozens of large companies had been compromised by attackers using this Trojan.8 While these attacks
were not novel in approach, they highlighted the methods by which large enterprises could be compromised.

http://www.informationweek.com/blog/main/archives/2010/01/significant_wor.html;jsessionid=KDF2YBU4HXNKLQE1GHPCKH4ATMY32JVN

http://manageddatacenter.searchdatacenter.com/taxonomy/taxkey;root_1387_1332_204/DC-category.htm
Current FBI estimates indicate that malicious software and attacks targeting identity theft cost American businesses and consumers more than $50 billion a year. (note BUSINESSES)

The point being, enterprise is vulnerable. It isn't just the home user who is targeted, nor is it just the home user that is compromised. Malware costs corporate America billions every year. How many billions is debateable - one alarmist estimate places it at hundreds of billions, and others pooh-pooh that with overly conservative estimates.

Fact is, enterprises are compromised almost every day.

Re:Ubuntu

[Antique+Geekmeister]

What? "Culture", better written _core_ utilities, and the open access to the base software rather than the secretive and obscure security models of NT all contribute massively to Linux security by comparison. The smaller system components are easier and safer to do well. Also, while the kernel of NT was based on VMS when David Cutler stole his old work from DEC, it was forced to integrate numerous historical poor choices of DOS, Windows 3.x, and Windows 95 to provide backwards compatibility. These have been a _disaster_ in security terms, and very difficult to address due to the closed nature of the code and difficulty of upgrading other components to preserve compatibility.

Some of the most "secure" components of NT, such as Active Directory, are actually due to its integration of far more secure open source components such as Kerberos, and its use of open standards such as DNS, DHCP, and LDAP to replace Microsoft's older versions of "NetBIOS" (which they also did not invent, it came from IBM and IBM discarded it years ago).

Re:Ubuntu

[hairyfeet]

Can I call bullshit please? Y'all want to know that "magic secret" as to why even with all that money floating around Linux don't get hacked, and Windows does? Here you go...

Uuuhhhhh....I really hate to burst your reality bubble there, bud, but there is a reason why all the Linux servers aren't getting pwned and the Windows desktops are. It is because they have these things called server admins and they are usually pretty damned smart. They are also really anal retentive when it comes to anything security related. With good reason, after all they are getting paid the big bucks to be. Meet Glenn. Say hi Glenn (I'm busy, go away) not a very social creature, Glenn is a Linux server admin. He spends most of his time on security websites and learning about the latest nasty when he isn't testing a new tweak on the test server to see if he can get an extra .05% performance under load. In his free time he enjoys black hat conferences, which his employer is happy to pay him to attend.

Now we are going to meet an average Windows desktop user. Meet Velma. say hi Velma (Hi Y'all!) isn't she sweet? Little Velma works at the local insurance agency. They love her there because she can take one look at a customer and without looking up a shred of paperwork say something like this "Hi Bob! How's your oldest girl? You know she's about ready to get her learner's permit so I've already looked up the most affordable coverage for her. Does she have really good grades? She can get an extra discount if she does" and so on. Little Velma is really good at generating sales. She is sweet and friendly and always knows your name and remembers all about your family. Everybody loves little Velma.

/cue ominous music/......But we here in the PC business have a nickname for little Velma, one that she don't know about but is well earned it is....the disaster area! Dum dum dum! That is because little Velma is the trusting kind of sort, and on a computer that equals danger. Let's watch as little Velma interacts with her friendly neighborhood PC repairman, a big but lovable biker looking chap known on the net as hairyfeet.../feet/Now Velma, we have talked about this. you shouldn't mess with email attachments, I don't care who they are from. And if it is a .zip that you have to put a password to open it is a virus and you shouldn't touch it! /Velma/ But my bff Kim sent me this! See there is her name and everything! I'm sure it will be safe! /feet/Velma look, it is an executable and NOT happy puppy pictures! Do NOT run that! /Velma/ Oh, you worry too much. My bff Kim wouldn't send me anything bad. (inputs password, runs .exe, porn popups start flooding the screen while the network gets pounded) ooops. /feet/ .......

And now you have seen an actual demonstration of why Linux is safe on servers. It is safe on servers because it is administered by guys like Glenn, say goodbye Glenn (I'm busy!) and does NOT have any Velma types mucking it up. Say goodbye Velma (Bye Y'all!). If you were to let Velma and all her friends loose on Linux if they didn't break them immediately they would become spambots in no time. It is because the malware writers have already figured out how to use a sinister concept called social engineering to target Velma and her types VERY effectively. Glenn isn't very social (Bite Me!) and is a naturally cynical creature and therefor social engineering really isn't an effective tool on his type. This is why Linux can enjoy the freedom to operate on some many servers across America without the constant malware like poor Velma gets. Tune in next week when we meet Bob, the Windows network admin, also known as the "where the hell is the damned disk?" guy.

Re:Ubuntu

[toadlife]

A program can't wait in the background and get root when someone types sudo.

When password caching is turned in (like it is by default in Ubuntu) yes, it can.

Re:Ubuntu

[Sir_Lewk]

A program can't wait in the background and get root when someone types sudo.

Actually, it most certainly can. Exercise a little creativity.

Alias 'sudo' for a user to script in the user's home directory that looks like sudo, and even executes sudo as the user thought they were, but also logs whatever password they typed. Bamn, no you have the users password and (in the vast majority of cases) the ability to gain root. All of this is quite easy to do, I've done it myself in the past. Takes about 3 minutes to bang it out.

It should be noted that this can also easily be done for 'su'. The trick is rather blunt, and anyone that thought too look for it would immediately notice it, but if your target isn't suspecting you are good to go.

I'm not saying Linux is infallible however the examples people like you list to try to pretend a Linux system is "just as bad" at security are ridiculous at best.

Agreed, full heartedly.

Re:Ubuntu

[Runaway1956]

But, an earlier poster mentioned the fact that corporate and financial institutions have all this money to pay high powered administrators. If the administrators are working with a decent operating system, and if the administrators are competent, then Enterprise is safe, right? And, the military too, right?

How's that British thing working out now? Windows for Submarines? The last I heard, it was down. Who has more expertise in securing computers than the US or the UK departments of defense? If THEY can't secure Windows, then who can?

Re:Ubuntu

[amorsen]

ACL's don't make a ton of sense in the default configuration, and few people use them correctly (but luckily on Linux hardly anyone besides me uses them at all, so the problem is limited).

The "shitty" user/group/others system is understandable by regular users and they tend to use it correctly. There are cases where it isn't flexible enough. Most of those can be handled by asking the systems administrator (which tends to be the user anyway, these days) to set up an extra group, but otherwise setfacl works fine.

Re:Ubuntu

And if Velma's desktop were set up properly, with her having a non-administrative account and the home partition mounted non-executable? Oh right, she wouldn't be able to run the malware.

Re:Ubuntu

[drsmithy]

The Windows and Linux security models are virtually identical if you exclude MAC (SELinux etc.).

Except for NT having no concept of a superuser and Linux utterly dependent on one to implement nearly all aspects of a usable system.
Except for the finest granularity in Linux being the group and in NT the user.
Except for the utter nightmare in Linux trying to create exclusionary or complicated sets of permissions with multiple users and/or groups.
Except for the NT ACLs applying to nearly all objects in the OS, and in Linux only things represented in the filesystem.
Except for NT ACLs controlling nearly all ways to manipulate an object and in Linux being limited to read, write and execute.

"Virtually the same" my arse. NT's security model is vastly more capable than traditional UNIX's.

The main difference is that people actually understand the basic Unix model of users and groups and so they often manage to set their file permissions to something relatively sane. Practically noone uses the full power of ACL's on either system.

NT's permissions capabilities are a superset of Linux's. If someone understands the latter, then they can implement something *at least* as good on the former with the same amount of effort.

Re:Ubuntu

[__aasqbs9791]

...Don't you think someone would love to serve malware from, or deface microsoft.com? It hasn't been,...

Was the part I was responding to not bold enough for you? There, I fixed it for you.

Re:Ubuntu

[siride]

No, that's a shell feature. KDE and GNOME have had the same flaw. You name something .desktop and it will be executed/interpreted by the KDE/GNOME shell. The NT kernel uses the same mechanism as Unix for permissions.

Re:Ubuntu

[Runaway1956]

Remedial reading 101 at a community college near you. Take it.

I SAID that Linux systems guard more than enough money and data to make thousands of hackers rich beyond their wildest dreams. I never inferred that they guard more money and data than Windows systems guard. While the latter MIGHT be true, I don't have the data necessary to draw such a conclusion. Common sense says that it's probably NOT true.

Re:Ubuntu

[wumpus188]

That is why I always type /usr/bin/sudo instead of just sudo. And people call me paranoid...

Re:Ubuntu

[517714]

Nobody calls you paranoid, you just think they do.

Re:Ubuntu

[drsmithy]

bullshit. While it's true Windows has been victimized and targeted, there are fundamental security design flaws in NT that you won't find In UNIX.

For example ?

On UNIX, if you don't root the machine, you haven't taken it, and it's no trivial task to do remotely.

Funny you should mention root, given that a superuser is a fundamental design flaw Windows NT _doesn't_ have.

So..

[Anrego]

Anti virus software has become increasingly ineffective? Potentially opens up even more venues for attack! The Windows system of limiting privileges isn't always effective??!!??!!

Next you'll be telling me that fire is hot, water is wet, sci.. you know the rest

I mean this is cool and all, it's a neat discovery... but I think the whole concept of anti virus software is critically flawed and has become completely ineffective.

Re:Flaw explained in plain English here

[phoenix321]

All I see is an article that is applauding Apple for doing infrequent security updates for Safari, contrasted with Firefox, that does security updates with an - for that blogger - absolutely unbearable frequency and install time. Though, in objective reality, Firefox releases an update every two months or so and the update takes about a minute on any recent PC.

Also, I remember the rabid verbal attacks on Microsoft for NOT updating their browser fast and often enough. But Apple isn't perceived to leave known vulnerabilities unpatched like Microsoft did, they are seen as to spare their users from annoyances.

Their marketing dept is godlike.

Anagram?

[Theaetetus]

"Matousec"? Hmm...
"To use Mac"? Hey!

Re:Anagram?

[517714]

"Cat" and "Mouse"

Follow Apple?

[ITI_guy]

If M$ would have only used the App Store model for software distribution we wouldn't need AV at all, and think of the profit!

Re:Antivirus Design Flaw

[Runaway1956]

Long, long, long ago, I was out of town, and my laptop got dicked. I wasn't about to pay for a new Windows disk, nor did I have time or money to have a professional fix it. I went into a computer shop, talked awhile, and came out with an OnTrack SystemSuite disk, for which I paid about 15 bucks. Booted to it, ran the AV utility, and found nothing. Ran the rest of the utilities, and found that an improper shutdown had corrupted my MBR. Fixed the MBR, and booted up. Money well spent.

And, yes, you are right. That is precisely what the rest of the AV industry needs to peddle. If you can't boot to a clean environment, you're just screwed, whether it be virus problems, or any number of other problems.

Re:Found In Virtually All AV Software

[Runaway1956]

MSSE is important for the following reasons:

1: it's from Microsoft, hence, the nontechies will trust it to run well (The old mentality that "detroit knows best" when it comes to cars)
2: my testing indicates that MSSE is at least as effective as the "free" AV's, and possibly equal to the best paid AV's
3: the semi-computer literate can quickly find that MSSE is far less demanding of resources than almost any other AV
and
4: it's another "free" product which appeals to millions of people - AND any Bing search will probably turn up MSSE ahead of the competition

I've tested MSSE on XP and Win7, and quickly decided that it was more than sufficient for any virtual machine which I chose to protect. Disclaimer: I've not put MSSE to the test in any real world enterprise situation, subjecting it to unwanted testing by hackers/crackers/scriptkiddies.

and this is why LIVE FILESYSTEM ROMs are needed

[RobertLTux]

whatever platform the program is based on if you are booted to the system you are trying to clean then you have already lost ground.

of course a Posix type solution has the advantage of being mostly immune to the viruses on a Windows system.

Re:Antivirus Design Flaw

[Z34107]

That is precisely what the rest of the AV industry needs to peddle. If you can't boot to a clean environment, you're just screwed, whether it be virus problems, or any number of other problems.

I actually wonder why more don't do this. Back when I ran a brand-new copy of Windows 98, my copy of McAfee (I was young and didn't know any better!) came with a boot floppy for just that purpose. Surely with Windows PE the whole process would be trivial - boot to the PE, download the most recent AV signatures, and scan away. You wouldn't even have to periodically refresh the signatures on your floppy.

Re:Is this a joke?

[Opportunist]

Aka Dancing Pig Problem.