Slashdot Mirror


Critical Flaw Found In Virtually All AV Software

Securityemo writes "The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here's the original research paper." El Reg notes that "The technique works even when Windows is running under an account with limited privileges," but "it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC."
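The check-then-use race the summary describes, modelled as an added illustration that is not part of the story or of Matousec's research; the hook, the handler and the command names are constructed stand-ins, and the rewrite is triggered deterministically where a second core would strike by chance:

```python
# Added model of the argument-switch race described above (constructed;
# not Matousec's code). A hook validates a caller-supplied buffer that is
# still in caller-controlled memory, so the caller can rewrite it between
# the hook's check and the real handler's use. The defence is to snapshot
# the argument into memory the caller cannot reach, check the snapshot,
# and hand the snapshot, not the live buffer, to the handler.

BLOCKED = {b"disable_av", b"format_disk"}   # constructed "bad" commands


def real_handler(command: bytes) -> str:
    """Stands in for the original entry point behind the hook."""
    return "executed:" + command.decode()


def hooked_call_vulnerable(buf: bytearray, yield_point=lambda: None) -> str:
    """Double fetch: checks the live buffer, then re-reads it for use."""
    if bytes(buf) in BLOCKED:            # fetch 1: the check
        return "blocked"
    yield_point()                        # window another core runs in
    return real_handler(bytes(buf))      # fetch 2: the use


def hooked_call_fixed(buf: bytearray, yield_point=lambda: None) -> str:
    """Single fetch: copy once, check and use the same copy."""
    snapshot = bytes(buf)                # private copy the caller cannot touch
    if snapshot in BLOCKED:
        return "blocked"
    yield_point()                        # same window, now harmless
    return real_handler(snapshot)


def run_switch_scenario(hooked_call) -> str:
    """Deterministic replay of the race: the buffer is benign at check
    time and rewritten exactly in the window before use, which a second
    thread on another core only achieves probabilistically."""
    buf = bytearray(b"open_file")

    def rewrite_argument():
        buf[:] = b"disable_av"

    return hooked_call(buf, yield_point=rewrite_argument)


if __name__ == "__main__":
    print("vulnerable:", run_switch_scenario(hooked_call_vulnerable))
    print("fixed:     ", run_switch_scenario(hooked_call_fixed))
```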

26 of 279 comments

  1. AHHHHHHHH by Anonymous Coward · · Score: 5, Funny

    Everybody turn your PCs off NOW! Why are you still reading?

    1. Re:AHHHHHHHH by armanox · · Score: 5, Insightful

      Still reading because I'm running Linux?

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
  2. Joke's on them! by Abstrackt · · Score: 5, Funny

    I don't run AV software! Ha!

    --
    They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
  3. Not really new by Florian+Weimer · · Score: 5, Insightful

    These problems have been known for a while and used to defeat e.g. systrace in OpenBSD (CVE-2007-4305). It also does not affect AV software per se, but anomaly-based detection, which kicks in only if something bad is already running on your machine. If this approach is actually used in the wild, detection logic will be added for it. Business as usual, really.

  4. No way around strict privilege separation by Arancaytar · · Score: 5, Insightful

    So it seems that relying on runtime checks doesn't just slow the system down, but also is vulnerable to concurrency attacks.

    That may be alarming, but it's not like antivirus software was ever powerful enough to let users shut off their brains when using their computer.

    1. Re:No way around strict privilege separation by Sycraft-fu · · Score: 3, Interesting

      Also AV's main power for a long time has been on access/creation scanning. More or less it stops the viruses before they've a chance to become active. You run a virus scanner and anything coming in from the web, or a flash drive, or whatever is scanned. If a virus is detected, access is blocked. The virus can't get around that, since it isn't running. The AV stops it cold, before it has a chance to try anything.

      Now that's not perfect, of course, the AV software has to have a signature for the virus, but it works pretty damn well. It is a good layer of security. Shouldn't be your only layer, but no layer should be your only layer.

      This attack sounds like it is more useful against behavioural anti-virus. The AV notices a program doing shit it shouldn't and tries to stop it. Another good layer to have, but getting around it only gets you anywhere if you got the program to run in the first place.

      As you say though, no matter what you just can't shut your brain off. There is no such thing as perfect security, physical or otherwise, and anyone who sells it to you is lying. Good security requires defense in depth and requires someone to be watching to make sure things are working and not getting broken through. AV software is useful, firewalls are useful, privilege separation (like UAC or sudo) is useful, but all of them still need you as a user not to be an idiot about it.

  5. All AV software? by xulfer · · Score: 4, Interesting

    All AV software seems a little broad. This only seems to cover virus utilities that prevent viruses from attaching in the first place. I fail to see how this vulnerability would affect the large portion of AV utilities that are simply scanners... e.g. clamav, etc.

  6. Ubuntu by Das+Auge · · Score: 4, Interesting

    Since switching to Ubuntu, over three years ago, I haven't used AV.

    I suppose that someday Linux will become a real target for virus writers; but between the good security model inherent to UNIX-based OSes and common sense, I doubt I'll need one for a long time.

    1. Re:Ubuntu by siride · · Score: 4, Interesting

      The Windows NT security model is actually more advanced and capable than the base Unix security model. It's only because of culture, better-written 3rd party programs and market share that Linux/Unix doesn't have a malware problem.

    2. Re:Ubuntu by Architect_sasyr · · Score: 5, Interesting

      I'd like to just step in here and point out that the security model means shit to a virus writer - so what I can't get root on your desktop, I can still encrypt your entire home directory and delete everything I have access to with just a simple program. The whole push for administration rights is only necessary when you need to hide the software, but if all these linux users aren't running AV, then what's the point of trying to hide yourself before you can get your root privileges. Someone, somewhere, will run a sudo command eventually...

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    3. Re:Ubuntu by Runaway1956 · · Score: 3, Insightful

      Das Auge made a reasonable statement - and you respond with that old stupidity. "It's all about market share". Windows NT security model is in no way, shape, or form, "superior" to *nix security model. It is true that Linux gains a bit of security through obscurity. Market share does play a role. But I've said it before, I'll say it again: Linux systems, worldwide, guard more money and data than it would take to make thousands of hackers filthy rich. If it were easy, they would have done it already, instead of fighting over that huge Windows market share.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    4. Re:Ubuntu by Anonymous Coward · · Score: 5, Insightful

      I can still encrypt your entire home directory and delete everything I have access to with just a simple program

      Which is totally profitless to a virus writer. I haven't even seen a virus like that on Windows for decades and Windows has millions of viruses written for it.

      Someone, somewhere, will run a sudo command eventually..

      So what if they do? Executing the sudo command is limited to the program you're sudo-ing, not your whole session. A program can't wait in the background and get root when someone types sudo.

      Also you're sidestepping the whole issue that most Linux distributions provide you with all the software you need so the whole running a third party executable is much less likely to happen. The only exceptions I can think of are Google Chrome and Dropbox.

      I'm not saying Linux is infallible however the examples people like you list to try to pretend a Linux system is "just as bad" at security are ridiculous at best.

    5. Re:Ubuntu by sjames · · Score: 3, Insightful

      In what way? And is it superior in totality or just superior to the parts of the linux security model that are actually used these days?

      Of course, Linux may not have as much market share, but it is a much more attractive target. One critical server running linux is worth a lot more than 1000 XP desktop machines running solitaire.

    6. Re:Ubuntu by Antique+Geekmeister · · Score: 3, Informative

      What? "Culture", better written _core_ utilities, and the open access to the base software rather than the secretive and obscure security models of NT all contribute massively to Linux security by comparison. The smaller system components are easier and safer to do well. Also, while the kernel of NT was based on VMS when David Cutler stole his old work from DEC, it was forced to integrate numerous historical poor choices of DOS, Windows 3.x, and Windows 95 to provide backwards compatibility. These have been a _disaster_ in security terms, and very difficult to address due to the closed nature of the code and difficulty of upgrading other components to preserve compatibility.

      Some of the most "secure" components of NT, such as Active Directory, are actually due to its integration of far more secure open source components such as Kerberos, and its use of open standards such as DNS, DHCP, and LDAP to replace Microsoft's older versions of "NetBIOS" (which they also did not invent, it came from IBM and IBM discarded it years ago).

    7. Re:Ubuntu by hairyfeet · · Score: 5, Funny

      Can I call bullshit please? Y'all want to know that "magic secret" as to why even with all that money floating around Linux don't get hacked, and Windows does? Here you go...

      Uuuhhhhh....I really hate to burst your reality bubble there, bud, but there is a reason why all the Linux servers aren't getting pwned and the Windows desktops are. It is because they have these things called server admins and they are usually pretty damned smart. They are also really anal retentive when it comes to anything security related. With good reason, after all they are getting paid the big bucks to be. Meet Glenn. Say hi Glenn (I'm busy, go away) not a very social creature, Glenn is a Linux server admin. He spends most of his time on security websites and learning about the latest nasty when he isn't testing a new tweak on the test server to see if he can get an extra .05% performance under load. In his free time he enjoys black hat conferences, which his employer is happy to pay him to attend.

      Now we are going to meet an average Windows desktop user. Meet Velma. Say hi Velma (Hi Y'all!) isn't she sweet? Little Velma works at the local insurance agency. They love her there because she can take one look at a customer and without looking up a shred of paperwork say something like this "Hi Bob! How's your oldest girl? You know she's about ready to get her learner's permit so I've already looked up the most affordable coverage for her. Does she have really good grades? She can get an extra discount if she does" and so on. Little Velma is really good at generating sales. She is sweet and friendly and always knows your name and remembers all about your family. Everybody loves little Velma.

      /cue ominous music/......But we here in the PC business have a nickname for little Velma, one that she don't know about but is well earned it is....the disaster area! Dum dum dum! That is because little Velma is the trusting kind of sort, and on a computer that equals danger. Let's watch as little Velma interacts with her friendly neighborhood PC repairman, a big but lovable biker looking chap known on the net as hairyfeet.../feet/Now Velma, we have talked about this. you shouldn't mess with email attachments, I don't care who they are from. And if it is a .zip that you have to put a password to open it is a virus and you shouldn't touch it! /Velma/ But my bff Kim sent me this! See there is her name and everything! I'm sure it will be safe! /feet/Velma look, it is an executable and NOT happy puppy pictures! Do NOT run that! /Velma/ Oh, you worry too much. My bff Kim wouldn't send me anything bad. (inputs password, runs .exe, porn popups start flooding the screen while the network gets pounded) ooops. /feet/ .......

      And now you have seen an actual demonstration of why Linux is safe on servers. It is safe on servers because it is administered by guys like Glenn, say goodbye Glenn (I'm busy!) and does NOT have any Velma types mucking it up. Say goodbye Velma (Bye Y'all!). If you were to let Velma and all her friends loose on Linux if they didn't break them immediately they would become spambots in no time. It is because the malware writers have already figured out how to use a sinister concept called social engineering to target Velma and her types VERY effectively. Glenn isn't very social (Bite Me!) and is a naturally cynical creature and therefore social engineering really isn't an effective tool on his type. This is why Linux can enjoy the freedom to operate on so many servers across America without the constant malware like poor Velma gets. Tune in next week when we meet Bob, the Windows network admin, also known as the "where the hell is the damned disk?" guy.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    8. Re:Ubuntu by toadlife · · Score: 3, Informative

      A program can't wait in the background and get root when someone types sudo.

      When password caching is turned on (like it is by default in Ubuntu) yes, it can.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    9. Re:Ubuntu by Runaway1956 · · Score: 3, Interesting

      But, an earlier poster mentioned the fact that corporate and financial institutions have all this money to pay high powered administrators. If the administrators are working with a decent operating system, and if the administrators are competent, then Enterprise is safe, right? And, the military too, right?

      How's that British thing working out now? Windows for Submarines? The last I heard, it was down. Who has more expertise in securing computers than the US or the UK departments of defense? If THEY can't secure Windows, then who can?

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    10. Re:Ubuntu by amorsen · · Score: 3, Insightful

      ACL's don't make a ton of sense in the default configuration, and few people use them correctly (but luckily on Linux hardly anyone besides me uses them at all, so the problem is limited).

      The "shitty" user/group/others system is understandable by regular users and they tend to use it correctly. There are cases where it isn't flexible enough. Most of those can be handled by asking the systems administrator (which tends to be the user anyway, these days) to set up an extra group, but otherwise setfacl works fine.

      --
      Finally! A year of moderation! Ready for 2019?
    11. Re:Ubuntu by drsmithy · · Score: 5, Informative

      The Windows and Linux security models are virtually identical if you exclude MAC (SELinux etc.).

      Except for NT having no concept of a superuser and Linux utterly dependent on one to implement nearly all aspects of a usable system.
      Except for the finest granularity in Linux being the group and in NT the user.
      Except for the utter nightmare in Linux trying to create exclusionary or complicated sets of permissions with multiple users and/or groups.
      Except for the NT ACLs applying to nearly all objects in the OS, and in Linux only things represented in the filesystem.
      Except for NT ACLs controlling nearly all ways to manipulate an object and in Linux being limited to read, write and execute.

      "Virtually the same" my arse. NT's security model is vastly more capable than traditional UNIX's.

      The main difference is that people actually understand the basic Unix model of users and groups and so they often manage to set their file permissions to something relatively sane. Practically no one uses the full power of ACL's on either system.

      NT's permissions capabilities are a superset of Linux's. If someone understands the latter, then they can implement something *at least* as good on the former with the same amount of effort.

    12. Re:Ubuntu by 517714 · · Score: 5, Funny

      Nobody calls you paranoid, you just think they do.

      --
      The US government have made it clear that we have no inalienable rights; any we do not defend vigorously will be taken.
  7. So.. by Anrego · · Score: 5, Insightful

    Anti virus software has become increasingly ineffective? Potentially opens up even more avenues for attack! The Windows system of limiting privileges isn't always effective??!!??!!

    Next you'll be telling me that fire is hot, water is wet, sci.. you know the rest

    I mean this is cool and all, it's a neat discovery... but I think the whole concept of anti virus software is critically flawed and has become completely ineffective.

  8. Re:Flaw explained in plain English here by phoenix321 · · Score: 3, Insightful

    All I see is an article that is applauding Apple for doing infrequent security updates for Safari, contrasted with Firefox, that does security updates with an - for that blogger - absolutely unbearable frequency and install time. Though, in objective reality, Firefox releases an update every two months or so and the update takes about a minute on any recent PC.

    Also, I remember the rabid verbal attacks on Microsoft for NOT updating their browser fast and often enough. But Apple isn't perceived to leave known vulnerabilities unpatched like Microsoft did; they are seen as sparing their users from annoyances.

    Their marketing dept is godlike.

  9. Anagram? by Theaetetus · · Score: 4, Funny

    "Matousec"? Hmm...
    "To use Mac"? Hey!

  10. Re:Antivirus Design Flaw by Runaway1956 · · Score: 4, Interesting

    Long, long, long ago, I was out of town, and my laptop got dicked. I wasn't about to pay for a new Windows disk, nor did I have time or money to have a professional fix it. I went into a computer shop, talked awhile, and came out with an OnTrack SystemSuite disk, for which I paid about 15 bucks. Booted to it, ran the AV utility, and found nothing. Ran the rest of the utilities, and found that an improper shutdown had corrupted my MBR. Fixed the MBR, and booted up. Money well spent.

    And, yes, you are right. That is precisely what the rest of the AV industry needs to peddle. If you can't boot to a clean environment, you're just screwed, whether it be virus problems, or any number of other problems.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  11. and this is why LIVE FILESYSTEM ROMs are needed by RobertLTux · · Score: 3, Insightful

    Whatever platform the program is based on, if you are booted to the system you are trying to clean, then you have already lost ground.

    Of course, a POSIX type solution has the advantage of being mostly immune to the viruses on a Windows system.

    --
    Any person using FTFY or editing my postings agrees to a US$50.00 charge
  12. Re:Is this a joke? by Opportunist · · Score: 3, Interesting
    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.