Slashdot Mirror

← Back to Stories (view on slashdot.org)

Critical Flaw Found In Virtually All AV Software

Posted by Soulskill on from the if-only-there-were-something-more-monolithic-to-blame dept.

Securityemo writes "The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here's the original research paper." El Reg notes that "The technique works even when Windows is running under an account with limited privileges," but "it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC."

16 of 279 comments (clear)

  1. AHHHHHHHH by Anonymous Coward · · Score: 5, Funny

    Everybody turn your PCs off NOW! Why are you still reading?

    1. Re:AHHHHHHHH by armanox · · Score: 5, Insightful

      Still reading because I'm running Linux?

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
  2. Joke's on them! by Abstrackt · · Score: 5, Funny

    I don't run AV software! Ha!

    --
    They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
  3. Not really new by Florian+Weimer · · Score: 5, Insightful

    These problems have been known for a while and used to defeat e.g. systrace in OpenBSD (CVE-2007-4305). It also does not affect AV software per se, but anomaly-based detection, which kicks in only if something bad is already running on your machine. If this approach is actually used in the wild, detection logic will be added for it. Business as usual, really.

  4. No way around strict privilege separation by Arancaytar · · Score: 5, Insightful

    So it seems that relying on runtime checks doesn't just slow the system down, but also is vulnerable to concurrency attacks.

    That may be alarming, but it's not like antivirus software was ever powerful enough to let users shut off their brains when using their computer.

  5. All AV software? by xulfer · · Score: 4, Interesting

    All AV software seems a little broad. This only seems to cover virus utilities that prevent viruses from attaching in the first place. I fail to see how this vulnerability would affect the large portion of av utilities that are simply scanners... e.g. clamav, etc.

  6. Ubuntu by Das+Auge · · Score: 4, Interesting

    Since switching to Ubuntu, over three years ago, I haven't used AV.

    I suppose that someday Linux will become a real target for virus writers; but between the good security model inherent ot UNIX-based OSes and common sense, I doubt I'll need one for a long time.

    1. Re:Ubuntu by siride · · Score: 4, Interesting

      The Windows NT security model is actually more advanced and capable than the base Unix security model. It's only because of culture, better-written 3rd party programs and marketshare that Linux/Unix doesn't have a malware problem.

    2. Re:Ubuntu by Architect_sasyr · · Score: 5, Interesting

      I'd like to just step in here and point out that the security model means shit to a virus writer - so what I can't get root on your desktop, I can still encrypt your entire home directory and delete everything I have access to with just a simple program. The whole push for administration rights is only necessary when you need to hide the software, but if all these linux users aren't running AV, then what's the point of trying to hide yourself before you can get your root privileges. Someone, somewhere, will run a sudo command eventually...

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    3. Re:Ubuntu by Anonymous Coward · · Score: 5, Insightful

      I can still encrypt your entire home directory and delete everything I have access to with just a simple program

      Which is totally profitless to a virus writer. I haven't even seen a virus like that on windows for decades and windows have millions of viruses written for it.

      Someone, somewhere, will run a sudo command eventually..

      So what if they do? Executing the sudo command is limited to the program you're sudo-ing, not your whole session. A program can't wait in the background and get root when someone types sudo.

      Also you're side stepping the whole issue that most Linux distributions provide you with all the software you need so the whole running a third party executable is much less likely to happen. The only exceptions I can think of are Google Chrome and Dropbox.

      I'm not saying Linux is infallible however the examples people like you list to try to pretend a Linux system is "just as bad" at security are ridiculous at best.

    4. Re:Ubuntu by hairyfeet · · Score: 5, Funny

      Can I call bullshit please? Y'all want to know that "magic secret" as to why even with all that money floating around Linux don't get hacked, and Windows does? Here you go...

      Uuuhhhhh....I really hate to burst your reality bubble there, bud, but there is a reason why all the Linux servers aren't getting pwned and the Windows desktops are. It is because they have these things called server admins and they are usually pretty damned smart. They are also really anal retentive when it comes to anything security related. With good reason, after all they are getting paid the big bucks to be. Meet Glenn. Say hi Glenn (I'm busy, go away) not a very social creature, Glenn is a Linux server admin. He spends most of his time on security websites and learning about the latest nasty when he isn't testing a new tweak on the test server to see if he can get an extra .05% performance under load. In his free time he enjoys black hat conferences, which his employer is happy to pay him to attend.

      Now we are going to meet an average Windows desktop user. Meet Velma. say hi Velma (Hi Y'all!) isn't she sweet? Little Velma works at the local insurance agency. They love her there because she can take one look at a customer and without looking up a shred of paperwork say something like this "Hi Bob! How's your oldest girl? You know she's about ready to get her learner's permit so I've already looked up the most affordable coverage for her. Does she have really good grades? She can get an extra discount if she does" and so on. Little Velma is really good at generating sales. She is sweet and friendly and always knows your name and remembers all about your family. Everybody loves little Velma.

      /cue ominous music/......But we here in the PC business have a nickname for little Velma, one that she don't know about but is well earned it is....the disaster area! Dum dum dum! That is because little Velma is the trusting kind of sort, and on a computer that equals danger. Let's watch as little Velma interacts with her friendly neighborhood PC repairman, a big but lovable biker looking chap known on the net as hairyfeet.../feet/Now Velma, we have talked about this. you shouldn't mess with email attachments, I don't care who they are from. And if it is a .zip that you have to put a password to open it is a virus and you shouldn't touch it! /Velma/ But my bff Kim sent me this! See there is her name and everything! I'm sure it will be safe! /feet/Velma look, it is an executable and NOT happy puppy pictures! Do NOT run that! /Velma/ Oh, you worry too much. My bff Kim wouldn't send me anything bad. (inputs password, runs .exe, porn popups start flooding the screen while the network gets pounded) ooops. /feet/ .......

      And now you have seen an actual demonstration of why Linux is safe on servers. It is safe on servers because it is administered by guys like Glenn, say goodbye Glenn (I'm busy!) and does NOT have any Velma types mucking it up. Say goodbye Velma (Bye Y'all!). If you were to let Velma and all her friends loose on Linux if they didn't break them immediately they would become spambots in no time. It is because the malware writers have already figured out how to use a sinister concept called social engineering to target Velma and her types VERY effectively. Glenn isn't very social (Bite Me!) and is a naturally cynical creature and therefor social engineering really isn't an effective tool on his type. This is why Linux can enjoy the freedom to operate on some many servers across America without the constant malware like poor Velma gets. Tune in next week when we meet Bob, the Windows network admin, also known as the "where the hell is the damned disk?" guy.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    5. Re:Ubuntu by drsmithy · · Score: 5, Informative

      The Windows and Linux security models are virtually identical if you exclude MAC (SELinux etc.).

      Except for NT having no concept of a superuser and Linux utterly dependent on one to implement nearly all aspects of a usable system.
      Except for the finest granularity in Linux being the group and in NT the user.
      Except for the utter nightmare in Linux trying to create exclusionary or complicated sets of permissions with multiple users and/or groups.
      Except for the NT ACLs applying to nearly all objects in the OS, and in Linux only things represented in the filesystem.
      Except for NT ACLs controlling nearly all ways to manipulate an object and in Linux being limited to read, write and execute.

      "Virtually the same" my arse. NT's security model is vastly more capable than traditional UNIX's.

      The main difference is that people actually understand the basic Unix model of users and groups and so they often manage to set their file permissions to something relatively sane. Practically noone uses the full power of ACL's on either system.

      NT's permissions capabilities are a superset of Linux's. If someone understands the latter, then they can implement something *at least* as good on the former with the same amount of effort.

    6. Re:Ubuntu by 517714 · · Score: 5, Funny

      Nobody calls you paranoid, you just think they do.

      --
      The US government have made it clear that we have no inalienable rights; any we do not defend vigorously will be taken.
  7. So.. by Anrego · · Score: 5, Insightful

    Anti virus software has become increasingly ineffective? Potentially opens up even more venues for attack! The Windows system of limiting privileges isn't always effective??!!??!!

    Next you'll be telling me that fire is hot, water is wet, sci.. you know the rest

    I mean this is cool and all, it's a neat discovery... but I think the whole concept of anti virus software is critically flawed and has become completely ineffective.

  8. Anagram? by Theaetetus · · Score: 4, Funny

    "Matousec"? Hmm...
    "To use Mac"? Hey!

  9. Re:Antivirus Design Flaw by Runaway1956 · · Score: 4, Interesting

    Long, long, long ago, I was out of town, and my laptop got dicked. I wasn't about to pay for a new Windows disk, nor did I have time or money to have a professional fix it. I went into a computer shop, talked awhile, and came out with an OnTrack SystemSuite disk, for which I paid about 15 bucks. Booted to it, ran the AV utility, and found nothing. Ran the rest of the utilities, and found that an improper shutdown had corrupted my MBR. Fixed the MBR, and booted up. Money well spent.

    And, yes, you are right. That is precisely what the rest of the AV industry needs to peddle. If you can't boot to a clean environment, you're just screwed, whether it be virus problems, or any number of other problems.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br