Antivirus Software Could Make Your Company More Vulnerable (csoonline.com)
itwbennett writes: Since June, researchers have found and reported several dozen serious flaws in antivirus products from vendors such as Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes. Many of those vulnerabilities would have allowed attackers to remotely execute malicious code on computers, to abuse the functionality of the antivirus products themselves, to gain higher privileges on compromised systems and even to defeat the anti-exploitation defenses of third-party applications. And evidence suggests that attacks against antivirus products are both possible and likely. Some researchers believe that such attacks have already occurred, even though antivirus vendors might not be aware of them because of the very small number of victims. Among the emails leaked last year from Italian surveillance firm Hacking Team there is a document with exploits offered for sale by an outfit called Vulnerabilities Brokerage International. The document lists various privilege escalation, information disclosure and detection bypassing exploits for multiple antivirus products, and also a remote code execution exploit for ESET NOD32 Antivirus with the status 'sold.'
on domestic computers. AVG in particular just seems to let malware through - advertising scams, mostly, although once it was ransomware.
It's particularly annoying that I can't deactivate them to run other scanners to remove the crap they've allowed in. Anti-malware should NOT install and run under the SYSTEM account.
They sentenced me to twenty years of boredom
If I've read correctly (and tell me if I'm wrong, no doubt), most of these latest vulns in the AV apps themselves were related to faulty or missing implementation of ASLR memory randomization, and as such allow overflow and direct injection attacks into memory. All the major companies report it as a closed bug.
Is there some other APT type attack going on that isn't mentioned in the original disclosures?
I don't know if it is possible to have MS Windows running on the internet without antivirus software. So the question is not which AV software has vulnerabilities, as all software has this issue, but which provides significantly more protection than risk. Or if there is a better way to protect MS Windows machines than AV software.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
I don't think you understand. What you've seen is a failure to detect a particular virus. But the story is talking about vulnerabilities in the antivirus software itself. So AVG gets exploited and is then used to grant administrative access to a Windows system, something that would not have been possible if it wasn't for the weakness in the AVG agent and the fact that it runs with system level privileges.
My suspicion is that, if you were affected by such a virus, you would never know it.
The main vector for malware is people doing what computers tell them to do. Users have become so accustomed to oversight and "someone else" taking care of their computers that they feel they do need to "update their media player program", "install a codec" and "download this antivirus to remove the trojan horse" when their computer tells them to. That's what the pros do, right? Update and install something and then everything works. And Windows has a "security center" which lambasts the users with red exclamation marks until they download an antivirus, and now that website has found something and offers a free antivirus software. Phew, close one.
Microsoft, Google, Apple, etc. need to stop their programs from telling people how to keep their computers safe. If you know how, then just do it. If you don't know, then what's the point in warning the users: They certainly won't know what to do. Either way, shut up about it. When the computer tells them it has a virus, then users must know that the message is not from someone who looks over them, but probably from someone who wants them to do something that they shouldn't do. "Install this" should instinctively sound exactly as dangerous as installing software off the internet is.
Every piece of software is a potential security hole. AVs, firewalls, encryption layers like SSL or what not constitute no exceptions.
Everything I write is lies, read between the lines.
Not to mention the CPU and memory performance hit you take. Every antivirus tool probably has a massive database of every known virus, even from 20 years ago, that it's checking every file against (with any hope a file hash binary search). Norton's virus definitions grew from like 25MB in 2008 to 220MB in 2013.
I routinely pause my antivirus when copying tons of files around or when installing known-to-be-good stuff. As soon as I pause the scanner everything speeds up. Even if you have a quad core, every file has to be inspected by a scanner before the system or disk gets the files.
Exactly, which is why things should be kept simple - the less code you have running the less you have to keep track of.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Symantec is not on the list. Lucky surprised me.
Must have been filtered by their antivirus...
Introducing any new software onto a system has the potential to add increased attack vectors. In the case of antivirus software exploits may be easier to get to the right place because the software by definition is looking at all the traffic coming in, but you could just as easily look for vulnerabilities in network card driver stacks for widely-used network and wireless cards.
At least with antivirus they're likely already getting updates regularly; the same can't be said for hardware drivers on a huge percentage of systems.
fencepost
just a little off
I'll half agree with you... I think I know what you're getting at, but I think it's worth clarifying a bit. After all, it's not like any arbitrary code on a machine is vulnerable to random attacks from the internet.
Rather than talking about simplicity - because let's face it, that will never happen - we need to focus on minimizing and hardening the attack surface. For instance, if my personal machine sits behind a router, arbitrary incoming traffic from the internet is blocked. Anything that isn't blocked then has to make it past my personal machine's built-in firewall, which would tend to reject most anything else. Thus, it's likely that 99.999 percent of the code on my machine (any modern OS is *horribly* complex by nature) is completely immune to random internet-based attacks, at least ignoring user actions like launching an infected program or script.
A good example of minimizing attack surface is Amazon's recent release of a very tiny TLS library called s2n. With only 6000 lines of code, it's *much* easier to vet and declare secure than the feature rich but dangerously bloated OpenSSL library, which may put servers at risk with features they never used. Even the name (signal to noise) indicates the intent, which is to keep the library tiny and focused. We're discovering that there's a danger to letting code grow infinitely large and complex, and not depreciating it, because even if those old features work, they still may contain security issues. I'd be extremely surprised if s2n had any serious security flaws in its implementation simply due to its small size - there's just not as much that can go wrong there.
Irony: Agile development has too much inertia to be abandoned now.
I'm not GP, but you asked what part of your post is not true. This part:
> The problem with AV software is, it will only catch threats that are already known
That's true of SOME AV software. Other types use heuristics similar to spam filters to detect LIKELY threats (code that has been obfuscated in ways bad guys use, executables with names like *.com or *.jpg.exe, etc). Another type sometimes actually runs the code in a vm and looks for any changes to registry entries or files outside of the designated installation destination.
The third type is the most heavy-duty both in terms of effectiveness and resource usage, though in at least one case (Fireeye) the malware was able to escape the sandbox, turning the malware scanner into a major vulnerability.
I left ESET for Kaspersky. Reason is I thought I had a bad ass, motherboard, and SATA cables. Constant disk corruption occurred.
When doing an SFC caused a BSOD at the NTFS driver I figured it was the AV software. I was right.
http://saveie6.com/
It's quite certain that AV software flaws have been attacked by bad guys, but that hardly means that your company is *more* vulnerable with the software than without it. Any sufficiently complex software has vulnerabilities.
If it's vital, use a typewriter, secure limited amounts of paper files and hold face to face meetings in a secure room with only trusted staff. Works well during policy creation. Use the internet to push out a final policy statement, not create policy over years, weeks via junk encryption.
Learn about good quality encryption so that years of plain text data are not just sitting on fast internet facing servers.
As for AV brands: The global reach and trust means they are getting reports back of bespoke 5 eye crafted code in the wild.
AV brands that have the ability to understand every users network and create complex reports in near realtime.
Suite of Sophisticated Nation-State Attack Tools Found With Connection to Stuxnet (02.16.15)
http://www.wired.com/2015/02/k...
That is the real issue. The tame crypto academics and consumer OS designers are the way in. AV brands that can understand and get a wide range of reports are starting to see what was and is being done to wide open export grade OS's and hardware.
The other issue is the number of contractors and brands selling one time, unknown, not yet found access tools to govs/mil.
Well staffed AV brands are slowly understanding how to better protect wide open junk consumer OS's and then tell the world.
Gov funded malware is having less of a free open window for access, over years to months, or is being patched or discovered in use.
Domestic spying is now "Benign Information Gathering"
My company operates in a regulated industry (finance). We're forced to have AV software installed (including on Macs) in order to comply with the regs.
> Those things are all easily overcome by malware writers by testing against existing antivirus. If the Antivirus detects it, then keep changing the malware until the Antivirus doesn't detect it.
Those are called crypters and you're right, those are currently a significant problem for type-A, signature based AV. However, signature based is still useful. Consider all the Nigerian Prince scams and similar that you see. Most is immediately recognizable due to the grammar, etc. It would be absolutely trivial for the bad guys to defeat "grammar detection", but most don't bother. Similarly, while signature-based AV (and standard door locks) are easily defeated, they are still useful.
Heuristics-based (type 2) can't be so readily overcome by changing the malware. A type 2 detection engine scores on factors such as:
Runs automatically at boot. (+2 points)
Fake file extension like kittens.jpg.exe (+3 points)
Alters system files (+2 points)
To change the software to avoid triggering this better type of engine, the bad guys have to make it -not- run automatically, not have a misleading name, and not alter the system. Keep going down that path and it's no longer malware, so a high-quality type 2 is a great thing to have. Further development in this area is worthwhile.
Then we have type 3, which runs the software on a test machine and sees if any damage is done. Type 3 looks directly at the EFFECTS, at what the software DOES. If it reads private files, it's rejected. If it automatically changes any existing files (cryptolocker) it's rejected, etc. "Change the malware until it's not detected" means "change it to no longer do anything bad", on a well-constructed type 3 system.
Further development in this area is worthwhile.
Indeed.
"First they came for the slanderers and i said nothing."
completely immune to random internet-based attacks, at least ignoring user actions like launching an infected program or script
Or using a web browser to view a news article on Forbes triggering popunders with malware exploits, or looking at a page which happens to contain a PNG file designed to exploit a buffer overflow in the PNG parsing library, or running AV software which scans a ZIP file that happens to be crafted to exploit a vulnerability in the archive extraction library. Or really installing any software, ever.
If there's two things we could do to mitigate the damage caused by these exploits, it's:
1: Stop using C and C++ to write programs. People are still shooting themselves (and all users of their software) in the foot by accidentally introducing stack-smashing vulnerabilities and the like into their code in 2016, and that's embarrassing and unnecessary.
2: Figure out how to automatically use virtualisation containers like Docker to isolate every user program into a separate virtual environment that prevents them from accidentally destroying the system. Without the user needing to even know anything about it...
While your desktop is likely pretty well protected against worms by default (ignoring the fact it's probably punching holes in the firewall with UPnP) it's /entirely/ irrelevant to the attack under discussion.
This is a privilege escalation attack on people who are doing the 'right thing' and not running all their web browsers as admin. i.e. corporate/government networks that tend to enforce AV and have moved on from the Windows 98 model. Access from the internet side is not required.
It's like you're saying HIV isn't a problem because you use condoms with any casual sex partners, but we've gone ahead and infected your spouse to get to you.
Yep, I didn't mean to imply otherwise. I was specifically responding to the parent's notion that "simplicity" is what's needed, but my argument is that's somewhat impractical given the size of modern software, so you need to focus more on the software that's exposed to potential attacks. And obviously, as this article points out, that includes our AV software.
It's the reason many of us were upset with Mozilla for adding that stupid "Pocket" feature - that product is likely to have security holes, and the more code you add to a web browser (which Desty rightly pointed out is generally a much bigger attack surface), the more likely it is for there to be a crack in the existing code to exploit.
I didn't mean to sound like I was blaming users - there are plenty of times users/admins do absolutely nothing wrong, like an exploit just from looking at a web page with a fully patched browser, or even just previewing an e-mail with a malicious payload. It's sort of depressing that we're still at this stage in computer security.
Irony: Agile development has too much inertia to be abandoned now.
So, what I'm hearing is that huge pig AVs are bad (McAfee). They also open an attack vector because they are obfuscated to protect themselves from end users. This makes it more difficult for people to notice problems, and I see a clear pattern of users blaming slowness and odd behavior on the AV without any ability to really verify this.
Cheap storage VM.
Go ahead and use Modern C++. Properly used (and by that I mean doing things that can be easily checked by a code reviewer), it's a lot safer than C or older C++.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
http://www.techweekeurope.co.u...