How AV Can Open You To Attacks That Otherwise Wouldn't Be Possible (arstechnica.com)

Antivirus suites expose a user's system to attacks that otherwise wouldn't be possible, a security researcher reported on Friday. From a report: On Friday, a researcher documented a vulnerability he had found in about a dozen name-brand AV programs that allows attackers who already have a toehold on a targeted computer to gain complete system control. AVGater, as the researcher is calling the vulnerability, works by relocating malware already put into an AV quarantine folder to a location of the attacker's choosing. Attackers can exploit it by first getting a vulnerable AV program to quarantine a piece of malicious code and then moving it into a sensitive directory such as C:\Windows or C:\Program Files, which normally would be off limits to the attacker. Six of the affected AV programs have patched the vulnerability after it was privately reported. The remaining brands have yet to fix it, said Florian Bogner, a Vienna, Austria-based security researcher who gets paid to hack businesses so he can help them identify weaknesses in their networks. Bogner said he developed a series of AVGater exploits during several assignments that called for him to penetrate deep inside customer networks. Using malicious phishing e-mails, he was able to infect employee PCs, but he still faced a significant challenge. Because company administrators set up the PCs to run with limited system privileges, Bogner's malware was unable to access the password database -- known as the Security Account Manager -- that stored credentials he needed to pivot onto the corporate network.

34 comments

  1. They what? by Anonymous Coward · · Score: 2, Funny

    Six of the affected AV programs have patched the vulnerable.

    They "patched the vulnerable"? Really?

    At this rate English will be a dead language within three or four generations.

    1. Re:They what? by Big+Hairy+Ian · · Score: 1

      Six of the affected AV programs have patched the vulnerable.

      They "patched the vulnerable"? Really?

      At this rate English will be a dead language within three or four generations.

      I blame the the Coriolis Affect

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    2. Re:They what? by Anonymous Coward · · Score: 0

      You blame "the the" Coriolis Affect?

      You just proved my point.

    3. Re:They what? by Anonymous Coward · · Score: 0

      And you can't see the sarcasm tags

    4. Re:They what? by Anonymous Coward · · Score: 0

      does the word "whoooooosh" mean anything to you?

    5. Re:They what? by Anonymous Coward · · Score: 0

      Not when it's riddled with grammatical errors.

    6. Re:They what? by Anonymous Coward · · Score: 0

      They "patched the vulnerable"? Really?

      At least they didn't do the vulnerable...

    7. Re:They what? by wardrich86 · · Score: 1

      Maybe they're going above and beyond and spreading a patch to all the other computers that are still affected.

    8. Re: They what? by clovis · · Score: 1

      Yes, the Coriolis Affect is a mental state where thoughts spin around in your brain due to exposure to egregious fucktardation.

    9. Re:They what? by Anonymous Coward · · Score: 0

      Welcome to the social.
      Remember, this is a Microsoft only social after all.

  2. So My AV was the weakest link by Big+Hairy+Ian · · Score: 1

    I wonder if this is being exploited in the wild

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  3. A collection of exploits working together by Opportunist · · Score: 4, Insightful

    I know it's quite common to bash Antivirus, from "they create the viruses themselves to create a market" to "they are snakeoil anyway", so the headline is very Slashdot-y, but please realize that this is exploitable because three things come together:

    1. The way Windows handles symlinks is FUBAR.
    2. There are STILL programs that simply go by the logic of "let's just load every DLL in this directory".
    3. A program (in this case an AV tool) allows files to be "restored" into a directory, does not double-check where that ends up, and has admin privileges.

    You can probably get the same effect with backup programs.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    1. Re:A collection of exploits working together by Baron_Yam · · Score: 3, Insightful

      The way Windows handles installing and removing programs is insane. The way programs handle what security Windows offers is insane. But as a platform, Windows was originally designed for 'easy' not 'good', and it did an adequate job of standardizing program UIs, and then providing a standard interface to devices.

      After that, of course, Microsoft (and everyone else) discovered that you could force users onto the upgrade treadmill by changing the standards over time and killing backwards compatibility. And now they have enough of the business desktop market not to care.

      Whee!

    2. Re:A collection of exploits working together by ctilsie242 · · Score: 3, Informative

      Because of Windows's historically crappy programming, this is why AV was created. This isn't just MS's fault. Other operating systems of that time with cooperative multitasking had issues as well, so things like Disinfectant for the Mac that had a program load and run were critical.

      However, time has passed. Macs run a pre-emptive OS with MAC and DAC controls. Linux has SELinux and AppArmor. Even Windows, especially with tools to limit what applications can write to what files, is getting there.

      There is no real need for AV anymore. In the past, AV's liability of CPU slowness was worth it, as it would catch things. Now, AV is all but worthless because the two primary infection vectors are malvertising (which needs to be handled by the web browser and the sandbox/VM it sits in) and Trojans. AV rarely protects against malicious PDFs or Word documents.

      It is worse now: because AV autoupdates both signatures and code, as well as sending what the hell it feels like to the mother-ship, AV can easily become malware in itself in a way that is undetectable.

      What needs to be done is to dump AV completely and have the OS handle security. The Qubes OS model is a good example of this done right. Alternatively, one can do this manually via Sandboxie or VMs on the desktop.

      The fewer moving parts, the better.

    3. Re:A collection of exploits working together by Anonymous Coward · · Score: 0

      This is obvious.
      As is adding shit to the whitelist or the blacklist, or exceptions to same.
      Checksums and signatures should be checked before moving anything anywhere.
      And directory games should be spoiled if pointers are incorrect or crossed.
      Plus the vector where a reboot is needed to apply a patch - ripe territory there.
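
    The restore check the last two comments describe (verify the file before moving it, and refuse when the directory "pointers" have been crossed) sketched in Python as an added example; this is not code from the article, from the researcher, or from any AV product. The directory names, the symlink standing in for a Windows junction, and the sample bytes are all constructed for the demonstration, and the script needs permission to create a symlink in a temp directory.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


class RestoreRefused(Exception):
    """Raised when a quarantine restore fails one of the safety checks."""


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def naive_restore(quarantined: Path, restore_root: Path, original_name: str) -> Path:
    """The unsafe pattern: trust the recorded path and move the file back."""
    dest = restore_root / original_name
    shutil.move(str(quarantined), str(dest))
    return dest


def safe_restore(quarantined: Path, expected_sha256: str,
                 restore_root: Path, original_name: str) -> Path:
    """Restore only if the file is unchanged, the name has no traversal, and the
    destination directory still resolves inside restore_root after following
    any symlinks/junctions. The final file is created without following a link."""
    actual = sha256_of(quarantined)
    if actual != expected_sha256:
        raise RestoreRefused(f"quarantined file changed: {actual}")

    rel = Path(original_name)
    if rel.is_absolute() or ".." in rel.parts:
        raise RestoreRefused(f"rejecting relative name {original_name!r}")

    # Resolve both sides through any links; the destination must stay under the root.
    root_real = restore_root.resolve(strict=True)
    dest_dir_real = (restore_root / rel.parent).resolve(strict=True)
    if os.path.commonpath([root_real, dest_dir_real]) != str(root_real):
        raise RestoreRefused(f"{restore_root / rel.parent} now resolves to {dest_dir_real}")

    dest = dest_dir_real / rel.name
    # O_EXCL: refuse if anything is already there; O_NOFOLLOW where the OS has it.
    flags = (os.O_WRONLY | os.O_CREAT | os.O_EXCL
             | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_BINARY", 0))
    fd = os.open(dest, flags, 0o644)
    with os.fdopen(fd, "wb") as out, open(quarantined, "rb") as src:
        shutil.copyfileobj(src, out)
    quarantined.unlink()
    return dest


def demo() -> dict:
    """Constructed scenario: by restore time a subfolder under the restore root has
    been replaced by a link to a directory outside it (stand-in for C:\\Windows)."""
    base = Path(tempfile.mkdtemp()).resolve()
    sensitive, restore_root, quarantine = base / "sensitive", base / "users_docs", base / "quarantine"
    for d in (sensitive, restore_root, quarantine, restore_root / "docs"):
        d.mkdir()
    os.symlink(sensitive, restore_root / "sub", target_is_directory=True)

    def new_sample(name: str) -> Path:
        p = quarantine / name
        p.write_bytes(b"constructed quarantined sample " + name.encode())
        return p

    def refused(*args) -> bool:
        try:
            safe_restore(*args)
            return False
        except RestoreRefused:
            return True

    results = {}
    landed = naive_restore(new_sample("a.bin"), restore_root, "sub/one.dll")
    results["naive_landed_outside_root"] = landed.resolve().parent == sensitive
    q = new_sample("b.bin")
    results["safe_refused_redirect"] = refused(q, sha256_of(q), restore_root, "sub/two.dll")
    results["nothing_written_outside"] = not (sensitive / "two.dll").exists()
    q = new_sample("c.bin")
    results["safe_refused_traversal"] = refused(q, sha256_of(q), restore_root, "../escape.dll")
    q = new_sample("d.bin")
    results["safe_refused_hash_mismatch"] = refused(q, "0" * 64, restore_root, "docs/x.bin")
    q = new_sample("e.bin")
    ok = safe_restore(q, sha256_of(q), restore_root, "docs/report.doc")
    results["legit_restore_inside_root"] = ok == restore_root / "docs" / "report.doc"
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    print(demo())
```

    Two checks carry the weight: the destination directory is resolved and must share the restore root's resolved path, and the final file is created with O_EXCL and O_NOFOLLOW so an existing file or link at the last component is never followed. On Windows, Path.resolve() (Python 3.8+) follows junctions as well as symlinks, and O_NOFOLLOW does not exist, which is why it is fetched with getattr.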

    4. Re:A collection of exploits working together by Dutch+Gun · · Score: 1

      2. There are STILL programs that simply go by the logic of "let's just load every DLL in this directory".

      This is not unusual because this is how programs handle extended functionality via plugins. For instance, every digital audio workstation (DAW) in the world works by scanning key folders for dlls with well-defined interfaces, known as VSTs. These VSTs contain virtual instruments or effects that can be accessed by the host DAW. Photoshop plugins? Same concept. And there are probably thousands more examples.

      This is what people mean when they talk about the conflicting interests of security and functionality.

      --
      Irony: Agile development has too much inertia to be abandoned now.

    5. Re:A collection of exploits working together by Dutch+Gun · · Score: 1

      After that, of course, Microsoft (and everyone else) discovered that you could force users onto the upgrade treadmill by changing the standards over time and killing backwards compatibility.

      What on earth are you talking about? If there's one thing that Microsoft is insanely good at, it's preserving backwards compatibility at the OS level, even allowing much older 32-bit applications (some even vintage Windows 95 era software) to run on 64-bit machines via a built-in emulation layer. Most issues of breaking compatibility had to do more with software explicitly breaking earlier rules which weren't strictly enforced in older versions of Windows (like Windows XP), such as writing data to the program directory, etc, but which are now enforced.

      AV software, of course, pretty much breaks ALL the rules by hooking into the system guts, so naturally it tends to be version-specific. It would be a hell of a stretch to blame MS for this.

      --
      Irony: Agile development has too much inertia to be abandoned now.

    6. Re:A collection of exploits working together by Opportunist · · Score: 1

      Is it really asking too much of a program to store a list of the plugins it uses and load those and only those plugins?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
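
    The plugin thread above (scan a folder and load every DLL, versus keep a list and load only those) as an added Python example; it is not code from any DAW, from Photoshop or from the commenters. Plugins are small .py files rather than DLLs, and the manifest of approved hashes is constructed in a temp directory for the demonstration.

```python
import hashlib
import shutil
import tempfile
import types
from pathlib import Path


def build_manifest(plugin_dir: Path, names: list) -> dict:
    """Record the SHA-256 of each approved plugin at approval time."""
    return {n: hashlib.sha256((plugin_dir / f"{n}.py").read_bytes()).hexdigest()
            for n in names}


def load_allowlisted_plugins(plugin_dir: Path, manifest: dict):
    """Execute only manifest-listed plugins whose current bytes match the recorded
    hash. Returns (status_by_name, loaded_modules)."""
    status, loaded = {}, {}
    for name, expected in manifest.items():
        path = plugin_dir / f"{name}.py"
        try:
            data = path.read_bytes()
        except FileNotFoundError:
            status[name] = "missing"
            continue
        if hashlib.sha256(data).hexdigest() != expected:
            status[name] = "hash-mismatch"
            continue
        module = types.ModuleType(name)
        # Execute the bytes that were hashed, not a second read of the path.
        exec(compile(data, str(path), "exec"), module.__dict__)
        loaded[name] = module
        status[name] = "loaded"
    # Anything else dropped into the directory is reported, never executed.
    for path in plugin_dir.glob("*.py"):
        status.setdefault(path.stem, "unlisted")
    return status, loaded


def demo() -> dict:
    """Constructed scenario: two approved plugins, then one is modified and an
    unlisted file appears in the folder before the next load."""
    base = Path(tempfile.mkdtemp())
    (base / "good.py").write_text("def greet():\n    return 'hi from good'\n")
    (base / "tampered.py").write_text("def greet():\n    return 'original'\n")
    manifest = build_manifest(base, ["good", "tampered"])
    manifest["absent"] = "0" * 64  # listed but never installed
    (base / "tampered.py").write_text("def greet():\n    return 'modified'\n")
    (base / "dropped.py").write_text("raise RuntimeError('should never run')\n")
    status, loaded = load_allowlisted_plugins(base, manifest)
    result = dict(status)
    result["good_greet"] = loaded["good"].greet()
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(demo())
```

    The folder is still scanned, but only to report strays; nothing runs unless its name is in the manifest and its bytes match. Replacing the hash manifest with a code-signing check gives the same property for native DLLs.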

    7. Re:A collection of exploits working together by scdeimos · · Score: 1

      Because of Windows's historically crappy programming, this is why AV was created. This isn't just MS's fault. Other operating systems of that time with cooperative multitasking had issues as well, so things like Disinfectant for the Mac that had a program load and run were critical.

      You're right that this isn't just MS's fault. The 68x000 series of MacOS (capital M) did all sorts of things to encourage viruses, e.g.:

      1. Hard disk volumes had their own driver code in the first couple of blocks which was dutifully loaded by the OS when they were plugged in/turned on/inserted (in the case of removable volumes like Syquest) to make the entire volume accessible. Naturally these were relocated by viruses and overwritten with their own code.
      2. In its worst "what could possibly go wrong?" decision Apple allowed Resource Forks to contain Code Resources and, to make that even worse, added an "Auto-Execute" flag to them. Naturally this made it easy for viruses to stick auto-execute code resources in the Desktop file on every single hard disk, cartridge and floppy disk they encountered so they could easily spread infections.

      Noobs.

  4. Malwarebytes .. by Anonymous Coward · · Score: 0

    .. probably patched it. It's been busy updating itself on the various systems here.

  5. How about a more secure OS? by evolutionary · · Score: 3, Informative

    Linux is better at resisting these things than MS Windows. One can argue that Linux is less targeted, but whatever the reason, Linux (there is Apple based on BSD, but Apple has hooks in their products that are not open source). No system is foolproof, and some of these attacks used phishing techniques which someone who is watching can probably spot. But hopefully the AV companies will get better at staying ahead of the curve.

    --
    "Imagination is more important than knowledge" - Einstein

    1. Re:How about a more secure OS? by ctilsie242 · · Score: 3, Informative

      Linux has had its vulnerabilities, but it has done well for an OS that is Internet facing and always bearing the constant slings and arrows from attackers. The only time I've even thought of AV on Linux is because it is to check a box off when it comes to audits or paperwork. I doubt any AV would be useful at all on the platform, other than to catch Windows items on an SMB file server.

    2. Re:How about a more secure OS? by Anonymous Coward · · Score: 0

      Internet-facing is not the dangerous attack vector, contrary to what most people believe. The most dangerous vector is end users doing stuff on the desktop.

  6. New meme by sjbe · · Score: 1

    They "patched the vulnerable"? Really?

    It's a close relative of Do the needful.

    1. Re:New meme by Anonymous Coward · · Score: 0

      You forgot "Kindly" do the needful. I'm not hearing it as much lately though.

  7. Re: Obama is my Llama by bestweasel · · Score: 1, Offtopic

    Jackson Klaxon, a 32 year old software developer from Nohope Idaho, was today arrested outside a local dentist's office for indecent behaviour, stealing a llama from a nearby llama farmer and suspicion of being under the influence of hallucinogens.

    "The door to the surgery opened and I was shocked to see Mr Klaxon standing there naked, particularly as he didn't have an appointment", said Ethel Mercaptan, Receptionist, mother of six and part-time meth addict. "He turned round, a sight none of us was ready for, and dragged a large, somewhat reluctant animal in after him. I thought it was a stretch goat but was later informed it's what they call a llama. I became alarmed when Mr Klaxon started dancing and waving his arms around in Reception, all the time singing a silly song."

    "I told him he had to stop but he took no notice so I called the police, I mean we had women and children waiting and going to the dentist can be stressful enough. It's true some of the children were laughing and clapping and a couple of the adults were smiling but we really can't have that sort of behavior."

    "We'll have to have the carpet replaced because of the mess. What? No, the llama was well behaved by comparison. I'm afraid most of it was Mr Klaxon."

  8. Best AV using what IPStack has & 1 part only by Anonymous Coward · · Score: 0

    See subject & APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Ads/script/malware rob speed/security/privacy/bandwidth.

    Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!

    Avoids DNSChangers in routers/IP settings & dns redirect (99.999% of ISP DNS != patched vs. it) + DNS tracking & lighten DNS load & resolve faster from local RAM!

    * Via what u NATIVELY have in a FASTER kernelmode IP stack!

    APK

    P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/ (self checking code vs. infection of it built-in)

  9. Block threats before you can be infected by Anonymous Coward · · Score: 0

    With less complexity 4 exploit APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Ads/script/malware rob speed/security/privacy/bandwidth.

    Hosts add speed (hardcodes/adblocks), security (bad sites/malware/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers).

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!

    Avoids DNSChangers in routers/IP settings & dns redirect (99++% of ISP DNS != patched vs. it) + DNS tracking & lighten DNS load & resolve faster from local RAM!

    * Via what u NATIVELY have in a FASTER kernelmode IP stack!

    APK

    P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/ (self checking code vs. infection of it built-in)

  10. Software has bugs.. by Altrag · · Score: 1

    News at 1942!

    Seriously though.. antivirus software is software, and many of them are very complex pieces of software given that they all seem to incorporate some combination of the primary AV, a firewall, malware scanners, webpage scanners, filesystem monitors, kitchen sinks, etc.

    It's kind of like expecting that your doctor can't get sick just because she's a doctor.

  11. APK keeps on proving he is a retard by Anonymous Coward · · Score: 0

    You just keep on proving that you are a retard. Making all sorts of false claims, lying about your file aggregator's abilities and in general being a whining little bitch. You can't even do the hard work of curating and vetting the lists your overly complex bloated software consumes. Don't worry, I will continue to point out your retarded lies.

  12. You're whining UNIDENTIFIABLE "ne'er-do-well" by Anonymous Coward · · Score: 0

    I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

    his hosts program is actually pretty good by xenotransplant

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

    (APK's) work, I've flat out said it's good by BronsCon

    I've tried his hosts file generating software. It works by bmo

    APK your posts on this & the hosts file posts, and more, have never been in error &/or bad advice by BlueStrat

    Your premise that hostfiles are a good way to deal with advertising & malvertising is quite valid by JazzLad

    I like your host file system by Karmashock

    (NEED MORE?)

    * Hosted by Malwarebytes' hpHosts!

    See subject: You've done better?

    APK

    P.S.=> China imitated me http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/ ... apk

  13. Re: Obama is my Llama by Anonymous Coward · · Score: 0

    So if he had an appointment, the stretch goat and nakedness would have been fine?

  14. In other words: we need SW freedom always. by jbn-o · · Score: 1

    Most anti-malware programs are nonfree (user-subjugating, proprietary) software. So it stands to reason that since people make mistakes and sometimes purposefully either don't fix exploitable bugs or put them there intentionally, nonfree anti-malware programs should be treated no differently from other non-free software—don't run nonfree software. The solution becomes obvious: run free software anti-malware programs instead. Apparently privatization got us to where we are: a series of untrustable nonfree programs with weaknesses only they're allowed to fix; weaknesses which can be exploited to do the very thing the programs aren't supposed to allow.

    This is also the proper reason to not trust Kaspersky's anti-malware software: not because it's Russian, not because its recent issues might be the CIA's work posing as something it's not, but because it is nonfree. Yes, I'm aware that Kaspersky allows some people to inspect what may well be its source code (perhaps under a non-disclosure agreement). But that is not software freedom because it doesn't grant those few people the freedom to run, share, and modify the code. Also because that limited permission doesn't include Kaspersky's users. All computer users deserve software freedom for all of the software they run. Together we can improve the software and end up with something we can trust. I don't think businesses deserve primacy, and we have no obligation to turn everything into a question of 'how can someone make money with this?', but we could give a research lab funding to continue their work investigating malware and coming up with improvements to anti-malware programs. Given how many people use computers (in other words, they're not optional anymore), we should seriously consider federal funding and long-term employment for this.