Slashdot Mirror


How AV Can Open You To Attacks That Otherwise Wouldn't Be Possible (arstechnica.com)

Antivirus suites expose a user's system to attacks that otherwise wouldn't be possible, a security researcher reported on Friday. From a report: On Friday, a researcher documented a vulnerability he had found in about a dozen name-brand AV programs that allows attackers who already have a toehold on a targeted computer to gain complete system control. AVGater, as the researcher is calling the vulnerability, works by relocating malware already put into an AV quarantine folder to a location of the attacker's choosing. Attackers can exploit it by first getting a vulnerable AV program to quarantine a piece of malicious code and then moving it into a sensitive directory such as C:\Windows or C:\Program Files, which normally would be off limits to the attacker. Six of the affected AV programs have patched the vulnerability after it was privately reported. The remaining brands have yet to fix it, said Florian Bogner, a Vienna, Austria-based security researcher who gets paid to hack businesses so he can help them identify weaknesses in their networks. Bogner said he developed a series of AVGater exploits during several assignments that called for him to penetrate deep inside customer networks. Using malicious phishing e-mails, he was able to infect employee PCs, but he still faced a significant challenge. Because company administrators set up the PCs to run with limited system privileges, Bogner's malware was unable to access the password database -- known as the Security Account Manager -- that stored credentials he needed to pivot onto the corporate network.
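The privilege boundary the summary describes is a quarantine restore that lands inside a directory a limited user cannot normally write to. The following is an added detection example, not code from the article or from the researcher's work: it takes a constructed list of quarantine-restore events (the event fields, the quarantine path and the user names are all assumptions made for this illustration) and flags any restore by a non-admin account whose destination sits under C:\Windows or C:\Program Files. The path check is component-wise so that a directory such as C:\WindowsTemp is not mistaken for a child of C:\Windows.

```python
"""Added example (not from the article or the AVGater research): flag AV
quarantine-restore events whose destination is a directory that a standard
user should not be able to write to. Event format and sample values are
constructed for this illustration."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories a limited user normally cannot write to on a default Windows
# install (assumption; extend the tuple for your own environment).
PROTECTED_DIRS = (
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)


@dataclass(frozen=True)
class RestoreEvent:
    user: str          # account that requested the restore (constructed)
    is_admin: bool     # whether that account holds local admin rights
    source: str        # quarantine location the file came from (constructed)
    destination: str   # where the AV engine wrote the restored file


def is_under(path: str, directory: str) -> bool:
    r"""True if `path` lies strictly inside `directory`.

    Comparison is case-insensitive and component-wise, so
    C:\WindowsTemp\x.exe is NOT treated as being under C:\Windows, and a
    path equal to the directory itself is not counted either."""
    p = PureWindowsPath(path.lower()).parts
    d = PureWindowsPath(directory.lower()).parts
    return len(p) > len(d) and p[:len(d)] == d


def is_protected(path: str) -> bool:
    """True if the path is inside any of the protected directories."""
    return any(is_under(path, d) for d in PROTECTED_DIRS)


def flag_suspicious_restores(events):
    """Return the events where a non-admin user restored a quarantined file
    into a protected directory. That combination is exactly the boundary
    the article says AVGater lets an attacker cross, so it is the one a
    defender wants alerted on; an admin restoring there is routine."""
    return [e for e in events if not e.is_admin and is_protected(e.destination)]


# Constructed sample telemetry: one benign restore into the user's profile,
# one restore into System32 by a limited user, one admin restore into
# Program Files, and one into a look-alike directory outside C:\Windows.
SAMPLE_EVENTS = [
    RestoreEvent("corp\\alice", False,
                 r"C:\ProgramData\ExampleAV\Quarantine\0001.bin",
                 r"C:\Users\alice\Downloads\report.exe"),
    RestoreEvent("corp\\alice", False,
                 r"C:\ProgramData\ExampleAV\Quarantine\0002.bin",
                 r"C:\Windows\System32\restored.dll"),
    RestoreEvent("corp\\helpdesk", True,
                 r"C:\ProgramData\ExampleAV\Quarantine\0003.bin",
                 r"C:\Program Files\ExampleTool\plugin.dll"),
    RestoreEvent("corp\\bob", False,
                 r"C:\ProgramData\ExampleAV\Quarantine\0004.bin",
                 r"C:\WindowsTemp\tool.exe"),
]


if __name__ == "__main__":
    for e in flag_suspicious_restores(SAMPLE_EVENTS):
        print(f"ALERT: {e.user} restored {e.source} -> {e.destination}")
```

Only the second event is reported. In a real deployment the same rule would be fed from whatever restore or file-creation telemetry the AV product or Sysmon actually emits; the point of the check is that the restore destination, not the quarantined content, is what reveals the escalation.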

3 of 34 comments

  1. How about a more secure OS? by evolutionary · Score: 3, Informative

    Linux is better at resisting these things than MS Windows. One can argue that Linux is less targeted, but whatever the reason, Linux (there is Apple based on BSD, but Apple has hooks in their products that are not open source). No system is foolproof, and some of these attacks used phishing techniques which someone who is watching can probably spot. But hopefully the AV companies will get better at staying ahead of the curve.

    --
    "Imagination is more important than knowledge" - Einstein
    1. Re:How about a more secure OS? by ctilsie242 · Score: 3, Informative

      Linux has had its vulnerabilities, but it has done well for an OS that is Internet facing and always bearing the constant slings and arrows from attackers. The only time I've even thought of AV on Linux is because it is to check a box off when it comes to audits or paperwork. I doubt any AV would be useful at all on the platform, other than to catch Windows items on an SMB file server.

  2. Re:A collection of exploits working together by ctilsie242 · Score: 3, Informative

    Because of Windows's historically crappy programming, this is why AV was created. This isn't just MS's fault. Other operating systems of that time with cooperative multitasking had issues as well, so things like Disinfectant for the Mac that had a program load and run were critical.

    However, time has passed. Macs run a pre-emptive OS with MAC and DAC controls. Linux has SELinux and AppArmor. Even Windows, especially with tools to limit what applications can write to what files, is getting there.

    There is no real need for AV anymore. In the past, AV's liability of CPU slowness was worth it, as it would catch things. Now, AV is all but worthless because the two primary infection vectors are malvertising (which needs to be handled by the web browser and the sandbox/VM it sits in) and Trojans. AV rarely protects against malicious PDFs or Word documents.

    It is worse now, because with the fact that AV autoupdates both signatures and code, as well as sends what the hell it feels like to the mother-ship, AV can easily become malware in itself in a way that is undetectable.

    What needs to be done is to dump AV completely and have the OS handle security. The Qubes OS model is a good example of this done right. Alternatively, one can do this manually via Sandboxie or VMs on the desktop.

    The fewer moving parts, the better.