Slashdot Mirror

← Back to Stories (view on slashdot.org)

How AV Can Open You To Attacks That Otherwise Wouldn't Be Possible (arstechnica.com)

Posted by msmash on from the ain't-nobody-signed-up-for-that dept.

Antivirus suites expose a user's system to attacks that otherwise wouldn't be possible, a security researcher reported on Friday. From a report: On Friday, a researcher documented a vulnerability he had found in about a dozen name-brand AV programs that allows attackers who already have a toehold on a targeted computer to gain complete system control. AVGater, as the researcher is calling the vulnerability, works by relocating malware already put into an AV quarantine folder to a location of the attacker's choosing. Attackers can exploit it by first getting a vulnerable AV program to quarantine a piece of malicious code and then moving it into a sensitive directory such as C:\Windows or C:\Program Files, which normally would be off limits to the attacker. Six of the affected AV programs have patched the vulnerablity after it was privately reported. The remaining brands have yet to fix it, said Florian Bogner, a Vienna, Austria-based security researcher who gets paid to hack businesses so he can help them identify weaknesses in their networks. Bogner said he developed a series of AVGater exploits during several assignments that called for him to penetrate deep inside customer networks. Using malicious phishing e-mails, he was able to infect employee PCs, but he still faced a significant challenge. Because company administrators set up the PCs to run with limited system privileges, Bogner's malware was unable to access the password database -- known as the Security Account Manager -- that stored credentials he needed to pivot onto the corporate network.

18 of 34 comments (clear)

  1. They what? by Anonymous Coward · · Score: 2, Funny

    Six of the affected AV programs have patched the vulnerable.

    They "patched the vulnerable"? Really?

    At this rate english will be a dead language within three or four generations.

    1. Re:They what? by Big+Hairy+Ian · · Score: 1

      Six of the affected AV programs have patched the vulnerable.

      They "patched the vulnerable"? Really?

      At this rate english will be a dead language within three or four generations.

      I blame the the Coriolis Affect

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    2. Re:They what? by wardrich86 · · Score: 1

      Maybe they're going above and beyond and spreading a patch to all the other computers that are still affected.

    3. Re: They what? by clovis · · Score: 1

      Yes, the Coriolis Affect is a mental state where thoughts spin around in your brain due to exposure to egregious fucktardation.

  2. So My AV was the weakest link by Big+Hairy+Ian · · Score: 1

    I wonder if this is being exploited in the wild

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  3. A collection of exploits working together by Opportunist · · Score: 4, Insightful

    I know it's quite common to bash Antivirus, from "they create the viruses themselves to create a market" to "they are snakeoil anyway", so the headline is very Slashdot-y, but please realize that this is exploitable because three things come together:

    1. The way Windows symlinks is FUBAR.
    2. There are STILL programs that simply go by the logic of "let's just load every DLL in this directory".
    3. A program (in this case an AV tool) allows to "restore" files into a directory, does not double check where that ends up and has admin privileges.

    You can probably get the same effect with backup programs.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:A collection of exploits working together by Baron_Yam · · Score: 3, Insightful

      The way Windows handles installing and removing programs is insane. The way programs handle what security Windows offers is insane. But as a platform, Windows was originally designed for 'easy' not 'good', and it did an adequate job of standardizing program UIs, and then providing a standard interface to devices.

      After that, of course, Microsoft (and everyone else) discovered that you could force users onto the upgrade treadmill by changing the standards over time and killing backwards compatibility. And now they have enough of the business desktop market not to care.

      Whee!

    2. Re:A collection of exploits working together by ctilsie242 · · Score: 3, Informative

      Because of Windows's historically crappy programming, this is why AV was created. This isn't just MS's fault. Other operating systems of that time with cooperative multitasking had issues as well, so things like Disinfectant for the Mac that had a program load and run were critical.

      However, time has passed. Macs run a pre-emptive OS with MAC and DAC controls. Linux has SELinux and AppArmor. Even Windows, especially with tools to limit what applications can write to what files, is getting there.

      There is no real need for AV anymore. In the past, AV's liability of CPU slowness was worth it, as it would catch things. Now, AV is all but worthless because the two primary infection vectors are malvertising (which needs to be handled by the web browser and the sandbox/VM it sits in) and Trojans. AV rarely protects against malicious PDFs or Word documents.

      It is worse now, because with the fact that AV autoupdates both signatures and code, as well as sends what the hell it feels like to the mother-ship, AV can easily become malware in itself in a way that is undetectable.

      What needs to be done is to dump AV completely and have the OS handle security. The Qubes OS model is a good example of this done right. Alternatively, one can do this manually via Sandboxie or VMs on the desktop.

      The fewer moving parts, the better.

    3. Re:A collection of exploits working together by Dutch+Gun · · Score: 1

      2. There are STILL programs that simply go by the logic of "let's just load every DLL in this directory".

      This is not unusual because this is how programs handle extended functionality via plugins. For instance, every digital audio workstation (DAW) in the world works by scanning key folders for dlls with well-defined interfaces, known as VSTs. These VSTs contain virtual instruments or effects that can be accessed by the host DAW. Photoshop plugins? Same concept. And there are probably thousands more examples.

      This is what people mean when they talk about the conflicting interests of security and functionality.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    4. Re:A collection of exploits working together by Dutch+Gun · · Score: 1

      After that, of course, Microsoft (and everyone else) discovered that you could force users onto the upgrade treadmill by changing the standards over time and killing backwards compatibility.

      What on earth are you talking about? If there's one thing that Microsoft is insanely good at, it's preserving backwards compatibility at the OS level, even allowing much older 32-bit applications (some even vintage Windows 95 era software) to run on 64-bit machines via a built-in emulation layer. Most issues of breaking compatibility had to do more with software explicitly breaking earlier rules which weren't strictly enforced in older versions of Windows (like Windows XP), such as writing data to the program directory, etc, but which are now enforced.

      AV software, of course, pretty much breaks ALL the rules by hooking into the system guts, so naturally it tends to be version-specific. It would be a hell of a stretch to blame MS for this.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    5. Re:A collection of exploits working together by Opportunist · · Score: 1

      It is really asking too much of a program to store a list of the plugins it uses and load those and only those plugins?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:A collection of exploits working together by scdeimos · · Score: 1

      Because of Windows's historically crappy programming, this is why AV was created. This isn't just MS's fault. Other operating systems of that time with cooperative multitasking had issues as well, so things like Disinfectant for the Mac that had a program load and run were critical.

      You're right that this isn't just MS's fault. The 68x000 series of MacOS (capital M) did all sorts of things to encourage viruses, e.g.:

      1. Hard disk volumes had their own driver code in the first couple of blocks which was dutifully loaded by the OS when they were plugged in/turned on/inserted (in the case of removable volumes like Syquest) to make the entire volume accessible. Naturally these were relocated by viruses and overwritten with their own code.
      2. In its worst "what could possibly go wrong?" decision Apple allowed Resource Forks to contain Code Resources and, to make that even worse, added an "Auto-Execute" flag to them. Naturally this made it easy for viruses to stick auto-execute code resources in the Desktop file on every single hard disk, cartridge and floppy disk they encountered so they could easily spread infections.

      Noobs.

  4. How about a more secure OS? by evolutionary · · Score: 3, Informative

    Linux is better at resisting these things than MS windows. one can argue that Linux is less targeted, but whatever the reason, Linux (there is Apple based on BSD, but Apple has hooks in their products that are not open source). No system is foolproof. and some of these attacks used phishing techniques which someone who is watching can probably spot. But hopefully the AV companies will get better staying ahead of the curve.

    --
    "Imagination is more important than knowledge" - Einstein
    1. Re:How about a more secure OS? by ctilsie242 · · Score: 3, Informative

      Linux has had its vulnerabilities, but it has done well for an OS that is Internet facing and always bearing the constant slings and arrows from attackers. The only time I've even thought of AV on Linux is because it is to check a box off when it comes to audits or paperwork. I doubt any AV would be useful at all on the platform, other than to catch Windows items on a SMB file server.

  5. New meme by sjbe · · Score: 1

    They "patched the vulnerable"? Really?

    It's a close relative of Do the needful.

  6. Re: Obama is my Llama by bestweasel · · Score: 1, Offtopic

    Jackson Klaxon, a 32 year old software developer from Nohope Idaho, was today arrested outside a local dentist's office for indecent behaviour, stealing a llama from a nearby llama farmer and suspicion of being under the influence of hallucinogens.

    "The door to the surgery opened and I was shocked to see Mr Klaxon standing there naked, particularly as he didn't have an appointment", said Ethel Mercaptan, Receptionist, mother of six and part-time meth addict. "He turned round, a sight none of us was ready for, and dragged a large, somewhat reluctant animal in after him. I thought it was a stretch goat but was later informed it's what they call a llama. I became alarmed when Mr Klaxon started dancing and waving his arms around in Reception, all the time singing a silly song."

    "I told him he had to stop but he took no notice so I called the police, I mean we had women and children waiting and going to the dentist can be stressful enough. It's true some of the children were laughing and clapping and a couple of the adults were smiling but we really can't have that sort of behavior."

    "We'll have to have the carpet replaced because of the mess. What? No, the llama was well behaved by comparison. I'm afraid most of it was Mr Klaxon."

  7. Software has bugs.. by Altrag · · Score: 1

    News at 1942!

    Seriously though.. antivirus software is software, and many of them are very complex pieces of software given that they all seem to incorporate some combination of the primary AV, a firewall, malware scanners, webpage scanners, filesystem monitors, kitchen sinks, etc.

    Its kind of like expecting that your doctor can't get sick just because she's a doctor.

  8. In other words: we need SW freedom always. by jbn-o · · Score: 1

    Most anti-malware programs are nonfree (user-subjugating, proprietary) software. So it stands to reason that since people make mistakes and sometimes purposefully either don't fix exploitable bugs or put them there intentionally, nonfree anti-malware programs should be treated no differently from other non-free software—don't run nonfree software. The solution becomes obvious: run free software anti-malware programs instead. Apparently privatization got us to where we are: a series of untrustable nonfree programs with weaknesses only they're allowed to fix; weaknesses which can be exploited to do the very thing the programs aren't supposed to allow.

    This is also the proper reason to not trust Kaspersky's anti-malware software: not because it's Russian, not because its recent issues might be the CIA's work posing as something its not, but because it is nonfree. Yes, I'm aware that Kaspersky allows some people to inspect what may well be its source code (perhaps under a non-disclosure agreement). But that is not software freedom because it doesn't grant those few people the freedom to run, share, and modify the code. Also because that limited permission doesn't include Kaspersky's users. All computer users deserve software freedom for all of the software they run. Together we can improve the software and end up with something we can trust. I don't think businesses deserve primacy, and we have n obligation to turn everything into a question of 'how can someone make money with this?', but we could give a research lab funding to continue their work investigating malware and coming up with improvements to anti-malware programs. Given how many people use computers (in other words, they're not optional anymore), we should seriously consider federal funding and long-term employment for this.

    --
    Digital Citizen