Breaking AV Software

ASLR drives up the cost of virtually all memory corruption vulnerabilities.

 

The adversaries that are most likely to have and develop such exploits have nearly unlimited resources available. For them, cost is a non-issue.

 

Of course that researcher refuses to give any detail about what he found. Obviously he is in only for show and profit.

 

This does seem like a lot of FUD. If there is a vulnerability, I'd hope the more responsible antimalware makers would fix the issue or at least make a signature.

 

His answer was "No, I will not give you details. Do audit your programs by yourself."

So what kind of attitude is that? Does he wants to help improve the security of products and for users or does he just wanna show-off how great his reversing skillz are? Or he got some juicy offer so that some tripple letter agency can abuse the vulnerabilities against the users world-wide?

With the attitude he shows plus the fact that he obviously don't want that people use AV at all one could suspect he is into malware writing business... Soften up targets so he can earn more $$$

Yeah sorry, I got a bit paranoid with all the things that are going on

I just don't like people who's prime interest is finding flaws in other people's work, not helping them to improve and not doing any positive or helpful at all.
I wonder how many bugs they would have if these people would actually write complex software... None, sure...

 

Nice different perspective, thank you.

 

You make a good point.

 

Make a signature for their own program because the person won't share the details concerning the vuln with them?

I see no reason why any of the vendors wouldn't fix the vuln's ASAP if they were given details about it. The person with the details is the one doing it wrong.

 

So many questions, so little time...

I'm Joxean, the guy who gave this talk. Some answers to what I have read in this thread:

1) I do not work and will never work in the malware industry. Just nope.
2) I'm not encouraging the average Joe to not using AV products. After all, my talk was more focused on the actual target of an adversary using 0days so not the average user but, rather, big companies and governments. Indeed, I encourage the average user to actually use antivirus products: they really need them.
3) One of the reasons of doing this talk is, of course, auto-fellatio. But not the main reason.
4) The main reason, believe it or not, is to push the AV industry to make actually secure products. There is only one way of doing so: making most of the information public so everybody can prevent attacks instead of blindly trusting buggy products because they're labeled as security products. The current security state of AV products is sad to say the least.
5) Every company that contacted me before the talk was actually answered back with real vulnerabilities and my recommendations to discover them (and more), how to fix them and, more than anything, the important point, how not to fall again in this mess.

Now, some random points I have seen here that I would like to comment on... For example, the Avira team is not happy with me because after my talk I refused to give more details to any other company contacting me. Sorry. Do audit your products, I'm a random guy, not a big company like the one you work for and I have no responsability whatsoever in your products at all. You have better resources than I and I have other things to do better than helping for free companies making money when I do it for fun as for myself. So, sorry again, but I'm not responsible of your bugs and you do not fullfil any of my own rules to contact a vendor, which are listed bellow:

1) They offer a Bug Bounty. Only Avast offers it nowadays.
2) The product is Open Source. ClamAV is the only one and I, of course, contacted them.
3) I have close friends there. This is the case of Panda.

Also, I do not follow the rules created by companies about what is "responsible disclosure". I used to but not anymore after very unpleasant histories... So, if responsible disclosure means you work for free for companies that have more money than what you will ever see in your entire life... ehm, sorry, it's not responsible, it's just benefitial for, one side, the company and nothing else.

Regarding conspiranoid histories... I do not think, but for obvious reasons I cannot probe, that any AV company out there is doing anything for helping $RANDOM_GOVERNMENT. Indeed, sorry, but I think a government doesn't actually need to force an AV company to install any backdoor into most of the products I tested because overall it's simply too easy to just research the product you want to target and have a 0day in a couple of days.

Going back to ad-hominem attacks: Stefan, the next time you feel upset by somebody do not say he is in the malware business just because you feel upset when you know he is not but you're upset because he doesn't do what you want. It is bad for karma.

And, in order to finish this rather long post: you can believe me or not, but I only showed the current overall "state-of-the-art" in AV products. Here are the results. Also, you can blame me if you want but this is not going to fix bugs in AV products neither make them more secure so, please, AV companies, try to answer yourself why is it harder to exploit a ~ Snipped as per TOS ~browser or a document reader than a so called security product as of today.

Cheers.

~ Clever Alteration of a Possibly Offensive Word Removed - JRViejo ~

 

@stefan Kurzhals: you're referring to the Blackhat presentation? That's a nasty attitude the researcher has, from what you say, but I can't say I'm surprised. A lot of people in the offensive security scene seem to be a bit on the unscrupulous side. :\

@Hungry Man, re antivirus software. How would you know if an AV engine's code base is ancient, or whether it uses some form of sandboxing/privilege separation when doing heuristic analysis? These programs are for the most part completely proprietary, and some are actively designed to foil reverse engineering attempts.

I mean, if for some reason I were writing an AV with heuristics, it would probably
- Have the heuristic engine running in userspace as a special unprivileged user, with access only to a small ramdisk
- On attempting to load or run an unrecognized DLL or EXE, copy the binary (or chunks thereof) into the ramdisk
- Wait for the engine to decide if it's nasty, and pass the decision back to the driver
- Have the driver allow or deny execution based on the results from the userspace engine

On UNIX you could do even better by chrooting the engine; on Windows Vista and later you could use integrity levels. The most difficult part, I think, is getting data back from the unprivileged engine process. On UNIX I'd use a temporary file in the ramdisk for that, not sure what would be sane on Windows... But the point is, I can come up with something like this off the top of my head in ~5 minutes, based on pretty limited understanding of multiuser OSes. I would be very surprised if AV developers haven't thought of something better than that by now. The days of mandatory Win9x compatibility are long gone.

tl;dr While I'm not overly fond of realtime AVs, I have some doubts about the generalizations you're making here, especially seeing as (AFAIK) you've never looked at an antivirus product's code base.

 

hi
Always the same reaction for the av industry when something, paper, zero day, research, tries to demonstrate the weaknesses of their products or protections.
Just remember as an example among many others the racetozero http://www.pcworld.com/article/145148/article.html http://www.beskerming.com/commentar...Competition_has_Antivirus_Vendors_Complaining
I am agree with the author of the paper, and this statement has been pointed out by the nomorefreebugs initiative
http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/
Then why a researcher will give for free the result of his research?
To help the antivirus editor to sell more and more licenses with an av-comparative marketing like our av is more immune than others?
Like Dr Web with the IAWACS contest http://www.pressebox.com/pressrelea...-Antivirus-ist-iAWACS-Testsieger/boxid/303460
The av industry is a business, why av devs can not consider that vulnerability assessment market niche is also a business too?
More over, does it make sense to give for free the result of hours of stress testing, code auditing, tainting/fuzzing if we consider that in a any zero day market, a vulnerability can be sold from 1000 dollars to 500 000 dollars?
http://blog.nibblesec.org/2011/10/no-more-free-bugs-initiatives.html
Seriously, one of the main problem is that AV devs are in the defense side, and by this way, do their work from this principle.
The same for AV tests in general based on defensive methodology. Vicious circle.
If an AV editor wants to improve its product, there is of course users forums, but also security boards, see av bypass discussions on Kernelmodeinfo board for instance, vulnerability assessment/code auditing services, like Veracode, Coresecurity or Vupen.
If not, there is a riks to be listed on http://securityerrata.org/errata/
Many interesting papers like this one has been published in this decade, and i remember for instance the IAWACS challenge:
https://www.wilderssecurity.com/threads/dr-web-wouldn’t-crack.258087/
http://cvo-lab.blogspot.fr/2012/08/perseus-and-iawacs-20092010-available.html

As a conclusion, antivirus are designed mostly to be as simple as possible in order to be used by the maximum of people; they are not specifically designed to provide the maximum security.
Rgds

 

The post calling him a malware writer is terrible. He very obviously isn't, nothing he does is out of the ordinary, and the post reeks of terrible damage control.

It is not his *job* to fix your product.

edit: Actually! The post annoyed me so much that I'm going to break down each part of it and actually give a real response.

@Stefan Kurtzhals

"So what kind of attitude is that? Does he wants to help improve the security of products and for users or does he just wanna show-off how great his reversing skillz are? Or he got some juicy offer so that some tripple letter agency can abuse the vulnerabilities against the users world-wide?"

Do you want to help improve the security of your product? Some guy just pointed out a bunch of flaws - are you going to fix them? Are you going to better your product ?

Research like his is *commonplace and typical*. The idea that security research is just about showing off.. you can't possibly believe that? I can only assume that your goal is to confuse people with this statement, as anyone who's been to a conference, or talked to anyone in the field, or has done any research whatsoever, would know that it's not "showing off". Research is critical to improving products.

"With the attitude he shows plus the fact that he obviously don't want that people use AV at all one could suspect he is into malware writing business... Soften up targets so he can earn more $$$"

Disingenuous and offensive. Claiming that because someone does attack research they must be selling 0days or doing something malicious is nonsense. Again, are you in this field? Are you a part of it at all? How does one work at an antivirus company and not get that offensive research is not malicious?

Anyways, yeah, you should flat out feel bad for posting that because it's such nonsense.

"I just don't like people who's prime interest is finding flaws in other people's work, not helping them to improve and not doing any positive or helpful at all."

How much of your job/ someone else's job does he have to do before he starts having a positive impact? He's already pointed out problems in software, is it also his job to fix them? Will your company be paying him for his work? Because so far, he's working for you pro-bono as far as I can see.

"I wonder how many bugs they would have if these people would actually write complex software... None, sure..."

Not the point. At all.

Nothing of substance in your post.

@GJ, I will edit this post in a few minutes. Working on other stuff at the moment. Just saw that the author had posted here and then I saw the (avira dev?) other post.

Damn. Broke GRUB... ok well time to answer your question.

You can see if a process is sandboxing itself just by looking at a process manager. If their sandbox has any sanity involved (ie: not something like the Java sandbox) it'll be clear.

Yes, your method would be superior to the way it's currently done. It probably took you very little time to come up with that, but that's more than they've done. The caveat you've mentioned would not be a giant issue.

Your assumption that they've thought of it is probably correct - it would be really embarrassing if they hadn't. But they haven't done anything with it. A few AVs have moved processes out of root but like... so has everyone else after UAC.

I've not looked at AV codebases, but I'm also not claiming to have a 0day up my sleeve. All I'm saying is that you can look at permissions and mitigation techniques on AVs and see that they're behind.

 

I would like to hear your opinion about this

 

this thread would be really useful if there are solution / recommendation for average joe like me.
does anyone or maybe joxean have security product/setup recommendation?

I've read hungry man report on his site, citing that MSE and WSA have all exe ASLR and DEP enabled.
does that makes them superior to other av?

 

It's hard to tell really since Windows still doesn't have anything too interesting currently. In my personal and selfish opinion it's better to "scan" (note that I put quotation marks there) the files before you even download them. This can be achieved by using some sort of a download repo + use a security-based DNS filtering service + use Chrome since it also tells you about potentially infected files. Then you can use MSE and don't need to worry about its basic protection that everyone keeps unnecessarily nagging about. FWIW, HitmanPro can also be used along with MSE since from what I can remember, it enables ASLR in all of its components. Correct me if I'm wrong on that last part.

 

That's just one factor among many. An AV that's not vulnerable to being exploited isn't worth much if it misses detections or constantly gives false positives. There's a lot of different criteria when comparing security apps. This issue is a 2 edged sword. The AV can be both an asset and a liability at the same time.
How much weight each factor carries will vary depending on the users priorities. The user has to decide how central is the AV to your security policy, whether it's the frontline defense or a secondary layer, and who/what they consider to be the primary threat to their system.

 

Ah, but we cannot fix "the problem" he pointed out. In the presentation there is just "The product has multiple vulnerabilities". Nothing more. Not even the component which is affected. Are we supposed to spend now weeks and months to look in our product for the problems you found? With the chance that you tested an old version and that the bug is already fixed? Of course there are bugs in the products, which software is ever bug free? Of course we want to fix all bugs we find or get told - but this is still a company which must work cost effective.

Do you have any idea how many bad & big problems we have to solve that have urgent priority? We prefer to focus on things that we can solve quickly, so what do you expect? That the entire company panics and starts searching for the one problem you found, dropping all current work?

Did it ever occur to you that you have a very narrrow view of the world, that all that matters to you are vulnerabilites? There are more problems to solve. Welcome to the real world.

Nobody expects you to work for free - but actually nobody ordered you to do that work. So what, do you want so say to the companies: "pay me or you get nothing"? There is another, ugly, word for that.

 

Maybe this guy is Chuck Norris?

 

@Stefan Kurtzhals

"Ah, but we cannot fix "the problem" he pointed out. In the presentation there is just "The product has multiple vulnerabilities". Nothing more. Not even the component which is affected. Are we supposed to spend now weeks and months to look in our product for the problems you found? With the chance that you tested an old version and that the bug is already fixed? Of course there are bugs in the products, which software is ever bug free? Of course we want to fix all bugs we find or get told - but this is still a company which must work cost effective."

Are you seriously nto already looking?

Here's a place to start - last I checked Avira had 41 non-ASLR executable files on an install. Why not just start there?

Can your team seriously not identify critically vulnerable areas of code?

Can you not work the fuzzer that he provides a link to in his talk and simply run it?

"Do you have any idea how many bad & big problems we have to solve that have urgent priority? We prefer to focus on things that we can solve quickly, so what do you expect? That the entire company panics and starts searching for the one problem you found, dropping all current work?"

So your argument is that you have better things to do. K. Well, if you get the time, how about fuzzing your product.

Does Avira have a fuzzing process already?

How are you actually going out of your way to protect your users?

Because so far all you're telling me is how you *aren't* because you have better things to do.

"Did it ever occur to you that you have a very narrrow view of the world, that all that matters to you are vulnerabilites? There are more problems to solve. Welcome to the real world."

More words for distractions. You say nothing here except that vulnerabilities aren't important because of some vague threat that you don't specify. Of course, that doesn't address anything anyone's said - more nonsense.

"Nobody expects you to work for free - but actually nobody ordered you to do that work. So what, do you want so say to the companies: "pay me or you get nothing"? There is another, ugly, word for that."

So, again, what's the point with this statement? You're upset because he doesn't hand research over to you for nothing (he handed it to multiple companies for free because they were nice and asked him). But you also say that vulnerabilities don't matter and the research isn't important. And then you also say that he's, what, extorting you? What exactly is the ugly word here? Because from my perspective this is typical offensive research.

He wrote some research that:

1) Explains the dangers of antiviruses from a theoretical standpoint, stating what we've all known for years - attack surface + privileges = danger, and AV has a lot of both.

2) Shows demonstrable exploits against products that have had the vulnerabilities disclosed. either due to vendor bounty programs or vendors simply approaching him asking for help.

And you:

1) Accuse him of being a malware author

2) Accuse him of spreading FUD (oh the irony, given the above)

3) State that you and your team have better things to do than to download and run the tool provided that he used to find vulnerabilities.

Let's take a step back here and just forget all of the nonsense you've posted in this topic. I'm willing to forgive and forget on one condition: you explain to your users how you are going to protect them from the threats detailed in the research.

No ad hominems accusing one person of X or Y. No excuses about whatever other things you guys have going on. I want you to tell the people who use and rely on your product why they should feel safe using it, what you are doing to address the problems pointed out (and there *are* problems pointed out).

Otherwise just stop posting - you're making it worse.

 

My friend, I did not contact you so... why do you think I really care at all about what do you do? I answered you "audit your products" because you *asked* me, not because of any other reason. Honestly, I don't care about what do you do.

You expect me to give for free my research. As I don't do that you're disgusted with me. I never said anything at all like what you say. I did not contact you neither when you contacted me I offered you to give you anything either paying or not. Blame me whatever you want, I really don't care.

BTW, this is the last time I answer to your offenses. Have a nice day Stefan.

 

BTW, why you think I am upset? You never saw me when I am upset. I find this discussion entertaining, actually.

I did never not say that vulnerabilities are unimportant. In fact we always fix bugs ASAP.

All relevant Avira processes have ASLR enabled. Maybe you tested AV12 or so?
We can even create complex detections on vulnerable areas of code. ;-)
We fuzz the scan engine all the time, in a more complex manner, for long long years already. It's just one of the many measures we take to ensure the security of the scan engine.

So?

 

thanks for answering.

I'm slightly knowledgeable than my friends , so I use av as second or maybe third protection.
and I do use on demand scanner such as HMP and others.
but for average joe, av is not first or second, it's their one and only protection against malware.
after reading this thread, my conclusion is still the same, for average joe, having anti malware is still the better option than having none.

this makes me sad, I was reading the whole thing and digging for that magical solution.
maybe in the future average joe will have better option

 

This discussion can be summed up to:

Stefan: "Provide me with SOMETHING or you are not part of the solution."
Joxean: "No, i don't care because Oracle's been a meanie."
Hungry Man: "I like running in circles, why don't you?"

The rest is empathic noise.

Seriously everyone?

 

LOL, best comments so far.

No just kidding.

But anyway, the end conclusion is: anti malware software should start to take advantage of security features offered by Windows, like the ones enforced by EMET for example.

 

LoL... Excellent...