Breaking AV Software

Hi guys,

I have just stumbled upon an interesting presentation regarding the exploitation of antivirus software. I can't comment on this, because it's over my head The link to the file containing the presentation is in this twitter status.

-https://twitter.com/matalaz/status/451934665830436864

 

Excellent overview of AV weaknesses... a must read.

 

I love the humor in it. For example:

Vulnerability scanner (LOL) not ASLR enabled. I love it, I do, I love it.

 

It has been some time ago, but I think the exe of BitDefender free (cloud) is not ASLR enabled either. Could someone check?

 

Interesting reading! Thanks!

 

On top of that, if you take a look at the pdf, you will see that even the paid version loads almost three dozen .dll's which are not ASLR enabled (page 57).

 

A simple fact that nearly everyone doesn't want to accept. =V

This feels like a slap in the early morning for me since I had a plan to be back using an AV. Heck in fact I was about half-way through.

 

Hopefully they have kept their day jobs.

 

This sort of thing (ASLR being disabled) is quite common in AV software. People have this completely incorrect notion that AV developers will somehow know how to write secure code, or even know *anything* about security.

Here's a tip - if you go through a CS degree in just about any school you will learn virtually nothing about security, unless you explicitly take security classes (rare). AV engineers are just like every other programmer, they make the same mistakes, they just get poetic irony attached.

I've been talking about AV vulns for years. I wrote an article a while back showing ASLR disabled on a bunch of binaries. That was a very cursory overlook at the security - the truth is that AV is probably the most easily exploitable piece of software on a users machine.

My expectation is that AV will be the path of least resistance for rooting a machine remotely.

 

Could there be other types of software which can be described as such? It might be a good idea to know how many vulnerable software which can screw us up so badly.

 

I might be wrong, but I guess being one of the most intrusive kinds of software doesn't help.

 

Yep, and I wonder if there are other kinds of software which are as intrusive and easily exploitable as AVs. I heard that torrent clients are quite risky software but I don't know how true is that.

Well at least we have another trash came to mind: JRE. =V

 

Is other software as dangerous? Not really.

By definition Antivirus software deals with attacker controlled code. That right there is reason enough for even *secure* code to be considered dangerous - it is *explicitly* exposed.

Beyond that, AV's tend to package all sorts of complex code - parsers, extractors, emulation, etc. These are historically exploitable types of code.

And, on top of that, to work properly most AVs will run those pieces of code at High integrity/ root.

The combination of this is that all one has to do is get a file onto the system (sometimes not even, even an email being opened is enough) and the AV will touch it, get exploited, and give an attacker root.

The bonus being that your attacker now contains what is likely a very trusted process on the system, unlikely to get picked up by another security program on the system.

No other piece of software is that dangerous.

 

That was really interesting reading. Most AV vendors are focused on protecting system but they forgot to protect their own software. I hope we'll see more test like that. If not before then after hackers will start to use those vulnerabilities ITW.

hqsec

 

Of course, we should rely on bloggers to protect us instead.

And one of those days you are going to code a POC that blah, blah, blah...... I've been reading the same story here at Wilders for years and nothing ever happens. AVs are still ok and you and the ones like you keep talking about how stupid the people who write security software are and how smart you are.

For example, you used to post in every thread about Trusteer Rapport to explain how easy it was to bypass it and how useless that program was. Well, every thread except the one that announced that IBM was buying Trusteer for one billion dollars, somehow you missed that one.

 

Then again, McAfee was bought by Intel not long ago.

 

Blogging is what I do in my spare time, just like posting here. I'm a computer science major, and I'm hired to do exploit development for a private contractor, among other things.

You mistunderstand. It's not AV software writers, it's all software writers. Everyone's pretty bad at writing software, especially at writing secure software. There are some solid programmers out there, but they can't help the fact that no one really teaches much about security in a CS degree.

The misconception is that AV writers are somehow different from the rest of the programmers of the world who write insecure software. They are not. Again, not their fault, security is not taught well to CS majors.

But yes, I am quite smart.

I didn't hear about IBM buying it. Why would I care? The product was a joke a year ago and I assume it still is, though I have not looked at it. I don't care who owns it.

 

How would we know?

I am sure no one here is valuable enough as a target so that skilled intrusion experts are trying to compromise our private computers. As for massively exploiting AV-Software just like Java or old versions of Flash and Adobe Reader, it perhaps takes a lot of effort and more knowledge; and as long as people are happily infecting their machines by executing socially engineered malware that simply isn't detected by the AV, exploiting the AV is not only unnecessary. It would be more expensive and reach a smaller target audience as well.

As far as high value targets are concerned, we are reading every couple of weeks about how one of the big ones gets compromised. Exploiting AVs could have played a part here and there, but no one would tell us, of course, and it's probably very hard to tell after the fact. But even in these cases I am pretty confident exploiting the AV was not necessary, as it just went by undetected as well.

So as long as security software continues to let malware pass through undetected, there is no need to exploit the security software

 

A very good point.

For those that are implying that having AV software on your machine is more dangerous than not, what do you suggest as an alternative?

 

Really depends on the needs of the system.

 

There is no arguments to maintain that statement, the fact that any Security Software can have an exploitable bug doesn't imply that you are safer without it.
Having a 2,3,4 layer security using different products should be enough, there are many other apps (not security related) more commonly used by the people that are a preferable target than any AV.

 

Maybe the idea that you would be safer without it is something that I am reading into it without it having been said, but a lot of the comments have implied to me that this would be the case, or a least something that needs to be clarified.

There likely are preferable targets, but when you consider this comment...

... I have to inquire of the perceived risk of running AV vs. another alternative.

Not picking on anyone here, I just want to know where to go with topic since it appears like a "Here is a bag of your AV is dangerous", lighting said bag on fire, dropping it on my porch, ringing the doorbell, and running.

 

Risk analysis is not generic.

AV is very dangerous software. It also provides something. It's really up to you or whoever is admin'ing the system to determine the cost : benefit.

Personally, I believe that if security is priority than Linux is the obvious choice. There isn't much decent software for security on Windows. Basically, just because AV isn't good doesn't mean there's an alternative that's better.

 

Agreed.

I am admin, the reason I am looking for input.

In my experience with testing many AV products, I would have to agree. Most of it seems to cause more problems than it solves. There probably is not an alternative that is better, but I was hoping someone would surprise me with a magical answer.

 

Unfortunately it just doesn't exist, in my opinion. That will change in a few years.