AV Exploits being Sold on Dark Web

Discussion in 'other anti-virus software' started by AutoCascade, Sep 22, 2015.

  1. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States

    In his latest Project Zero blog post Google researcher Tavis Ormandy writes about flaws found in Kaspersky AV - also complimenting them on their extremely fast turnaround in closing up those bugs.

    Then he shows a so-called dark web page where AV exploits are being sold.

    http://googleprojectzero.blogspot.com/2015/09/kaspersky-mo-unpackers-mo-problems.html

    Just interesting reading for AV enthusiasts. Just to add that Ormandy is finding that malware is using the hooks in the AV to deliver its package.
     
    Last edited: Sep 23, 2015
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Interesting, so perhaps some parts of AVs should run with less rights.
     
  3. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,088
    Just like any software running on machines AVs can also increase attack surface. Since AVs have highest privileges, that's even more problematic than other software (like browsers) being exploited. As long as those exploits are used only in targeted attacks, ordinary users should not worry about it. OTOH if you practice safe computing you probably don't need to run real-time AV anyway.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    From the above article:

    Ormandy recommended that AV developers build security sandboxes into their products that isolate downloaded files from core parts of the computer operating system.

    Well, some AV products already have them. Eset's advanced heuristics uses a virtual sandbox. I believe Avast also now has one. Perhaps he was referring to installed apps that were downloaded? This is something that should have been part of Windows OS since day one. Think Unix and its protégé, Linux.
     
  6. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    He said he was going to be looking at a couple of other AVs in the near future, though I can't find that post. Here are a couple of posts about ESET from July and a recent one about Avast.

    He gets a hold of the vendor right away and lets them know they have a problem. His twitter feed is very interesting to follow.

    Tavis Ormandy ‏@taviso Jul 1
    Another curious ESET bug, modifying the IAT at runtime can break out of the emulator. https://code.google.com/p/google-security-research/issues/detail?id=470…

    Tavis Ormandy ‏@taviso Jun 30
    Remote heap overflow in ESET parsing symbian installation files (!?!) https://code.google.com/p/google-security-research/issues/detail?id=466

    Srsly Avast? If you're gonna mitm chrome's SSL at least get an intern to skim your X.509 parsing before shipping it.

    https://pbs.twimg.com/media/CPwO10HUsAAJ96F.png
     
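The two parser bugs quoted above (a heap overflow in an installer-file parser, and X.509 parsing on a TLS interception path) both come down to trusting a length field read from attacker-controlled bytes. The following is an added example, not Avast's or ESET's code: a strict DER tag-length-value decoder, the building block of any X.509 parser, showing the checks that have to happen before a declared length is used. All inputs, including the malformed ones, are constructed for the example.

```python
"""Strict DER length decoding, the building block of an X.509 parser.

Added example, not Avast's or ESET's code, illustrating the checks a
certificate parser on the interception path has to make before it trusts a
length read from the wire. Every input below is constructed for the example.
"""
from typing import List, Optional, Tuple

SEQUENCE = 0x30


class DerError(ValueError):
    """Raised for anything a strict DER decoder must reject."""


def read_tlv(buf: bytes, off: int = 0) -> Tuple[int, bytes, int]:
    """Decode one tag-length-value at buf[off:] and return (tag, value, next_off).

    Rejects truncated headers, indefinite length (0x80, BER only), non-minimal
    long-form lengths and, the check that matters most, a declared length that
    runs past the end of the buffer.
    """
    if off >= len(buf):
        raise DerError("no tag byte")
    tag = buf[off]
    if tag & 0x1F == 0x1F:
        raise DerError("multi-byte tags not supported in this example")
    off += 1
    if off >= len(buf):
        raise DerError("truncated length")
    first = buf[off]
    off += 1
    if first < 0x80:
        length = first                      # short form: one byte, 0..127
    elif first == 0x80:
        raise DerError("indefinite length is not DER")
    else:
        n = first & 0x7F                    # long form: n following length bytes
        if n > 4:
            raise DerError("length field wider than 4 bytes")
        if off + n > len(buf):
            raise DerError("truncated long-form length")
        if buf[off] == 0:
            raise DerError("non-minimal length encoding (leading zero)")
        length = int.from_bytes(buf[off:off + n], "big")
        if length < 0x80:
            raise DerError("non-minimal length encoding (short form would fit)")
        off += n
    remaining = len(buf) - off
    if length > remaining:                  # the overflow-class bug, caught here
        raise DerError(f"declared length {length} exceeds remaining {remaining} bytes")
    return tag, buf[off:off + length], off + length


def children_of_sequence(buf: bytes) -> List[Tuple[int, bytes]]:
    """Decode an outer SEQUENCE and return its (tag, value) children."""
    tag, body, end = read_tlv(buf)
    if tag != SEQUENCE:
        raise DerError(f"expected SEQUENCE, got tag 0x{tag:02x}")
    if end != len(buf):
        raise DerError("trailing bytes after SEQUENCE")
    out, off = [], 0
    while off < len(body):
        t, v, off = read_tlv(body, off)
        out.append((t, v))
    return out


def rejection_reason(buf: bytes) -> Optional[str]:
    """None if buf parses as a well-formed SEQUENCE, else the DerError message."""
    try:
        children_of_sequence(buf)
        return None
    except DerError as e:
        return str(e)


# Constructed inputs: one well-formed SEQUENCE { INTEGER 5, OCTET STRING "ab" }
# and hostile encodings of the kind a fuzzer throws at a parser.
GOOD = bytes.fromhex("30 07 02 01 05 04 02 61 62")
BAD_INPUTS = {
    "length past end":   bytes.fromhex("30 84 ff ff ff ff"),
    "indefinite length": bytes.fromhex("30 80 02 01 05 00 00"),
    "child past end":    bytes.fromhex("30 03 02 05 01"),
    "non-minimal":       bytes.fromhex("30 81 05 02 01 05 04 00"),
}

if __name__ == "__main__":
    print("good:", children_of_sequence(GOOD))
    for name, data in BAD_INPUTS.items():
        print(f"{name:18s} -> {rejection_reason(data)}")
```

The length-versus-remaining check is the one a sloppy parser skips; a 4-byte length of 0xffffffff followed by a memcpy is exactly the shape of a remote heap overflow in a file-format parser.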
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Eset fixed those two bugs real quick. One they already knew about.

    I believe Avast is only one among many (Eset, Kaspersky and two others I know of) that have SSL protocol scanning options. As has been previously pointed out by a number of security entities, none of the vendors are doing it properly. Actually, Avast was one who came closest to getting it right... The whole subject can be summarized as "which is the lesser of two evils?"
     
    Last edited: Sep 28, 2015
  8. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    The feed is very interesting to follow though don't you agree? Tavis also has a blog 'project zero'.

    It's like Google has an employee whose job is to help AV vendors. Pretty cool.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    This sounds a bit weird, virtual sandboxes won't do anything to block or mitigate exploits in security software itself. I think Ormandy meant that sandboxing must be built into the AV, to harden the AV against attacks. Similar to the Chrome and Edge sandbox.
     
    Last edited: Sep 28, 2015
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Both the Eset issues were memory-related vulnerabilities: heap spraying and IAT modification. Sandboxing would not have prevented those attacks.
     
  12. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    732
    Could EMET help here, with the memory-related vulnerability issues... or would that just cripple the OS entirely? How would AVs work on an OS if they employ memory vulnerability tweaks such as the ones mentioned above or ones mentioned in the EMET GUI? We already allow AVs to run rampant on our OS (even with custom settings tailored to individual needs), when is enough really enough? The more I read about this stuff, the more I am convinced that application black/whitelisting along with DLL and driver control are the way to go...
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,088
    Yes, I understood it that way also. But this would be much harder as AVs run with admin and system privileges. OTOH Chrome runs with medium and untrusted privileges. Also, if an AV's driver gets exploited there could probably be no sandbox built into the AV that could contain that.
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Perhaps some of the AV components can run with less rights? I have no idea if this idea is feasible.
     
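The "run some components with less rights" idea the last few posts circle around is ordinary privilege separation: keep the privileged service small and push the code that touches untrusted bytes (unpackers, format parsers) into a worker that has already given up what an exploit would need. The following is an added example, not any vendor's code, using POSIX fork plus resource limits as the sandbox; it does not address the kernel-driver case raised above, which no user-mode sandbox can contain. The parser, the 1 GiB memory cap and the `CRASH`/`HANG` trigger strings are constructed for the example.

```python
"""Privilege separation for the code that touches untrusted input.

Added example, not any AV vendor's code. The parent stands in for the
privileged scan service; the parser runs in a forked child that has given up
file writes, core dumps, child processes and most of its memory budget before
it reads the first byte. A bug in the parser then produces a dead worker and a
log line, not code execution inside the privileged service. The 'CRASH' and
'HANG' markers are constructed triggers that simulate a parser bug.
"""
import os
import resource
import select
import signal
import time
from typing import Tuple

MEMORY_CAP = 1024 * 1024 * 1024   # 1 GiB address-space cap for the worker (assumed)


def enter_parser_sandbox() -> None:
    """Called in the child. Each limit is applied on its own so one the platform
    lacks does not prevent the others from taking effect."""
    limits = [
        (resource.RLIMIT_FSIZE, 0),      # cannot create or grow files
        (resource.RLIMIT_CORE, 0),       # no core dump of the sample on disk
        (resource.RLIMIT_CPU, 5),        # runaway decompression loops get SIGXCPU
        (resource.RLIMIT_AS, MEMORY_CAP),
    ]
    if hasattr(resource, "RLIMIT_NPROC"):
        limits.append((resource.RLIMIT_NPROC, 0))   # no helper processes
    for res, value in limits:
        try:
            resource.setrlimit(res, (value, value))
        except (ValueError, OSError):
            pass


def toy_parse(data: bytes) -> str:
    """Stand-in for an unpacker; real parsers are where the bugs live."""
    if data.startswith(b"CRASH"):
        os.abort()                 # simulated memory-corruption crash (SIGABRT)
    if data.startswith(b"HANG"):
        time.sleep(60)             # simulated decompression bomb / infinite loop
    return "malicious" if b"EICAR" in data else "clean"


def scan_in_sandbox(data: bytes, timeout_s: float = 10.0) -> Tuple[str, str]:
    """Parse data in a restricted child. Returns (status, detail) with status one
    of 'ok', 'crashed', 'error' or 'timeout'. The parent never runs the parser."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                   # child: sandbox first, parse second
        os.close(r)
        code = 1
        try:
            enter_parser_sandbox()
            os.write(w, toy_parse(data).encode())
            code = 0
        except Exception:          # any Python-level failure is still contained
            code = 2
        finally:
            os._exit(code)
    os.close(w)
    ready, _, _ = select.select([r], [], [], timeout_s)
    if not ready:                  # wall-clock budget blown: kill, reap, report
        os.kill(pid, signal.SIGKILL)
        os.waitpid(pid, 0)
        os.close(r)
        return "timeout", "parser exceeded wall-clock budget"
    out = b""
    while True:                    # read until the child closes its end
        chunk = os.read(r, 4096)
        if not chunk:
            break
        out += chunk
    os.close(r)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return "crashed", f"parser killed by signal {os.WTERMSIG(status)}"
    if os.WEXITSTATUS(status) != 0:
        return "error", f"parser exited with status {os.WEXITSTATUS(status)}"
    return "ok", out.decode()


if __name__ == "__main__":
    for sample in (b"plain document", b"EICAR test string", b"CRASH\x90\x90", b"HANG"):
        print(sample[:12], "->", scan_in_sandbox(sample, timeout_s=1.0))
```

A production version would also drop to an unprivileged uid, chroot or mount-namespace the worker, and apply a syscall filter (seccomp on Linux); the structure stays the same: the privileged side opens the file and handles the verdict, the unprivileged side does the parsing, and a crash in the worker is an incident to log rather than a compromise of the service.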
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,088
    Antivirus software could make your company more vulnerable
    http://www.pcworld.com/article/3020...-could-make-your-company-more-vulnerable.html

     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Interesting how the author never mentions the number of past and present whitelisting bypasses in existence:

    One technology that could either complement or replace antivirus programs entirely in high-risk environments is application whitelisting, which only allows pre-approved applications to run on a computer. The U.S. National Institute of Standards and Technology recently encouraged the use of such protection mechanisms, which are available in some operating systems by default, and even released a guide with recommended practices.
    The bottom line is every complex piece of software developed has vulnerabilities. The most common are backdoors that were inserted into the code for test purposes and that were not removed prior to implementation. The AV industry's existence relies on its delivery of reliable software. Just ensure you have a product installed from a reliable, AV lab test verified, and time-proven vendor.
     
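The quoted article describes application whitelisting as approving pre-approved applications and itman notes the bypasses. As an added example, not the NIST guide's or any product's code, here is a small evaluator for the two rule types most allowlisting products offer, a hash rule that pins one exact binary and a path rule that trusts a directory, together with the check that stops the most common self-inflicted bypass: a path rule over a directory that other users can write to. The directory layout, file contents and modes are constructed for the example.

```python
"""Evaluating application allowlist rules.

Added example, not NIST's guide or any product's engine. A hash rule pins one
exact binary; a path rule trusts everything under a directory. The evaluator
refuses to honour a path rule over a directory that other users can write to,
because anything dropped there would otherwise be approved for where it sits
rather than what it is. Directory layout, file contents and the 0o777 mode are
constructed for the example.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Rule = Tuple[str, str]          # ("hash", hexdigest) or ("path", directory)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def dir_writable_by_others(directory: str) -> bool:
    """Group- or world-writable directories cannot back a path rule."""
    mode = os.stat(directory).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def _under(path: str, directory: str) -> bool:
    root = os.path.join(os.path.realpath(directory), "")
    return os.path.realpath(path).startswith(root)


def evaluate(path: str, rules: List[Rule]) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason). Hash rules are checked before path
    rules so a pinned binary is approved regardless of where it lives."""
    digest = sha256_file(path)
    for kind, value in rules:
        if kind == "hash" and value == digest:
            return "allow", f"hash rule {digest[:12]}..."
    skipped = []
    for kind, value in rules:
        if kind == "path" and _under(path, value):
            if dir_writable_by_others(value):
                skipped.append(value)      # a writable trusted dir is a bypass
                continue
            return "allow", f"path rule {value}"
    if skipped:
        return "deny", "only match is a path rule over writable dir " + ", ".join(skipped)
    return "deny", "no matching rule"


def run_demo() -> Dict[str, str]:
    """Build a constructed layout in a temp dir and return the decision per file."""
    with tempfile.TemporaryDirectory() as top:
        progs = os.path.join(top, "Program Files")
        downloads = os.path.join(top, "Downloads")
        os.mkdir(progs)
        os.chmod(progs, 0o755)          # admin-owned, read-only for others
        os.mkdir(downloads)
        os.chmod(downloads, 0o777)      # anyone can drop a file here
        files = {
            "vendor_tool": os.path.join(progs, "tool.exe"),
            "vendor_tool_copy": os.path.join(downloads, "tool.exe"),
            "dropped_payload": os.path.join(downloads, "update.exe"),
            "unknown_in_progs": os.path.join(progs, "helper.exe"),
        }
        contents = {                    # constructed stand-ins for binaries
            "vendor_tool": b"MZ vendor tool v1",
            "vendor_tool_copy": b"MZ vendor tool v1",
            "dropped_payload": b"MZ attacker payload",
            "unknown_in_progs": b"MZ unsigned helper",
        }
        for name, p in files.items():
            with open(p, "wb") as f:
                f.write(contents[name])
        rules: List[Rule] = [
            ("hash", sha256_file(files["vendor_tool"])),
            ("path", progs),
            ("path", downloads),        # the rule an admin should never add
        ]
        return {name: evaluate(p, rules)[0] for name, p in files.items()}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:18s} {decision}")
```

The hash-pinned tool is allowed wherever it is copied, the unknown helper is allowed only because it sits in a directory users cannot write to, and the dropped payload is denied even though an over-broad path rule nominally covers it. Real products add signer-based rules and DLL/driver coverage on top of this; the writable-directory check is the part that most often gets forgotten.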