Breaking AV Software

Discussion in 'other anti-virus software' started by FleischmannTV, Apr 4, 2014.

Thread Status:
Not open for further replies.
  1. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    Hi guys,

    I have just stumbled upon an interesting presentation regarding the exploitation of antivirus software. I can't comment on this, because it's over my head ;) The link to the file containing the presentation is in this twitter status.

    -https://twitter.com/matalaz/status/451934665830436864
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,726
    Location:
    localhost
    Excellent overview of AV weaknesses... a must read.
     
  3. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    I love the humor in it. For example:

    Vulnerability scanner (LOL) not ASLR enabled. I love it, I do, I love it.
     
  4. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,067
    Location:
    Netherlands
    It has been some time ago, but I think the exe of BitDefender free (cloud) is not ASLR enabled either. Could someone check?
     
  5. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Interesting reading! Thanks! :p
     
  6. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    On top of that, if you take a look at the pdf, you will see that even the paid version loads almost three dozen .dll's which are not ASLR enabled (page 57).
     
  7. guest

    guest Guest

    A simple fact that nearly everyone doesn't want to accept. =V

    This feels like a slap in the early morning for me since I had a plan to be back using an AV. Heck in fact I was about half-way through.
     
  8. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Hopefully they have kept their day jobs.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    This sort of thing (ASLR being disabled) is quite common in AV software. People have this completely incorrect notion that AV developers will somehow know how to write secure code, or even know *anything* about security.

    Here's a tip - if you go through a CS degree in just about any school you will learn virtually nothing about security, unless you explicitly take security classes (rare). AV engineers are just like every other programmer, they make the same mistakes, they just get poetic irony attached.

    I've been talking about AV vulns for years. I wrote an article a while back showing ASLR disabled on a bunch of binaries. That was a very cursory overlook at the security - the truth is that AV is probably the most easily exploitable piece of software on a users machine.

    My expectation is that AV will be the path of least resistance for rooting a machine remotely.
     
  10. guest

    guest Guest

    Could there be other types of software which can be described as such? It might be a good idea to know how many vulnerable software which can screw us up so badly.
     
  11. Inside Out

    Inside Out Registered Member

    Joined:
    Sep 17, 2013
    Posts:
    421
    Location:
    Pangea
    I might be wrong, but I guess being one of the most intrusive kinds of software doesn't help.
     
  12. guest

    guest Guest

    Yep, and I wonder if there are other kinds of software which are as intrusive and easily exploitable as AVs. I heard that torrent clients are quite risky software but I don't know how true is that.

    Well at least we have another trash came to mind: JRE. =V
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Is other software as dangerous? Not really.

    By definition Antivirus software deals with attacker controlled code. That right there is reason enough for even *secure* code to be considered dangerous - it is *explicitly* exposed.

    Beyond that, AV's tend to package all sorts of complex code - parsers, extractors, emulation, etc. These are historically exploitable types of code.

    And, on top of that, to work properly most AVs will run those pieces of code at High integrity/ root.

    The combination of this is that all one has to do is get a file onto the system (sometimes not even, even an email being opened is enough) and the AV will touch it, get exploited, and give an attacker root.

    The bonus being that your attacker now contains what is likely a very trusted process on the system, unlikely to get picked up by another security program on the system.

    No other piece of software is that dangerous.
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    :thumb: That was really interesting reading. Most AV vendors are focused on protecting system but they forgot to protect their own software. I hope we'll see more test like that. If not before then after hackers will start to use those vulnerabilities ITW.

    hqsec
     
  15. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Of course, we should rely on bloggers to protect us instead.

    And one of those days you are going to code a POC that blah, blah, blah...... I've been reading the same story here at Wilders for years and nothing ever happens. AVs are still ok and you and the ones like you keep talking about how stupid the people who write security software are and how smart you are.

    For example, you used to post in every thread about Trusteer Rapport to explain how easy it was to bypass it and how useless that program was. Well, every thread except the one that announced that IBM was buying Trusteer for one billion dollars, somehow you missed that one.
     
  16. Inside Out

    Inside Out Registered Member

    Joined:
    Sep 17, 2013
    Posts:
    421
    Location:
    Pangea
    Then again, McAfee was bought by Intel not long ago. :D
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Blogging is what I do in my spare time, just like posting here. I'm a computer science major, and I'm hired to do exploit development for a private contractor, among other things.

    You mistunderstand. It's not AV software writers, it's all software writers. Everyone's pretty bad at writing software, especially at writing secure software. There are some solid programmers out there, but they can't help the fact that no one really teaches much about security in a CS degree.

    The misconception is that AV writers are somehow different from the rest of the programmers of the world who write insecure software. They are not. Again, not their fault, security is not taught well to CS majors.

    But yes, I am quite smart.

    I didn't hear about IBM buying it. Why would I care? The product was a joke a year ago and I assume it still is, though I have not looked at it. I don't care who owns it.
     
  18. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    How would we know?

    I am sure no one here is valuable enough as a target so that skilled intrusion experts are trying to compromise our private computers. As for massively exploiting AV-Software just like Java or old versions of Flash and Adobe Reader, it perhaps takes a lot of effort and more knowledge; and as long as people are happily infecting their machines by executing socially engineered malware that simply isn't detected by the AV, exploiting the AV is not only unnecessary. It would be more expensive and reach a smaller target audience as well.

    As far as high value targets are concerned, we are reading every couple of weeks about how one of the big ones gets compromised. Exploiting AVs could have played a part here and there, but no one would tell us, of course, and it's probably very hard to tell after the fact. But even in these cases I am pretty confident exploiting the AV was not necessary, as it just went by undetected as well.

    So as long as security software continues to let malware pass through undetected, there is no need to exploit the security software :D
     
  19. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    A very good point.

    For those that are implying that having AV software on your machine is more dangerous than not, what do you suggest as an alternative?
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Really depends on the needs of the system.
     
  21. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,067
    There is no arguments to maintain that statement, the fact that any Security Software can have an exploitable bug doesn't imply that you are safer without it.
    Having a 2,3,4 layer security using different products should be enough, there are many other apps (not security related) more commonly used by the people that are a preferable target than any AV.
     
  22. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    Maybe the idea that you would be safer without it is something that I am reading into it without it having been said, but a lot of the comments have implied to me that this would be the case, or a least something that needs to be clarified.

    There likely are preferable targets, but when you consider this comment...
    ... I have to inquire of the perceived risk of running AV vs. another alternative.

    Not picking on anyone here, I just want to know where to go with topic since it appears like a "Here is a bag of your AV is dangerous", lighting said bag on fire, dropping it on my porch, ringing the doorbell, and running. :ninja:
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Risk analysis is not generic.

    AV is very dangerous software. It also provides something. It's really up to you or whoever is admin'ing the system to determine the cost : benefit.

    Personally, I believe that if security is priority than Linux is the obvious choice. There isn't much decent software for security on Windows. Basically, just because AV isn't good doesn't mean there's an alternative that's better.
     
  24. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    Agreed.

    I am admin, the reason I am looking for input. :D

    In my experience with testing many AV products, I would have to agree. Most of it seems to cause more problems than it solves. There probably is not an alternative that is better, but I was hoping someone would surprise me with a magical answer. :argh:
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Unfortunately it just doesn't exist, in my opinion. That will change in a few years.
     
Loading...
Thread Status:
Not open for further replies.