The attack worked first by getting Bogner’s malicious file quarantined by the AV program running on the targeted computer. The pentester then exploited vulnerabilities in the AV programs that allowed unprivileged users to restore the quarantined files. He further abused a Windows feature known as NTFS file junction point to force the restore operation to put his malicious file into a privileged directory of Bogner’s choosing. The technique took advantage of another Windows feature known as Dynamic Link Library search order. With that, Bogner’s malware ran with full privileges.
Increasingly, attacks focus on social engineering or phishing that lures users onto compromised websites that can steal information or serve ransomware.
Those websites are so short-lived that antivirus software often doesn’t update fast enough to recognize them, Sjouwerman added.
Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in anyway. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.
An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant tradeoff in terms of increasing attack surface.
Overall, Ormandy wrote that he found over 70 APIs exposed to the Internet, not all of which he had investigated for security issues. He suggested Trend should hire an external consultancy to audit the code.
While these are mainly examples of using antivirus vulnerabilities to evade detection, there’s also a demand for remote code execution exploits affecting antivirus products and these are being sold by specialized brokers on the largely unregulated exploit market.
Among the emails leaked last year from Italian surveillance firm Hacking Team there is a document with exploits offered for sale by an outfit called Vulnerabilities Brokerage International. The document lists various privilege escalation, information disclosure and detection bypassing exploits for multiple antivirus products, and also a remote code execution exploit for ESET NOD32 Antivirus with the status “sold.”
The security bug relates to the fact that the AVG antivirus creates a memory space with full RWX (read-write-execute) privileges where it normally runs. For that particular version of the AVG antivirus, this memory space was not randomized and was often shared with other applications, like, for example, Acrobat Reader or the enSilo product that collided with the antivirus.
If an attacker knew about the antivirus’ predictable behavior and where this address space was, they could force their malicious code to execute inside that memory address and have the same privileges as the antivirus process (which is system-level).
Unlike a normal virus scanner on consumer PCs that compares a catalog of known viruses to something that has infected the computer, A3 can detect new, unknown viruses or malware automatically by sensing that something is occurring in the computer’s operation that is not correct. It then can stop the virus, approximate a repair for the damaged software code, and then learn to never let that bug enter the machine again.
The A3 software is open source, meaning it is free for anyone to use, but Eide believes many of the A3 technologies could be incorporated into commercial products
Download papers from the source: A3 : Flux Research Group
The A3 project applies virtualization, record-and-replay, introspection, repair, and other techniques to develop a customizable container for “advanced adaptive applications.” The A3 container provides its protected application with both innate and adaptive defenses against security threats.
XenTT — a “time-traveling” hypervisor (docs and source code)
“The overall detection by anti-virus software in January was disappointing — only 70.62 percent. For February it is even worse — only 64.77 percent was detected. And in March the average detection was 73.56 percent. That might not sound too bad but it means that 29 percent, 35 percent and 26 percent was not detected,” the company’s report read.
Under a new bill, investigators would be able to hack into computers, install spyware, read emails and destroy files.
They could also break into servers located abroad, if they were being used to block services.
This is no threat to a properly secured system. AV software is not a panacea for securing a system.
1. Abandon antivirus
Businesses could remove host-based security from their desktops and trust that their perimeter will keep out the malware.
There are some other useful tips in this article as well. I like the above quoted idea because AV software can be a pretty heavy load on an endpoint requiring constant maintenance and upgrade. These upgrade cycles in and of themselves pose a security hazard. The more complex a system becomes, the more that can go wrong.