Critical Flaw Found In Virtually All AV Software
Securityemo writes "The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here's the original research paper."
El Reg notes that "The technique works even when Windows is running under an account with limited privileges," but "it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC."
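The "benign code now, malicious code at the last moment" description above is a time-of-check-to-time-of-use race against the hook: the driver reads a syscall argument from user memory to check it, and the real syscall then reads the same memory again, so a second thread that rewrites the argument in between gets malicious input past a check that saw benign input. The following model is an added example, not code from the article or from Matousec's paper; the hook, syscall and buffer names are invented, and the attacker's swap is invoked deterministically at the gap rather than relying on thread scheduling, so the race is visible on a single core.

```python
"""Added example (not from the article or the research paper): a deterministic
model of the argument-switch race behind the bypass described above.

A hook that reads a syscall argument from user memory for its check, then lets
the real syscall read the argument a second time, can be fooled by a thread that
rewrites the argument between the two reads.  The hardened hook copies the
argument once and validates and uses that private copy.  All names here are
invented for the illustration."""

from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class UserMemory:
    """Simulated user-mode buffer the attacker can rewrite at any time.
    `reads` records every access so the double read is visible."""
    value: str
    reads: List[str] = field(default_factory=list)

    def read(self) -> str:
        self.reads.append(self.value)
        return self.value


def real_syscall(arg: str) -> str:
    """Stand-in for the real (unhooked) syscall: reports what it executed."""
    return f"executed:{arg}"


def is_malicious(arg: str) -> bool:
    """Stand-in for the AV's inspection of the argument."""
    return "malicious" in arg


def vulnerable_hook(mem: UserMemory, between: Callable[[], None]) -> str:
    """Reads user memory for the check, then the real syscall reads it again.
    `between` models the attacker thread getting scheduled in the gap."""
    if is_malicious(mem.read()):
        return "blocked"
    between()                      # attacker swaps the argument here
    return real_syscall(mem.read())   # second read sees the swapped value


def hardened_hook(mem: UserMemory, between: Callable[[], None]) -> str:
    """Capture once, validate the copy, hand the same copy to the syscall."""
    captured = mem.read()          # single copy-in from user memory
    if is_malicious(captured):
        return "blocked"
    between()                      # attacker's swap no longer matters
    return real_syscall(captured)


def attack(hook: Callable[[UserMemory, Callable[[], None]], str]) -> str:
    """Run the argument-switch attack against a hook: benign argument is
    presented first, then flipped to malicious once the check has passed."""
    mem = UserMemory("benign")

    def swap() -> None:
        mem.value = "malicious"

    return hook(mem, swap)


def honest_call(hook: Callable[[UserMemory, Callable[[], None]], str], arg: str) -> str:
    """Same hook with no attacker thread: behaviour for a normal caller."""
    return hook(UserMemory(arg), lambda: None)


if __name__ == "__main__":
    print("vulnerable hook under attack:", attack(vulnerable_hook))
    print("hardened hook under attack:  ", attack(hardened_hook))
```

The fix is the same one that applies to any kernel-mode check on user-supplied pointers: copy the argument into kernel memory once, validate the copy, and act on the copy. It also explains why the Register's caveat matters: the attacker must already be running a thread on the box to perform the swap.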
Re:Not really new (Score:2, Informative)
However for compatibility with existing malware^W legitimate corporate drivers, Microsoft decided not to block the loading of unsigned kernel drivers in Windows 7 32-bit. In fact NX protection is not enabled by default in either the 32- or 64-bit versions (it can be enabled manually in the "Advanced system settings" tab).
Re:Ubuntu (Score:3, Informative)
Really? Seems to differ [arstechnica.com] and that wasn't the only reference I could find for microsoft.com defaced [bing.com] (seventh link).
Re:Found In Virtually All AV Software (Score:3, Informative)
MSSE is important for the following reasons:
1: it's from Microsoft, hence, the nontechies will trust it to run well (The old mentality that "Detroit knows best" when it comes to cars)
2: my testing indicates that MSSE is at least as effective as the "free" AV's, and possibly equal to the best paid AV's
3: the semi-computer literate can quickly find that MSSE is far less demanding of resources than almost any other AV
and
4: it's another "free" product which appeals to millions of people - AND any Bing search will probably turn up MSSE ahead of the competition
I've tested MSSE on XP and Win7, and quickly decided that it was more than sufficient for any virtual machine which I chose to protect. Disclaimer: I've not put MSSE to the test in any real world enterprise situation, subjecting it to unwanted testing by hackers/crackers/scriptkiddies.
Re:Ubuntu (Score:3, Informative)
http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xv_04-2010.en-us.pdf [symantec.com]
Targeted attacks focus on enterprises
Targeted attacks using advanced persistent threats (APT) that occurred in 2009 made headlines in early 2010. Most notable of these was the Hydraq Trojan (a.k.a., Aurora). In January 2010, reports emerged that dozens of large companies had been compromised by attackers using this Trojan. While these attacks were not novel in approach, they highlighted the methods by which large enterprises could be compromised.
http://www.informationweek.com/blog/main/archives/2010/01/significant_wor.html;jsessionid=KDF2YBU4HXNKLQE1GHPCKH4ATMY32JVN [informationweek.com]
http://manageddatacenter.searchdatacenter.com/taxonomy/taxkey;root_1387_1332_204/DC-category.htm [searchdatacenter.com]
Current FBI estimates indicate that malicious software and attacks targeting identity theft cost American businesses and consumers more than $50 billion a year. (note BUSINESSES)
The point being, enterprise is vulnerable. It isn't just the home user who is targeted, nor is it just the home user that is compromised. Malware costs corporate America billions every year. How many billions is debatable - one alarmist estimate places it at hundreds of billions, and others pooh-pooh that with overly conservative estimates.
Fact is, enterprises are compromised almost every day.
Re:Ubuntu (Score:4, Informative)
What? "Culture", better written _core_ utilities, and the open access to the base software rather than the secretive and obscure security models of NT all contribute massively to Linux security by comparison. The smaller system components are easier and safer to do well. Also, while the kernel of NT was based on VMS when David Cutler stole his old work from DEC, it was forced to integrate numerous historical poor choices of DOS, Windows 3.x, and Windows 95 to provide backwards compatibility. These have been a _disaster_ in security terms, and very difficult to address due to the closed nature of the code and difficulty of upgrading other components to preserve compatibility.
Some of the most "secure" components of NT, such as Active Directory, are actually due to its integration of far more secure open source components such as Kerberos, and its use of open standards such as DNS, DHCP, and LDAP to replace Microsoft's older versions of "NetBIOS" (which they also did not invent, it came from IBM and IBM discarded it years ago).
Re: NT, security and TFA (Score:1, Informative)
a) People don't as a rule understand or even know about security models, they just work with the system. The way it's configured out of the box defines security in most cases. If you ghost a secure Windows image, you're fine. If you ghost a leaky Linux image, you're not. And vice versa.
b) SELinux is from a user's and administrator's perspective atrocious compared to NT. I don't know enough about the actual implementation to decide whether it is formally less or more secure, but for the moment it sucks.
d) The method in TFA doesn't remove one bit of OS provided security. For example, if you run a program controlled in such a way that it cannot affect files, it still can't.
e) The method in TFA does not by itself stop your virus scanner from catching known viruses, it affects only what happens when code is deemed not to be a virus from the actual scan, but then tries to do something the virus scanner dislikes. You should have been using OS provided security mechanisms instead. So unknown viruses can do bad stuff; but the worst thing a program could do is delete all your documents and send your personal info over the internet, and viruses can already do that (both in Windows and in Linux).
f) The article doesn't mention how vulnerable the products tested are, nor why, nor the success rate. This is probably because this doesn't work quite as well as the researchers advertised.
c) The method in TFA won't work for long anyway, because your viral code is scanned before it can do anything at all. Antivirus products will be immune against this method next Thursday.
Re:Ubuntu (Score:5, Informative)
The Windows and Linux security models are virtually identical if you exclude MAC (SELinux etc.).
Except for NT having no concept of a superuser and Linux utterly dependent on one to implement nearly all aspects of a usable system.
Except for the finest granularity in Linux being the group and in NT the user.
Except for the utter nightmare in Linux trying to create exclusionary or complicated sets of permissions with multiple users and/or groups.
Except for the NT ACLs applying to nearly all objects in the OS, and in Linux only things represented in the filesystem.
Except for NT ACLs controlling nearly all ways to manipulate an object and in Linux being limited to read, write and execute.
"Virtually the same" my arse. NT's security model is vastly more capable than traditional UNIX's.
The main difference is that people actually understand the basic Unix model of users and groups and so they often manage to set their file permissions to something relatively sane. Practically no one uses the full power of ACLs on either system.
NT's permissions capabilities are a superset of Linux's. If someone understands the latter, then they can implement something *at least* as good on the former with the same amount of effort.
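The contrast the comment above draws (one permission class per object in classic Unix versus per-principal allow and deny entries with a fine-grained access mask in NT) is easier to see with both checks side by side. The model below is an added example, not code from the thread or from either operating system; the principal names, access-mask values and files are invented. `unix_allowed` applies the owner/group/other mode-bit rule, and `nt_allowed` walks a DACL in canonical order with explicit denies evaluated before allows.

```python
"""Added example (not from the thread): a model of the two permission checks the
comment above contrasts.  Names, masks and principals are invented."""

from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# --- classic Unix mode bits ------------------------------------------------
R, W, X = 4, 2, 1


@dataclass
class UnixFile:
    owner: str
    group: str
    mode: Tuple[int, int, int]        # (owner, group, other) rwx triplets


def unix_allowed(f: UnixFile, user: str, groups: FrozenSet[str], want: int) -> bool:
    """Exactly one class applies: owner if the caller owns the file, else
    group if the caller is in the file's group, else other.  There is no way
    to single out one member of the group, and a more generous group triplet
    does not rescue an owner whose own triplet lacks the bit."""
    if user == f.owner:
        bits = f.mode[0]
    elif f.group in groups:
        bits = f.mode[1]
    else:
        bits = f.mode[2]
    return bits & want == want


# --- NT-style DACL ----------------------------------------------------------
# Separate rights for things Unix folds into "write" (invented bit values).
FILE_READ, FILE_WRITE, FILE_EXECUTE, FILE_DELETE, WRITE_DAC = 1, 2, 4, 8, 16


@dataclass
class Ace:
    principal: str     # a user or a group name
    allow: bool        # False = access-denied ACE
    mask: int


def nt_allowed(dacl: List[Ace], user: str, groups: FrozenSet[str], want: int) -> bool:
    """Canonical order: explicit deny ACEs are evaluated before allow ACEs.
    A deny whose mask overlaps the request refuses outright; allows from any
    matching principal accumulate until the whole requested mask is granted.
    An empty or non-matching DACL grants nothing."""
    me = groups | {user}
    granted = 0
    for ace in sorted(dacl, key=lambda a: a.allow):    # denies (False) first
        if ace.principal not in me:
            continue
        if not ace.allow:
            if ace.mask & want:
                return False
        else:
            granted |= ace.mask & want
            if granted == want:
                return True
    return want != 0 and granted == want


# "Everyone in staff may read, except mallory" is expressible as a DACL but
# not as a single mode triplet: constructed sample policy.
STAFF_READ_EXCEPT_MALLORY = [
    Ace("staff", True, FILE_READ | FILE_EXECUTE),
    Ace("mallory", False, FILE_READ),
]
STAFF = frozenset({"staff"})


def unix_exclusion_possible() -> bool:
    """Closest Unix approximation (group-readable): mallory still gets in."""
    f = UnixFile("alice", "staff", (R | W, R, 0))
    return not unix_allowed(f, "mallory", STAFF, R)


if __name__ == "__main__":
    print("NT: bob reads?     ", nt_allowed(STAFF_READ_EXCEPT_MALLORY, "bob", STAFF, FILE_READ))
    print("NT: mallory reads? ", nt_allowed(STAFF_READ_EXCEPT_MALLORY, "mallory", STAFF, FILE_READ))
    print("Unix can exclude mallory from staff-readable file?", unix_exclusion_possible())
```

Two things the model makes concrete: the owner class is selected before the group class, so an owner with mode `040` cannot read a file their own group can; and in the DACL model delete is a distinct right, so an ACE granting read and write does not grant delete. Neither system gets any safer by having a richer model, which is the comment's point: what matters is that someone sets the entries sanely.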
Re:Ubuntu (Score:3, Informative)