Critical Flaw Found In Virtually All AV Software

Securityemo writes "The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here's the original research paper." El Reg notes that "The technique works even when Windows is running under an account with limited privileges," but "it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC."
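The weakness the summary describes is structural: a hook inspects a request buffer that the caller still controls, and a second thread can rewrite that buffer between the inspection and the moment the driver acts on it. The following C program is an added illustration, not code from Matousec's paper, from The Register, or from any antivirus product. It simulates a user-mode "hook" with two variants, one that reads the shared buffer twice (check, then use) and one that copies it once into private memory and checks and uses only the copy, while a second thread keeps flipping the buffer between a constructed benign and a constructed malicious value. Only the single-fetch variant can never execute something it did not check; the same check-versus-use race is the class of problem the systrace comment below refers to.

```c
/* Added example: time-of-check/time-of-use on a hooked request buffer.
 * All strings, names and the "hook" API are constructed for this demo. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

#define REQ_LEN 16
static const char BENIGN[REQ_LEN]    = "write:log.txt";   /* constructed */
static const char MALICIOUS[REQ_LEN] = "write:boot.sys";  /* constructed */

/* The request lives in memory the caller can still modify (hence volatile). */
typedef struct { volatile char data[REQ_LEN]; } request_t;

/* Classifier stand-in: the only thing the "scanner" accepts is BENIGN. */
static bool looks_benign(const volatile char *buf) {
    for (int i = 0; i < REQ_LEN; i++)
        if (buf[i] != BENIGN[i]) return false;
    return true;
}

static void copy_req(char *dst, const volatile char *src) {
    for (int i = 0; i < REQ_LEN; i++) dst[i] = src[i];
}

/* Vulnerable pattern: inspect the shared buffer, then read it again to act.
 * Returns true when the request actually executed was not the one checked. */
static bool hook_double_fetch(request_t *req, char *executed) {
    if (!looks_benign(req->data))      /* time of check: reads shared memory */
        return false;                  /* blocked */
    copy_req(executed, req->data);     /* time of use: reads it again */
    return !looks_benign(executed);
}

/* Hardened pattern: fetch once into private memory, check that copy, act on
 * that copy. Whatever the caller does afterwards cannot change the decision. */
static bool hook_single_fetch(request_t *req, char *executed) {
    char local[REQ_LEN];
    copy_req(local, req->data);        /* single fetch */
    if (!looks_benign(local))
        return false;
    copy_req(executed, local);         /* acts only on the checked copy */
    return !looks_benign(executed);    /* can never be true */
}

typedef struct { request_t *req; atomic_bool stop; } flipper_arg_t;

/* Second thread playing the caller: keeps swapping the buffer contents. */
static void *flipper(void *p) {
    flipper_arg_t *a = p;
    unsigned k = 0;
    while (!atomic_load(&a->stop)) {
        const char *src = (k++ & 1) ? MALICIOUS : BENIGN;
        for (int i = 0; i < REQ_LEN; i++) a->req->data[i] = src[i];
    }
    return NULL;
}

/* Runs `iters` hook calls while the flipper thread rewrites the request.
 * Returns how many times a request other than the checked one was executed;
 * -1 if the helper thread could not be started. */
static long run_trial(bool hardened, long iters) {
    request_t req;
    for (int i = 0; i < REQ_LEN; i++) req.data[i] = BENIGN[i];
    flipper_arg_t a = { .req = &req };
    atomic_init(&a.stop, false);
    pthread_t t;
    if (pthread_create(&t, NULL, flipper, &a) != 0) return -1;

    long wins = 0;
    char executed[REQ_LEN];
    for (long i = 0; i < iters; i++) {
        bool won = hardened ? hook_single_fetch(&req, executed)
                            : hook_double_fetch(&req, executed);
        if (won) wins++;
    }
    atomic_store(&a.stop, true);
    pthread_join(t, NULL);
    return wins;
}

int main(void) {
    printf("double-fetch hook: %ld unchecked requests executed\n", run_trial(false, 200000));
    printf("single-fetch hook: %ld unchecked requests executed\n", run_trial(true, 200000));
    return 0;
}
```

On a multi-core machine the double-fetch count is usually non-zero, which matches the summary's remark that the attack is more reliable there; on a single core it may stay at zero for a given run, because the flipper only gets scheduled between the two reads occasionally. The single-fetch count is zero on any machine, since a torn or swapped copy is either rejected by the check or is exactly the bytes that get used. In a real driver the equivalent is capturing the arguments once (and validating that copy) rather than re-reading caller-owned memory after the hook has approved it.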
  • Re:AHHHHHHHH (Score:5, Insightful)

    by armanox ( 826486 ) <asherewindknight@yahoo.com> on Sunday May 09, 2010 @10:27AM (#32146794) Homepage Journal
    Still reading because I'm running Linux?
  • Not really new (Score:5, Insightful)

    by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Sunday May 09, 2010 @10:28AM (#32146806) Homepage

    These problems have been known for a while and used to defeat e.g. systrace in OpenBSD (CVE-2007-4305). It also does not affect AV software per se, but anomaly-based detection, which kicks in only if something bad is already running on your machine. If this approach is actually used in the wild, detection logic will be added for it. Business as usual, really.

  • So it seems that relying on runtime checks doesn't just slow the system down, but also is vulnerable to concurrency attacks.

    That may be alarming, but it's not like antivirus software was ever powerful enough to let users shut off their brains when using their computer.

  • So.. (Score:5, Insightful)

    by Anrego ( 830717 ) * on Sunday May 09, 2010 @10:37AM (#32146874)

    Anti virus software has become increasingly ineffective? Potentially opens up even more venues for attack! The Windows system of limiting privileges isn't always effective??!!??!!

    Next you'll be telling me that fire is hot, water is wet, sci.. you know the rest

    I mean this is cool and all, it's a neat discovery... but I think the whole concept of anti virus software is critically flawed and has become completely ineffective.

  • by phoenix321 ( 734987 ) * on Sunday May 09, 2010 @10:43AM (#32146910)

    All I see is an article that is applauding Apple for doing infrequent security updates for Safari, contrasted with Firefox, that does security updates with an - for that blogger - absolutely unbearable frequency and install time. Though, in objective reality, Firefox releases an update every two months or so and the update takes about a minute on any recent PC.

    Also, I remember the rabid verbal attacks on Microsoft for NOT updating their browser fast and often enough. But Apple isn't perceived to leave known vulnerabilities unpatched like Microsoft did, they are seen as to spare their users from annoyances.

    Their marketing dept is godlike.

  • Re:Ubuntu (Score:4, Insightful)

    by Runaway1956 ( 1322357 ) on Sunday May 09, 2010 @11:13AM (#32147122) Homepage Journal

    Das Auge made a reasonable statement - and you respond with that old stupidity. "It's all about market share". The Windows NT security model is in no way, shape, or form "superior" to the *nix security model. It is true that Linux gains a bit of security through obscurity. Market share does play a role. But I've said it before, I'll say it again: Linux systems, worldwide, guard more money and data than it would take to make thousands of hackers filthy rich. If it were easy, they would have done it already, instead of fighting over that huge Windows market share.

  • Re:Ubuntu (Score:2, Insightful)

    by siride ( 974284 ) on Sunday May 09, 2010 @11:16AM (#32147140)

    So what is it about the Windows security model that's inferior to the Linux one? Because all of the documentation I've read says otherwise (SELinux aside).

    Now, if you want to talk about Windows Explorer being weak with security, I'll buy that. If you want to talk about a culture of "don't care about security", I'll buy that. But don't tell me that the NT security model is weak.

  • Re:Ubuntu (Score:5, Insightful)

    by Anonymous Coward on Sunday May 09, 2010 @11:27AM (#32147186)

    I can still encrypt your entire home directory and delete everything I have access to with just a simple program

    Which is totally profitless to a virus writer. I haven't even seen a virus like that on Windows for decades, and Windows has millions of viruses written for it.

    Someone, somewhere, will run a sudo command eventually..

    So what if they do? Executing the sudo command is limited to the program you're sudo-ing, not your whole session. A program can't wait in the background and get root when someone types sudo.

    Also, you're sidestepping the whole issue that most Linux distributions provide you with all the software you need, so running a third-party executable is much less likely to happen. The only exceptions I can think of are Google Chrome and Dropbox.

    I'm not saying Linux is infallible however the examples people like you list to try to pretend a Linux system is "just as bad" at security are ridiculous at best.

  • by Anonymous Coward on Sunday May 09, 2010 @11:35AM (#32147262)

    So given that, why do you think it's one of the most important ones?

    Because it is free and high-quality (according to independent tests) and provided by a company that Windows users have to trust anyway. I don't want any Symantec or Russian shit drivers on my OS. Just look at the tests in TFA.

  • Re:Ubuntu (Score:4, Insightful)

    by sjames ( 1099 ) on Sunday May 09, 2010 @11:39AM (#32147300) Homepage Journal

    In what way? And is it superior in totality or just superior to the parts of the linux security model that are actually used these days?

    Of course, Linux may not have as much market share, but it is a much more attractive target. One critical server running linux is worth a lot more than 1000 XP desktop machines running solitaire.

  • Re:Ubuntu (Score:1, Insightful)

    by Anonymous Coward on Sunday May 09, 2010 @12:10PM (#32147548)

    Why do that? At least if it's Ubuntu with default settings you can just keylog the password and use sudo whenever you need.

  • Whatever platform the program is based on, if you are booted to the system you are trying to clean then you have already lost ground.

    Of course, a POSIX-type solution has the advantage of being mostly immune to the viruses on a Windows system.

  • Re:Ubuntu (Score:4, Insightful)

    by amorsen ( 7485 ) <benny+slashdot@amorsen.dk> on Sunday May 09, 2010 @02:50PM (#32148610)

    ACLs don't make a ton of sense in the default configuration, and few people use them correctly (but luckily on Linux hardly anyone besides me uses them at all, so the problem is limited).

    The "shitty" user/group/others system is understandable by regular users and they tend to use it correctly. There are cases where it isn't flexible enough. Most of those can be handled by asking the systems administrator (which tends to be the user anyway, these days) to set up an extra group, but otherwise setfacl works fine.

  • Re:Ubuntu (Score:3, Insightful)

    by drsmithy ( 35869 ) <drsmithy&gmail,com> on Sunday May 09, 2010 @09:38PM (#32150918)

    Bullshit. While it's true Windows has been victimized and targeted, there are fundamental security design flaws in NT that you won't find in UNIX.

    For example ?

    On UNIX, if you don't root the machine, you haven't taken it, and it's no trivial task to do remotely.

    Funny you should mention root, given that a superuser is a fundamental design flaw Windows NT _doesn't_ have.
