Critical Flaw Found In Virtually All AV Software 279
Securityemo writes "The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here's the original research paper."
El Reg notes that "The technique works even when Windows is running under an account with limited privileges," but "it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC."
All AV software? (Score:4, Interesting)
Ubuntu (Score:5, Interesting)
I suppose that someday Linux will become a real target for virus writers; but between the good security model inherent ot UNIX-based OSes and common sense, I doubt I'll need one for a long time.
Re:Ubuntu (Score:4, Interesting)
Re:Ubuntu (Score:5, Interesting)
Follow Apple? (Score:2, Interesting)
Re:Antivirus Design Flaw (Score:5, Interesting)
Long, long, long ago, I was out of town, and my laptop got dicked. I wasn't about to pay for a new Windows disk, nor did I have time or money to have a professional fix it. I went into a computer shop, talked awhile, and came out with an OnTrack SystemSuite disk, for which I paid about 15 bucks. Booted to it, ran the AV utility, and found nothing. Ran the rest of the utilities, and found that an improper shutdown had corrupted my MBR. Fixed the MBR, and booted up. Money well spent.
And, yes, you are right. That is precisely what the rest of the AV industry needs to peddle. If you can't boot to a clean environment, you're just screwed, whether it be virus problems, or any number of other problems.
Re:No way around strict privilege separation (Score:4, Interesting)
Also AV's main power for a long time has been on access/creation scanning. More or less it stops the viruses before they've a chance to become active. You run a virus scanner and anything coming in from the web, or a flash drive, or whatever is scanned. If a virus is detected, access is blocked. The virus can't get around that, since it isn't running. The AV stops it cold, before it has a chance to try anything.
Now that's not perfect, of course, the AV software has to have a signature for the virus, but it works pretty damn well. It is a good layer of security. Shouldn't be your only layer, but no layer should be your only layer.
This attack sounds like it is more useful against behavioural anti-virus. The AV notices a program doing shit it shouldn't and tries to stop it. Another good layer to have, but getting around it only gets you anywhere if you got the program to run in the first place.
As you say though, no matter what you just can't shut your brain off. There is no such thing as perfect security, physical or otherwise, and anyone who sells it to you is lying. Good security requires defense in depth and requires someone to be watching to make sure things are working and not getting broken through. AV software is useful, firewalls are useful, privilege separation (like UAC or sudo) is useful, but all of them still need you as a user not to be an idiot about it.
Re:Not really new (Score:2, Interesting)
Re:Ubuntu (Score:3, Interesting)
Actually, it most certainly can. Exercise a little creativity.
Alias 'sudo' for a user to script in the user's home directory that looks like sudo, and even executes sudo as the user thought they were, but also logs whatever password they typed. Bamn, no you have the users password and (in the vast majority of cases) the ability to gain root. All of this is quite easy to do, I've done it myself in the past. Takes about 3 minutes to bang it out.
It should be noted that this can also easily be done for 'su'. The trick is rather blunt, and anyone that thought too look for it would immediately notice it, but if your target isn't suspecting you are good to go.
Agreed, full heartedly.
Re:Ubuntu (Score:4, Interesting)
But, an earlier poster mentioned the fact that corporate and financial institutions have all this money to pay high powered administrators. If the administrators are working with a decent operating system, and if the administrators are competent, then Enterprise is safe, right? And, the military too, right?
How's that British thing working out now? Windows for Submarines? The last I heard, it was down. Who has more expertise in securing computers than the US or the UK departments of defense? If THEY can't secure Windows, then who can?
Re:Antivirus Design Flaw (Score:3, Interesting)
That is precisely what the rest of the AV industry needs to peddle. If you can't boot to a clean environment, you're just screwed, whether it be virus problems, or any number of other problems.
I actually wonder why more don't do this. Back when I ran a brand-new copy of Windows 98, my copy of McAfee (I was young and didn't know any better!) came with a boot floppy for just that purpose. Surely with Windows PE the whole process would be trivial - boot to the PE, download the most recent AV signatures, and scan away. You wouldn't even have to periodically refresh the signatures on your floppy.
Re:Ubuntu (Score:3, Interesting)
...Don't you think someone would love to serve malware from, or deface microsoft.com? It hasn't been,...
Was the part I was responding to not bold enough for you? There, I fixed it for you.
Re:Is this a joke? (Score:4, Interesting)
Aka Dancing Pig Problem [wikipedia.org].
Re:Ubuntu (Score:3, Interesting)
Remedial reading 101 at a community college near you. Take it.
I SAID that Linux systems guard more than enough money and data to make thousands of hackers rich beyond their wildest dreams. I never inferred that they guard more money and data than Windows systems guard. While the latter MIGHT be true, I don't have the data necessary to draw such a conclusion. Common sense says that it's probably NOT true.
Re:Ubuntu (Score:3, Interesting)
That is why I always type /usr/bin/sudo instead of just sudo. And people call me paranoid...
Re:Is this a joke? (Score:2, Interesting)
Except there's a difference between "a program I want" and "a program I trust."
If a random UAC prompt comes up, there's a chance that the user might realize something is wrong.
If a UAC prompt comes up on something the user downloaded willingly, though, the user will click Allow. EVERY TIME.
Re:Anagram? (Score:2, Interesting)