
Critical Flaw Found In Virtually All AV Software

Securityemo writes "The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here's the original research paper." El Reg notes that "The technique works even when Windows is running under an account with limited privileges," but "it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC."
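The bypass the summary describes is a check-then-use race: the hook validates an argument that still sits in memory the caller controls, and a second thread rewrites it between the check and the use. The block below is an added example, not code from the Matousec paper, The Register, or any AV product. It models one hook argument with a callback standing in for "the other core" (so the outcome is deterministic rather than a real thread race), and the policy, result codes and payload strings are all constructed for the demo. The point it shows is the defender-side fix: copy the argument once into memory the caller cannot reach, then check and use that copy.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the check-then-use race (not the paper's code).
 * A hook inspects an argument that lives in caller-owned memory; any thread
 * of the caller may rewrite that memory while the hook is running.
 */

#define ARG_LEN 64

/* Argument block the caller owns and can modify at any time. */
struct shared_arg {
    char payload[ARG_LEN];
};

/* Stand-in for the caller's second thread: runs between the check and the use. */
typedef void (*between_check_and_use)(struct shared_arg *arg);

/* Hypothetical policy for the demo: deny any payload carrying the marker "MALICIOUS". */
static bool policy_allows(const char *payload)
{
    return strstr(payload, "MALICIOUS") == NULL;
}

/* Result codes returned by the hooks. */
enum { HOOK_DENIED = -1, HOOK_BENIGN = 0, HOOK_MALICIOUS_PASSED = 1 };

/* What the "use" step does in this model: classify what would actually be acted on. */
static int classify_used(const char *used)
{
    return strstr(used, "MALICIOUS") ? HOOK_MALICIOUS_PASSED : HOOK_BENIGN;
}

/*
 * Vulnerable hook: double fetch. It validates arg->payload in place and later
 * re-reads the same caller-owned memory for the real operation.
 */
int hook_double_fetch(struct shared_arg *arg, between_check_and_use other_core)
{
    if (!policy_allows(arg->payload))    /* fetch 1: the check */
        return HOOK_DENIED;
    if (other_core)
        other_core(arg);                  /* the race window */
    return classify_used(arg->payload);   /* fetch 2: the use, on possibly changed data */
}

/*
 * Hardened hook: single fetch. The argument is copied once into memory the
 * caller cannot reach, and both the check and the use work on that snapshot.
 */
int hook_single_fetch(struct shared_arg *arg, between_check_and_use other_core)
{
    char snapshot[ARG_LEN];
    memcpy(snapshot, arg->payload, ARG_LEN);
    snapshot[ARG_LEN - 1] = '\0';         /* guarantee termination of the local copy */
    if (!policy_allows(snapshot))
        return HOOK_DENIED;
    if (other_core)
        other_core(arg);                  /* same window, but arg is never consulted again */
    return classify_used(snapshot);
}

/* The caller's "switch it out at the last moment" thread, for the demo only. */
static void swap_in_malicious(struct shared_arg *arg)
{
    snprintf(arg->payload, ARG_LEN, "MALICIOUS");
}

static void init_benign(struct shared_arg *arg)
{
    memset(arg, 0, sizeof *arg);
    snprintf(arg->payload, ARG_LEN, "benign");
}

/* Scenario helpers so each outcome can be checked without setup. */
int demo_vulnerable_raced(void) { struct shared_arg a; init_benign(&a); return hook_double_fetch(&a, swap_in_malicious); }
int demo_hardened_raced(void)   { struct shared_arg a; init_benign(&a); return hook_single_fetch(&a, swap_in_malicious); }
int demo_hardened_direct(void)  { struct shared_arg a; init_benign(&a); swap_in_malicious(&a); return hook_single_fetch(&a, NULL); }

int main(void)
{
    printf("double fetch, raced:  %d (1 = malicious content reached the use step)\n", demo_vulnerable_raced());
    printf("single fetch, raced:  %d (0 = the benign snapshot was used)\n", demo_hardened_raced());
    printf("single fetch, direct: %d (-1 = denied by policy)\n", demo_hardened_direct());
    return 0;
}
```

The snapshot is the whole fix: once the hook stops re-reading caller memory after the check, the timing of the other thread no longer matters, which is why this class of bug is usually described as a double fetch rather than as a flaw in the policy itself.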
  • All AV software? (Score:4, Interesting)

    by xulfer ( 1368787 ) on Sunday May 09, 2010 @10:30AM (#32146816)
    All AV software seems a little broad. This only seems to cover virus utilities that prevent viruses from attaching in the first place. I fail to see how this vulnerability would affect the large portion of av utilities that are simply scanners... e.g. clamav, etc.
  • Ubuntu (Score:5, Interesting)

    by Das Auge ( 597142 ) on Sunday May 09, 2010 @10:32AM (#32146842)
    Since switching to Ubuntu, over three years ago, I haven't used AV.

    I suppose that someday Linux will become a real target for virus writers; but between the good security model inherent to UNIX-based OSes and common sense, I doubt I'll need one for a long time.
  • Re:Ubuntu (Score:4, Interesting)

    by siride ( 974284 ) on Sunday May 09, 2010 @11:00AM (#32147038)
    The Windows NT security model is actually more advanced and capable than the base Unix security model. It's only because of culture, better-written 3rd party programs and marketshare that Linux/Unix doesn't have a malware problem.
  • Re:Ubuntu (Score:5, Interesting)

    by Architect_sasyr ( 938685 ) on Sunday May 09, 2010 @11:03AM (#32147058)
    I'd like to just step in here and point out that the security model means shit to a virus writer - so what I can't get root on your desktop, I can still encrypt your entire home directory and delete everything I have access to with just a simple program. The whole push for administration rights is only necessary when you need to hide the software, but if all these linux users aren't running AV, then what's the point of trying to hide yourself before you can get your root privileges. Someone, somewhere, will run a sudo command eventually...
  • Follow Apple? (Score:2, Interesting)

    by ITI_guy ( 1021879 ) on Sunday May 09, 2010 @11:26AM (#32147184)
    If M$ would have only used the App Store model for software distribution we wouldn't need AV at all, and think of the profit!
  • by Runaway1956 ( 1322357 ) on Sunday May 09, 2010 @11:28AM (#32147192)

    Long, long, long ago, I was out of town, and my laptop got dicked. I wasn't about to pay for a new Windows disk, nor did I have time or money to have a professional fix it. I went into a computer shop, talked awhile, and came out with an OnTrack SystemSuite disk, for which I paid about 15 bucks. Booted to it, ran the AV utility, and found nothing. Ran the rest of the utilities, and found that an improper shutdown had corrupted my MBR. Fixed the MBR, and booted up. Money well spent.

    And, yes, you are right. That is precisely what the rest of the AV industry needs to peddle. If you can't boot to a clean environment, you're just screwed, whether it be virus problems, or any number of other problems.

  • by Sycraft-fu ( 314770 ) on Sunday May 09, 2010 @01:15PM (#32148040)

    Also AV's main power for a long time has been on access/creation scanning. More or less it stops the viruses before they've a chance to become active. You run a virus scanner and anything coming in from the web, or a flash drive, or whatever is scanned. If a virus is detected, access is blocked. The virus can't get around that, since it isn't running. The AV stops it cold, before it has a chance to try anything.

    Now that's not perfect, of course, the AV software has to have a signature for the virus, but it works pretty damn well. It is a good layer of security. Shouldn't be your only layer, but no layer should be your only layer.

    This attack sounds like it is more useful against behavioural anti-virus. The AV notices a program doing shit it shouldn't and tries to stop it. Another good layer to have, but getting around it only gets you anywhere if you got the program to run in the first place.

    As you say though, no matter what you just can't shut your brain off. There is no such thing as perfect security, physical or otherwise, and anyone who sells it to you is lying. Good security requires defense in depth and requires someone to be watching to make sure things are working and not getting broken through. AV software is useful, firewalls are useful, privilege separation (like UAC or sudo) is useful, but all of them still need you as a user not to be an idiot about it.

  • Re:Not really new (Score:2, Interesting)

    by riskpundit ( 1609597 ) on Sunday May 09, 2010 @01:31PM (#32148160)
    While this is surely interesting research, there are far simpler ways of bypassing AV software. Drive-by browser-based attacks of the type exemplified by Zeus and Koobface are far easier to execute. Today, attackers are focused on stealing money and intellectual property. They will take the path of least resistance. The AV vendors have yet to respond to the more obvious existential threat to their existence.
  • Re:Ubuntu (Score:3, Interesting)

    by Sir_Lewk ( 967686 ) <sirlewkNO@SPAMgmail.com> on Sunday May 09, 2010 @02:30PM (#32148510)

    A program can't wait in the background and get root when someone types sudo.

    Actually, it most certainly can. Exercise a little creativity.

    Alias 'sudo' for a user to a script in the user's home directory that looks like sudo, and even executes sudo as the user thought it would, but also logs whatever password they typed. Bam, now you have the user's password and (in the vast majority of cases) the ability to gain root. All of this is quite easy to do, I've done it myself in the past. Takes about 3 minutes to bang it out.

    It should be noted that this can also easily be done for 'su'. The trick is rather blunt, and anyone that thought to look for it would immediately notice it, but if your target isn't suspecting, you are good to go.

    I'm not saying Linux is infallible however the examples people like you list to try to pretend a Linux system is "just as bad" at security are ridiculous at best.

    Agreed, full heartedly.

  • Re:Ubuntu (Score:4, Interesting)

    by Runaway1956 ( 1322357 ) on Sunday May 09, 2010 @02:43PM (#32148586)

    But, an earlier poster mentioned the fact that corporate and financial institutions have all this money to pay high powered administrators. If the administrators are working with a decent operating system, and if the administrators are competent, then Enterprise is safe, right? And, the military too, right?

    How's that British thing working out now? Windows for Submarines? The last I heard, it was down. Who has more expertise in securing computers than the US or the UK departments of defense? If THEY can't secure Windows, then who can?

  • by Z34107 ( 925136 ) on Sunday May 09, 2010 @02:56PM (#32148634)

    That is precisely what the rest of the AV industry needs to peddle. If you can't boot to a clean environment, you're just screwed, whether it be virus problems, or any number of other problems.

    I actually wonder why more don't do this. Back when I ran a brand-new copy of Windows 98, my copy of McAfee (I was young and didn't know any better!) came with a boot floppy for just that purpose. Surely with Windows PE the whole process would be trivial - boot to the PE, download the most recent AV signatures, and scan away. You wouldn't even have to periodically refresh the signatures on your floppy.

  • Re:Ubuntu (Score:3, Interesting)

    by __aasqbs9791 ( 1402899 ) on Sunday May 09, 2010 @03:35PM (#32148858)

    ...Don't you think someone would love to serve malware from, or deface microsoft.com? It hasn't been,...

    Was the part I was responding to not bold enough for you? There, I fixed it for you.

  • Re:Is this a joke? (Score:4, Interesting)

    by Opportunist ( 166417 ) on Sunday May 09, 2010 @03:52PM (#32148942)

    Aka Dancing Pig Problem [wikipedia.org].

  • Re:Ubuntu (Score:3, Interesting)

    by Runaway1956 ( 1322357 ) on Sunday May 09, 2010 @04:11PM (#32149034)

    Remedial reading 101 at a community college near you. Take it.

    I SAID that Linux systems guard more than enough money and data to make thousands of hackers rich beyond their wildest dreams. I never inferred that they guard more money and data than Windows systems guard. While the latter MIGHT be true, I don't have the data necessary to draw such a conclusion. Common sense says that it's probably NOT true.

  • Re:Ubuntu (Score:3, Interesting)

    by wumpus188 ( 657540 ) on Sunday May 09, 2010 @04:38PM (#32149140)

    That is why I always type /usr/bin/sudo instead of just sudo. And people call me paranoid...
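Typing the absolute path works because it skips shell lookup entirely; the same idea can be turned into a check that reports when a command name no longer resolves to the binary you expect. The script below is an added example, not something from this thread: `check_not_shadowed` compares what `command -v` returns for a name with a caller-supplied expected path (the path /usr/bin/sudo is an assumption; it varies by distribution), and `demo_shadow_detection` exercises it against a constructed command in a temporary directory so that it never touches the real sudo.

```shell
#!/bin/sh
# Added example (not from the thread): detect whether a command name resolves
# to the expected on-disk binary or has been shadowed by a shell function,
# an alias, or an earlier PATH entry.

# check_not_shadowed NAME EXPECTED_PATH
#   returns 0 if NAME resolves exactly to EXPECTED_PATH, 1 otherwise.
#   command -v is POSIX: it prints the path for an executable file, the bare
#   name for a shell function, and the definition text for an alias, so any
#   of those shows up as a mismatch against the expected absolute path.
check_not_shadowed() {
    name=$1
    expected=$2
    resolved=$(command -v "$name" 2>/dev/null) || resolved=""
    if [ "$resolved" = "$expected" ]; then
        printf '%s -> %s (ok)\n' "$name" "$resolved"
        return 0
    fi
    printf '%s -> %s (not the expected %s)\n' "$name" "${resolved:-<unresolved>}" "$expected"
    return 1
}

# Self-contained demonstration using a constructed command "democmd" in a
# temporary directory. Returns 0 when both expectations hold: a clean PATH
# lookup passes, and a same-named shell function is reported as shadowing.
demo_shadow_detection() {
    tmp=$(mktemp -d) || return 2
    printf '#!/bin/sh\nexit 0\n' > "$tmp/democmd"
    chmod +x "$tmp/democmd"
    PATH="$tmp:$PATH"
    check_not_shadowed democmd "$tmp/democmd" || { rm -rf "$tmp"; return 1; }
    shadowed=0
    # Same lookup inside a subshell where a function named democmd now exists.
    ( democmd() { :; }; check_not_shadowed democmd "$tmp/democmd" ) || shadowed=1
    rm -rf "$tmp"
    [ "$shadowed" -eq 1 ]
}

# Typical real use, with the expected path as an assumption for your system:
#   check_not_shadowed sudo /usr/bin/sudo
```

Note that aliases are only expanded in interactive shells, so running this as a script catches functions and PATH shadowing; to catch an alias you would source the function into the interactive shell where the alias lives.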

  • Re:Is this a joke? (Score:2, Interesting)

    by bhtooefr ( 649901 ) <bhtooefr@bhtooefr. o r g> on Sunday May 09, 2010 @05:28PM (#32149438)

    Except there's a difference between "a program I want" and "a program I trust."

    If a random UAC prompt comes up, there's a chance that the user might realize something is wrong.

    If a UAC prompt comes up on something the user downloaded willingly, though, the user will click Allow. EVERY TIME.

  • Re:Anagram? (Score:2, Interesting)

    by 517714 ( 762276 ) on Sunday May 09, 2010 @05:32PM (#32149462)
    "Cat" and "Mouse"
