Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Windows IT

Critical Flaw Found In Virtually All AV Software 279

Securityemo writes "The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here's the original research paper." El Reg notes that "The technique works even when Windows is running under an account with limited privileges," but "it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC."
This discussion has been archived. No new comments can be posted.

Critical Flaw Found In Virtually All AV Software

Comments Filter:
  • AHHHHHHHH (Score:5, Funny)

    by Anonymous Coward on Sunday May 09, 2010 @09:21AM (#32146756)

    Everybody turn your PCs off NOW! Why are you still reading?

    • Re:AHHHHHHHH (Score:5, Insightful)

      by armanox ( 826486 ) <asherewindknight@yahoo.com> on Sunday May 09, 2010 @09:27AM (#32146794) Homepage Journal
      Still reading because I'm running Linux?
      • Ubuntu (Score:5, Interesting)

        by Das Auge ( 597142 ) on Sunday May 09, 2010 @09:32AM (#32146842)
        Since switching to Ubuntu, over three years ago, I haven't used AV.

        I suppose that someday Linux will become a real target for virus writers; but between the good security model inherent ot UNIX-based OSes and common sense, I doubt I'll need one for a long time.
        • Re:Ubuntu (Score:4, Interesting)

          by siride ( 974284 ) on Sunday May 09, 2010 @10:00AM (#32147038)
          The Windows NT security model is actually more advanced and capable than the base Unix security model. It's only because of culture, better-written 3rd party programs and marketshare that Linux/Unix doesn't have a malware problem.
          • Re:Ubuntu (Score:5, Interesting)

            by Architect_sasyr ( 938685 ) on Sunday May 09, 2010 @10:03AM (#32147058)
            I'd like to just step in here and point out that the security model means shit to a virus writer - so what I can't get root on your desktop, I can still encrypt your entire home directory and delete everything I have access to with just a simple program. The whole push for administration rights is only necessary when you need to hide the software, but if all these linux users aren't running AV, then what's the point of trying to hide yourself before you can get your root privileges. Someone, somewhere, will run a sudo command eventually...
            • Re:Ubuntu (Score:5, Insightful)

              by Anonymous Coward on Sunday May 09, 2010 @10:27AM (#32147186)

              I can still encrypt your entire home directory and delete everything I have access to with just a simple program

              Which is totally profitless to a virus writer. I haven't even seen a virus like that on windows for decades and windows have millions of viruses written for it.

              Someone, somewhere, will run a sudo command eventually..

              So what if they do? Executing the sudo command is limited to the program you're sudo-ing, not your whole session. A program can't wait in the background and get root when someone types sudo.

              Also you're side stepping the whole issue that most Linux distributions provide you with all the software you need so the whole running a third party executable is much less likely to happen. The only exceptions I can think of are Google Chrome and Dropbox.

              I'm not saying Linux is infallible however the examples people like you list to try to pretend a Linux system is "just as bad" at security are ridiculous at best.

              • Some viruses are "ransom-ware" - they encrypt your files and send the key to the virus author. Then they demand money to get the key to unencrypt your files.

              • Comment removed (Score:4, Informative)

                by account_deleted ( 4530225 ) on Sunday May 09, 2010 @01:18PM (#32148442)
                Comment removed based on user account deletion
              • Re: (Score:3, Interesting)

                by Sir_Lewk ( 967686 )

                A program can't wait in the background and get root when someone types sudo.

                Actually, it most certainly can. Exercise a little creativity.

                Alias 'sudo' for a user to script in the user's home directory that looks like sudo, and even executes sudo as the user thought they were, but also logs whatever password they typed. Bamn, no you have the users password and (in the vast majority of cases) the ability to gain root. All of this is quite easy to do, I've done it myself in the past. Takes about 3 minutes

              • A program can't wait in the background and get root when someone types sudo.

                Yes it can [deter.com].

          • Re:Ubuntu (Score:4, Insightful)

            by Runaway1956 ( 1322357 ) on Sunday May 09, 2010 @10:13AM (#32147122) Homepage Journal

            Das Auge made a reasonable statement - and you respond with that old stupidity. "It's all about market share". Windows NT security model is in now way, shape, or form, "superior" to *nix security model. It is true that Linux gains a bit of security through obscurity. Market share does play a role. But I've said it before, I'll say it again: Linux systems, worldwide, guard more money and data than it would take to make thousands of hackers filthy rich. If it were easy, they would have done it already, instead of fighting over that huge Windows market share.

            • Re: (Score:2, Insightful)

              by siride ( 974284 )

              So what is it about the Windows security model that's inferior to the Linux one? Because all of the documentation I've read says otherwise (SELinux aside).

              Now, if you want to talk about Windows Explorer being weak with security, I'll buy that. If you want to talk about a culture of "don't care about security", I'll buy that. But don't tell me that the NT security model is weak.

              • by amorsen ( 7485 )

                The Windows and Linux security models are virtually identical if you exclude MAC (SELinux etc.). The main difference is that people actually understand the basic Unix model of users and groups and so they often manage to set their file permissions to something relatively sane. Practically noone uses the full power of ACL's on either system.

                MAC makes a large difference though, so it's a bit unfair to exclude it.

                The way that AV products intercept system calls has been known to be broken for years. Some Linux

                • Re:Ubuntu (Score:5, Informative)

                  by drsmithy ( 35869 ) <drsmithy@gm[ ].com ['ail' in gap]> on Sunday May 09, 2010 @02:30PM (#32148830)

                  The Windows and Linux security models are virtually identical if you exclude MAC (SELinux etc.).

                  Except for NT having no concept of a superuser and Linux utterly dependent on one to implement nearly all aspects of a usable system.
                  Except for the finest granularity in Linux being the group and in NT the user.
                  Except for the utter nightmare in Linux trying to create exclusionary or complicated sets of permissions with multiple users and/or groups.
                  Except for the NT ACLs applying to nearly all objects in the OS, and in Linux only things represented in the filesystem.
                  Except for NT ACLs controlling nearly all ways to manipulate an object and in Linux being limited to read, write and execute.

                  "Virtually the same" my arse. NT's security model is vastly more capable than traditional UNIX's.

                  The main difference is that people actually understand the basic Unix model of users and groups and so they often manage to set their file permissions to something relatively sane. Practically noone uses the full power of ACL's on either system.

                  NT's permissions capabilities are a superset of Linux's. If someone understands the latter, then they can implement something *at least* as good on the former with the same amount of effort.

              • by sjames ( 1099 )

                To be fair, they mostly closed off the shatter attack (after 8 years), we think. So it's not mostly down to implementation issues and having the interlocking parts much too tightly connected such that it's easy to accidentally create new holes. Beyond that, it's a matter of the culture MS has created and nurtured for years of software that expects to run with admin privileges even though it never should and users trained to just click OK on the incomprehensible dialog box that doesn't contain any useful inf

              • by Xtifr ( 1323 )

                So what is it about the Windows security model that's inferior to the Linux one?

                Well, most notably, the fact that execute permission is implicit in a filename, rather than being a separate attribute that must be manually set.

                • Re: (Score:3, Informative)

                  by siride ( 974284 )
                  No, that's a shell feature. KDE and GNOME have had the same flaw. You name something .desktop and it will be executed/interpreted by the KDE/GNOME shell. The NT kernel uses the same mechanism as Unix for permissions.
            • by account_deleted ( 4530225 ) on Sunday May 09, 2010 @12:08PM (#32148000)
              Comment removed based on user account deletion
              • Re:Ubuntu (Score:4, Interesting)

                by Runaway1956 ( 1322357 ) on Sunday May 09, 2010 @01:43PM (#32148586) Homepage Journal

                But, an earlier poster mentioned the fact that corporate and financial institutions have all this money to pay high powered administrators. If the administrators are working with a decent operating system, and if the administrators are competent, then Enterprise is safe, right? And, the military too, right?

                How's that British thing working out now? Windows for Submarines? The last I heard, it was down. Who has more expertise in securing computers than the US or the UK departments of defense? If THEY can't secure Windows, then who can?

              • Re: (Score:2, Funny)

                by Anonymous Coward

                And if Velma's desktop were set up properly, with her having a non-administrative account and the home partition mounted non-executable? Oh right, she wouldn't be able to run the malware.

            • by Nick Ives ( 317 )

              How is Unix UID/GID equal to Windows ACLs? I'm genuinely curious, as looking at the permissions tab in Windows it looks like it's possible to have more fine grained permissions in Windows than in Unix. I thought SELinux was aimed at replicating that functionality and going a bit further!

              • One of the earlier posters has already admitted that ACL's are nearly equal between Linux and Windows, if administered with similar expertise - in the very same post in which he asked everyone to ignore SEL. You judge. Security Enhanced Linux is simply not available on Windows, to the best of my knowledge.

                But, even restricting ourselves to ACL's - default Linux installations beat default Windows installations all to hell and back on workstation installations, and server installations are nearly equal for

          • Re:Ubuntu (Score:4, Insightful)

            by sjames ( 1099 ) on Sunday May 09, 2010 @10:39AM (#32147300) Homepage Journal

            In what way? And is it superior in totality or just superior to the parts of the linux security model that are actually used these days?

            Of course, Linux may not have as much market share, but it is a much more attractive target. One critical server running linux is worth a lot more than 1000 XP desktop machines running solitaire.

            • Depends on your goal. If you want spam sluggers or if you want to collect access credentials to, say, online banking, paypal, Amazon or EBay, I'd go for the 1000 XP desktops.

            • One critical server running linux is worth a lot more than 1000 XP desktop machines running solitaire.

              And what's in Fort Knox is worth a lot more than what's in 1000 local banks. Yet nationwide robbers persist in the lower value targets... I wonder if it might have anything to do with the people defending the wealth.

              • by sjames ( 1099 )

                You're arguing MY point now. They hit the lower value XP targets because they can crack those!

                • Actually, my point was about the people behind the defense - Fort Knox is defended by trained and armed soldiers, banks by unarmed rent-a-cops. A critical Linux server is defended by a paranoid and capable admin, a desktop PC by McAfee/Norton and a clueless user.

          • Re:Ubuntu (Score:4, Informative)

            by Antique Geekmeister ( 740220 ) on Sunday May 09, 2010 @12:03PM (#32147966)

            What? "Culture", better written _core_ utilities, and the open access to the base software rather than the secretive and obscure security models of NT all contribute massively to Linux security by comparison. The smaller system components are easier and safer to do well. Also, while the kernel of NT was based on VMS when David Cutler stole his old work from DEC, it was forced to integrate numerous historical poor choices of DOS, Windows 3.x, and Windows 95 to provide backwards compatibility. These have been a _disaster_ in security terms, and very difficult to address due to the closed nature of the code and difficulty of upgrading other components to preserve compatibility.

            Some of the most "secure" components of NT, such as Active Directory, are actually due to its integration of far more secure open source components such as Kerberos, and its use of open standards such as DNS, DHCP, and LDAP to replace Microsoft's older versions of "NetBIOS" (which they also did not invent, it came from IBM and IBM discarded it years ago).

            • Also, while the kernel of NT was based on VMS when David Cutler stole his old work from DEC...

              A nice example of what the patent and copyright systems do to progress...DEC dropped Mica, and Cutler resurrected the concept to the later benefit of tens of millions of consumers...but at Microsoft. Although I believe that DEC erred in dropping it, they (or at least the people I knew from DEC in the '80s and '90s) still didn't deserve the fate of being consumed by...shudder...Compaq.

              There are those who argue that the security issues that have plagued Windows arise from the Intel architecture (which is cha

          • by miknix ( 1047580 )

            The Windows NT security model is actually more advanced and capable than the base Unix security model. It's only because of culture, better-written 3rd party programs and marketshare that Linux/Unix doesn't have a malware problem.

            Don't forget that Linux has some "extra" patches to complement the UNIX security model. For example, GRSecurity and SELinux.
            I suggest reading what is SELinux so you are able reformulate such claim. In fact, SELinux comes active by default on many desktop GNU/Linux distributions.

            I believe Microsoft doesn't have anything close to a *formally-verified kernel* that enforces Mandatory Access Control. SELinux not only provides more and "deeper" MAC policies but its formal validation guarantees the correctness of

            • by miknix ( 1047580 )

              I would like to add that such SELinux policies are handled automatically by the package manager. For instance, if you install apache the corresponding policies are also installed. This tells the MAC kernel what apache CAN do (file access, memory, more than you can imagine), everything else is denied. If apache is hacked, the attacker can do little or nothing outside the scope of apache.

              As you can see this ends up being (almost) transparent for the end user, in contrast to the Windows Policy Manager or the i

            • by siride ( 974284 )
              Notice how I said "base Unix security model". In another post, I did actually mention SELinux. It is quite powerful, albeit a bit unruly for a regular user to administer. Thankfully, distros have done a good job with creating working default policies.
              • by miknix ( 1047580 )

                Notice how I said "base Unix security model".

                My bad. My post is still valid though, for the distracted crows.

                In another post, I did actually mention SELinux. It is quite powerful, albeit a bit unruly for a regular user to administer. Thankfully, distros have done a good job with creating working default policies.

                Indeed, like I said in the two previous posts.
                And like everywhere else, uneducated users will just turn off SELinux if it starts messing with their runtime.

                - -
                We always end up concluding that the best security framework can't protect users from their own stupidity.

        • I normally use Mandriva, but the P/S (ShuttleX) died and I'm awaiting a replacement.

          In the meantime, without another PC, I've been using my WinXP/VooDoo video box that I use for older 3Dfx games. It's all updated and I use Firefox, etc.

          Within 24 hours of using it, it became infected and my email account got hacked. I've changed all my passwords, but damn GMail still locked down my mail account and my blog and won't tell me why. Any advice on that?

          I hate Windows.

      • by makomk ( 752139 )

        I think some early Linux security frameworks had a similar issue with swapping out parameters of system calls. The key word there is "had" - pretty much everyone knows not to write code that's vulnerable to this attack now, and even if they don't it's unlikely to be allowed into the kernel.

    • We run Linux/*nix.
  • by Abstrackt ( 609015 ) on Sunday May 09, 2010 @09:28AM (#32146798)
    I don't run AV software! Ha!
    • I don't run AV software! Ha!

      Suuuuure you do, you just didn't install it. One of those nice PC bugs has probably already inoculated you against everything but itself ;-)

      It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC.

      So, if you're already infected then they can bypass your AV software ... hmm ...

      I guess this is going to be a new attack vector for those 'fake AV' programs that download & run but can't do much harm because the user has a limited account.

    • by Graff ( 532189 )

      I'd say the real critical flaw of antivirus software is that it costs money, steals system resources, and has no productive use. Wait a second - maybe antivirus software is just a virus that you KNOW about!

      And yeah, I don't run any antivirus software either. I haven't run any for well over 20 years and I have yet to have any problems. Good security practices and an operating system that doesn't have much malware in the first place means that I've saved a lot of cash and time over the years.

  • Not really new (Score:5, Insightful)

    by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Sunday May 09, 2010 @09:28AM (#32146806) Homepage

    These problems have been known for a while and used to defeat e.g. systrace in OpenBSD (CVE-2007-4305). It also does not affect AV software per se, but anomaly-based detection, which kicks in only if something bad is already running on your machine. If this approach is actually used in the wild, detection logic will be added for it. Business as usual, really.

    • Re: (Score:2, Informative)

      Yep. Furthermore this requires not just admin privileges, but also being able to load a kernel module which has been severely restricted under 64-bit Windows (the driver's catalog has to be signed by Microsoft). Still, many people use Windows XP with an admin account, but the flaw itself does not lie with the AV themselves -- a few of them will even warn when a program attemps to load a unsigned kernel driver. KAV also warns when running an unsigned program from outside Program Files.

      However for compatibi

      • Hmm obviously I read the article too quickly, this attack does not depend on loading a kernel driver. My bad ;)
      • Running Windows 7 64-bit here, unless I missed something VirtualBox's drivers are not signed, that's why I had to click OK when they were installing. I thought they got rid of the signing requirement for Win7 64.
    • And the malware will find different ways to get around that again of course.

      Isn't this simply a case of when a system is compromised, it can not reliably detect this by itself? Viruses that switch off AV, that hide from AV, that pretend to be not there - of course this can happen when a system is compromised already, and when the process you are trying to detect knows it may be detected and can defend itself against this.

      The only way to reliably detect whether a system is compromised is to take the hard d

    • Re: (Score:2, Interesting)

      by riskpundit ( 1609597 )
      While this is surely interesting research, there are far simpler ways of bypassing AV software. Drive-by browser-based attacks of the type exemplified by Zeus and Koobface are far easier to execute. Today, attackers are focused on stealing money and intellectual property. They will take the path of least resistance. The AV vendors have yet to respond to the more obvious existential threat to their existence.
  • So it seems that relying on runtime checks doesn't just slow the system down, but also is vulnerable to concurrency attacks.

    That may be alarming, but it's not like antivirus software was ever powerful enough to let users shut off their brains when using their computer.

    • by Sycraft-fu ( 314770 ) on Sunday May 09, 2010 @12:15PM (#32148040)

      Also AV's main power for a long time has been on access/creation scanning. More or less it stops the viruses before they've a chance to become active. You run a virus scanner and anything coming in from the web, or a flash drive, or whatever is scanned. If a virus is detected, access is blocked. The virus can't get around that, since it isn't running. The AV stops it cold, before it has a chance to try anything.

      Now that's not perfect, of course, the AV software has to have a signature for the virus, but it works pretty damn well. It is a good layer of security. Shouldn't be your only layer, but no layer should be your only layer.

      This attack sounds like it is more useful against behavioural anti-virus. The AV notices a program doing shit it shouldn't and tries to stop it. Another good layer to have, but getting around it only gets you anywhere if you got the program to run in the first place.

      As you say though, no matter what you just can't shut your brain off. There is no such thing as perfect security, physical or otherwise, and anyone who sells it to you is lying. Good security requires defense in depth and requires someone to be watching to make sure things are working and not getting broken through. AV software is useful, firewalls are useful, privilege separation (like UAC or sudo) is useful, but all of them still need you as a user not to be an idiot about it.

    • Unfortunately users do just that. I have AV, so I needn't watch out anymore.

      A fitting car analogy would be the question whether they speed on an icy road just 'cause they got airbags.

  • All AV software? (Score:4, Interesting)

    by xulfer ( 1368787 ) on Sunday May 09, 2010 @09:30AM (#32146816)
    All AV software seems a little broad. This only seems to cover virus utilities that prevent viruses from attaching in the first place. I fail to see how this vulnerability would affect the large portion of av utilities that are simply scanners... e.g. clamav, etc.
  • So.. (Score:5, Insightful)

    by Anrego ( 830717 ) * on Sunday May 09, 2010 @09:37AM (#32146874)

    Anti virus software has become increasingly ineffective? Potentially opens up even more venues for attack! The Windows system of limiting privileges isn't always effective??!!??!!

    Next you'll be telling me that fire is hot, water is wet, sci.. you know the rest

    I mean this is cool and all, it's a neat discovery... but I think the whole concept of anti virus software is critically flawed and has become completely ineffective.

    • This attack requires that badware is already running inside the machine it's trying to attack.

      If badware is already running then ... um, how exactly does this attack up the ante?

      • The malware does not have to be running with administrative privileges in order to perform this attack. Otherwise, it is still pretty meh.

    • "the whole concept of anti virus software is critically flawed and has become completely ineffective"

      I agree, but I'm still going to tell Grandpa to keep Norton updated. I also tell him not to browse pr0n sites, but since he saw Betty White on SNL last night I've got a whole new set a headaches to deal with!

    • by gilgongo ( 57446 )

      I mean this is cool and all, it's a neat discovery... but I think the whole concept of anti virus software is critically flawed and has become completely ineffective.

      Exactly. In fact, that's probably been the case since pretty much the coming of domestic broadband made botnets and related activity so huge. Really, I've not run any AV on my machine under my control since about 2001. I just make sure I'm using as little Microsoft software as possible, don't visit "strange" sites (outside of a VM at least!), and generally ignore any unexpected email attachments sent by anyone at all (and I strip out all executables at the mail gateway). That sounds like a lot of work, but

  • They tested every obscure antivirus program out there, yet they did not test one of the most important ones -- Microsoft Security Essentials.

    Seeing how obscure some of the tested AVs are, it's hard to believe their statement that "the only reason there are not more products in the following table is our time limitation."

    Was MSE intentionally omitted because it is not vulnerable? Slashdot is more likely to reject such an article... It is actually very likely that MSE is not vulnerable, because Microsoft prod

    • You're right, they should have tested it. But I'd take serious issue with your contention that it's "one of the most important ones". MSE 1.0 was released on the 29th of September, 2009. So it's essentially a 7 month old product. I'd also note that it doesn't come as part of the OS, and it looks like you need to download and install the software yourself.

      So given that, why do you think it's one of the most important ones?

      • Re: (Score:3, Informative)

        MSSE is important for the following reasons:

        1: it's from Microsoft, hence, the nontechies will trust it to run well (The old mentality that "detroit knows best" when it comes to cars)
        2: my testing indicates that MSSE is at least as effective as the "free" AV's, and possibly equal to the best paid AV's
        3: the semi-computer literate can quickly find that MSSE is far less demanding of resources than almost any other AV
        and
        4: it's another "free" product which appeals to millions of people - AND any Bing search w

    • Microsoft may not patch the kernel to integrate MSE, but MSE sure generates a lot of extra interrupts. And the overhead of handling them is onerous. I suspect they hook into the disc I/O. That would seem like a potential vulnerability.
  • "Matousec"? Hmm...
    "To use Mac"? Hey!
  • Follow Apple? (Score:2, Interesting)

    by ITI_guy ( 1021879 )
    If M$ would have only used the App Store model for software distribution we wouldn't need AV at all, and think of the profit!
  • Can someone tell me what the difference is between this and syscall wrapper exploits which have been known about long enough to be lectured in undergraduate security courses?
  • TFA has discovered "the rootkit".

  • Okay, so basically your PC has some type of rootkit on it already. Then your AV is ineffective due to some obscure attack. Rent a clue, editors! If you have a rootkit, you are fucked anyway. There is no magical piece of software that will protect you from your machine being owned.... that is the definition of owned.

    I can understand the general populous not getting this. I cannot understand Slashdot editors not getting such a basic concept.

    • This attack is apparently effective when the code executes as an unprivileged user, and from the model they've implemented it seems to not require any previous malicious code to reside on the system. Where did you get that from?
  • whatever platform the program is based on if you are booted to the system you are trying to clean then you have already lost ground.

    of course a Posix type solution has the advantage of being mostly immune to the viruses on a Windows system.

  • So basically ...

    It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC

    Anyone who already has the ability to run a binary on your box can p0wn it ... well, no shit Sherlock. As that applies to every O/S, I wonder why Windows has been targeted as the "guilty party". Ah, Soulskill, say no more ...

  • And here I thought someone had found an exploit of a common audio-video codec, or just plain DCT or something interesting.

    Anti-virus is an arms-race, and IMHO causes about as much problems as it solves. (Except the caused problems are rarely truly evil like the attacks stopped.)

    Other examples where anti-virus software just fails;
    * Decompression bombs
    * McAfee:s recent XP borking
    * Even good reputable AV seems to have problems catching up with months-old malware
    * Let's not start

Avoid strange women and temporary variables.

Working...