
Antivirus Is as Vulnerable as Any Other Product


Matsuda


Using a custom fuzzing testing suite and running basic local and remote checks, a security researcher found numerous remotely exploitable vulnerabilities in multiple antivirus software solutions.

He showed that security measures present in these products could be bypassed just like in any other, and that they provided multiple entry points to the system.

Joxean Koret from the Singapore-based Coseinc, a private company that offers information security services, explained how software designed to protect users from malware actually offers threat actors an increased number of attack vectors that can be leveraged to gain access to the victim’s system.

Since most antivirus products enjoy a default trust that allows them to run with top privileges, finding a bug in them and exploiting it allows an attacker the same privileges on the affected system.

At the SyScan 360 security conference in Beijing, Koret provided a simple example, saying that “most antivirus engines update via HTTP only protocols.”

Relying on the man-in-the-middle (MitM) attack, “one can install new files and/or replace existing installation files,” which “often translates in completely owning the machine with the AV engine installed as updates are not commonly signed.”

The researcher provides a list with some vulnerabilities he found when testing his tools on reputed antivirus products. The results included heap overflows, remote vulnerabilities, integer overflows, local privilege escalation, as well as command injection possibilities.

The list of products with one or more of these glitches includes Avast, Bitdefender, Avira, AVG, Comodo, ClamAV, DrWeb, ESET, F-Prot, F-Secure, Panda, and eScan.

Koret has said that he downloaded the antivirus (AV) engines, which are the core of the antivirus product, with a Linux version he found. “The core is always the same with the only exception of some heuristic engines,” he explains. Moreover, he used some special methods to make Windows-only engines run on Linux.

It seems that although AV engines are compiled with ASLR turned on, only the core components are protected this way, and other parts, like the graphical user interface and some libraries, are not.

If certain conditions are met, such as the use of the built-in emulating tool, some of the engines create RWX (read/write/execute permissions) pages at fixed addresses and disable DEP (data execution prevention).

A possible compromise scenario would be for an attacker to send a ZIP archive that forces the emulator to be used, containing an exploit, the researcher says in the slides for the conference. As such, taking advantage of memory leaks in the emulators or leveraging other vulnerabilities would permit access to the system’s higher functions.

The conclusions are quite grim, for both users and developers of antivirus software, but it is the latter who have to take the necessary steps to improve security of their products and maintain the customer trust by staying ahead of cybercriminals and adapting the source code to the current day and age.




Edited by Matsuda

PS: One thing that has helped me is to take my Dad's laptop and deny execute access for Everyone to the Downloads folder, so if something for whatever reason gets downloaded it cannot run. No more trojan viruses pretending to be legit programs.

If I need to do maintenance or whatever on it one day, then I just move the file and run it. This technique has proven very successful, and when all someone uses is a browser, auto updates keep everything current.

How can I prevent file execution in a specific folder in Windows 7 without messing up windows folder/security settings?
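One way to do what the post above describes, added here as an example rather than code from anyone in the thread: a Deny ACE for Everyone carrying only the ExecuteFile right, applied through PowerShell's ACL cmdlets. It assumes the current profile's Downloads folder and an elevated PowerShell (or the folder's owner) on Windows 7 or later.

```powershell
# Added example, not from the thread: deny "Execute File" for Everyone on a
# Downloads folder so downloaded binaries cannot be launched from there.
# Assumptions: the current profile's Downloads folder; elevated PowerShell.
$Downloads = Join-Path $env:USERPROFILE 'Downloads'

# Everyone, by well-known SID so the rule does not depend on the OS language.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# Deny ExecuteFile only. ObjectInherit + InheritOnly means the ACE applies to
# files (in this folder and below) but not to the folder objects themselves,
# so traversal and listing keep working and Read/Write stay untouched.
$denyExec = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Deny)

function Add-NoExecuteRule {
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($Rule)      # Deny ACEs are evaluated before Allow ACEs
    Set-Acl -Path $Path -AclObject $acl
}

function Remove-NoExecuteRule {
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $acl = Get-Acl -Path $Path
    $null = $acl.RemoveAccessRule($Rule)
    Set-Acl -Path $Path -AclObject $acl
}

Add-NoExecuteRule -Path $Downloads -Rule $denyExec

# Verify: expect one Deny entry for S-1-1-0 with FileSystemRights = ExecuteFile.
(Get-Acl -Path $Downloads).Access |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags, PropagationFlags

# Caveat: this only stops the loader running files from that path. Script hosts
# and Office macros read the file rather than execute it, so this complements
# rather than replaces AV or AppLocker/SRP policies.

# For the maintenance case in the post, either move the file out of Downloads
# before running it, or lift the rule temporarily:
# Remove-NoExecuteRule -Path $Downloads -Rule $denyExec
```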



Just another standard reason why I don't bother with any antivirus..Sandboxie..Winpatrol..Zemana-Antilogger..PrivateFirewall..and SD when needed.. :yes:
