How AV Can Open You To Attacks That Otherwise Wouldn't Be Possible

Antivirus suites expose a user's system to attacks that otherwise wouldn't be possible, a security researcher reported on Friday. From a report: On Friday, a researcher documented a vulnerability he had found in about a dozen name-brand AV programs that allows attackers who already have a toehold on a targeted computer to gain complete system control. AVGater, as the researcher is calling the vulnerability, works by relocating malware already put into an AV quarantine folder to a location of the attacker's choosing. Attackers can exploit it by first getting a vulnerable AV program to quarantine a piece of malicious code and then moving it into a sensitive directory such as C:\Windows or C:\Program Files, which normally would be off limits to the attacker. Six of the affected AV programs have patched the vulnerablity after it was privately reported. The remaining brands have yet to fix it, said Florian Bogner, a Vienna, Austria-based security researcher who gets paid to hack businesses so he can help them identify weaknesses in their networks. Bogner said he developed a series of AVGater exploits during several assignments that called for him to penetrate deep inside customer networks. Using malicious phishing e-mails, he was able to infect employee PCs, but he still faced a significant challenge. Because company administrators set up the PCs to run with limited system privileges, Bogner's malware was unable to access the password database -- known as the Security Account Manager -- that stored credentials he needed to pivot onto the corporate network.

Re: Obama is my Llama

[bestweasel]

Jackson Klaxon, a 32 year old software developer from Nohope Idaho, was today arrested outside a local dentist's office for indecent behaviour, stealing a llama from a nearby llama farmer and suspicion of being under the influence of hallucinogens.

"The door to the surgery opened and I was shocked to see Mr Klaxon standing there naked, particularly as he didn't have an appointment", said Ethel Mercaptan, Receptionist, mother of six and part-time meth addict. "He turned round, a sight none of us was ready

They what?

[Anonymous Coward]

Six of the affected AV programs have patched the vulnerable.

They "patched the vulnerable"? Really?

At this rate english will be a dead language within three or four generations.

Re:

[Big Hairy Ian]

Six of the affected AV programs have patched the vulnerable.

They "patched the vulnerable"? Really?

At this rate english will be a dead language within three or four generations.

I blame the the Coriolis Affect

Re: They what?

[clovis]

Yes, the Coriolis Affect is a mental state where thoughts spin around in your brain due to exposure to egregious fucktardation.

New meme

[sjbe]

They "patched the vulnerable"? Really?

It's a close relative of Do the needful [grammarly.com].

Re:

[wardrich86]

Maybe they're going above and beyond and spreading a patch to all the other computers that are still affected.

So My AV was the weakest link

[Big Hairy Ian]

I wonder if this is being exploited in the wild

A collection of exploits working together

[Opportunist]

I know it's quite common to bash Antivirus, from "they create the viruses themselves to create a market" to "they are snakeoil anyway", so the headline is very Slashdot-y, but please realize that this is exploitable because three things come together:

1. The way Windows symlinks is FUBAR.
2. There are STILL programs that simply go by the logic of "let's just load every DLL in this directory".
3. A program (in this case an AV tool) allows to "restore" files into a directory, does not double check where that ends up and has admin privileges.

You can probably get the same effect with backup programs.

Re:A collection of exploits working together

[Baron_Yam]

The way Windows handles installing and removing programs is insane. The way programs handle what security Windows offers is insane. But as a platform, Windows was originally designed for 'easy' not 'good', and it did an adequate job of standardizing program UIs, and then providing a standard interface to devices.

After that, of course, Microsoft (and everyone else) discovered that you could force users onto the upgrade treadmill by changing the standards over time and killing backwards compatibility. And now they have enough of the business desktop market not to care.

Whee!

Re:

[Dutch Gun]

After that, of course, Microsoft (and everyone else) discovered that you could force users onto the upgrade treadmill by changing the standards over time and killing backwards compatibility.

What on earth are you talking about? If there's one thing that Microsoft is insanely good at, it's preserving backwards compatibility at the OS level, even allowing much older 32-bit applications (some even vintage Windows 95 era software) to run on 64-bit machines via a built-in emulation layer. Most issues of breaking compatibility had to do more with software explicitly breaking earlier rules which weren't strictly enforced in older versions of Windows (like Windows XP), such as writing data to the pro

Re:A collection of exploits working together

[ctilsie242]

Because of Windows's historically crappy programming, this is why AV was created. This isn't just MS's fault. Other operating systems of that time with cooperative multitasking had issues as well, so things like Disinfectant for the Mac that had a program load and run were critical.

However, time has passed. Macs run a pre-emptive OS with MAC and DAC controls. Linux has SELinux and AppArmor. Even Windows, especially with tools to limit what applications can write to what files, is getting there.

There is no real need for AV anymore. In the past, AV's liability of CPU slowness was worth it, as it would catch things. Now, AV is all but worthless because the two primary infection vectors are malvertising (which needs to be handled by the web browser and the sandbox/VM it sits in) and Trojans. AV rarely protects against malicious PDFs or Word documents.

It is worse now, because with the fact that AV autoupdates both signatures and code, as well as sends what the hell it feels like to the mother-ship, AV can easily become malware in itself in a way that is undetectable.

What needs to be done is to dump AV completely and have the OS handle security. The Qubes OS model is a good example of this done right. Alternatively, one can do this manually via Sandboxie or VMs on the desktop.

The fewer moving parts, the better.

Re:

[scdeimos]

Because of Windows's historically crappy programming, this is why AV was created. This isn't just MS's fault. Other operating systems of that time with cooperative multitasking had issues as well, so things like Disinfectant for the Mac that had a program load and run were critical.

You're right that this isn't just MS's fault. The 68x000 series of MacOS (capital M) did all sorts of things to encourage viruses, e.g.:

1. Hard disk volumes had their own driver code in the first couple of blocks which was dutifull

Re:

[Dutch Gun]

2. There are STILL programs that simply go by the logic of "let's just load every DLL in this directory".

This is not unusual because this is how programs handle extended functionality via plugins. For instance, every digital audio workstation (DAW) in the world works by scanning key folders for dlls with well-defined interfaces, known as VSTs. These VSTs contain virtual instruments or effects that can be accessed by the host DAW. Photoshop plugins? Same concept. And there are probably thousands more examples.

This is what people mean when they talk about the conflicting interests of security and functional

Re:

[Opportunist]

It is really asking too much of a program to store a list of the plugins it uses and load those and only those plugins?

How about a more secure OS?

[evolutionary]

Linux is better at resisting these things than MS windows. one can argue that Linux is less targeted, but whatever the reason, Linux (there is Apple based on BSD, but Apple has hooks in their products that are not open source). No system is foolproof. and some of these attacks used phishing techniques which someone who is watching can probably spot. But hopefully the AV companies will get better staying ahead of the curve.

Re:How about a more secure OS?

[ctilsie242]

Linux has had its vulnerabilities, but it has done well for an OS that is Internet facing and always bearing the constant slings and arrows from attackers. The only time I've even thought of AV on Linux is because it is to check a box off when it comes to audits or paperwork. I doubt any AV would be useful at all on the platform, other than to catch Windows items on a SMB file server.

Software has bugs..

[Altrag]

News at 1942!

Seriously though.. antivirus software is software, and many of them are very complex pieces of software given that they all seem to incorporate some combination of the primary AV, a firewall, malware scanners, webpage scanners, filesystem monitors, kitchen sinks, etc.

Its kind of like expecting that your doctor can't get sick just because she's a doctor.

In other words: we need SW freedom always.

[jbn-o]

Most anti-malware programs are nonfree (user-subjugating, proprietary) software. So it stands to reason that since people make mistakes and sometimes purposefully either don't fix exploitable bugs or put them there intentionally, nonfree anti-malware programs should be treated no differently from other non-free software—don't run nonfree software. The solution becomes obvious: run free software anti-malware programs instead. Apparently privatization got us to where we are: a series of untrustable nonf