Malware bug

Antivirus software could make companies more vulnerable


11 January 2016

Imagine getting a call from your company’s IT department telling you your workstation has been compromised and you should stop what you’re doing immediately. You’re stumped: you went through the company’s security training and you’re sure you didn’t open any suspicious email attachments or click on any bad links; you know that your company has a solid patching policy and the software on your computer is up to date; you’re also not the type of employee who visits non-work-related web sites while on the job. So, how did this happen?

A few days later, an unexpected answer comes down from the security firm that your company hired to investigate the incident: hackers got in by exploiting a flaw in the corporate antivirus program installed on your computer, the same program that is supposed to protect it from attacks. And all it took was for attackers to send you an email message that you didn’t even open.

Far fetched
This scenario might sound far-fetched, but it’s not. According to vulnerability researchers who have analysed antivirus programs in the past, such attacks are quite likely, and may already have occurred. Some of them have tried to sound the alarm about the ease of finding and exploiting critical flaws in endpoint antivirus products for years.

Since June, researchers have found and reported several dozen serious flaws in antivirus products from vendors such as Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes. Many of those vulnerabilities would have allowed attackers to remotely execute malicious code on computers, to abuse the functionality of the antivirus products themselves, to gain higher privileges on compromised systems and even to defeat the anti-exploitation defences of third-party applications.

Exploiting some of those vulnerabilities required no user interaction and could have allowed the creation of computer worms – self-propagating malware programs. In many cases, attackers would have needed only to send specially crafted email messages to potential victims, to inject malicious code into legitimate web sites those victims visited, or to plug USB drives containing malformed files into their computers.

Attacks on the horizon
Evidence suggests that attacks against antivirus products, especially in corporate environments, are both possible and likely. Some researchers believe that such attacks have already occurred, even though antivirus vendors might not be aware of them because of the very small number of victims.

The intelligence agencies of various governments have long had an interest in antivirus flaws. News web site The Intercept reported in June that the UK Government Communications Headquarters (GCHQ) filed requests in 2008 to renew a warrant that would have allowed the agency to reverse engineer antivirus products from Kaspersky Lab to find weaknesses. The US National Security Agency also studied antivirus products to bypass their detection, according to secret files leaked by former NSA contractor Edward Snowden, the web site said.

A cyberespionage group known as Careto or The Mask, perhaps state-sponsored, is known to have attempted to exploit a vulnerability in older versions of Kaspersky antivirus products in order to evade detection. The group compromised computers belonging to hundreds of government and private organisations from more than 30 countries before its activities were exposed in February 2014.

While these are mainly examples of using antivirus vulnerabilities to evade detection, there’s also a demand for remote code execution exploits affecting antivirus products and these are being sold by specialised brokers on the largely unregulated exploit market.

Among the emails leaked last year from Italian surveillance firm Hacking Team there is a document with exploits offered for sale by an outfit called Vulnerabilities Brokerage International. The document lists various privilege escalation, information disclosure and detection bypassing exploits for multiple antivirus products, and also a remote code execution exploit for ESET NOD32 Antivirus with the status “sold.”

Ongoing issue
This has been going on for over a decade, according to Gunter Ollmann, chief security officer at intrusion detection vendor Vectra and former chief technology officer at security research firm IOActive. There are companies that specialise in reverse-engineering popular desktop antivirus products from countries where their clients have an interest, he said via email. They also reverse-engineer existing malware so they can hijack already infected systems, he said.

According to Ollmann, a remotely exploitable vulnerability in the Chinese Qihoo 360 antivirus product is worth several tens of thousands of dollars to intelligence agencies from the US and Europe.

“From a state-actor perspective, it would not be in their best interest to be detected doing this kind of thing, so targets are small and carefully controlled,” Ollmann said.

If intelligence agencies from the US and Europe are interested in such exploits, there’s no reason to think that those from Russia, China and other cyber powers are not. In fact, Chinese and Russian cyber espionage groups have repeatedly proven their ability to find and develop exploits for previously unknown vulnerabilities in popular applications, so applying those same skills to antivirus products shouldn’t be a problem.

Even some antivirus vendors agree that targeted attacks against antivirus products are likely, though they haven’t seen any so far.

“In our predictions for 2016, we specifically mention that attacks on security researchers and security vendors could be a future trend in information security; however, we do not believe these will be widespread attacks,” said Vyacheslav Zakorzhevsky, the head of anti-malware research at Kaspersky Lab, via email. “For example, security researchers may be attacked via compromised research tools, and since all software contains vulnerabilities, there is a possibility that security software could be impacted on a targeted and limited basis.”


TechCentral.ie