June 24, 2016

Antivirus As a Threat


Many people do not consider antivirus tools to be a threat. Antivirus software is generally treated as a trusted application: it may reduce system performance, but it provides protection against many types of attacks. As a result, antivirus is often the sole protection tool for end users, while a set of antivirus products becomes the principal security control in enterprises.

However, like any complex program, antivirus software has vulnerabilities. Antivirus processes are trusted and run with high privileges and extensive access rights, which makes them appealing to attackers: exploiting them can lead to full system compromise.
Vulnerabilities in protection software, and in antiviruses in particular, are now receiving more attention. The growing number of exploits found and published on exploit-db and other resources indicates that this is an expanding problem.

The chart above shows the number of vulnerabilities found each year in well-known antivirus software over the last 15 years. In the 2000s, information about antivirus vulnerabilities was rarely published, but in 2015 more than 50 exploits were published for critical antivirus vulnerabilities such as authentication bypass, privilege escalation, and remote code execution.

In particular, 2015 saw new vulnerabilities discovered in such products as ESET, Avast, Bitdefender, Symantec, Kaspersky Lab, FireEye, and Malwarebytes.

In addition to independent researchers, Google Project Zero began searching for vulnerabilities in protection tools in 2014 and found a significant share of the vulnerabilities published in 2015. Logically, government organizations also pay attention to this issue: we previously covered reviews of Russian antivirus software performed by foreign intelligence agencies.
It is hard to forecast how often vulnerabilities will appear in antivirus software, but some conclusions can be drawn from the exploits published in the first quarter of 2016. More details about these exploits are given below.

Attacks on Vulnerable Antiviruses

Trend Micro
On January 11, 2016, Tavis Ormandy, a researcher on the Google Security Research team, found a critical vulnerability in Trend Micro antivirus that leads to remote code execution.

When the antivirus is installed, a Password Manager component is installed and started automatically by default. This module is written in JavaScript and runs on node.js. It starts an RPC server that handles API requests over HTTP. The vulnerability was found in openUrlInDefaultBrowser, an API function that passes its argument to ShellExecute() without checking it. In other words, it allows arbitrary code execution.

// Request to the local Password Manager HTTP RPC; the url argument reaches ShellExecute() unchecked
x = new XMLHttpRequest()
x.open("GET", "https://localhost:49155/api/openUrlInDefaultBrowser?url=c:/windows/system32/calc.exe", true);
try { x.send(); } catch (e) {};

The patch was issued one week after the report.
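The argument check that the report above says the openUrlInDefaultBrowser handler lacked, written out as an added example (this is not Trend Micro's code). Only absolute http(s) URLs with a host are accepted, so a local path such as c:/windows/system32/calc.exe is rejected before any ShellExecute-style launcher is called; `launcher` is a hypothetical stand-in for the platform call.

```python
"""Validate an "open this URL in the browser" argument before it reaches a shell-execute call.

Added example, not Trend Micro's code. `launcher` is a hypothetical stand-in
for the platform call (ShellExecute on Windows).
"""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_URL_LENGTH = 2048


def validate_browser_url(raw):
    """Return the URL to open, or raise ValueError if it is not a plain web URL."""
    if not isinstance(raw, str) or not raw or len(raw) > MAX_URL_LENGTH:
        raise ValueError("url must be a non-empty string of at most %d characters" % MAX_URL_LENGTH)
    # Control characters (CR, LF, TAB, NUL ...) are never legitimate in a URL and
    # are a classic way to smuggle extra arguments past a naive check.
    if any(ord(c) < 0x20 or c == "\x7f" for c in raw):
        raise ValueError("control characters are not allowed")
    parts = urlsplit(raw)
    # A bare Windows path parses as scheme "c" with no host, so this test
    # rejects it together with file:, javascript: and similar schemes.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme %r is not allowed" % parts.scheme)
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials embedded in the URL are not allowed")
    return parts.geturl()


def open_url_in_default_browser(raw, launcher):
    """Hardened handler: `launcher` (e.g. a wrapper around ShellExecute) only
    ever receives a URL that passed validate_browser_url()."""
    url = validate_browser_url(raw)
    launcher(url)
    return url
```

The scheme and host tests do the real work; the length and control-character tests close off the argument-smuggling variants that a scheme check alone would miss.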


McAfee Application Control
On January 12, specialists from SEC Consult, an Austrian company, published a report on bypassing the protection of McAfee Application Control. This product blocks the launch of applications that are not on its whitelist and is used to protect critical infrastructure. Version 6.1.3.353 on Windows was used for testing. The researchers found ways to execute arbitrary code, launch unauthorized applications, and bypass DEP, UAC, and the whitelist. They also found vulnerabilities in the swin1.sys driver that can lead to a system crash.


QuickHeal
On February 19, the researcher Fitzl Csaba published a proof-of-concept for a vulnerability in the popular Indian antivirus QuickHeal 16.00. The webssx.sys driver turned out to be vulnerable to CVE-2015-8285, which can trigger a BSOD or privilege escalation. The device was created without the FILE_DEVICE_SECURE_OPEN flag, so any user can interact with it, bypassing the ACL. The researcher determined the IOCTL code and the buffer size needed to reach the vulnerable function. Because data from the input buffer was insufficiently checked, the arguments passed to memcpy were subject to an integer overflow.


Comodo
On February 29, Greg Linares found a vulnerability in the GeekBuddy module of Comodo antivirus that leads to local privilege escalation. GeekBuddy starts several processes, one of which tries to load the library shfolder.dll. Instead of a full path, GeekBuddy uses only the hard-coded library name, so the DLL can be hijacked. An attacker who places a malicious shfolder.dll in C:\ProgramData\Comodo\lps4\temp\ and then launches a client update, or waits for an automatic one, gains SYSTEM privileges and fully compromises the system.
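The pattern described above, a privileged process resolving a library by bare name from a directory an ordinary user can write to, is something a defender can look for in image-load telemetry. The following is an added example, not Comodo's code: a triage pass over image-load records of the kind Sysmon (event ID 7) or Process Monitor produce. The event records, process names, and the DLL names other than shfolder.dll are constructed sample data, not taken from the report.

```python
"""Flag loads of well-known system DLLs from user-writable directories.

Added example, not Comodo's code. Sample events and DLL names beyond
shfolder.dll are constructed for illustration.
"""
from pathlib import PureWindowsPath

# DLLs a privileged process should only ever resolve from the system directory.
# shfolder.dll is the one named in the GeekBuddy report; the rest are assumed
# additions for illustration.
SYSTEM_DLLS = {"shfolder.dll", "version.dll", "cryptbase.dll", "dbghelp.dll"}

EXPECTED_DIRS = (PureWindowsPath(r"C:\Windows\System32"),
                 PureWindowsPath(r"C:\Windows\SysWOW64"))

# Locations an unprivileged user can normally create files in.
USER_WRITABLE_DIRS = (PureWindowsPath(r"C:\ProgramData"),
                      PureWindowsPath(r"C:\Users"),
                      PureWindowsPath(r"C:\Windows\Temp"))


def _parts(path):
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def is_under(path, directory):
    """Case-insensitive 'path lies below directory' test on Windows paths."""
    p, d = _parts(path), _parts(directory)
    return p[:len(d)] == d


def classify_image_load(event):
    """Return (severity, reason) for one image-load record, or None if benign."""
    image = PureWindowsPath(event["image"])
    if image.name.lower() not in SYSTEM_DLLS:
        return None
    if any(is_under(image, d) for d in EXPECTED_DIRS):
        return None
    writable = any(is_under(image, d) for d in USER_WRITABLE_DIRS)
    privileged = event["user"].upper().endswith("SYSTEM")
    if writable and privileged:
        return "high", "%s loaded by a SYSTEM process from user-writable %s" % (image.name, image.parent)
    if writable:
        return "medium", "%s loaded from user-writable %s" % (image.name, image.parent)
    return "low", "%s loaded from unexpected directory %s" % (image.name, image.parent)


def triage(events):
    """Return [(severity, process, image, reason)] for every suspicious load."""
    findings = []
    for ev in events:
        hit = classify_image_load(ev)
        if hit is not None:
            findings.append((hit[0], ev["process"], ev["image"], hit[1]))
    return findings


# Constructed image-load records (process paths are placeholders).
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files\COMODO\GeekBuddy\client-placeholder.exe",
     "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\ProgramData\Comodo\lps4\temp\shfolder.dll"},
    {"process": r"C:\Program Files\COMODO\GeekBuddy\client-placeholder.exe",
     "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\shfolder.dll"},
    {"process": r"C:\Users\alice\Downloads\installer.exe",
     "user": r"HOST\alice",
     "image": r"C:\Users\alice\Downloads\version.dll"},
    {"process": r"C:\Windows\System32\svchost.exe",
     "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\kernel32.dll"},
]
```

Severity is driven by the combination that matters here: a system DLL name, a user-writable source directory, and a SYSTEM-level loading process. The same check can be run retrospectively over archived logs to find past hijacks, not only live ones.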


Avast
On March 4, Google Security Research published new vulnerabilities in Avast. This time the issue was memory corruption in the parsing of digital certificates. Tavis Ormandy created a portable executable file that crashed Avast; according to him, the crash was caused by memory corruption while parsing digital signatures in files.


McAfee VirusScan
On March 7, Maurizio Agazzini presented another McAfee vulnerability. He wrote an exploit that bypasses the security restrictions of McAfee VirusScan Enterprise 8.8: a user with local administrator rights can bypass these restrictions and disable the antivirus without knowing its password.

The vulnerability was fixed on February 25, although the researcher had begun reporting it in fall 2014.


Avira
On March 16, a critical vulnerability in the Avira antivirus was disclosed. As expected, the antivirus parses portable executable files; while testing it, researchers found a heap underflow that occurred when PE section headers were parsed. If a header had a large RVA, Avira stored the calculated offset on the heap and then wrote attacker-controlled data (taken from section->PointerToRawData) into the buffer. The vulnerability led to RCE with NT_AUTHORITY\SYSTEM privileges. The patch was issued on March 18.
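The defensive counterpart to the Avira bug is a section-table walker that bounds-checks every offset and size it reads before copying anything. The following is an added example, not Avira's parser: it validates each PointerToRawData/SizeOfRawData pair against the file size and each VirtualAddress/VirtualSize pair against the 32-bit address space. The same rule covers any size or offset field read from an untrusted file, including the packer parameters and IOCTL lengths mentioned elsewhere in this post. build_pe() constructs the sample images in memory; nothing here is a real binary.

```python
"""Bounds-check PE section headers before touching the data they describe.

Added example, not Avira's code. build_pe() constructs sample images in
memory so the checks can be exercised offline.
"""
import struct

DOS_HEADER_SIZE = 64
E_LFANEW_OFFSET = 0x3C
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER: Machine .. Characteristics
COFF_SIZE = struct.calcsize(COFF_FMT)
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)
OPTIONAL_HEADER_SIZE = 224     # PE32 optional header, zero-filled in the samples
MAX_SECTIONS = 96              # the Windows loader refuses images with more


def build_pe(sections):
    """Construct a bare PE32 file: DOS header, PE signature, COFF header,
    zeroed optional header, section table, then each section's raw bytes.
    Each entry has name, va, vsize and raw; ptr_raw/size_raw may be overridden
    to build a malformed sample."""
    table_end = DOS_HEADER_SIZE + 4 + COFF_SIZE + OPTIONAL_HEADER_SIZE + SECTION_SIZE * len(sections)
    table, blob, cursor = b"", b"", table_end
    for s in sections:
        table += struct.pack(SECTION_FMT, s["name"].ljust(8, "\0").encode(),
                             s["vsize"], s["va"], s.get("size_raw", len(s["raw"])),
                             s.get("ptr_raw", cursor), 0, 0, 0, 0, 0x60000020)
        blob += s["raw"]
        cursor += len(s["raw"])
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, DOS_HEADER_SIZE)
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x0102)
    optional = struct.pack("<H", 0x10B) + bytes(OPTIONAL_HEADER_SIZE - 2)
    return bytes(dos) + b"PE\0\0" + coff + optional + table + blob


def _locate_section_table(data):
    """Return (table_offset, section_count), raising ValueError if the headers
    themselves do not fit inside the file."""
    size = len(data)
    if size < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew > size - 4 - COFF_SIZE or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature inside the file")
    nsections = struct.unpack_from("<H", data, e_lfanew + 4 + 2)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 4 + 16)[0]
    table_off = e_lfanew + 4 + COFF_SIZE + opt_size
    if nsections > MAX_SECTIONS or table_off > size - nsections * SECTION_SIZE:
        raise ValueError("section table (%d entries) does not fit in the file" % nsections)
    return table_off, nsections


def validate_sections(data):
    """Return a list of problems; [] means every raw-data range is inside the
    file and every virtual range is inside the address space. Python integers
    do not wrap, so `ptr + size > file_size` is safe here; a C parser must
    write it as `ptr > file_size - size` to survive a 32-bit overflow."""
    try:
        table_off, nsections = _locate_section_table(data)
    except ValueError as exc:
        return [str(exc)]
    problems, prev_end = [], 0
    for i in range(nsections):
        name, vsize, va, size_raw, ptr_raw = struct.unpack_from(SECTION_FMT, data, table_off + i * SECTION_SIZE)[:5]
        label = name.rstrip(b"\0").decode("ascii", "replace") or "#%d" % i
        if size_raw and ptr_raw + size_raw > len(data):
            problems.append("%s: raw data [%#x, +%#x) lies outside the %d-byte file" % (label, ptr_raw, size_raw, len(data)))
        if va + vsize > 0xFFFFFFFF:
            problems.append("%s: VirtualAddress+VirtualSize wraps the 32-bit address space" % label)
        if va < prev_end:
            problems.append("%s: overlaps the previous section in memory" % label)
        prev_end = va + vsize
    return problems


def extract_sections(data):
    """Return {section name: raw bytes}; refuses to copy anything unless the
    whole table validated first."""
    problems = validate_sections(data)
    if problems:
        raise ValueError("; ".join(problems))
    table_off, nsections = _locate_section_table(data)
    out = {}
    for i in range(nsections):
        name, _, _, size_raw, ptr_raw = struct.unpack_from(SECTION_FMT, data, table_off + i * SECTION_SIZE)[:5]
        out[name.rstrip(b"\0").decode("ascii", "replace")] = data[ptr_raw:ptr_raw + size_raw]
    return out
```

The order matters: the header locations are checked before any header field is read, the whole table is validated before any section is copied, and the virtual-range check catches the large-RVA case even when the raw-data range is fine.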


More Comodo
On March 19, a report on a critical vulnerability in the Comodo antivirus was published. The product contains an x86 emulator used to automatically unpack and monitor obfuscated executables. The emulator is supposed to execute malicious code safely for a short time so that the sample can unpack itself or exhibit some behavior useful for detection.

Apart from memory corruption issues, the arguments of some dangerous emulated API calls are passed to real API functions during scanning. Some wrappers extract arguments from the emulated address space and pass them directly to system calls with NT_AUTHORITY\SYSTEM privileges; the call results are then returned to the emulator, which amounts to code execution.

This allows different types of attacks, for example reading, deleting, listing, and using cryptographic keys, and interacting with smart cards and other devices, because the emulator forwards the arguments of CryptoAPI functions directly to the real APIs. The vulnerability also made it possible to read registry keys through the RegQueryValueEx wrapper, whose arguments are likewise passed directly to the real API.

This attack vector means that an attacker can execute malicious code in the emulator simply by sending an email or luring the victim to an infected website. The patch was issued on March 22.


On March 14, researchers found a critical vulnerability in the Comodo antivirus engine: arbitrary code could be executed when the antivirus unpacked malicious files protected with PackMan, a little-known open-source packer that Comodo handles during scanning.

When the packer processes files compressed with certain options, the compression parameters are read directly from the input file without validation. Fuzzing showed that the pointer pksDeCodeBuffer.ptr in the function CAEPACKManUnpack::DoUnpack_With_NormalPack can be made to point anywhere, which lets an attacker pass an arbitrary address to free(). The vulnerability allows code execution with NT_AUTHORITY\SYSTEM privileges. The patch was issued on March 22.


What to Do
Despite all the vulnerabilities outlined above, we cannot completely abandon antivirus software. Antivirus engines analyze huge numbers of files faster than alternatives such as sandboxes, because they rely heavily on statistical analysis.

An effective antivirus-based protection system should combine detection accuracy with risk minimization. The most promising ways to achieve this are:

  • Scanning with several antivirus engines significantly increases the accuracy and speed of threat detection. Online services such as VirusTotal can do this, but they require uploading your files, which may leak information to third parties. It makes sense to perform such scans on a local server, which removes any involvement of outside services.
  • Security risks can be reduced by examining all suspicious files in an isolated, secure environment. Modern malware, however, can analyze the target environment and either bypass sandboxes or stay dormant. That is why honeypots are recommended: they mimic a real system, making it possible to observe malicious behavior over a prolonged period without being noticed.
  • Even after malware is detected, an antivirus cannot trace back all the objects it affected. A security system should therefore provide forensic analysis functionality.
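The first recommendation, local multi-engine scanning, comes down to an orchestrator that keeps files on site and combines several engines' answers. The following is an added example, not PT MultiScanner's code: it hashes a sample, consults a local verdict cache, fans the sample out to every engine in parallel with a per-engine timeout, and folds the answers into one verdict. Given the vulnerabilities above, an engine that crashes or times out on a sample is recorded as an error, never as "clean", because a file that breaks a parser deserves a second look. The three engines are constructed stand-ins; real engines would be invoked out-of-process under a reduced-privilege account, and the cache would live in a database rather than a dict.

```python
"""Aggregate verdicts from several locally run scan engines.

Added example, not PT MultiScanner's code. The engines and samples below are
constructed stand-ins for illustration.
"""
import hashlib
import math
from collections import Counter
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

MARKER = b"CONSTRUCTED-MALWARE-MARKER"   # stands in for a real signature


def engine_signature(sample):
    """Byte-pattern engine: detects the constructed marker string."""
    return "malicious" if MARKER in sample else "clean"


def engine_entropy(sample):
    """Crude heuristic engine: flags content that looks packed or encrypted."""
    if not sample:
        return "clean"
    counts = Counter(sample)
    entropy = -sum(c / len(sample) * math.log2(c / len(sample)) for c in counts.values())
    return "malicious" if entropy > 7.5 else "clean"


def engine_fragile_pe(sample):
    """Stand-in for a parser that trusts e_lfanew: it raises IndexError on a
    crafted header instead of returning a verdict, the failure mode the
    orchestrator has to survive."""
    if sample[:2] == b"MZ":
        e_lfanew = int.from_bytes(sample[0x3C:0x40], "little")
        _ = sample[e_lfanew]    # IndexError when e_lfanew points past the end
    return "clean"


ENGINES = {"signature": engine_signature, "entropy": engine_entropy, "fragile_pe": engine_fragile_pe}


class LocalMultiScanner:
    def __init__(self, engines, timeout=5.0, min_detections=1):
        self.engines = engines
        self.timeout = timeout
        self.min_detections = min_detections
        self.cache = {}     # sha256 -> report; a database in production

    def scan(self, sample):
        digest = hashlib.sha256(sample).hexdigest()
        if digest in self.cache:
            return self.cache[digest]
        pool = ThreadPoolExecutor(max_workers=max(1, len(self.engines)))
        futures = {name: pool.submit(fn, sample) for name, fn in self.engines.items()}
        results = {}
        for name, fut in futures.items():
            try:
                results[name] = fut.result(timeout=self.timeout)
            except FutureTimeout:
                results[name] = "timeout"
            except Exception as exc:            # an engine crashed on this sample
                results[name] = "error: " + type(exc).__name__
        pool.shutdown(wait=False)               # do not block on a hung engine
        detections = sum(1 for v in results.values() if v == "malicious")
        errors = sum(1 for v in results.values() if v not in ("clean", "malicious"))
        if detections >= self.min_detections:
            verdict = "malicious"
        elif errors:
            verdict = "needs-review"            # an engine failed; never call this clean
        else:
            verdict = "clean"
        report = {"sha256": digest, "verdict": verdict, "detections": detections,
                  "errors": errors, "engines": results}
        self.cache[digest] = report
        return report


# Constructed samples: a text file, a marker-bearing file, packed-looking data,
# and a file whose e_lfanew points far past its own end.
DOC = b"quarterly report, plain text, nothing to see"
SIGNED = b"MZ" + bytes(62) + MARKER
PACKED = bytes(range(256)) * 16
CRAFTED = b"MZ" + bytes(58) + (0xFFFFFFF0).to_bytes(4, "little")
```

Threads are used here only so the example runs in one process; with real engines, each worker would be a separate process (or container) so that a crash or hang in one engine cannot take the orchestrator down, and the per-engine result would be recorded the same way.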

We employ these and other technologies in PT MultiScanner.
