Friday, June 24, 2016

Antivirus As a Threat

Many people do not consider antivirus tools to be a threat. Antivirus software is generally regarded as a trusted application: it may reduce system performance, but it provides protection against various types of attacks. As a result, antivirus is often the sole protection tool for end users, while a set of antivirus products becomes the principal security measure for enterprises.

However, like any complex program, antivirus software is inherently vulnerable. Antivirus processes are trusted and run in privileged mode with extensive access rights, which makes them appealing to attackers, since their exploitation can lead to full system compromise.
More attention is now being paid to vulnerabilities in protection software, and in antiviruses in particular. The growing number of exploits found and published on exploit-db and other resources indicates that this is an escalating problem.

The chart above shows the number of vulnerabilities found each year in well-known antivirus products over the last 15 years. In the 2000s, information about antivirus vulnerabilities was rarely published, but in 2015 more than 50 exploits were published for critical antivirus vulnerabilities such as authentication bypass, privilege escalation, and remote code execution.

Monday, June 20, 2016

Theory and Practice of Source Code Parsing with ANTLR and Roslyn

PT Application Inspector provides several approaches to analyzing source code written in different programming languages:
  • Search by signatures.
  • Exploring the properties of mathematical models derived from the static abstract interpretation of code.
  • Dynamic analysis of the deployed application and verification of the static analysis results.
This series of articles focuses on the structure and operating principles of the signature analysis module (PM, pattern matching). The key benefits of such an analyzer are high performance, simplicity of pattern description, and scalability across languages. The disadvantage of this approach is that the module cannot analyze complex vulnerabilities, which require high-level models of code execution.

The following requirements have been defined for the module under development:
  • Capability of working with multiple programming languages and the option to add new ones easily.
  • Functionality that allows analysis of code containing syntactic and semantic errors.
  • Capability of describing patterns using a common programming language (DSL, domain-specific language).
In this case, all the patterns describe flaws or vulnerabilities in the source code.

Thursday, June 9, 2016

PHD VI: How They Stole Our Drone

This year, a new competition was introduced at PHDays, where anyone could try to take control of a Syma X5C quadcopter. Manufacturers often believe that if they implement a wireless standard instead of IP technology, they need not think about security, as if hackers would give up because dealing with anything other than IP is too long, difficult, and expensive.

In fact, SDR (software-defined radio) is an excellent way to get at the IoT, where the entry barrier is set by how much care and concern the IoT vendor has invested. However, even without SDR you can work wonders, even within a limited set of frequencies and protocols.

The contest goal is to take control over a drone.

  • drone control range: 2.4 GHz ISM,
  • control is driven by the nRF24L01+ module (actually by its clone, the BK2423).

Equipment (optional): Arduino Nano, nRF24L01+.

The hijacker received the Syma X8C as a prize.

Since those who wanted to steal our drone were trained people who had HackRF, BladeRF, and other serious tools in their arsenal, we describe two hijack methods: via SDR and nRF24L01+.

PHDays VI: WAF Bypass Contest

The WAF Bypass competition, now an annual event held during Positive Hack Days, an international forum on information security, was organized again this May. The contest participants attempted to bypass the security checks of PT Application Firewall, which protected vulnerable applications. Positive Technologies specialists had deliberately introduced configuration errors that allowed the system to be bypassed in certain ways.

The goal of each task was to retrieve a flag stored in a database, in the file system, or in cookies given to a special bot. Below are the descriptions and solutions of the contest tasks.