
Critical Flaw Found In Virtually All AV Software

Soulskill posted more than 4 years ago | from the if-only-there-were-something-more-monolithic-to-blame dept.

Security

Securityemo writes "The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here's the original research paper." El Reg notes that "The technique works even when Windows is running under an account with limited privileges," but "it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC."


279 comments


AHHHHHHHH (5, Funny)

Anonymous Coward | more than 4 years ago | (#32146756)

Everybody turn your PCs off NOW! Why are you still reading?

Re:AHHHHHHHH (0, Offtopic)

DarkKnightRadick (268025) | more than 4 years ago | (#32146786)

lolwut?

Re:AHHHHHHHH (5, Insightful)

armanox (826486) | more than 4 years ago | (#32146794)

Still reading because I'm running Linux?

Re:AHHHHHHHH (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32146822)

Yep Linux is okay cause it has nigger-free code. Windows is chock full of niggerfied code which is why it has so many security holes. If only Microsoft would have adopted a policy of 100% Aryan code like in the Linux world they wouldn't have so many issues.

Ubuntu (4, Interesting)

Das Auge (597142) | more than 4 years ago | (#32146842)

Since switching to Ubuntu, over three years ago, I haven't used AV.

I suppose that someday Linux will become a real target for virus writers; but between the good security model inherent to UNIX-based OSes and common sense, I doubt I'll need one for a long time.

Re:Ubuntu (4, Interesting)

siride (974284) | more than 4 years ago | (#32147038)

The Windows NT security model is actually more advanced and capable than the base Unix security model. It's only because of culture, better-written 3rd party programs and marketshare that Linux/Unix doesn't have a malware problem.

Re:Ubuntu (5, Interesting)

Architect_sasyr (938685) | more than 4 years ago | (#32147058)

I'd like to just step in here and point out that the security model means shit to a virus writer - so what I can't get root on your desktop, I can still encrypt your entire home directory and delete everything I have access to with just a simple program. The whole push for administration rights is only necessary when you need to hide the software, but if all these linux users aren't running AV, then what's the point of trying to hide yourself before you can get your root privileges. Someone, somewhere, will run a sudo command eventually...

Re:Ubuntu (5, Insightful)

Anonymous Coward | more than 4 years ago | (#32147186)

I can still encrypt your entire home directory and delete everything I have access to with just a simple program

Which is totally profitless to a virus writer. I haven't even seen a virus like that on Windows for decades, and Windows has millions of viruses written for it.

Someone, somewhere, will run a sudo command eventually..

So what if they do? Executing the sudo command is limited to the program you're sudo-ing, not your whole session. A program can't wait in the background and get root when someone types sudo.

Also you're side stepping the whole issue that most Linux distributions provide you with all the software you need so the whole running a third party executable is much less likely to happen. The only exceptions I can think of are Google Chrome and Dropbox.

I'm not saying Linux is infallible however the examples people like you list to try to pretend a Linux system is "just as bad" at security are ridiculous at best.

Re:Ubuntu (1)

subanark (937286) | more than 4 years ago | (#32147518)

So what if they do? Executing the sudo command is limited to the program you're sudo-ing, not your whole session. A program can't wait in the background and get root when someone types sudo.

Don't underestimate the ability of virus writers to spoof some or all of your UI. I assume a simple way a virus can do this is by replacing your terminal icon on your computer to an evil terminal that works just like a real one, but as soon as you type sudo you are in fact executing its evil butler who will take over your system once it has permission to do so.

Re:Ubuntu (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32147548)

Why do that? At least if it's Ubuntu with default settings you can just keylog the password and use sudo whenever you need.

Re:Ubuntu (0)

Anonymous Coward | more than 4 years ago | (#32148264)

I can still encrypt your entire home directory and delete everything I have access to with just a simple program

Which is totally profitless to a virus writer. I haven't even seen a virus like that on Windows for decades, and Windows has millions of viruses written for it.

Did you skip 2008? [slashdot.org]

Re:Ubuntu (1)

Dr_Barnowl (709838) | more than 4 years ago | (#32148294)

Some viruses are "ransom-ware" - they encrypt your files and send the key to the virus author. Then they demand money to get the key to unencrypt your files.

Re:Ubuntu (3, Informative)

toadlife (301863) | more than 4 years ago | (#32148442)

A program can't wait in the background and get root when someone types sudo.

When password caching is turned on (like it is by default in Ubuntu), yes, it can.

Re:Ubuntu (3, Insightful)

Runaway1956 (1322357) | more than 4 years ago | (#32147122)

Das Auge made a reasonable statement - and you respond with that old stupidity. "It's all about market share". The Windows NT security model is in no way, shape, or form "superior" to the *nix security model. It is true that Linux gains a bit of security through obscurity. Market share does play a role. But I've said it before, I'll say it again: Linux systems, worldwide, guard more money and data than it would take to make thousands of hackers filthy rich. If it were easy, they would have done it already, instead of fighting over that huge Windows market share.

Re:Ubuntu (1, Insightful)

siride (974284) | more than 4 years ago | (#32147140)

So what is it about the Windows security model that's inferior to the Linux one? Because all of the documentation I've read says otherwise (SELinux aside).

Now, if you want to talk about Windows Explorer being weak with security, I'll buy that. If you want to talk about a culture of "don't care about security", I'll buy that. But don't tell me that the NT security model is weak.

Re:Ubuntu (1)

amorsen (7485) | more than 4 years ago | (#32147408)

The Windows and Linux security models are virtually identical if you exclude MAC (SELinux etc.). The main difference is that people actually understand the basic Unix model of users and groups and so they often manage to set their file permissions to something relatively sane. Practically no one uses the full power of ACLs on either system.

MAC makes a large difference though, so it's a bit unfair to exclude it.

The way that AV products intercept system calls has been known to be broken for years. Some Linux kernel developers have attempted to find more secure solutions, but progress hasn't been fast. The AV industry is quite happy with what they have on Windows.

Re:Ubuntu (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32147894)

So basically you agree that the NT security model is more powerful. Good.

Re:Ubuntu (1)

amorsen (7485) | more than 4 years ago | (#32147990)

So basically you agree that the NT security model is more powerful. Good.

Like I said, they are identical if you exclude MAC. They're both simple ACL file-based DAC systems. Since they're identical the NT security model isn't more powerful.

Once you include MAC, Linux is in a different league.

Re:Ubuntu (1)

sjames (1099) | more than 4 years ago | (#32147710)

To be fair, they mostly closed off the shatter attack (after 8 years), we think. So it's not mostly down to implementation issues and having the interlocking parts much too tightly connected such that it's easy to accidentally create new holes. Beyond that, it's a matter of the culture MS has created and nurtured for years of software that expects to run with admin privileges even though it never should and users trained to just click OK on the incomprehensible dialog box that doesn't contain any useful information anyway.

Re:Ubuntu (0)

Anonymous Coward | more than 4 years ago | (#32148336)

So what is it about the Windows security model that's inferior to the Linux one? Because all of the documentation I've read says otherwise (SELinux aside).

Now, if you want to talk about Windows Explorer being weak with security, I'll buy that. If you want to talk about a culture of "don't care about security", I'll buy that. But don't tell me that the NT security model is weak.

Token Hijacking - Cesar Cerrudo (?sp)

Just Google/read and tell me the security model isn't horribly flawed.

Re:Ubuntu (1)

vistapwns (1103935) | more than 4 years ago | (#32147142)

Sure, but those financial systems are monitored, hardened, and configured by professionals. Windows home machines are, decidedly not. Windows Servers are also rarely broken into. Don't you think someone would love to serve malware from, or deface microsoft.com? It hasn't been, and guess what, it's not running linux or any unix.

Re:Ubuntu (2, Informative)

nextekcarl (1402899) | more than 4 years ago | (#32147198)

Really? Seems to differ [arstechnica.com], and it wasn't the only reference I could find for microsoft.com defaced [bing.com] (seventh link).

Re:Ubuntu (1)

vistapwns (1103935) | more than 4 years ago | (#32147304)

Well I guess, I read tech news every day and missed that, so sue me. Doesn't address my point though, financial systems that run linux are nothing like windows home machines/users, so saying the linux financial systems aren't regularly hacked is proof of something is daft.

Re:Ubuntu (0)

Anonymous Coward | more than 4 years ago | (#32147482)

That's true, Microsoft obviously doesn't have any security professionals working for them.

Re:Ubuntu (1)

vistapwns (1103935) | more than 4 years ago | (#32147544)

And linux is all command line, and will never reach 2% market share either.

Re:Ubuntu (2, Informative)

Runaway1956 (1322357) | more than 4 years ago | (#32147574)

http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xv_04-2010.en-us.pdf [symantec.com]
Targeted attacks focus on enterprises. Targeted attacks using advanced persistent threats (APT) that occurred in 2009 made headlines in early 2010. Most notable of these was the Hydraq Trojan (a.k.a., Aurora). In January 2010, reports emerged that dozens of large companies had been compromised by attackers using this Trojan. While these attacks were not novel in approach, they highlighted the methods by which large enterprises could be compromised.

http://www.informationweek.com/blog/main/archives/2010/01/significant_wor.html;jsessionid=KDF2YBU4HXNKLQE1GHPCKH4ATMY32JVN [informationweek.com]

http://manageddatacenter.searchdatacenter.com/taxonomy/taxkey;root_1387_1332_204/DC-category.htm [searchdatacenter.com]
Current FBI estimates indicate that malicious software and attacks targeting identity theft cost American businesses and consumers more than $50 billion a year. (note BUSINESSES)

The point being, enterprise is vulnerable. It isn't just the home user who is targeted, nor is it just the home user that is compromised. Malware costs corporate America billions every year. How many billions is debatable - one alarmist estimate places it at hundreds of billions, and others pooh-pooh that with overly conservative estimates.

Fact is, enterprises are compromised almost every day.

Re:Ubuntu (1)

vistapwns (1103935) | more than 4 years ago | (#32147678)

And your point is, that those systems are never linux systems? And also, corporate systems != financial institutions.

Re:Ubuntu (1)

OjM (1781592) | more than 4 years ago | (#32148284)

I'd butt in this and say that multiple army systems were compromised by conficker worm. Ya think banks have better people fiddling with their servers, eh?

Re:Ubuntu (0)

Anonymous Coward | more than 4 years ago | (#32147368)

My AV did warn me about malware coming from microsoft.com a few months ago as I clicked for the site map after using the Windows Update service. No malware was seen by the AV a few hours later..

Re:Ubuntu (5, Funny)

hairyfeet (841228) | more than 4 years ago | (#32148000)

Can I call bullshit please? Y'all want to know that "magic secret" as to why even with all that money floating around Linux don't get hacked, and Windows does? Here you go...

Uuuhhhhh....I really hate to burst your reality bubble there, bud, but there is a reason why all the Linux servers aren't getting pwned and the Windows desktops are. It is because they have these things called server admins and they are usually pretty damned smart. They are also really anal retentive when it comes to anything security related. With good reason, after all they are getting paid the big bucks to be. Meet Glenn. Say hi Glenn (I'm busy, go away) not a very social creature, Glenn is a Linux server admin. He spends most of his time on security websites and learning about the latest nasty when he isn't testing a new tweak on the test server to see if he can get an extra .05% performance under load. In his free time he enjoys black hat conferences, which his employer is happy to pay him to attend.

Now we are going to meet an average Windows desktop user. Meet Velma. say hi Velma (Hi Y'all!) isn't she sweet? Little Velma works at the local insurance agency. They love her there because she can take one look at a customer and without looking up a shred of paperwork say something like this "Hi Bob! How's your oldest girl? You know she's about ready to get her learner's permit so I've already looked up the most affordable coverage for her. Does she have really good grades? She can get an extra discount if she does" and so on. Little Velma is really good at generating sales. She is sweet and friendly and always knows your name and remembers all about your family. Everybody loves little Velma.

/cue ominous music/......But we here in the PC business have a nickname for little Velma, one that she don't know about but is well earned it is....the disaster area! Dum dum dum! That is because little Velma is the trusting kind of sort, and on a computer that equals danger. Let's watch as little Velma interacts with her friendly neighborhood PC repairman, a big but lovable biker looking chap known on the net as hairyfeet.../feet/Now Velma, we have talked about this. you shouldn't mess with email attachments, I don't care who they are from. And if it is a .zip that you have to put a password to open it is a virus and you shouldn't touch it! /Velma/ But my bff Kim sent me this! See there is her name and everything! I'm sure it will be safe! /feet/Velma look, it is an executable and NOT happy puppy pictures! Do NOT run that! /Velma/ Oh, you worry too much. My bff Kim wouldn't send me anything bad. (inputs password, runs .exe, porn popups start flooding the screen while the network gets pounded) ooops. /feet/ ....... [roflposters.com]

And now you have seen an actual demonstration of why Linux is safe on servers. It is safe on servers because it is administered by guys like Glenn, say goodbye Glenn (I'm busy!) and does NOT have any Velma types mucking it up. Say goodbye Velma (Bye Y'all!). If you were to let Velma and all her friends loose on Linux, if they didn't break them immediately they would become spambots in no time. It is because the malware writers have already figured out how to use a sinister concept called social engineering to target Velma and her types VERY effectively. Glenn isn't very social (Bite Me!) and is a naturally cynical creature and therefore social engineering really isn't an effective tool on his type. This is why Linux can enjoy the freedom to operate on so many servers across America without the constant malware like poor Velma gets. Tune in next week when we meet Bob, the Windows network admin, also known as the "where the hell is the damned disk?" guy.

Re:Ubuntu (0)

Anonymous Coward | more than 4 years ago | (#32148190)

http://remuscm.blogspot.com/2009/05/inca-una-de-pe.html

Re:Ubuntu (1)

Nick Ives (317) | more than 4 years ago | (#32148114)

How is Unix UID/GID equal to Windows ACLs? I'm genuinely curious, as looking at the permissions tab in Windows it looks like it's possible to have more fine grained permissions in Windows than in Unix. I thought SELinux was aimed at replicating that functionality and going a bit further!

Re:Ubuntu (3, Insightful)

sjames (1099) | more than 4 years ago | (#32147300)

In what way? And is it superior in totality or just superior to the parts of the linux security model that are actually used these days?

Of course, Linux may not have as much market share, but it is a much more attractive target. One critical server running linux is worth a lot more than 1000 XP desktop machines running solitaire.

Re:Ubuntu (1)

vistapwns (1103935) | more than 4 years ago | (#32147696)

Ok, now put the soccer moms and solitaire-playing grandmas in charge of the 'critical linux server' and see how long it lasts...

Re:Ubuntu (1)

sjames (1099) | more than 4 years ago | (#32148068)

I can buy that unskilled people being granted admin access could be the problem, but that's not a function of market share.

However, then we have to look at how possible it is for an ordinary user to get through their day without administrative privilege.

Re:Ubuntu (1)

toadlife (301863) | more than 4 years ago | (#32147802)

One critical server running linux is worth a lot more than 1000 XP desktop machines running solitaire.

I think botnet operators would disagree.

Re:Ubuntu (1)

sjames (1099) | more than 4 years ago | (#32148084)

Infect a linux web server and you can then infect 10,000 XP machines that visit the website.

Re:Ubuntu (3, Informative)

Antique Geekmeister (740220) | more than 4 years ago | (#32147966)

What? "Culture", better written _core_ utilities, and the open access to the base software rather than the secretive and obscure security models of NT all contribute massively to Linux security by comparison. The smaller system components are easier and safer to do well. Also, while the kernel of NT was based on VMS when David Cutler stole his old work from DEC, it was forced to integrate numerous historical poor choices of DOS, Windows 3.x, and Windows 95 to provide backwards compatibility. These have been a _disaster_ in security terms, and very difficult to address due to the closed nature of the code and difficulty of upgrading other components to preserve compatibility.

Some of the most "secure" components of NT, such as Active Directory, are actually due to its integration of far more secure open source components such as Kerberos, and its use of open standards such as DNS, DHCP, and LDAP to replace Microsoft's older versions of "NetBIOS" (which they also did not invent, it came from IBM and IBM discarded it years ago).

Re:Ubuntu (0)

Anonymous Coward | more than 4 years ago | (#32148126)

Why was parent modded as Troll?

Re:Ubuntu (0, Redundant)

Ichido (896924) | more than 4 years ago | (#32148322)

It's obvious that you know nothing about GNU/Linux and Ubuntu. I left M.$. Windoze 5 years ago and I will never go back.

Re:Ubuntu (1)

miknix (1047580) | more than 4 years ago | (#32148326)

The Windows NT security model is actually more advanced and capable than the base Unix security model. It's only because of culture, better-written 3rd party programs and marketshare that Linux/Unix doesn't have a malware problem.

Don't forget that Linux has some "extra" patches to complement the UNIX security model. For example, GRSecurity and SELinux.
I suggest reading what SELinux is so you are able to reformulate such a claim. In fact, SELinux comes active by default on many desktop GNU/Linux distributions.

I believe Microsoft doesn't have anything close to a *formally-verified kernel* that enforces Mandatory Access Control. SELinux not only provides more and "deeper" MAC policies but its formal validation guarantees the correctness of the specification in which the implementation is based.

Re:Ubuntu (1)

miknix (1047580) | more than 4 years ago | (#32148422)

I would like to add that such SELinux policies are handled automatically by the package manager. For instance, if you install apache the corresponding policies are also installed. This tells the MAC kernel what apache CAN do (file access, memory, more than you can imagine), everything else is denied. If apache is hacked, the attacker can do little or nothing outside the scope of apache.

As you can see this ends up being (almost) transparent for the end user, in contrast to the Windows Policy Manager or the infamous Allow/Deny popups seen everywhere in the Microsoft ecosystem (firewalls, antivirus, operating system).

Re:Ubuntu (0)

Anonymous Coward | more than 4 years ago | (#32147312)

I run Windows and don't use AV software either. Common sense and knowledge is the best security. No anti-virus or security model is 100% failsafe. I have to take responsibility for my own actions.

Re:Ubuntu (0)

Anonymous Coward | more than 4 years ago | (#32147730)

This is not even newsworthy. The attacker already has access to run binaries on the target system, so of course she can do any number of things including disabling AV software. Personally if I could run binaries on a target machine (assuming that means the AV hasn't caught on yet) the LAST THING I would do is make my presence on that machine known by doing something that conspicuous. I would probably just browse the HD for porn...

It's really funny to see Linux users running around Bible-beating about how they don't run AV. I've been running without AV on Windows for 10 years, on my personal machine, and I've had to rebuild an OS ONCE during that period (Vundo). Having used Linux for a couple years now, I know that rebuilding your Linux machine is a monthly occurrence up until a year or so ago, and now it's every few months. Given, it's easy to rebuild Ubuntu but Windows is more stable by far, with or without AV, if the user is not an idiot.

Re:Ubuntu (1)

armanox (826486) | more than 4 years ago | (#32147940)

I never said that I do not run AV on Windows or Linux. I run it on both. I have not rebuilt either my Windows install or my Linux install since I purchased my current desktop in 2008 (but have upgraded from Fedora 7 -> 12 and Vista -> 7). In that time, I have failed to see any infections on either install. My previous desktop was a similar situation. The last wipe-reload was an upgrade to XP Pro in 2006, at which point I switched to Gentoo out of convenience.

Re:Ubuntu (1)

Zaiff Urgulbunger (591514) | more than 4 years ago | (#32148178)

Having used Linux for a couple years now, I know that rebuilding your Linux machine is a monthly occurrence up until a year or so ago , and now it's every few months.

(My emphasis)

Erm.... you sure about that?!! There's a number of things Linux could be criticised for, but the need to rebuild really isn't one of them.

Re:Ubuntu (1, Funny)

Anonymous Coward | more than 4 years ago | (#32148366)

I gave ubuntu a try a few days ago.
First: my Nvidia 7600GO stopped working; reinstalled the drivers, no joy. Went to the IRC help channel, no one responded. Looked through the forums, found a few others with similar problems, but no solutions.
Gah, so I reinstalled Ubuntu. Shit worked now!
Then wifi suddenly started toggling on and off. No help from forums or IRC... reinstalled, for the second time in 2 days.
After a whole day of use with no problems, the screen started flickering... GAH. Reboot doesn't help. I boot to Windows to see if the problem's there as well; nope, works great in Windows!
I uninstalled the piece of shit OS, 3 major issues in 3 days.
4 years of Windows on the same machine, without any reason to reinstall the OS (I upgraded from XP -> Vista -> Windows 7).
I'm not an MS shill, I really wanted to like Ubuntu.

PS Windows 7 is faster (after boot) than Ubuntu... with Aero on.

Re:AHHHHHHHH (0, Troll)

Ihmhi (1206036) | more than 4 years ago | (#32147432)

Good for you. I prefer to be able to play games and use programs unavailable in Linux without performance hits (from running through WINE or a VM) so I am not as fortunate to have the same option that you do.

I await the day that Linux is as popular as OSX - nay, as Windows - so that Linux users who make these sorts of comments ("Haha, I don't have to worry about viruses") get a few moments of glory about Linux finally being widely used on desktops and then several years of having to deal with the same shit as 90%ish of the desktop-using world does.

As an aside, my bicycle gets great gas mileage. Never have to worry about filling it up!

Re:AHHHHHHHH (1)

armanox (826486) | more than 4 years ago | (#32147892)

Seeing how I don't play many games anymore, it allows me to run Linux most of the time. For most of the games I play (Starcraft, Diablo, Thief), WINE handles them excellently.

Aside from two games that I do need Windows for (both are on Steam, and WINE doesn't perform well enough like you said), I have any programs that I use that do not have Linux versions or equivalents.

As an aside, I am happy for you that your bicycle works well. Since work is 40 miles from home, my Blazer and Saturn get sufficient gas mileage (21MPG and 32, respectively) to keep me happy.

Re:AHHHHHHHH (1)

makomk (752139) | more than 4 years ago | (#32147458)

I think some early Linux security frameworks had a similar issue with swapping out parameters of system calls. The key word there is "had" - pretty much everyone knows not to write code that's vulnerable to this attack now, and even if they don't it's unlikely to be allowed into the kernel.

Re:AHHHHHHHH (0)

Anonymous Coward | more than 4 years ago | (#32147910)

B-B-B-BUT Linux has AV! This infects AV!
YOU'RE DOOMED!

Re:AHHHHHHHH (1)

meuhlavache (1101089) | more than 4 years ago | (#32148348)

Can't remember where I saw this, but a virus (or trojan) was found in a Gnome theme. Linux is not virus-free, but it's just a little more dumb-proof (except Ubuntu).

Re:AHHHHHHHH (1)

Securityemo (1407943) | more than 4 years ago | (#32146814)

We run Linux/*nix.

Joke's on them! (5, Funny)

Abstrackt (609015) | more than 4 years ago | (#32146798)

I don't run AV software! Ha!

Re:Joke's on them! (1)

WrongSizeGlass (838941) | more than 4 years ago | (#32146912)

I don't run AV software! Ha!

Suuuuure you do, you just didn't install it. One of those nice PC bugs has probably already inoculated you against everything but itself ;-)

It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC.

So, if you're already infected then they can bypass your AV software ... hmm ...

I guess this is going to be a new attack vector for those 'fake AV' programs that download & run but can't do much harm because the user has a limited account.

Not really new (5, Insightful)

Florian Weimer (88405) | more than 4 years ago | (#32146806)

These problems have been known for a while and used to defeat e.g. systrace in OpenBSD (CVE-2007-4305). It also does not affect AV software per se, but anomaly-based detection, which kicks in only if something bad is already running on your machine. If this approach is actually used in the wild, detection logic will be added for it. Business as usual, really.
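The argument-switch race in the story summary, the parameter-swapping issue makomk mentions above, and the systrace case Florian Weimer cites are all the same bug: a hook validates an argument in caller-controlled memory, and the real service then reads that memory a second time. The user-mode model below is an added example and not code from the Matousec paper, The Register article, systrace, or any AV product; `hook_vulnerable`, `hook_safe`, the `request` struct and the opcode names are hypothetical stand-ins. The racing thread is reduced to a callback so the interleaving is deterministic; on a real system it is a second thread spinning on the field, which is why the technique lands far more often on multi-core machines.

```c
#include <stdio.h>

/* Opcodes a caller hands to the hooked service. Real hooks inspect a path,
 * a handle or a flags word; a single integer keeps the model small.
 * (Hypothetical names for this example.) */
enum op { OP_NONE = 0, OP_BENIGN = 1, OP_MALICIOUS = 2 };

/* The argument block lives in memory the calling process controls, so a
 * second thread of that process can rewrite it at any moment. */
struct request { volatile int op; };

/* Stand-ins for the policy the hook enforces and the service behind it. */
static int allowed(int op) { return op == OP_BENIGN; }
static int service(int op) { return op; }   /* reports what it acted on */

/* Vulnerable hook: it checks the caller's buffer, then the real service
 * reads the same buffer again (a double fetch). `flip`, when non-NULL,
 * stands in for the racing thread that rewrites the buffer in between.
 * Returns the op the service actually executed, or OP_NONE if blocked. */
static int hook_vulnerable(struct request *r, void (*flip)(struct request *))
{
    if (!allowed(r->op))           /* fetch 1: time of check */
        return OP_NONE;
    if (flip)
        flip(r);                   /* the race window */
    return service(r->op);         /* fetch 2: time of use */
}

/* Hardened hook: copy the argument once into hook-private storage, decide
 * on the copy, and hand the copy on. The caller's buffer is never re-read. */
static int hook_safe(struct request *r, void (*flip)(struct request *))
{
    int op = r->op;                /* single fetch */
    if (!allowed(op))
        return OP_NONE;
    if (flip)
        flip(r);                   /* attacker still flips the user buffer... */
    return service(op);            /* ...but the hook uses its own copy */
}

/* The attacker's racing thread, reduced to its effect: benign becomes malicious. */
static void flip_to_malicious(struct request *r) { r->op = OP_MALICIOUS; }

/* Three scenarios, each returning the op that reached the service. */
int demo_vulnerable_raced(void)
{
    struct request r = { OP_BENIGN };
    return hook_vulnerable(&r, flip_to_malicious);   /* OP_MALICIOUS slips through */
}

int demo_safe_raced(void)
{
    struct request r = { OP_BENIGN };
    return hook_safe(&r, flip_to_malicious);         /* the benign copy is used */
}

int demo_direct_malicious(void)
{
    struct request r = { OP_MALICIOUS };
    return hook_safe(&r, NULL);                      /* blocked outright */
}

int main(void)
{
    printf("vulnerable hook, raced: executed op %d (2 = malicious)\n", demo_vulnerable_raced());
    printf("hardened hook, raced  : executed op %d (1 = benign)\n", demo_safe_raced());
    printf("malicious up front    : executed op %d (0 = blocked)\n", demo_direct_malicious());
    return 0;
}
```

The fix is the same one kernels apply to their own system calls: capture every argument into memory the caller cannot touch before the first check, and never consult the caller's copy again. To turn the model into a live race, replace the callback with a thread that alternates `r->op` between the two values while the main thread calls `hook_vulnerable` in a loop and counts how often it returns `OP_MALICIOUS`.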

Re:Not really new (2, Informative)

Christophe Devine (856702) | more than 4 years ago | (#32146950)

Yep. Furthermore this requires not just admin privileges, but also being able to load a kernel module, which has been severely restricted under 64-bit Windows (the driver's catalog has to be signed by Microsoft). Still, many people use Windows XP with an admin account, but the flaw itself does not lie with the AVs themselves -- a few of them will even warn when a program attempts to load an unsigned kernel driver. KAV also warns when running an unsigned program from outside Program Files.

However, for compatibility with existing malware^W legitimate corporate drivers, Microsoft decided not to block the loading of unsigned kernel drivers in Windows 7 32-bit. In fact NX protection is not enabled by default in either the 32- or 64-bit versions (it can be enabled manually in the "Advanced system settings" tab).

Re:Not really new (2)

Christophe Devine (856702) | more than 4 years ago | (#32146988)

Hmm obviously I read the article too quickly, this attack does not depend on loading a kernel driver. My bad ;)

Re:Not really new (1)

vistapwns (1103935) | more than 4 years ago | (#32147088)

NX is enabled by default, for Windows components, Windows programs and the kernel, but not for 3rd party programs. Not sure if that's what you meant or..

Re:Not really new (1)

andymadigan (792996) | more than 4 years ago | (#32147876)

Running Windows 7 64-bit here, unless I missed something VirtualBox's drivers are not signed, that's why I had to click OK when they were installing. I thought they got rid of the signing requirement for Win7 64.

Re:Not really new (1)

wvmarle (1070040) | more than 4 years ago | (#32146978)

And the malware will find different ways to get around that again of course.

Isn't this simply a case of when a system is compromised, it can not reliably detect this by itself? Viruses that switch off AV, that hide from AV, that pretend to be not there - of course this can happen when a system is compromised already, and when the process you are trying to detect knows it may be detected and can defend itself against this.

The only way to reliably detect whether a system is compromised is to take the hard disk, put it in a known-good system, mount it read-only, and scan for anomalies. That's at least what I have been told over the last decade or more. And the above "critical flaw" is yet another case in point.

Re:Not really new (2, Interesting)

riskpundit (1609597) | more than 4 years ago | (#32148160)

While this is surely interesting research, there are far simpler ways of bypassing AV software. Drive-by browser-based attacks of the type exemplified by Zeus and Koobface are far easier to execute. Today, attackers are focused on stealing money and intellectual property. They will take the path of least resistance. The AV vendors have yet to respond to the more obvious existential threat to their existence.

No way around strict privilege separation (5, Insightful)

Arancaytar (966377) | more than 4 years ago | (#32146810)

So it seems that relying on runtime checks doesn't just slow the system down, but also is vulnerable to concurrency attacks.

That may be alarming, but it's not like antivirus software was ever powerful enough to let users shut off their brains when using their computer.

Re:No way around strict privilege separation (3, Interesting)

Sycraft-fu (314770) | more than 4 years ago | (#32148040)

Also AV's main power for a long time has been on access/creation scanning. More or less it stops the viruses before they've a chance to become active. You run a virus scanner and anything coming in from the web, or a flash drive, or whatever is scanned. If a virus is detected, access is blocked. The virus can't get around that, since it isn't running. The AV stops it cold, before it has a chance to try anything.

Now that's not perfect, of course, the AV software has to have a signature for the virus, but it works pretty damn well. It is a good layer of security. Shouldn't be your only layer, but no layer should be your only layer.

This attack sounds like it is more useful against behavioural anti-virus. The AV notices a program doing shit it shouldn't and tries to stop it. Another good layer to have, but getting around it only gets you anywhere if you got the program to run in the first place.

As you say though, no matter what you just can't shut your brain off. There is no such thing as perfect security, physical or otherwise, and anyone who sells it to you is lying. Good security requires defense in depth and requires someone to be watching to make sure things are working and not getting broken through. AV software is useful, firewalls are useful, privilege separation (like UAC or sudo) is useful, but all of them still need you as a user not to be an idiot about it.

All AV software? (4, Interesting)

xulfer (1368787) | more than 4 years ago | (#32146816)

All AV software seems a little broad. This only seems to cover virus utilities that prevent viruses from attaching in the first place. I fail to see how this vulnerability would affect the large portion of av utilities that are simply scanners... e.g. clamav, etc.

Flaw explained in plain English here (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32146818)

For those of us without CS degrees: AV Flaw Grave, Analysts Say [bit.ly].

Re:Flaw explained in plain English here (3, Insightful)

phoenix321 (734987) | more than 4 years ago | (#32146910)

All I see is an article applauding Apple for doing infrequent security updates for Safari, contrasted with Firefox, which does security updates with a frequency and install time that is, for that blogger, absolutely unbearable. Though, in objective reality, Firefox releases an update every two months or so and the update takes about a minute on any recent PC.

Also, I remember the rabid verbal attacks on Microsoft for NOT updating their browser fast and often enough. But Apple isn't perceived as leaving known vulnerabilities unpatched like Microsoft did; they are seen as sparing their users from annoyances.

Their marketing dept is godlike.

Re:Flaw explained in plain English here (1)

Runaway1956 (1322357) | more than 4 years ago | (#32147170)

Your evaluation of Trollaxor's article is spot on. The opening sentence tells us that his computer is left idle for "weeks at a time", which might be a fortnight, or six months, or even a year. If he returns to his computer after weeks away from it, the system is going to offer updates anyway, be it Windows or Linux. The computing world doesn't stop just because he has his head up some mummy's ass, or whatever the hell he does at a dig. Hmmmm. Wonder what his wife or girlfriend is doing during all those weeks he is making chummy with old dead boners - I meant bones . . . .

So all it's good for is a proof of concept (0)

Anonymous Coward | more than 4 years ago | (#32146856)

Sounds like it's impractical for an actual attack unless you wanted to really pull something off on a machine that you probably already have access to, since you can already run binaries on it. Interesting concept but not terribly useful.

So.. (5, Insightful)

Anrego (830717) | more than 4 years ago | (#32146874)

Anti-virus software has become increasingly ineffective? Potentially opens up even more avenues for attack! The Windows system of limiting privileges isn't always effective??!!??!!

Next you'll be telling me that fire is hot, water is wet, sci.. you know the rest

I mean this is cool and all, it's a neat discovery... but I think the whole concept of anti virus software is critically flawed and has become completely ineffective.

Um, no... (1)

Joce640k (829181) | more than 4 years ago | (#32147418)

This attack requires that badware is already running inside the machine it's trying to attack.

If badware is already running then ... um, how exactly does this attack up the ante?

Re:So.. (1)

poena.dare (306891) | more than 4 years ago | (#32148250)

"the whole concept of anti virus software is critically flawed and has become completely ineffective"

I agree, but I'm still going to tell Grandpa to keep Norton updated. I also tell him not to browse pr0n sites, but since he saw Betty White on SNL last night I've got a whole new set of headaches to deal with!

Is this a joke? (1)

joxeanpiti (789529) | more than 4 years ago | (#32146954)

It is far from being a "critical flaw". In the article they say that when running kernel code you can bypass any antivirus. Surprise. Did we miss the point that you first need to gain kernel level privileges?

The real problem behind the AV industry is that almost all Windows users tend to use a user with Administrator level privileges, and when they get infected the malware runs with full administrator privileges. If they used a normal account and not the Windows environment's "root" equivalent, we would not talk about this "critical problem", as the malware would need to infect and escalate privileges in order to install a kernel level component, a rootkit.

As previously said, it is far from being a "critical flaw".

Re:Is this a joke? (1)

Rockoon (1252108) | more than 4 years ago | (#32147108)

Limited accounts only help when the user CAN'T give permissions, but that's certainly not reality on home desktops where that user is God even if the account he is using doesn't say so.

User downloads XYZ_INSTALLER
User runs XYZ_INSTALLER
User discovers that XYZ_INSTALLER needs better permissions to install.
User wants XYZ (that's why the user downloaded it), so user hands XYZ_INSTALLER the keys to the kingdom.

Part of the Windows problem is that nearly all installers require escalation, therefore there is nothing out of the ordinary when XYZ_INSTALLER requests it. The rest of the problem is that nearly all Windows users don't even care about security.

Re:Is this a joke? (0)

Anonymous Coward | more than 4 years ago | (#32147314)

Maybe if people weren't stupid and would leave their UAC on, they wouldn't have this problem, or if they actually took the time to read the UAC prompts before allowing execution. (Though, running under a limited account and forcing yourself to supply admin credentials during installs would definitely be a better idea for security reasons)

Re:Is this a joke? (0)

Anonymous Coward | more than 4 years ago | (#32147900)

It doesn't require admin rights, dumbass. RTFA. The exploit works even when running as a non-privileged user.

Antivirus Design Flaw (0)

Anonymous Coward | more than 4 years ago | (#32146956)

I don't understand how antivirus software is ever supposed to detect problems once the machine is already infected. Perhaps vendors should start shipping CDs that can scan the drive and repair without having to boot into the OS.

Re:Antivirus Design Flaw (4, Interesting)

Runaway1956 (1322357) | more than 4 years ago | (#32147192)

Long, long, long ago, I was out of town, and my laptop got dicked. I wasn't about to pay for a new Windows disk, nor did I have time or money to have a professional fix it. I went into a computer shop, talked awhile, and came out with an OnTrack SystemSuite disk, for which I paid about 15 bucks. Booted to it, ran the AV utility, and found nothing. Ran the rest of the utilities, and found that an improper shutdown had corrupted my MBR. Fixed the MBR, and booted up. Money well spent.

And, yes, you are right. That is precisely what the rest of the AV industry needs to peddle. If you can't boot to a clean environment, you're just screwed, whether it be virus problems, or any number of other problems.

An attacker with ability to run binary? (0)

Anonymous Coward | more than 4 years ago | (#32147022)

"It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC"

So, basically a user with administrator privileges or the ability to click "Allow"? Not much of a barrier.

Found In Virtually All AV Software (1)

trifish (826353) | more than 4 years ago | (#32147042)

They tested every obscure antivirus program out there, yet they did not test one of the most important ones -- Microsoft Security Essentials.

Seeing how obscure some of the tested AVs are, it's hard to believe their statement that "the only reason there are not more products in the following table is our time limitation."

Was MSE intentionally omitted because it is not vulnerable? Slashdot is more likely to reject such an article... It is actually very likely that MSE is not vulnerable, because Microsoft products do not patch the Windows kernel.

Judge for yourselves what they tested:

3D EQSecure Professional Edition 4.2
avast! Internet Security 5.0.462
AVG Internet Security 9.0.791
Avira Premium Security Suite 10.0.0.536
BitDefender Total Security 2010 13.0.20.347
Blink Professional 4.6.1
CA Internet Security Suite Plus 2010 6.0.0.272
Comodo Internet Security Free 4.0.138377.779
DefenseWall Personal Firewall 3.00
Dr.Web Security Space Pro 6.0.0.03100
ESET Smart Security 4.2.35.3
F-Secure Internet Security 2010 10.00 build 246
G DATA TotalCare 2010
Kaspersky Internet Security 2010 9.0.0.736
KingSoft Personal Firewall 9 Plus 2009.05.07.70
Malware Defender 2.6.0
McAfee Total Protection 2010 10.0.580
Norman Security Suite PRO 8.0
Norton Internet Security 2010 17.5.0.127
Online Armor Premium 4.0.0.35
Online Solutions Security Suite 1.5.14905.0
Outpost Security Suite Pro 6.7.3.3063.452.0726
Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION
Panda Internet Security 2010 15.01.00
PC Tools Firewall Plus 6.0.0.88
PrivateFirewall 7.0.20.37
Security Shield 2010 13.0.16.313
Sophos Endpoint Security and Control 9.0.5
ThreatFire 4.7.0.17
Trend Micro Internet Security Pro 2010 17.50.1647.0000
Vba32 Personal 3.12.12.4
VIPRE Antivirus Premium 4.0.3272
VirusBuster Internet Security Suite 3.2
Webroot Internet Security Essentials 6.1.0.145
ZoneAlarm Extreme Security 9.1.507.000

Re:Found In Virtually All AV Software (1)

Vellmont (569020) | more than 4 years ago | (#32147234)

You're right, they should have tested it. But I'd take serious issue with your contention that it's "one of the most important ones". MSE 1.0 was released on the 29th of September, 2009. So it's essentially a 7 month old product. I'd also note that it doesn't come as part of the OS, and it looks like you need to download and install the software yourself.

So given that, why do you think it's one of the most important ones?

Re:Found In Virtually All AV Software (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32147262)

So given that, why do you think it's one of the most important ones?
Because it is free and high-quality (according to independent tests) and provided by a company that Windows users have to trust anyway. I don't want any Symantec or Russian shit drivers on my OS. Just look at the tests in TFA.

Re:Found In Virtually All AV Software (2, Informative)

Runaway1956 (1322357) | more than 4 years ago | (#32147310)

MSSE is important for the following reasons:

1: it's from Microsoft, hence, the non-techies will trust it to run well (the old mentality that "Detroit knows best" when it comes to cars)
2: my testing indicates that MSSE is at least as effective as the "free" AV's, and possibly equal to the best paid AV's
3: the semi-computer literate can quickly find that MSSE is far less demanding of resources than almost any other AV
and
4: it's another "free" product which appeals to millions of people - AND any Bing search will probably turn up MSSE ahead of the competition

I've tested MSSE on XP and Win7, and quickly decided that it was more than sufficient for any virtual machine which I chose to protect. Disclaimer: I've not put MSSE to the test in any real world enterprise situation, subjecting it to unwanted testing by hackers/crackers/scriptkiddies.

Re:Found In Virtually All AV Software (0)

Anonymous Coward | more than 4 years ago | (#32147616)

I thought the general Slashdot consensus has been MSE > * for 5-6 months now. Which should tell you something, considering it's from Microsoft.

All AVs (even NOD) have historically been shitty in one way or another. I remember hoping back in 2005 that Microsoft would come out with an AV that would blow this stagnant and non-innovative industry out of the water. So I wasn't surprised when MSE swept the competition, as Microsoft's products are almost always better tied in to the OS and of better quality than the competitor's.

But give it another 3 years, and I expect MSE to become surpassed, as it flounders and the AV industry realizes they can't win by sitting on their asses doing nothing.

Re:Found In Virtually All AV Software (0)

Anonymous Coward | more than 4 years ago | (#32147670)

You're right, they should have tested it.

They very likely have, mate.

Re:Found In Virtually All AV Software (1)

maxume (22995) | more than 4 years ago | (#32148006)

No casual users really have any idea how effective the various programs are, and MSE seems as effective as anything else, and it isn't nearly as annoying as AVG/Avast/etc., so it is spreading like wildfire through that user group.

(My group is somewhat poorly defined, anyway, the group of people capable of uninstalling the old and then installing the new, but utterly uninterested in trying to find responsible research into the capabilities of the various programs, so they just notice a few comments and try things out)

Re:Found In Virtually All AV Software (0, Redundant)

WaroDaBeast (1211048) | more than 4 years ago | (#32147538)

ESET Smart Security 4.2.35.3

Eset Smart Security's latest version is 4.2.40.1! That so-called study is therefore completely irrelevant! HAH!

Re:Found In Virtually All AV Software (1)

NicknamesAreStupid (1040118) | more than 4 years ago | (#32148198)

Microsoft may not patch the kernel to integrate MSE, but MSE sure generates a lot of extra interrupts. And the overhead of handling them is onerous. I suspect they hook into the disc I/O. That would seem like a potential vulnerability.

Anagram? (4, Funny)

Theaetetus (590071) | more than 4 years ago | (#32147132)

"Matousec"? Hmm...
"To use Mac"? Hey!

Re:Anagram? (0)

Anonymous Coward | more than 4 years ago | (#32147882)

It's a cookbook!

Follow Apple? (2, Interesting)

ITI_guy (1021879) | more than 4 years ago | (#32147184)

If M$ would have only used the App Store model for software distribution we wouldn't need AV at all, and think of the profit!

Re:Follow Apple? (0)

Anonymous Coward | more than 4 years ago | (#32147890)

Yeah, I'm sure Microsoft dreams of having profits like Apple.

Syscall Wrapper Exploits (1)

oggiejnr (999258) | more than 4 years ago | (#32147274)

Can someone tell me what the difference is between this and syscall wrapper exploits which have been known about long enough to be lectured in undergraduate security courses?
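The race the summary describes ("switching it out for malicious code at the last moment"), the "concurrency attacks" on runtime checks mentioned a few comments up, and the syscall wrapper exploits asked about here are the same double-fetch pattern: the hook validates an argument that still lives in attacker-writable memory, and the protected service then reads that memory a second time. The C model below is an added illustration written for this page; it is not Matousec's code and not any vendor's driver. The "service", the deny-under-a-prefix policy, the path strings and the explicit `attacker` callback are all assumptions, chosen so the race window is deterministic instead of a real second thread.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of an argument-switch (double-fetch) race against a
 * security hook. Everything here is a model: the service, the policy and
 * the buffers are assumptions, not a real kernel or AV driver. */

#define ARG_LEN 64

/* Assumed protected prefix; the policy denies any path under it. */
static const char PROTECTED[] = "C:\\protected\\";

static bool policy_allows(const char *path)
{
    return strncmp(path, PROTECTED, sizeof PROTECTED - 1) != 0;
}

/* The protected service just records the path it was asked to act on. */
typedef struct {
    char last_opened[ARG_LEN];
} service_state_t;

static void real_service(service_state_t *st, const char *path)
{
    snprintf(st->last_opened, sizeof st->last_opened, "%s", path);
}

/* What the second thread does inside the race window. Modelled as a
 * callback so the demo is deterministic; on a multi-core box it is a
 * thread spinning on the shared buffer. NULL means "no attacker". */
typedef void (*race_window_fn)(char *shared_arg);

static void swap_to_malicious(char *shared_arg)
{
    snprintf(shared_arg, ARG_LEN, "%s%s", PROTECTED, "secret.txt");
}

/* Vulnerable hook: checks the contents of caller-owned memory, then lets
 * the service read that same memory again (check and use are two fetches). */
static int hook_vulnerable(service_state_t *st, char *user_arg,
                           race_window_fn attacker)
{
    if (!policy_allows(user_arg))       /* fetch #1: check */
        return -1;
    if (attacker)
        attacker(user_arg);             /* race window: buffer is swapped */
    real_service(st, user_arg);         /* fetch #2: use */
    return 0;
}

/* Hardened hook: capture once into hook-owned memory, check the copy and
 * pass that same copy down. The caller can no longer change what was
 * checked relative to what is used. */
static int hook_hardened(service_state_t *st, char *user_arg,
                         race_window_fn attacker)
{
    char snapshot[ARG_LEN];
    snprintf(snapshot, sizeof snapshot, "%s", user_arg);   /* single fetch */
    if (!policy_allows(snapshot))
        return -1;
    if (attacker)
        attacker(user_arg);             /* same window, now harmless */
    real_service(st, snapshot);
    return 0;
}

/* Run one call through the chosen hook. Returns true when the hook let the
 * service act on a path the policy should have denied. */
static bool run_call(bool hardened, const char *initial_arg,
                     race_window_fn attacker, int *rc_out)
{
    service_state_t st = { { 0 } };
    char user_buf[ARG_LEN];
    snprintf(user_buf, sizeof user_buf, "%s", initial_arg);
    int rc = hardened ? hook_hardened(&st, user_buf, attacker)
                      : hook_vulnerable(&st, user_buf, attacker);
    if (rc_out)
        *rc_out = rc;
    return rc == 0 && !policy_allows(st.last_opened);
}

/* Scenario 1: a benign-looking argument is raced inside the hook. */
static bool bypassed_by_race(bool hardened)
{
    return run_call(hardened, "C:\\temp\\benign.txt", swap_to_malicious, NULL);
}

/* Scenario 2: the malicious argument is passed directly, no race.
 * Returns the hook's verdict (-1 = denied, 0 = allowed). */
static int direct_verdict(bool hardened)
{
    int rc = 0;
    run_call(hardened, "C:\\protected\\secret.txt", NULL, &rc);
    return rc;
}

int main(void)
{
    printf("vulnerable hook, raced:  %s\n", bypassed_by_race(false) ? "BYPASSED" : "blocked");
    printf("hardened hook, raced:    %s\n", bypassed_by_race(true) ? "BYPASSED" : "blocked");
    printf("vulnerable hook, direct: rc=%d\n", direct_verdict(false));
    printf("hardened hook, direct:   rc=%d\n", direct_verdict(true));
    return 0;
}
```

Both hooks deny the direct call; only the vulnerable one is bypassed by the raced call, which is the whole point: the argument only has to look benign at the instant of the check. One caveat before treating the hardened variant as the fix for a real SSDT hook: the original Windows system service re-reads its pointer arguments from user memory itself and, as a rule, rejects kernel-mode addresses when called on behalf of a user process, so the hook cannot simply hand it a kernel-side snapshot. That is why closing the window is not a one-line change in each driver.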

Congratulations! (1)

jeff4747 (256583) | more than 4 years ago | (#32147582)

TFA has discovered "the rootkit".

Slashdot has really gone downhill (1)

MyLongNickName (822545) | more than 4 years ago | (#32147822)

Okay, so basically your PC has some type of rootkit on it already. Then your AV is ineffective due to some obscure attack. Rent a clue, editors! If you have a rootkit, you are fucked anyway. There is no magical piece of software that will protect you from your machine being owned.... that is the definition of owned.

I can understand the general populace not getting this. I cannot understand Slashdot editors not getting such a basic concept.

Re:Slashdot has really gone downhill (1)

Securityemo (1407943) | more than 4 years ago | (#32147856)

This attack is apparently effective when the code executes as an unprivileged user, and from the model they've implemented it seems to not require any previous malicious code to reside on the system. Where did you get that from?

Re:Slashdot has really gone downhill (0)

Anonymous Coward | more than 4 years ago | (#32148162)

FTS:

It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC.

Um, wouldn't that require previous malicious code, or physical access to the machine? Either way, your system's pre-pwned.

and this is why LIVE FILESYSTEM ROMs are needed (3, Insightful)

RobertLTux (260313) | more than 4 years ago | (#32147950)

Whatever platform the program is based on, if you are booted to the system you are trying to clean, then you have already lost ground.

Of course a POSIX type solution has the advantage of being mostly immune to the viruses on a Windows system.

So ... (1)

daveime (1253762) | more than 4 years ago | (#32148112)

So basically ...

It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC

Anyone who already has the ability to run a binary on your box can p0wn it ... well, no shit Sherlock. As that applies to every O/S, I wonder why Windows has been targeted as the "guilty party". Ah, Soulskill, say no more ...

Critical Flaw In "AV" Software? (1)

rawler (1005089) | more than 4 years ago | (#32148148)

And here I thought someone had found an exploit of a common audio-video codec, or just plain DCT or something interesting.

Anti-virus is an arms race, and IMHO causes about as many problems as it solves. (Except the caused problems are rarely truly evil like the attacks stopped.)

Other examples where anti-virus software just fails:
  * Decompression bombs
  * McAfee's recent XP borking
  * Even good reputable AV seems to have problems catching up with months-old malware
  * Let's not start talking performance-hogging

I wish security would be more built-into rather than bolted-on.
