Greetz from academe: Full frontal


John Aycock

University of Calgary, Canada
Editor: Helen Martin


In the latest of his ‘Greetz from Academe’ series, highlighting some of the work going on in academic circles, John Aycock looks at a piece of research that reveals an anti-virus design vulnerability that leaves several of the major anti-virus products open to attack.

Table of contents

A funny thing happened on the way to last month’s ‘Greetz from Academe’. My office can best be described as an extreme fire hazard: it is adorned with an over-generous number of printed research papers stacked precariously around the room. Early in my career, a much more senior colleague told me that he hoped he died before he retired so that he wouldn’t have to clean out his own disaster of an office. I fully understand his point of view now.

When, in putting together last month’s article, I wanted to refer to Lhee and Chapin’s buffer overflow paper [1], I knew that a dead tree version of it resided somewhere in my office, but it seemed far faster just to search for it online. I found it, of course, but in the process I stumbled across another paper that looked like it might be highly relevant to the anti-virus community: Min et al.’s ‘Antivirus security: naked during updates’ [2].

Some journals – Software: Practice and Experience among them – try to work around their publication latency by making articles available online prior to their actually appearing in a printed journal issue. That is the case here, and ‘naked’ was revealed online in April 2013 (at the time of writing this article, the paper has yet to appear in a journal issue). However, other journal publication delays remain – the paper was initially received in November 2012. Hopefully, the problems the researchers describe will all have been safely addressed by now, making the paper but a historical footnote. Hopefully.

Design vulnerability

We have long been accustomed to ever more frequent anti-virus updates to ensure the latest and greatest protection, of course, but what Min et al. found is that protection is not only a matter of how often, but also how. In other words, the way in which anti-virus products perform updates can potentially leave them open to attack. This is no theoretical attack, either. Quoting from the paper [2, p.1]: ‘We have investigated this design vulnerability with several of the major anti-virus software products such as Avira, AVG, McAfee, Microsoft, and Symantec and found that they are vulnerable to this new attack vector.’ The paper used Avira as an example to illustrate the attacks because the researchers found that, of the anti-virus products that fell prey to their attacks (not all did), it was the hardest to compromise. That seems like a bit of a back handed compliment, but it’s probably a preferable characterization to ‘AVG, McAfee and Microsoft are relatively easy targets’ [2, p.14].

The premise is that a dropper already exists on a target system – the dropper is unknown to the installed anti-virus, and does not exhibit any malicious behaviour. This is a plausible targeted attack scenario. The dropper monitors the target system’s anti-virus until it updates, or triggers an anti-virus update itself if possible, and waits. Vulnerable anti-virus products will disable protection for the update, in whole or in part, thus allowing the waiting dropper a small window of opportunity in which there is no active anti-virus protection on the system.

One solution the researchers suggest is for the non updated anti-virus to remain running temporarily to cover the potential window of vulnerability while the updated version is started. The researchers also discovered that some anti-virus self-protection worked less well than intended. For example, checking the digital signatures on DLLs seems like a good idea, but the researchers noted that in practice, third-party DLLs used by anti-virus software weren’t always checked, and a changed signature acted as a crude but effective mechanism for a denial of service attack against the software.

It is fairly normal in cases like this, where research has uncovered a flaw in widely deployed software, to see a statement in the paper saying ‘Company X was notified about the problem and it has been fixed in the latest release.’ This is possible even when the flaw is something of Internet scale, like the Herculean efforts to patch the DNS flaw that Dan Kaminsky found back in 2008 [3], [4]. I was looking for such a statement in the paper, and I’m afraid to say that I didn’t find one. That doesn’t mean that anti-virus vendors weren’t notified, of course (or maybe I missed it somehow when I read the paper). But if not, well… surprise! Let’s hope that 2014 isn’t the year of anti-virus nudism.


[1] Lhee K.-S.; Chapin, S. J. Buffer overflow and format string overflow vulnerabilities. Software: Practice and Experience 33(5), 2003, pp.423–460.

[2] Min, B.; Varadharajan, V.; Tupakula, U.; Hitchens, M. Antivirus security: naked during updates. Software: Practice and Experience, 2013.

[3] Zetter, K. Kaminsky on how he discovered DNS flaw and more. Wired, 22 July 2008.

[4] CERT. Multiple DNS implementations vulnerable to cache poisoning. Vulnerability note VU#800113, 2008.



Latest articles:

Fighting Fire with Fire

In 1989, Joe Wells encountered his first virus: Jerusalem. He disassembled the virus, and from that moment onward, was intrigued by the properties of these small pieces of self-replicating code. Joe Wells was an expert on computer viruses, was partly…

Run your malicious VBA macros anywhere!

Kurt Natvig wanted to understand whether it’s possible to recompile VBA macros to another language, which could then easily be ‘run’ on any gateway, thus revealing a sample’s true nature in a safe manner. In this article he explains how he recompiled…

Dissecting the design and vulnerabilities in AZORult C&C panels

Aditya K Sood looks at the command-and-control (C&C) design of the AZORult malware, discussing his team's findings related to the C&C design and some security issues they identified during the research.

Excel Formula/Macro in .xlsb?

Excel Formula, or XLM – does it ever stop giving pain to researchers? Kurt Natvig takes us through his analysis of a new sample using the xlsb file format.

Decompiling Excel Formula (XF) 4.0 malware

Office malware has been around for a long time, but until recently Excel Formula (XF) 4.0 was not something researcher Kurt Natvig was very familiar with. In this article Kurt allows us to learn with him as he takes a deeper look at XF 4.0.

Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.