In the latest of his ‘Greetz from Academe’ series, highlighting some of the work going on in academic circles, John Aycock looks at a piece of research that reveals an anti-virus design vulnerability that leaves several of the major anti-virus products open to attack.
Copyright © 2014 Virus Bulletin
A funny thing happened on the way to last month’s ‘Greetz from Academe’. My office can best be described as an extreme fire hazard: it is adorned with an over-generous number of printed research papers stacked precariously around the room. Early in my career, a much more senior colleague told me that he hoped he died before he retired so that he wouldn’t have to clean out his own disaster of an office. I fully understand his point of view now.
When, in putting together last month’s article, I wanted to refer to Lhee and Chapin’s buffer overflow paper [1], I knew that a dead tree version of it resided somewhere in my office, but it seemed far faster just to search for it online. I found it, of course, but in the process I stumbled across another paper that looked like it might be highly relevant to the anti-virus community: Min et al.’s ‘Antivirus security: naked during updates’ [2].
Some journals – Software: Practice and Experience among them – try to work around their publication latency by making articles available online prior to their actually appearing in a printed journal issue. That is the case here, and ‘naked’ was revealed online in April 2013 (at the time of writing this article, the paper has yet to appear in a journal issue). However, other journal publication delays remain – the paper was initially received in November 2012. Hopefully, the problems the researchers describe will all have been safely addressed by now, making the paper but a historical footnote. Hopefully.
We have long been accustomed to ever more frequent anti-virus updates to ensure the latest and greatest protection, of course, but what Min et al. found is that protection is not only a matter of how often, but also how. In other words, the way in which anti-virus products perform updates can potentially leave them open to attack. This is no theoretical attack, either. Quoting from the paper [2, p.1]: ‘We have investigated this design vulnerability with several of the major anti-virus software products such as Avira, AVG, McAfee, Microsoft, and Symantec and found that they are vulnerable to this new attack vector.’ The paper used Avira as an example to illustrate the attacks because the researchers found that, of the anti-virus products that fell prey to their attacks (not all did), it was the hardest to compromise. That seems like a bit of a backhanded compliment, but it’s probably a preferable characterization to ‘AVG, McAfee and Microsoft are relatively easy targets’ [2, p.14].
The premise is that a dropper already exists on a target system – the dropper is unknown to the installed anti-virus, and does not exhibit any malicious behaviour. This is a plausible targeted attack scenario. The dropper monitors the target system’s anti-virus until it updates, or triggers an anti-virus update itself if possible, and waits. Vulnerable anti-virus products disable protection for the duration of the update, in whole or in part, thus allowing the waiting dropper a small window of opportunity in which there is no active anti-virus protection on the system.
One solution the researchers suggest is for the old, non-updated anti-virus engine to remain running temporarily, covering the potential window of vulnerability until the updated version has started. The researchers also discovered that some anti-virus self-protection worked less well than intended. For example, checking the digital signatures on DLLs seems like a good idea, but the researchers noted that in practice, third-party DLLs used by anti-virus software weren’t always checked, and where a signature check did exist, a tampered signature simply stopped the software from loading – a crude but effective denial of service against the anti-virus itself.
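The timing race in the two paragraphs above, as an added illustration for this column rather than code from Min et al.’s paper or from any anti-virus product: a discrete-time model in which a dropper polls the host’s protection state every tick and fires the first time no engine is active. The naive stop / install / start sequence is compared with the handover the researchers suggest. The engine names, tick counts and the `Host` class are assumptions made for the model, not measurements of a real product.

```python
"""Discrete-time model of the 'naked during updates' window.

Added illustration, not code from Min et al.'s paper or from any
anti-virus product. Time is a sequence of ticks; the dropper polls the
host's protection state every tick and runs its payload the first time
no scanner engine is active. Two update strategies are compared: the
naive stop / install / start sequence, and a handover in which the old
engine keeps running until the new one is ready. All tick counts and
engine names are assumptions chosen for the model.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

INSTALL_TICKS = 3   # assumed time to unpack and install the new engine
STARTUP_TICKS = 2   # assumed time for a freshly started engine to become active
IDLE_TICKS = 2      # ticks the dropper waits before and after the update


@dataclass
class Host:
    tick: int = 0
    active_engines: set = field(default_factory=lambda: {"engine-v1"})
    unprotected_ticks: int = 0
    payload_ran_at: Optional[int] = None
    log: list = field(default_factory=list)

    def protected(self) -> bool:
        """The host is protected while at least one engine is active."""
        return bool(self.active_engines)

    def advance(self) -> None:
        """One tick passes; the dropper checks protection and fires if absent."""
        self.tick += 1
        if self.protected():
            return
        self.unprotected_ticks += 1
        if self.payload_ran_at is None:
            self.payload_ran_at = self.tick
            self.log.append(f"t={self.tick}: no engine active, dropper runs payload")


def naive_update(host: Host, new: str = "engine-v2") -> None:
    """Stop the old engine, install, then start the new one: a protection gap."""
    old = host.active_engines.pop()
    host.log.append(f"t={host.tick}: {old} stopped for update")
    for _ in range(INSTALL_TICKS + STARTUP_TICKS):
        host.advance()             # nothing is scanning during these ticks
    host.active_engines.add(new)
    host.log.append(f"t={host.tick}: {new} active")


def handover_update(host: Host, new: str = "engine-v2") -> None:
    """Install and start the new engine beside the old one; retire the old only then."""
    old = next(iter(host.active_engines))
    for _ in range(INSTALL_TICKS + STARTUP_TICKS):
        host.advance()             # old engine still active throughout
    host.active_engines.add(new)
    host.active_engines.discard(old)
    host.log.append(f"t={host.tick}: {new} active, {old} retired")


def simulate(update: Callable[[Host], None]) -> dict:
    """Run one update strategy with the dropper polling before, during and after."""
    host = Host()
    for _ in range(IDLE_TICKS):
        host.advance()
    update(host)
    for _ in range(IDLE_TICKS):
        host.advance()
    return {
        "unprotected_ticks": host.unprotected_ticks,
        "payload_ran_at": host.payload_ran_at,
        "log": host.log,
    }


if __name__ == "__main__":
    for name, strategy in (("naive", naive_update), ("handover", handover_update)):
        result = simulate(strategy)
        print(f"{name}: unprotected for {result['unprotected_ticks']} ticks, "
              f"payload ran at {result['payload_ran_at']}")
        for line in result["log"]:
            print("   ", line)
```

With the assumed tick counts the naive sequence leaves the host bare for five ticks and the dropper fires on the first of them, while the handover never drops below one active engine. The model says nothing about how long a real product’s window is; the point it makes is that the gap is a property of the update sequence, not of how frequently updates arrive.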
It is fairly normal in cases like this, where research has uncovered a flaw in widely deployed software, to see a statement in the paper saying ‘Company X was notified about the problem and it has been fixed in the latest release.’ This is possible even when the flaw is something of Internet scale, like the Herculean efforts to patch the DNS flaw that Dan Kaminsky found back in 2008 [3, 4]. I was looking for such a statement in the paper, and I’m afraid to say that I didn’t find one. That doesn’t mean that anti-virus vendors weren’t notified, of course (or maybe I missed it somehow when I read the paper). But if not, well… surprise! Let’s hope that 2014 isn’t the year of anti-virus nudism.
[1] Lhee, K.-S.; Chapin, S. J. Buffer overflow and format string overflow vulnerabilities. Software: Practice and Experience 33(5), 2003, pp.423–460.
[2] Min, B.; Varadharajan, V.; Tupakula, U.; Hitchens, M. Antivirus security: naked during updates. Software: Practice and Experience, 2013. http://dx.doi.org/10.1002/spe.2197.
[3] Zetter, K. Kaminsky on how he discovered DNS flaw and more. Wired, 22 July 2008. http://www.wired.com/threatlevel/2008/07/kaminsky-on-how/.
[4] CERT. Multiple DNS implementations vulnerable to cache poisoning. Vulnerability note VU#800113, 2008. http://www.kb.cert.org/vuls/id/800113.