Saturday, 7 April 2012

Anti-Virus… or Door for a hacker?


Security tools are supposed to prevent attacks. Can the same tool be a door for a hacker? The iViZ Vulnerability Research Team has found attacks that use the anti-virus itself as the door.



With rising numbers of security incidents, more and more people use security software such as anti-virus, firewalls and anti-spyware. These are meant to protect users from common attacks and vulnerabilities. However, the popularity of such software has lured attackers into targeting the security software itself as the way in. Imagine this situation: you run a system with anti-virus and the other necessary software in place, and you assume you are safe from the latest threats. But what if the anti-virus itself is vulnerable? When a hacker exploits a vulnerability in your security software, he gets to run code on your system with whatever privileges the scanner holds, and the scanner touches every file and every mail that arrives. This article describes iViZ’s original research on how security software itself can be targeted by a hacker.



Your shield can be the attacker’s arrow! Hackers are targeting security software to break into users’ systems.



How the iViZ team found “holes” in anti-virus software

iViZ has a state-of-the-art security research lab where we research new vulnerabilities and attack techniques. Our belief is that to secure ourselves we need to stay one step ahead of the hackers. The iViZ team has found before that several security tools are themselves vulnerable. While conducting this research we noticed that some anti-virus software behaved abnormally on certain inputs. We informed the vendors of the anomalous behaviour and probed deeper to find out what was really going on.

Anti-virus vulnerability research is conducted using a variety of file fuzzing techniques. During this research we found that many anti-virus products, both commercial and open source, often do not properly handle complex or unusual executable header data, especially in executables packed with third-party packers such as UPX and FSG. By feeding malformed packed executables to the scanners we hit multiple bugs, and some of these bugs are, by their nature, security vulnerabilities: a scanner parses attacker-supplied headers inside its own process, so an unchecked size or offset is a memory corruption, not merely a failed scan.
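The following Python is an added example of the shape such a file fuzzer takes; it is not iViZ’s fuzzer (the page gives no details of that) nor any vendor’s code. It builds a constructed minimal PE32 seed with UPX-style section names, mutates the header fields an unpacker trusts with boundary values rather than blind bit flips, classifies a real scanner’s exit by signal, and includes a stand-in “vulnerable scanner” that models the wrapped offset+size check behind many bugs of this class so the loop can be run offline. The field list, the model and the clamscan invocation are assumptions.

```python
import os
import random
import struct
import subprocess
import tempfile

# Header fields a packer-aware scanner reads before it trusts anything else.
# Offsets are relative to the "PE\0\0" signature (20-byte COFF header, then the
# optional header) or to the start of each 40-byte section header.
COFF_FIELDS = {"NumberOfSections": ("<H", 4 + 2)}
OPTIONAL_FIELDS = {"AddressOfEntryPoint": ("<I", 4 + 20 + 16),
                   "SizeOfImage": ("<I", 4 + 20 + 56),
                   "SizeOfHeaders": ("<I", 4 + 20 + 60)}
SECTION_FIELDS = {"VirtualSize": ("<I", 8), "VirtualAddress": ("<I", 12),
                  "SizeOfRawData": ("<I", 16), "PointerToRawData": ("<I", 20)}
# Boundary values that provoke offset+size wraps, oversized allocations and
# out-of-range reads in unpacker code.
INTERESTING = [0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFF0, 0xFFFFFFFF]

def build_seed_pe() -> bytes:
    """Constructed minimal PE32 image with UPX-style section names, used as the
    fuzzing seed. It is not a real packed program; it only has to parse."""
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> "PE\0\0"
    # Machine=i386, 2 sections, no symbols, SizeOfOptionalHeader=0xE0, EXE flags
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    for fmt, off, val in (("<H", 0, 0x10B), ("<I", 16, 0x2000), ("<I", 28, 0x400000),
                          ("<I", 32, 0x1000), ("<I", 36, 0x200), ("<I", 56, 0x3000),
                          ("<I", 60, 0x200)):   # magic, entry, base, aligns, sizes
        struct.pack_into(fmt, opt, off, val)
    def sec(name, vsize, va, rawsize, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)
    sections = (sec(b"UPX0", 0x1000, 0x1000, 0, 0, 0xE0000080)
                + sec(b"UPX1", 0x1000, 0x2000, 0x200, 0x200, 0xE0000040))
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections
    return header.ljust(0x200, b"\0") + b"\xCC" * 0x200   # placeholder "packed" data

def field_locations(data: bytes):
    """Yield (name, fmt, absolute offset) for every header field worth mutating."""
    (pe,) = struct.unpack_from("<I", data, 0x3C)
    for name, (fmt, rel) in {**COFF_FIELDS, **OPTIONAL_FIELDS}.items():
        yield name, fmt, pe + rel
    (nsec,) = struct.unpack_from("<H", data, pe + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe + 20)
    for i in range(nsec):
        for name, (fmt, rel) in SECTION_FIELDS.items():
            yield f"section[{i}].{name}", fmt, pe + 24 + opt_size + i * 40 + rel

def mutate(data: bytes, rng: random.Random):
    """Return (description, mutated copy): one header field overwritten with a
    boundary value (70%) or a random word; blind bit-flipping rarely gets this deep."""
    buf = bytearray(data)
    name, fmt, off = rng.choice(list(field_locations(data)))
    value = rng.choice(INTERESTING) if rng.random() < 0.7 else rng.getrandbits(32)
    value &= 0xFFFF if fmt == "<H" else 0xFFFFFFFF
    struct.pack_into(fmt, buf, off, value)
    return f"{name}=0x{value:X}", bytes(buf)

def run_scanner(cmd, sample: bytes, timeout=30):
    """Run a real scanner CLI (e.g. ["clamscan", "--no-summary"]) on `sample`:
    ('crash', signo) if it died from a signal, ('timeout', None), else ('ok', rc)."""
    with tempfile.NamedTemporaryFile(suffix=".exe", delete=False) as f:
        f.write(sample)
        path = f.name
    try:
        proc = subprocess.run(cmd + [path], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ("timeout", None)
    finally:
        os.unlink(path)
    return ("crash", -proc.returncode) if proc.returncode < 0 else ("ok", proc.returncode)

def model_vulnerable_scanner(sample: bytes):
    """Stand-in for the bug class (assumed model, not any vendor's code): a 32-bit
    `offset + size <= filesize` check that wraps, then a read that does not.
    Returns ('crash', 11) where the C equivalent would take SIGSEGV."""
    try:
        (pe,) = struct.unpack_from("<I", sample, 0x3C)
        (nsec,) = struct.unpack_from("<H", sample, pe + 6)
        (opt_size,) = struct.unpack_from("<H", sample, pe + 20)
        for i in range(nsec):
            size, ptr = struct.unpack_from("<II", sample, pe + 24 + opt_size + i * 40 + 16)
            if (ptr + size) & 0xFFFFFFFF <= len(sample) < ptr + size:
                return ("crash", 11)      # wrapped check passed, real read overruns
    except struct.error:
        return ("crash", 11)              # walked the section table off the end
    return ("ok", 0)

def fuzz(seed: bytes, runner, iterations=200, rng_seed=1):
    """Drive runner(sample) -> (status, detail) over single-field mutants of the
    seed and keep every case that did not come back 'ok'."""
    rng = random.Random(rng_seed)
    findings = []
    for _ in range(iterations):
        desc, sample = mutate(seed, rng)
        status, detail = runner(sample)
        if status != "ok":
            findings.append((desc, status, detail, sample))
    return findings
```

To point this at a real product, pass `lambda s: run_scanner(["clamscan", "--no-summary"], s)` (or any scanner CLI that accepts a file path) as the runner and keep the saved samples for triage under a debugger; a signal exit is only the start of the analysis that decides whether a crash is a controllable write or just an out-of-range read.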



Vendor: AVG
 
Version: 7.5.51 (current), possibly others.
 
Vulnerability Description:
 
Multiple vulnerabilities were discovered in AVG Antivirus when analyzing specially crafted UPX packed files. Initial analysis shows that some of the vulnerabilities can theoretically be exploited to execute arbitrary code on the affected system with the privilege of the user running the vulnerable antivirus process or at least cause a Denial of Service Condition.
 
These vulnerabilities should be considered critical, particularly in setups where the affected antivirus product scans incoming e-mail on a mail server, since the attacker then needs nothing more than the ability to send a message.
 
Impact:
An attacker can remotely break into a victim’s system by sending a mail with a malicious attachment. Exploitation allows malicious code such as trojans, keyloggers or other crimeware to run on the victim’s system and steal information. Alternatively, the attacker can use the vulnerability to cause a Denial of Service condition.


Vendor: FRISK Software (F-Prot)
 
Version: F-Prot version 4.6.8 for GNU/Linux
 
Vulnerability Description:
 
An ELF binary can be protected against F-Prot by corrupting its ELF header while leaving the binary fully functional: F-Prot crashes when analysing the file, so any malware it contains goes undetected. The binary still runs because the kernel loader consults only the header fields it needs, so fields the scanner trusts but the loader ignores can be corrupted freely. This amounts to a complete bypass of the anti-virus protection.
 
Impact:
 
Any malicious content or attachment passes completely undetected. Believing the attachment is clean and safe, the victim is likely to execute it, leading to complete system compromise.
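The F-Prot entry describes a scanner that dies on a corrupted ELF header while the kernel still runs the file. The Python below is an added example written for this page, not iViZ’s or any vendor’s code: it builds a constructed minimal ELF64 image, corrupts e_shoff and e_shnum, and contrasts a parser that trusts those fields (it raises, the in-process analogue of the crash) with a bounds-checked one that reports the table as unusable and falls back to the program headers the loader actually uses. Function names and the choice of corrupted fields are assumptions.

```python
import struct

# Elf64 header layouts, little-endian, fields in spec order.
EHDR = "<16sHHIQQQIHHHHHH"  # e_ident, e_type, e_machine, e_version, e_entry, e_phoff,
                            # e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum,
                            # e_shentsize, e_shnum, e_shstrndx
PHDR = "<IIQQQQQQ"          # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
SHDR = "<IIQQQQIIQQ"        # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, ...
SHT_NOBITS = 8

def build_seed_elf() -> bytes:
    """Constructed minimal ELF64 x86-64 image: one PT_LOAD segment and a two-entry
    section table. The 'code' is placeholder bytes; only the headers matter here."""
    ehsize, phsize, shsize = 64, 56, 64
    code_off = ehsize + phsize                                 # 120
    code = b"\xCC" * 16
    shoff = code_off + len(code)                               # 136
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8       # ELFCLASS64, LSB, v1, SYSV
    ehdr = struct.pack(EHDR, ident, 2, 0x3E, 1, 0x400000 + code_off, ehsize, shoff,
                       0, ehsize, phsize, 1, shsize, 2, 0)
    phdr = struct.pack(PHDR, 1, 5, 0, 0x400000, 0x400000, shoff, shoff, 0x1000)  # PT_LOAD, R+X
    sh_null = struct.pack(SHDR, *([0] * 10))
    sh_text = struct.pack(SHDR, 1, 1, 6, 0x400000 + code_off, code_off, len(code), 0, 0, 16, 0)
    return ehdr + phdr + code + sh_null + sh_text

def naive_sections(data: bytes):
    """A scanner that trusts e_shoff/e_shnum and indexes straight into the table.
    On a corrupted header this raises struct.error, the in-process equivalent of
    the crash described above."""
    hdr = struct.unpack_from(EHDR, data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    return [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]

def checked_sections(data: bytes):
    """Bounds-checked version: ([], reason) for an unusable table instead of an
    exception, so the caller can fall back to program headers and keep scanning."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return [], "not an ELF file"
    hdr = struct.unpack_from(EHDR, data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    if shoff == 0 or shnum == 0:
        return [], "no section table"
    if shentsize < struct.calcsize(SHDR):
        return [], "section header entry too small"
    # Python ints do not wrap; in C, shnum * shentsize must be overflow-checked
    # before this comparison, and shoff compared to the file size before adding to it.
    if shoff > len(data) or shnum * shentsize > len(data) - shoff:
        return [], "section table outside file"
    secs = []
    for i in range(shnum):
        sh = struct.unpack_from(SHDR, data, shoff + i * shentsize)
        sh_type, sh_offset, sh_size = sh[1], sh[4], sh[5]
        if sh_type != SHT_NOBITS and (sh_offset > len(data) or sh_size > len(data) - sh_offset):
            return [], f"section {i} outside file"
        secs.append(sh)
    return secs, "ok"

def loader_view(data: bytes):
    """What execve() consults: program headers only. The kernel never reads the
    section table, so corrupting it leaves the binary runnable."""
    hdr = struct.unpack_from(EHDR, data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    return [struct.unpack_from(PHDR, data, phoff + i * phentsize) for i in range(phnum)]

def corrupt_section_table(data: bytes) -> bytes:
    """Point e_shoff past end-of-file and inflate e_shnum; every byte the loader
    uses is untouched."""
    buf = bytearray(data)
    struct.pack_into("<Q", buf, 40, len(data) + 0x1000)   # e_shoff
    struct.pack_into("<H", buf, 60, 0xFFFF)               # e_shnum
    return bytes(buf)

def scan_plan(data: bytes):
    """How a hardened scanner walks the file: ('sections', n) when the table is
    sane, otherwise ('segments', n) taken from the program headers."""
    secs, reason = checked_sections(data)
    if reason == "ok":
        return ("sections", len(secs))
    return ("segments", len(loader_view(data)))
```

The same contrast is visible on a real system: `readelf -S` complains about the corrupted file while the kernel still executes it. The point for a scanner author is that a malformed section table is not a reason to stop; the bytes the loader will map are still right there in the program headers, and that is where the scan must continue.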
 




Vendor: Sophos
 
Version: Sophos SAVScan 4.33.0 for Linux, possibly others
 
Vulnerability Description: Multiple vulnerabilities have been discovered in the Sophos antivirus product in the parsing of specially crafted files packed with several packers, including Armadillo, ASProtect and ASProtect SKE. Initial analysis shows that some of the vulnerabilities can theoretically be exploited to execute arbitrary code on the affected system with the privileges of the user running the vulnerable antivirus process, or at least to cause a Denial of Service condition.
 
These vulnerabilities should be considered critical, particularly in setups where the affected antivirus product scans incoming e-mail on a mail server, since the attacker then needs nothing more than the ability to send a message.
 
Impact: An attacker can remotely break into a victim’s system by sending a mail with a malicious attachment. Exploitation allows malicious code such as trojans, keyloggers or other crimeware to run on the victim’s system and steal information. Alternatively, the attacker can use the vulnerability to cause a Denial of Service condition.


Vendor: ClamAV
 
Version: ClamAV 0.93.3 and prior
 
Vulnerability Description:
 
ClamAV uses external unpackers to unpack files packed with a variety of compression and encoding algorithms. A vulnerability exists in the handling of specially crafted LZH-packed files by the unpacker that ClamAV invokes. It can be exploited to execute arbitrary code on the vulnerable system, or at least to cause a Denial of Service condition, by forcing ClamAV to scan a malicious LZH-packed file.
 
The vendor removed support for external unpackers from ClamAV 0.94 onwards, which closes this attack surface.
 
Impact:
An attacker can remotely break into a victim’s system by sending a mail with a malicious attachment. Exploitation allows malicious code such as trojans, keyloggers or other crimeware to run on the victim’s system and steal information. Alternatively, the attacker can use the vulnerability to cause a Denial of Service condition.

Vendor: Bitdefender
 
Version: v7 for Linux, possibly others
 
Vulnerability Description:
 
Multiple integer overflows were discovered in the GNU/Linux version of Bitdefender when analyzing specially crafted Portable Executable binaries packed with the Neolite and ASProtect packers. Initial analysis shows that some of the vulnerabilities can theoretically be exploited to execute arbitrary code on the affected system with the privileges of the user running the vulnerable antivirus process, or at least to cause a Denial of Service condition.
 
These vulnerabilities should be considered critical, particularly in setups where the affected antivirus product scans incoming e-mail on a mail server, since the attacker then needs nothing more than the ability to send a message.
 
Impact:
An attacker can remotely break into a victim’s system by sending a mail with a malicious attachment. Exploitation allows malicious code such as trojans, keyloggers or other crimeware to run on the victim’s system and steal information. Alternatively, the attacker can use the vulnerability to cause a Denial of Service condition.
 


Vendor: Avast
Version: Avast for Workstations v1.0.8
 
Vulnerability Description:
 
Multiple buffer overflow vulnerabilities were discovered in the GNU/Linux version of Avast when analyzing specially crafted ISO and RPM files. Initial analysis shows that some of the vulnerabilities can theoretically be exploited to execute arbitrary code on the affected system with the privileges of the user running the vulnerable antivirus process, or at least to cause a Denial of Service condition.
 
These vulnerabilities should be considered critical, particularly in setups where the affected antivirus product scans incoming e-mail on a mail server, since the attacker then needs nothing more than the ability to send a message.
 
Impact:
An attacker can remotely break into a victim’s system by sending a mail with a malicious attachment. Exploitation allows malicious code such as trojans, keyloggers or other crimeware to run on the victim’s system and steal information. Alternatively, the attacker can use the vulnerability to cause a Denial of Service condition.




How hackers can break into your system through the anti-virus
Step 1: Remote identification of the anti-virus - Some Company Inc. runs an antivirus on its mail server. The antivirus checks every incoming mail for possible virus infection; if the mail is clean it is forwarded to the recipient, otherwise it is dropped or rejected. The attacker’s first step is to identify which antivirus the server runs. He does this with techniques such as service identification, open-port scanning and vulnerability assessment, or simply by reading the scanner’s signature in a bounced or rejected mail.
Step 2: The hacker sends a mail with a malicious attachment - Once the gateway antivirus is identified, the attacker crafts a mail to a user registered on that mail server and attaches an executable carrying the payload meant for that specific antivirus. If the attacker’s objective is not to attack the mail server’s antivirus directly but only to evade its detection, he can use techniques such as multiple filename or boundary fields in Content-Type or Content-Disposition, a skipped file name, CR without LF, a poisoned NULL byte, or exploitation of an unsafe fgets() in the gateway’s parser. These techniques are useful when the intention is to get the attachment delivered intact to the client systems.
Step 3: The anti-virus scans the malicious attachment - When the mail server receives the message, the vulnerable AV software scans the malicious executable. The result is either a crash of the antivirus or execution of arbitrary code, which amounts to a complete bypass of the security control.
Step 4: The attacker crashes the anti-virus and/or breaks into the system - If the attack targets the gateway antivirus directly, the outcome is full compromise of the server; otherwise the client system is compromised when the recipient executes the attachment. In some cases direct compromise is possible; in others the anti-virus only crashes.
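Steps 1 to 4 form one procedure, so here is a single worked example of the defensive side of Step 2, written for this page and not taken from iViZ or any gateway product. It embeds a constructed MIME message (labelled as such, not a real capture) that carries the duplicate filename, duplicate boundary, NUL byte and bare-CR tricks named above, an audit that reports each one, and two extractors that show the parser differential a gateway and a mail client can fall into. Header names, the parameter regular expression and the quarantine policy are my assumptions.

```python
import re

# Constructed sample (not a real capture): one attachment whose headers are
# ambiguous on purpose, in the ways listed in Step 2. Base64 body is filler.
EVASIVE_MSG = (
    b"From: sender@example.org\r\n"
    b"To: victim@example.com\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="outer"; boundary="inner"\r\n'
    b"\r\n"
    b"--outer\r\n"
    b'Content-Type: application/octet-stream; name="invoice.exe\x00.pdf"\r\n'
    b'Content-Disposition: attachment; filename="readme.txt"; filename="payload.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r"                    # bare CR: ends the headers for a CR-splitting parser only
    b"X-Padding: bare-cr\r\n"
    b"\r\n"
    b"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    b"--outer--\r\n"
)
# Same message with unambiguous headers, as a control.
CLEAN_MSG = (
    b"From: sender@example.org\r\nTo: victim@example.com\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="outer"\r\n\r\n--outer\r\n'
    b'Content-Type: application/octet-stream; name="invoice.pdf"\r\n'
    b'Content-Disposition: attachment; filename="invoice.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nJVBERi0xLjQK\r\n--outer--\r\n"
)

PARAM_RE = re.compile(rb'(?:^|;)\s*([A-Za-z0-9_*-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;\s]*)')

def header_params(value: bytes):
    """All (name, value) parameters of a structured header value, in order,
    duplicates included (each may appear once per RFC 2045; attackers repeat them)."""
    params = []
    for m in PARAM_RE.finditer(value):
        raw = m.group(2)
        params.append((m.group(1).lower(), raw[1:-1] if raw.startswith(b'"') else raw))
    return params

def split_headers(block: bytes):
    """(name, value) pairs of a header block using strict CRLF line ends. A bare
    CR is kept inside the name/value so it can be flagged rather than acted on."""
    headers = []
    for line in block.split(b"\r\n"):
        if not line:
            continue
        if line[:1] in (b" ", b"\t") and headers:          # folded continuation line
            name, val = headers[-1]
            headers[-1] = (name, val + b" " + line.strip())
            continue
        name, _, val = line.partition(b":")
        headers.append((name.strip(b" \t").lower(), val.strip(b" \t")))
    return headers

def header_blocks(raw: bytes):
    """Yield the top-level header block, then each part's header block. The
    delimiter is taken from the FIRST boundary parameter (what most gateways do)."""
    top, _, body = raw.partition(b"\r\n\r\n")
    yield top
    ctype = dict(split_headers(top)).get(b"content-type", b"")
    boundaries = [v for n, v in header_params(ctype) if n == b"boundary"]
    if not boundaries:
        return
    for part in body.split(b"--" + boundaries[0])[1:]:
        if part.startswith(b"--"):                           # closing delimiter
            return
        yield part.lstrip(b"\r\n").partition(b"\r\n\r\n")[0]

def audit_attachment_headers(raw: bytes):
    """(header, problem) findings for constructs that make two parsers disagree
    about what the attachment is. A gateway should quarantine on any finding
    rather than pick one interpretation and hope the client picks the same."""
    findings = []
    for block in header_blocks(raw):
        for name, value in split_headers(block):
            if b"\r" in name or b"\r" in value:
                findings.append((name.strip(b"\r"), "bare CR inside header"))
            if b"\x00" in value:
                findings.append((name, "NUL byte inside header"))
            if name not in (b"content-type", b"content-disposition"):
                continue
            seen = {}
            for pname, pval in header_params(value):
                if pname in (b"filename", b"name", b"boundary"):
                    if pname in seen and seen[pname] != pval:
                        findings.append((name, f"duplicate {pname.decode()} parameter"))
                    seen.setdefault(pname, pval)
            if name == b"content-disposition" and value.lower().startswith(b"attachment") \
                    and b"filename" not in seen:
                findings.append((name, "attachment without filename"))   # skipped file name
    return findings

def attachment_filename(raw: bytes, policy: str):
    """Filename as seen by a parser that keeps the first duplicate parameter
    ('first') versus one that keeps the last ('last'). The gap is the evasion."""
    for block in header_blocks(raw):
        for name, value in split_headers(block):
            if name == b"content-disposition":
                names = [v for n, v in header_params(value) if n == b"filename"]
                if names:
                    return names[0] if policy == "first" else names[-1]
    return None
```

The audit never tries to decide which reading is “right”: a gateway that scans `readme.txt` while the client saves `payload.exe` has already lost, so any ambiguity is itself the detection. The unsafe-fgets() case from the text is a bug in a specific parser rather than a header construct and is not modelled here.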

iViZ Responsible Vulnerability Disclosure Practice
iViZ considers user security the highest priority and therefore follows a strict responsible disclosure practice. We do not disclose vulnerability details in public before disclosing them to the vendor. We work closely with the vendors, help them with all the details and at times with writing the patch, and publish details only in coordination with them so that users’ safety is always ensured. iViZ does not release the proof-of-concept exploits that demonstrate these attacks, so that iViZ research cannot be used by attackers with malicious intent.

Are we ready to be secure?

We deploy security systems to protect us, but it is also necessary to check whether the security system is itself secure. We hate a police force that is itself party to crime, and a judicial system that is itself flawed. But are we doing the same when it comes to building our security systems? We live in a world of satisfaction with IDS/IPS and firewalls, as if nothing could shake our confidence. The obvious question is “Did we configure the security tools properly so that they can do their job right?” The non-obvious yet very critical question is “Are the security tools themselves secure?”





2 comments:

  1. It is not that easy to understand every post. But this blog post is written by using simple words and sentences and hence one can easily understand the information which is given in this post. secure Yahoo Account using Two-Step Verification | I print contacts in AOL mail

  2. The website design and also the content that has been written here very impressively; each and everything would be very clear in the head of the user. Bullguard Customer Service UK +44-800-368-9064 Support Service Number