Approximately 800 vulnerabilities discovered in antivirus products

Summary: UPDATE: McAfee debunks recent vulnerabilities in AV software research, n.runs restates its position.

TOPICS: Malware, Security

In what appears to be either the familiar scenario of "when the security solution ends up the security problem itself", or a product launch whose strategy is to highlight the increasing number of critical vulnerabilities found in competing antivirus products, the IT/security consulting firm n.runs AG claims to have discovered approximately 800 vulnerabilities in antivirus products, rooted in flaws in a standard step of the malware scanning process known as "parsing":

"During the past few months, specialists from the n.runs AG, along with other security experts, have discovered approximately 800 vulnerabilities in anti-virus products. The conclusion: contrary to their actual function, the products open the door to attackers, enable them to penetrate company networks and infect them with destructive code. The positioning of anti-virus software in central areas of the company now poses an accordingly high security risk. The tests performed by the consulting company and solutions developer n.runs have indicated that every virus scanner currently on the market immediately revealed up to several highly critical vulnerabilities. These then pave the way for Denial of Service (DoS) attacks and enable the infiltration of destructive code – past the security solution into the network. With that, anti-virus solutions actually allow the very thing they should instead prevent."

Alongside malware authors' ongoing efforts to obfuscate their binaries, release as many of them as possible in the shortest achievable time frame, and ensure they bypass the most popular personal firewalls by applying quality assurance to their campaigns before release, can antivirus products be a security issue themselves? Of course they can, and the increasing number of vulnerabilities discovered clearly indicates growing interest in proving that point.

How did n.runs manage to discover the vulnerabilities they claim they found? By following the very same logic on which a great deal of the current vulnerabilities are based: the way in which the scanner parses the file it is supposed to scan:

"In this context, n.runs was able to make out so-called "parsing" as one of the main causes of this boomerang effect. The principle functions as follows: virus scanners must recognise as many "Malware" applications as possible – and thereby comprehend and process a large number of file formats. In order to be able to interpret the formats, an application must partition the corresponding file into blocks and structures. This separation of data into analysable individual parts is called "parsing". Mistaken assumptions in the course of programming the parsing code create constellations which enable the infiltration and subsequent running of programme code. Moreover, the quick reaction time expected of developers (regarding threats) contributes to a decrease in the quality of the code. In short: the more parsing that takes place, the higher the recognition rate and the degree of protection from destructive software, but at the same time, the larger the attack surface – which makes the anti-virus solution itself a target."
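To make the "mistaken assumption in the parsing code" concrete, here is an added example of my own (not n.runs' research code, and not any vendor's scanner): a block walker for a hypothetical container format, with the overflow-prone bounds check placed beside its hardened form. The format, the signature string and the four sample files are all constructed for the example; it also shows the DoS side of the same problem, since the walker is written so that a stream of zero-length blocks cannot hang it.

```c
/* Added example for this article (not n.runs' research code or any vendor's
 * scanner): a block walker for a HYPOTHETICAL container format, showing the
 * kind of mistaken assumption in parsing code that the quoted text describes.
 *
 * Assumed format (constructed for this example, not a real file type):
 *   magic "NRX1" (4 bytes), then zero or more blocks of
 *   [type: 1 byte][len: uint32 little-endian][payload: len bytes]
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAGIC_LEN 4u
#define HDR_LEN   5u          /* 1-byte type + 4-byte length */

enum { SCAN_CLEAN = 0, SCAN_DETECTED = 1, SCAN_MALFORMED = -1 };

/* Constructed detection string; NOT a real signature. */
static const char SIG[] = "MALSIG-TEST";
#define SIG_LEN (sizeof(SIG) - 1)

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The mistaken assumption: adding an attacker-controlled len to the current
 * offset in 32-bit arithmetic. A len near UINT32_MAX wraps the sum back to a
 * small number, the check passes, and code that then trusts len reads (or
 * memcpy's) gigabytes past the end of the file buffer. Returns 1 = accepted. */
int naive_block_fits(uint32_t off, uint32_t len, uint32_t total) {
    return (uint32_t)(off + len) <= total;      /* wraps on overflow */
}

/* Hardened form: compare len against the space actually left, so no
 * intermediate value can overflow. */
int safe_block_fits(uint32_t off, uint32_t len, uint32_t total) {
    return off <= total && len <= total - off;
}

/* Walk every block. Returns SCAN_DETECTED if a type-0x01 payload contains SIG,
 * SCAN_MALFORMED on any structural error (the scanner must refuse, not guess),
 * otherwise SCAN_CLEAN. Every iteration advances off by at least HDR_LEN, so a
 * stream of zero-length blocks cannot make the loop spin forever. */
int scan_container(const uint8_t *buf, uint32_t total) {
    if (total < MAGIC_LEN || memcmp(buf, "NRX1", MAGIC_LEN) != 0)
        return SCAN_MALFORMED;
    uint32_t off = MAGIC_LEN;
    while (off < total) {
        if (total - off < HDR_LEN)                 /* truncated block header */
            return SCAN_MALFORMED;
        uint8_t  type = buf[off];
        uint32_t len  = rd_u32le(buf + off + 1);
        off += HDR_LEN;
        if (!safe_block_fits(off, len, total))     /* rejects wrapped/oversized len */
            return SCAN_MALFORMED;
        if (type == 0x01 && len >= SIG_LEN) {
            /* Bounded by the validated len: off + i + SIG_LEN <= total. */
            for (uint32_t i = 0; i + SIG_LEN <= len; i++)
                if (memcmp(buf + off + i, SIG, SIG_LEN) == 0)
                    return SCAN_DETECTED;
        }
        off += len;                                /* cannot exceed total */
    }
    return SCAN_CLEAN;
}

/* Four constructed sample files. */
static const uint8_t SAMPLE_DETECTED[] = {
    'N','R','X','1', 0x01, 11,0,0,0, 'M','A','L','S','I','G','-','T','E','S','T' };
static const uint8_t SAMPLE_CLEAN[] = {
    'N','R','X','1', 0x02, 3,0,0,0, 'a','b','c', 0x01, 4,0,0,0, 'd','a','t','a' };
/* len = 0xFFFFFFF8: with off = 9 the naive sum wraps to 1, so the naive check
 * accepts a block claiming ~4 GB of payload inside a 13-byte file. */
static const uint8_t SAMPLE_WRAPPED_LEN[] = {
    'N','R','X','1', 0x01, 0xF8,0xFF,0xFF,0xFF, 'x','x','x','x' };
static const uint8_t SAMPLE_TRUNCATED[] = {
    'N','R','X','1', 0x01, 11,0,0,0, 'a','b','c' };

int main(void) {
    printf("naive check on wrapped len: %d (1 = accepted)\n",
           naive_block_fits(9, 0xFFFFFFF8u, sizeof SAMPLE_WRAPPED_LEN));
    printf("safe  check on wrapped len: %d\n",
           safe_block_fits(9, 0xFFFFFFF8u, sizeof SAMPLE_WRAPPED_LEN));
    printf("detected : %d\n", scan_container(SAMPLE_DETECTED, sizeof SAMPLE_DETECTED));
    printf("clean    : %d\n", scan_container(SAMPLE_CLEAN, sizeof SAMPLE_CLEAN));
    printf("wrapped  : %d\n", scan_container(SAMPLE_WRAPPED_LEN, sizeof SAMPLE_WRAPPED_LEN));
    printf("truncated: %d\n", scan_container(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The point to take from the two checks is that the naive one is not "wrong" on any well-formed file, which is exactly why it survives testing against real samples; it only fails on input crafted to violate the assumption that offset plus length is a meaningful number. A scanner that has to parse dozens of such formats carries one of these assumptions per length field, and the hardened version is also the one that turns a would-be crash or code-execution path into a plain SCAN_MALFORMED verdict.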

The research they cite is based on Secunia's tracking of advisories affecting antivirus products, as well as research conducted by the University of Michigan emphasizing the severity of the vulnerabilities on a per-product basis. For instance, between 2002 and 2005 there were 50 advisories regarding vulnerabilities in antivirus products, but between 2005 and 2007 there were 170, an increase of 240%. Moreover, according to a research paper by Feng Xue presented at this year's Black Hat Europe, the U.S. National Vulnerability Database lists 165 vulnerabilities in antivirus products reported during the last four years. It is even more ironic that the now-fixed remote code execution vulnerability in Panda Security's online virus scanner further proves that the security solution can indeed end up the security problem itself.

With the increasing interest in, and success at, finding critical security vulnerabilities in antivirus products, are we going to see more abuse of these "windows of opportunity" by malware authors themselves? I don't think so, at least not on a large scale. What they will continue researching are ways to shut down the antivirus solution silently, prevent it from reaching its hard-coded update locations, and most importantly ensure the malware has been pre-tested against the most popular security solutions before it is released in the wild: precisely what they have been doing for the last couple of years.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • No matter what you do---

    You'll never get rid of viruses. This could even be a threat to the United Nations.
    • Re: No matter what you do---

      Well, it is, since in April the official site of the United Nations got SQL injected and was serving malware for a while.
  • Oh the Humanity!

    D T Schmitz
    • What is "nt"?

      Ok, I keep seeing "nt" sprinkled through talkbacks like this one. What do people mean when they write that?
      • nt = no text

        nt = no text

        no text in message, just the subject. No need to open the message as there is no content.
        • Aha!

          Thanks for the clarification. Since I usually read these talkbacks in Flat View, this meaning did not occur to me.
        • Put nt in subject, not message

          I see it more often in the body, which defeats the intended purpose: saving you from needing to open the message. It would be cool if the forums would automatically add [nt] to the subject when the message is empty.
          • Which is damn near impossible...

            [b]I see it more often in the body, which defeats the intended purpose: saving you from needing to open the message. It would be cool if the forums would automatically add [nt] to the subject when the message is empty. [/b]

            ...given ZDNet's messages REQUIRE you to type something - it won't post a completely empty message.
          • Hmm, didn't know that.

            Well, we can surely all agree that "nt" should be placed on the subject line, then again in the message if some characters are necessary. Message only is the real issue.
          • a single period is enough (nt)

  • RE: Approximately 800 vulnerabilities discovered in antivirus products

    Parsing errors can occur in all products that read or scan files. It's a big problem for the antivirus companies. A parsing error can lead to a denial of service or, in the worst case, code execution.
  • You know it's pretty bad when AV vulnerabilities are found... hacks like me.
  • That's how computer viruses work

    They try to outwit the AV scanners, and yes it's an uphill battle for the AV companies to catch up with threats, especially given the very high prevalence and seriousness of successful virus attacks.

    AV companies work CONSTANTLY to try to cover vulnerabilities in their own scanners.

    That's why it's so important to use a RANGE of products.

    But as to the technical issue of parsing, YES AV programs can be enabled to deal with these threats, but first this is VERY COSTLY and second, we would all have to get into the habit of doing MUCH LENGTHIER all night AV scans for parsing attacks, perhaps as an extra option, if AV companies give us this ability.

    AV companies DO TAKE vulnerabilities in their own code VERY SERIOUSLY.

    It's just that covering ALL attack threats is a) very difficult b)takes a huge amount of time AND technical expertise to achieve.

    I can only assume the publicity about these vulnerabilities is to try to coerce AV companies to respond and deal with such.

    It would be FAR more responsible if security researchers outside of AV companies PRIVATELY contacted AV companies, rather than giving this information directly to possible virus attackers.
    • So what about AV vendors that claim not...

      to use scanning?

      I know my NOD32 always seems to catch the virus without scanning; so I tend not to use the feature in that product.
    • It would be FAR more responsible...

      You express a reasonable thought here, but there is one serious drawback that [i]both[/i] OS companies are vilified for-- the AV companies would just sweep this information under the rug if it were given to them privately; hoping that the lack of publicity would protect them from attacks along that vector. By making a public statement, you force these companies to act immediately or be seen as a poor solution to the malware problem.
  • The danger of running under the System account

    In order to protect you at the level they want to protect you at, antivirus user-mode apps often run under the System account. This makes any flaw especially dangerous as the attacker gets full control over the machine.

    Yes, System is more dangerous than Administrator (note that it's not really right when people compare Windows's Administrator account(s) with Unix's root account -- root is more like System, even more powerful than Administrator).

    There needs to be another way for these apps to run -- in some kind of special account which has certain privileges but short of System. Not sure what all this would entail, or even if it's possible/plausible with today's Windows' security architecture, but its the direction they need to go in.

    This is not to mention the various kernel drivers that AV software includes. And some AV vendors (was it McAfee or Symantec, I don't remember) had the gall to whine to Microsoft about PatchGuard?
    • RE:The danger of running under the System account

      Well, what if you set the AV scanner to run with an account that is assigned to the 'backup operator' group.... it has full privilege to the system FILES to scan, etc., but not to execute anything at the admin/system level, right?
    • A better approach ...

      ... is not to let ANYTHING EXCEPT the Kernel run in this mode. This "micro-kernel" approach prevents any code from operating outside of its own address space. If no code can operate outside of its own address space, you may put the AV folks out of business but you also put the hackers out of business by limiting the system's 'cross-section' of vulnerability to the kernel itself.
      M Wagner
  • So which AV products are any good?

    Did they say which AV products are any good? Which had the least number of flaws?
    • The free ones are best

      AntiVir XP is a good one, and it's free. It is also much less taxing of system resources than McAfee or Norton. I think that AV software is like a safety on a gun. You shouldn't rely on it as a "fail-safe", but just one layer of protection.

      Quite frankly, no AV software can protect some users, and it's really only a few that can ruin things for everyone else.

      I haven't used any AV software on any of my machines for some years now. I only use a firewall (Zone Alarm, free also) and so far so good, however I am not much of a "surfer" and I use extreme caution with all things internet. I rarely click on links in emails (so I guess I'll miss out on "smacking the penguin", oh well), and just generally use rare-sense* when on the net.

      *Rare-sense used to be called Common-sense, but it isn't really very common any more.
      Mike Hunt