Zero Day
Approximately 800 vulnerabilities discovered in antivirus products
By Ryan Naraine and Dancho Danchev
UPDATE: McAfee debunks recent vulnerabilities in AV software research, n.runs restates its position.

In what appears to be either a common scenario of “when the security solution ends up the security problem itself”, or a product launch basing its strategy on outlining the increasing number of critical vulnerabilities found in competing antivirus products, the IT/Security consulting firm n.runs AG claims to have discovered approximately 800 vulnerabilities within antivirus products based on exploiting a standard malware scanning process known as “parsing”:
“During the past few months, specialists from the n.runs AG, along with other security experts, have discovered approximately 800 vulnerabilities in anti-virus products. The conclusion: contrary to their actual function, the products open the door to attackers, enable them to penetrate company networks and infect them with destructive code. The positioning of anti-virus software in central areas of the company now poses an accordingly high security risk. The tests performed by the consulting company and solutions developer n.runs have indicated that every virus scanner currently on the market immediately revealed up to several highly critical vulnerabilities. These then pave the way for Denial of Service (DoS) attacks and enable the infiltration of destructive code – past the security solution into the network. With that, anti-virus solutions actually allow the very thing they should instead prevent.”
Between the ongoing efforts of malware authors to obfuscate their binaries, to release as many as possible in the shortest achievable time frame, and to ensure that they bypass the most popular personal firewalls by applying quality assurance to their malware campaigns before release, can antivirus products be a security issue themselves? Of course they can, and the increasing number of vulnerabilities discovered clearly indicates a growing interest in proving that point.
How did n.runs manage to discover the vulnerabilities they claim to have found? By following the very same logic on which a great deal of current vulnerabilities are based: the way in which the scanner parses the file it is supposed to scan:
“In this context, n.runs was able to make out so-called “parsing” as one of the main causes of this boomerang effect. The principle functions as follows: virus scanners must recognise as many “Malware” applications as possible – and thereby comprehend and process a large number of file formats. In order to be able to interpret the formats, an application must partition the corresponding file into blocks and structures. This separation of data into analysable individual parts is called “parsing”. Mistaken assumptions in the course of programming the parsing code create constellations which enable the infiltration and subsequent running of programme code. Moreover, the quick reaction time expected of developers (regarding threats) contributes to a decrease in the quality of the code. In short: the more parsing that takes place, the higher the recognition rate and the degree of protection from destructive software, but at the same time, the larger the attack surface – which makes the anti-virus solution itself a target.”
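The “mistaken assumptions” n.runs describes are easiest to see in a concrete parser. The following is an added example, not n.runs’ or any vendor’s code: a bounds-checked parser for a constructed, hypothetical archive format (“TOYA”), with comments marking the assumptions about attacker-controlled length fields that a naive scanner parser would make and this one checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy archive format (hypothetical, not any real AV or archive format):
 *   "TOYA" | count:u8 | count x ( name_len:u8 | name | data_len:u16le | data ) */
#define MAX_NAME 32
#define MAX_ENTRIES 8

enum toy_status { TOY_OK = 0, TOY_BAD_MAGIC, TOY_TRUNCATED, TOY_NAME_TOO_LONG, TOY_TOO_MANY };

struct toy_entry { char name[MAX_NAME + 1]; const uint8_t *data; size_t data_len; };

/* Every length field is attacker-controlled: each is checked against the
 * destination buffer AND against the bytes actually remaining in the input
 * before any copy or pointer advance. */
enum toy_status toy_parse(const uint8_t *buf, size_t len, struct toy_entry *out, size_t *out_n)
{
    size_t pos = 5, n;
    *out_n = 0;
    if (len < 5 || memcmp(buf, "TOYA", 4) != 0) return TOY_BAD_MAGIC;
    if (buf[4] > MAX_ENTRIES) return TOY_TOO_MANY;       /* the entry count is not trusted either */
    for (n = 0; n < buf[4]; n++) {
        if (len - pos < 1) return TOY_TRUNCATED;
        uint8_t name_len = buf[pos++];
        /* Mistaken assumption 1: "a name always fits in MAX_NAME"; a naive
         * memcpy(out[n].name, buf + pos, name_len) would overrun the buffer. */
        if (name_len > MAX_NAME) return TOY_NAME_TOO_LONG;
        /* Mistaken assumption 2: "the declared length is backed by real bytes". */
        if (name_len > len - pos) return TOY_TRUNCATED;
        memcpy(out[n].name, buf + pos, name_len);
        out[n].name[name_len] = '\0';
        pos += name_len;
        if (len - pos < 2) return TOY_TRUNCATED;
        size_t data_len = (size_t)buf[pos] | ((size_t)buf[pos + 1] << 8);
        pos += 2;
        if (data_len > len - pos) return TOY_TRUNCATED;   /* same check for the data payload */
        out[n].data = buf + pos;
        out[n].data_len = data_len;
        pos += data_len;
    }
    *out_n = n;
    return TOY_OK;
}

/* Convenience wrappers: parse into a local table and report status / entry count. */
enum toy_status toy_check(const uint8_t *buf, size_t len)
{ struct toy_entry e[MAX_ENTRIES]; size_t n; return toy_parse(buf, len, e, &n); }
size_t toy_count(const uint8_t *buf, size_t len)
{ struct toy_entry e[MAX_ENTRIES]; size_t n; return toy_parse(buf, len, e, &n) == TOY_OK ? n : 0; }

/* Constructed samples: one well-formed file and three malformed ones. */
static const uint8_t good[]       = { 'T','O','Y','A', 2, 3,'a','.','c', 2,0,'h','i', 1,'b', 0,0 };
static const uint8_t long_name[]  = { 'T','O','Y','A', 1, 200, 'x' };          /* name_len > MAX_NAME */
static const uint8_t short_name[] = { 'T','O','Y','A', 1, 3, 'a','b' };        /* name_len > bytes left */
static const uint8_t big_data[]   = { 'T','O','Y','A', 1, 1,'a', 0xff,0xff };  /* data_len > bytes left */
```

Each rejected sample is exactly the kind of file a fuzzer throws at a scanner; a parser that trusts the length field instead of checking it is where the DoS or code-execution bugs n.runs counts come from.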
The research they cite is based on Secunia’s tracking of advisories affecting antivirus products, as well as research conducted by the University of Michigan emphasizing the severity of the vulnerabilities on a per-product basis. For instance, between 2002 and 2005 there were 50 advisories regarding vulnerabilities affecting antivirus products, but between 2005 and 2007 there was an increase of 240%, with 170 advisories. Moreover, according to a research paper by Feng Xue presented at this year’s Black Hat Europe, the U.S. National Vulnerability Database records 165 vulnerabilities within antivirus products reported during the last 4 years. It is even more ironic to point out that the now fixed remote code execution vulnerability in Panda Security’s online virus scanner further proves that the security solution can indeed end up being the security problem itself.
With the increasing interest and success in finding critical security vulnerabilities within antivirus products, are we going to see more abuse of these “windows of opportunity” by malware authors themselves? I don’t think so, at least not on a large scale. What they are going to continue researching are ways to shut down the antivirus solution silently, to prevent it from reaching its hard-coded update locations, and most importantly to ensure the malware has been pre-tested against the most popular security solutions before it is released in the wild - precisely what they have been doing for the last couple of years.
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.
Talkback (most recent of 173 talkbacks)
No matter what you do---
You'll never get rid of viruses. This could even be a threat to the United Nations.
BALTHOR, 07/07/2008 01:58 PM
Re: No matter what you do---
Well, it is, since in April the official site of the United Nations got SQL injected and was serving malware for a while:
http://ddanchev.blogspot.com/2008/04/united-nations-serving-malware.html
ddanchev (ZDNet Blogger), 07/07/2008 02:00 PM
D T Schmitz, 07/07/2008 04:09 PM
What is "nt"?
Ok, I keep seeing "nt" sprinkled through talkbacks like this one. What do people mean when they write that?
MauiMike, 07/08/2008 11:39 AM
nt = no text
No text in the message, just the subject. No need to open the message as there is no content.
Happydawg, 07/08/2008 11:52 AM
Aha!
Thanks for the clarification. Since I usually read these talkbacks in Flat View, this meaning did not occur to me.
MauiMike, 07/08/2008 12:00 PM
Put nt in subject, not message
I see it more often in the body, which defeats the intended purpose: saving you from needing to open the message. It would be cool if the forums would automatically add [nt] to the subject when the message is empty.
Embedded66, 07/08/2008 12:08 PM
Which is damn near impossible...
“I see it more often in the body, which defeats the intended purpose: saving you from needing to open the message. It would be cool if the forums would automatically add [nt] to the subject when the message is empty.”
...given ZDNet's messages REQUIRE you to type something - it won't post a completely empty message.
Wolfie2K3, 07/08/2008 03:11 PM
Hmm, didn't know that.
Well, we can surely all agree that "nt" should be placed on the subject line, then again in the message if some characters are necessary. Message only is the real issue.
Embedded66, 07/09/2008 01:07 PM
rtk, 07/11/2008 07:32 PM
RE: Approximately 800 vulnerabilities discovered in antivirus products
Parsing errors can occur in all products that read or scan files. It's a big problem for the antivirus companies. A parsing error can lead to a denial of service or, in the worst case, code execution.
MrViklund, 07/07/2008 04:35 PM
You know it's pretty bad when AV vulnerabilities are found...
...by hacks like me (http://secunia.com/advisories/19284/).
toadlife, 07/07/2008 04:47 PM
That's how computer viruses work
They try to outwit the AV scanners, and yes, it's an uphill battle for the AV companies to catch up with threats, especially given the very high prevalence and seriousness of successful virus attacks.
AV companies work CONSTANTLY to try to cover vulnerabilities in their own scanners.
That's why it's so important to use a RANGE of products.
But as to the technical issue of parsing, YES, AV programs can be enabled to deal with these threats, but first this is VERY COSTLY and second, we would all have to get into the habit of doing MUCH LENGTHIER all-night AV scans for parsing attacks, perhaps as an extra option, if AV companies give us this ability.
AV companies DO TAKE vulnerabilities in their own code VERY SERIOUSLY.
It's just that covering ALL attack threats is a) very difficult, b) takes a huge amount of time AND technical expertise to achieve.
I can only assume the publicity about these vulnerabilities is to try to coerce AV companies to respond and deal with such.
It would be FAR more responsible if security researchers outside of AV companies PRIVATELY contacted AV companies, rather than give this information directly to possible virus attackers.
chaz15, 07/07/2008 05:44 PM
So what about AV vendors that claim not...
...to use scanning? I know my NOD32 always seems to catch the virus without scanning, so I tend not to use the feature in that product.
JCitizen, 07/08/2008 09:07 AM
It would be FAR more responsible...
You express a reasonable thought here, but there is one serious drawback that both OS companies are vilified for-- the AV companies would just sweep this information under the rug if it were given to them privately, hoping that the lack of publicity would protect them from attacks along that vector. By making a public statement, you force these companies to act immediately or be seen as a poor solution to the malware problem.
vulpine@..., 07/08/2008 10:33 AM