The AntiVirus Era

For the last 30 years the computer security industry has been dominated by antivirus. Companies like Symantec are worth billions of dollars, and their products are deployed across millions of enterprise machines. For the average home user products like your typical antivirus may be enough, though I wouldn’t count on it alone. When it comes to an enterprise environment AV technology is critically flawed, and incapable of handling the threats presented to it.

An antivirus is based on the idea that if you can analyze malware from the past you can detect malware in the future. It’s a simple idea, and it can be effective for massive campaigns that are meant to be spread out across as many users as possible, because attackers only have time to create one payload, and then ‘crypt’ it, and try to avoid detection through automated means.

Basing security on research having to do with ‘in the wild’ malware is something I’ve talked briefly about on Twitter. I’d like to expand on that. When you build a security product around the threat landscape, and when you focus your research on the current threat landscape, it will probably be outdated by the time you publish it. For one thing, malware campaigns change drastically from country to country – trying to average it out or boil it all down is going to be way too broad to be useful. On top of that, malware is constantly changing. We see new threats, drastically new threats even, every year. In the last few years some of the most advanced atypical malware has been discovered, and there are many people who believe this will continue. So for research to talk about ‘the now’ in a field that is so fast paced, to me, is a waste of time.

In the case of what has been dubbed ‘Advanced Persistent Threats’ (APT), an oft overused term, the threats are targeted to the intended victims. Instead of attacking the world you go after a company. The effort involved in a targeted attack is greater, and it may take more time, but the payout can be estimated as ’10x’ what a mass campaign would be. Beyond pure monetary gain there are also other motivators, such as belief in a cause – hacking as a form of activism is referred to as ‘hacktivism’, and it has become far more prominent over the last few years.

If we take what we know about an AV, that it must rely on detection, and that the detection it uses relies on analyzing past malware, it isn’t difficult to see how a highly targeted attack would bypass it. Simply by virtue of being targeted, and new, an attacker will have a massive advantage against any antivirus. This has been shown many times, but most recently we can see this demonstrated through the New York Times. As some of you may know the New York Times was recently hacked, and they reported on the findings surrounding the incident. One highlight from the piece:

Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.

To put it bluntly, Symantec failed somewhat miserably. But you can’t really blame a product like theirs for being ill equipped at dealing with something so outside of what it’s meant to deal with. And I don’t think any other antivirus would have done all that much better – they’re simply not able to deal with these situations.

This is one in quite a few cases. Zero-day exploits are being sold to governments, and those governments are in turn hacking each other’s citizens. There has been evidence in the past that exploits shown by Vupen, and purchased by their customers, have been used in the wild. Stuxnet, Duqu, Flame, all advanced pieces of malware delivered through advanced exploits, and they infected numerous users. And it took a very long time for antivirus vendors to catch on to them and create definitions for them.

So this really begs the question – is this ‘era of antivirus’ finally over? The antivirus industry has been dominated by a very specific type of program, is that really going to change?

The answer is complicated, it’s one of those annoying ‘yes and no’ situations. Obviously antivirus is a terrible addition to your security, and in my own opinion it’s far more of a burden than a benefit, but that doesn’t mean it’s going anywhere. There are no decent replacements. If we dump the antivirus we’re left with, god forbid, Firewalls – another massive waste of money that companies like to pour resources into.

Some replacements have cropped up. Nothing impressive… at all. Various products take different approaches, a few even implement sandboxes, but they’re pretty pathetic and feel very ‘thrown together’. Comodo Internet Security is a very ‘different’ product – it’s a HIPS and AV built around their Firewall. While it can in theory be used to protect against APT there is absolutely no way it will in practice, anyone who has tried using it will be able to attest to that. And most other products suffer from the same issues, OK in theory, horrible in practice.

Beyond all of that, companies aren’t run by security experts. Hell, even IT teams aren’t run by security experts. I happen to go to a school that has a focus on computer security, and even it focuses on the wrong topics (though it’s far better than most). Reflecting this is the culture surrounding security incidents. You generally have two responses:

1) Blame some user somewhere for clicking something

2) Invest in more expensive Firewalls and other useless security software that has failed time and time again (I don’t hate Firewalls, I hate Firewall businesses)

So I wouldn’t expect the response to actually be, you know, productive in some way. So even if there were products to fill the gap that AV would leave it would make no difference, IT is broken.

I hope to personally kill the AV one day, and I’ll be happy when it’s dead. Detection isn’t a bad thing, testing against current threats isn’t a bad thing, but god damn do not make it the core of your product. I’ve seen so many pathetically insecure products touting how great they are just because, oh my god, they can block some generic malware – not too impressive.

Security is, as always, about principles. Some things are universal – entropy, uncertainty, least privilege. You know what makes APT hard? When an attacker doesn’t know what they’re up against, when a remote attack might fail. There is nothing scarier to a hacker than a potentially failed attack – if a system gets accidentally DOS’d, as opposed to hacked, the IT team is going to be on alert. Security research should focus on further implementation of these principles, not on how to stop yesterday’s malware using techniques from the late ’80s.

Malware Using Hacked Adobe Certificates

Adobe has just released a statement that one of its build servers has been compromised and attackers have used it to sign their malware with Adobe certificates. Due to how Windows 7 UAC works an attacker could sign their malware with this Adobe certificate and gain instant privilege escalation. Even with UAC on Max (as is the default for Vista) the attackers have a legitimate certificate, which will make convincing a user that it’s a legitimate application much easier. Certain policies that rely on digital signatures to secure systems will also fail here – for example some policies restrict execution to signed programs.

Two malicious samples were found. One seems to steal password hashes from the operating system and the other works as an ISAPI Filter (in other words it filters your HTTP requests and then acts based on those requests). No further details are given for the two malicious entries. The malware is likely part of a sophisticated and targeted attack – not something the average user will run across.

Adobe has stated that it is working with security vendors and that a current fix would be to add the MD5 hashes of the malware to your Software Restriction Policies. Adding the certificates to ‘Untrusted Certificates’ would also potentially work but it would also block legitimate Adobe products.

The investigation into the compromise of the build server is ongoing. No source code has been stolen or tampered with. It seems that a build server was not configured properly and it’s as simple as that.

You can read more about this straight from Adobe. (Here)

And honestly, kudos to Adobe for putting this out there. This isn’t us reading about it weeks later and Adobe trying to cover it (which is surprisingly common with these things) but they owned up, said a server was misconfigured, and as far as I can tell they’re doing everything right. So often a website gets hacked and all they do is play damage control with the press or try to cover it up. Adobe’s certificate got hacked and they’ve responded well.

I think that’s really a testament to how Adobe has changed. Flash isn’t the security hole it once was – it’s not amazing but they’ve made significant improvements both to the security (ASLR, Sandboxing) and performance (multithreaded video decoding, GPU accelerated, etc). The same goes for Adobe Reader. So good for them for owning up and taking the right steps to fix their mistakes yet again.

What Attackers Want And What Attackers Need

I think there’s often a lot of confusion when it comes to understanding why malware works the way it does. People forget that malware is a business: very little malware serves only to needlessly destroy or mess with people, and the vast majority of it is used to make money somehow.

Typically an infection occurs through the following process:

1) A user is tricked or forced to view an exploit page running either Blackhole or ivy or some other kit.

2) The user’s browser or browser plugin is exploited, allowing an attacker to gain control of the process.

3) The now infected process downloads a separate payload.

4) The infected process executes that payload.

That’s your typical infection. There are more sophisticated attacks and attacks that might stay within a browser or do something entirely different but most of the time this is how it goes.

And this is where the confusion starts. Attackers do this because it’s easy – having your exploit code call a separate payload means that you can change your payload at any time. From a managerial standpoint the benefits are numerous – if you’re selling this exploit page you can customize the payload on a per customer basis, if one payload is detected you just replace it on the server’s end and you keep your exploit page the same, you can tailor the payload to the system, etc.

At no point does an attacker need to use a separate payload. Anything payload.exe can do, the process that launched it can do too. This is why antiexecutables are great for preventing your typical malware, but anyone can see the weakness.
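As an added example (not code from the original post), here is the detection logic a defender would write for the four-step chain above: it walks constructed process-creation records and flags a browser or plugin host spawning an executable from a user-writable path, which is exactly the step 3/4 pattern an antiexecutable keys on. The host list, the path rules and the sample log lines are assumptions made up for the demonstration; a payload that never leaves the exploited process produces no such event, which is the weakness the preceding paragraph points at.

```go
package main

import (
	"fmt"
	"strings"
)
// ProcEvent is one process-creation record: which image spawned which.
type ProcEvent struct{ Parent, Child string }

// Constructed sample telemetry in "parent|child" form, standing in for process-
// creation logs such as Sysmon event ID 1. Every path here is made up.
const sampleLog = `C:\Windows\explorer.exe|C:\Program Files\Firefox\firefox.exe
C:\Program Files\Firefox\firefox.exe|C:\Program Files\Firefox\plugin-container.exe
C:\Program Files\Firefox\plugin-container.exe|C:\Users\bob\AppData\Local\Temp\payload.exe
C:\Program Files\Adobe\Reader\AcroRd32.exe|C:\Users\bob\AppData\Roaming\update.exe
C:\Program Files\Firefox\firefox.exe|C:\Windows\System32\notepad.exe`

// Processes that render untrusted content, i.e. where step 2 of the chain happens.
var exposedHosts = map[string]bool{
	"firefox.exe": true, "chrome.exe": true, "iexplore.exe": true,
	"plugin-container.exe": true, "acrord32.exe": true,
}

// baseName lower-cases the file name after the last path separator.
func baseName(p string) string {
	return strings.ToLower(p[strings.LastIndexAny(p, `\/`)+1:])
}

// userWritable is a rough test for where a non-admin payload drop lands.
func userWritable(p string) bool {
	l := strings.ToLower(p)
	return strings.HasPrefix(l, `c:\users\`) || strings.Contains(l, `\temp\`)
}

// ParseLog turns "parent|child" lines into events, skipping malformed lines.
func ParseLog(log string) []ProcEvent {
	var evs []ProcEvent
	for _, line := range strings.Split(log, "\n") {
		if parts := strings.SplitN(strings.TrimSpace(line), "|", 2); len(parts) == 2 {
			evs = append(evs, ProcEvent{parts[0], parts[1]})
		}
	}
	return evs
}

// FlagPayloadLaunches reports children spawned by a content-rendering host from a
// user-writable path: the step 3/4 "download a separate payload and run it" pattern.
// A payload that stays inside the exploited process never produces such an event.
func FlagPayloadLaunches(events []ProcEvent) []string {
	var hits []string
	for _, e := range events {
		if exposedHosts[baseName(e.Parent)] && userWritable(e.Child) {
			hits = append(hits, e.Child)
		}
	}
	return hits
}

func main() { fmt.Println(FlagPayloadLaunches(ParseLog(sampleLog))) }
```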

Attackers also don’t necessarily need the highest privilege available. From a standard user account I can do quite a lot. If I’ve just infected your browser process I’ve got access to everything your browser has. I can install a malicious extension (a form of persistence) or plugin and work as a bank trojan. There are a ton of things you can do without admin privilege. And you don’t need to patch the kernel anymore either – ZeroAccess ditched its kernel-mode 32-bit driver because maintaining one driver is simpler.

Defending against an attacker shouldn’t start by finding out what they want; it should start by preventing what they need. Find the critical part of an attack and prevent that part.

Google For Security – Search Detects State Sponsored Attack

So once in a while Google does this thing where they’ll be able to detect if you’re infected just by you doing a Google search. I only recall one other time that this happened, with a DNS hijacking malware or some such thing, but it’s here again today.

If you perform a Google search and they believe you’re infected you’ll receive a little message.

If you see this warning it does not necessarily mean that your account has been hijacked. It just means that we believe you may be a target, of phishing or malware for example, and that you should take immediate steps to secure your account. Here are some things you should do immediately: create a unique password that has a good mix of capital and lowercase letters, as well as punctuation marks and numbers; enable 2-step verification as additional security; and update your browser, operating system, plugins, and document editors. Attackers often send links to fake sign-in pages to try to steal your password, so be careful about where you sign in to Google and look for in your browser bar. These warnings are not being shown because Google’s internal systems have been compromised or because of a particular attack.

You might ask how we know this activity is state-sponsored. We can’t go into the details without giving away information that would be helpful to these bad actors, but our detailed analysis—as well as victim reports—strongly suggest the involvement of states or groups that are state-sponsored.

They don’t explicitly state “Flame” but it’s possible. Or it could be entirely new malware, they really don’t seem to say.

To Clarify Flame And AutoUpdate Security

The Flame used a MITM attack on users via a forged Microsoft certificate. Yes, it attacked you via Windows Update – it sucks but this can happen. Windows Update does use a secure connection, but apparently one of the certs was using a weak cryptographic hash (this is the most likely avenue of attack; it isn’t confirmed that the cert wasn’t hacked outright, and Microsoft says ‘collision attack’) and, as I posted about the other day, Flame used this against its victims.

This is scary in that it’s kinda like your antivirus being exploited or some such thing. Updates should keep you safe, not put you in danger.

That said this wasn’t a typical case. While it still demonstrates the issue of trusting a single authority to verify contents (I’m not sure how well the Windows Update feature is handled, Linux has a lot of verification) it isn’t the typical case – they needed a few things to line up and one of those was probably a really weak cert as well as a mistake that led to those certs being connected to root certs. Most root certs aren’t MD5 anymore so it makes things more difficult for attackers to MITM without outright stealing them.

A lot of people have been critical of Chrome and Adobe Flash’s new autoupdate features. They say that this will be exploited. While it’s possible, it isn’t hard to make autoupdating fairly difficult to hack: it’s a matter of strong crypto and a lot of verification. Remaining up to speed on patches is far more important than worrying about targeted attacks involving hacked certs – exercise some risk management here.
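The ‘strong crypto and a lot of verification’ point, worked through as an added example rather than anything from Chrome’s or Flash’s actual updaters: an update client that trusts one pinned Ed25519 release key instead of a CA chain (so there is no chain for a forged intermediate to attach to), refuses a manifest that names MD5 before checking anything else, and only then compares the update’s SHA-256 digest. The key pairs, the manifest format and the update bytes are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)
// Manifest carries the digest algorithm, the digest of the update bytes, and the
// release key's signature over both, so the algorithm cannot be swapped for a weaker one.
type Manifest struct {
	HashAlg           string
	Digest, Signature []byte
}
var ErrWeakHash = errors.New("manifest names a hash the client does not accept")
var ErrBadSig = errors.New("signature does not verify against the pinned release key")
var ErrDigest = errors.New("update bytes do not match the signed digest")

// signedBytes is what the release key signs: algorithm name plus digest.
func signedBytes(m Manifest) []byte { return append([]byte(m.HashAlg+"\x00"), m.Digest...) }

// SignUpdate is the vendor side: hash the update, sign algorithm+digest.
func SignUpdate(priv ed25519.PrivateKey, update []byte) Manifest {
	sum := sha256.Sum256(update)
	m := Manifest{HashAlg: "sha256", Digest: sum[:]}
	m.Signature = ed25519.Sign(priv, signedBytes(m))
	return m
}

// VerifyUpdate is the client side: exactly one pinned key (no CA chain to forge
// a path through), weak digests refused first, then signature, then contents.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, update []byte) error {
	if m.HashAlg != "sha256" {
		return ErrWeakHash
	}
	if !ed25519.Verify(pinned, signedBytes(m), m.Signature) {
		return ErrBadSig
	}
	if sum := sha256.Sum256(update); string(sum[:]) != string(m.Digest) {
		return ErrDigest
	}
	return nil
}

// Demo runs four constructed cases with throwaway keys: genuine update, update
// signed by an attacker's own key, manifest downgraded to MD5, tampered body.
func Demo() (genuine, rogueKey, weakHash, tampered error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	update := []byte("constructed update blob v1.2")
	good := SignUpdate(priv, update)
	genuine = VerifyUpdate(pub, good, update)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	rogueKey = VerifyUpdate(pub, SignUpdate(attackerPriv, update), update)
	weakHash = VerifyUpdate(pub, Manifest{"md5", good.Digest, good.Signature}, update)
	tampered = VerifyUpdate(pub, good, []byte("constructed update blob v1.3"))
	return
}

func main() { fmt.Println(Demo()) }
```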

Think about it this way. If you didn’t ever update you were safe from the Flame directly trying to MITM you but it also attacked you using vulnerabilities that have patches out already. And there are a hundred other vulnerabilities it could have used if you hadn’t patched.

If you’re super paranoid you can try to download patches directly from what you can verify is a ‘trusted’ network and then implement them like hotfixes. I don’t recommend this. In fact, forget I said it.

Anyways, (and I say this with full knowledge of the irony) you should run Windows Update to remove the faulty certs.

If you’re fully up to date that should really cover it for preventing Flame infections.

PatchGuard Should Mimic SecureBoot

PatchGuard is Microsoft’s implementation of Kernel Patch Protection, available on Vista/7/8 64-bit systems. The idea is to prevent any code from patching the kernel, i.e. third-party code cannot modify or change kernel code.

This has had an immense effect on the security of Windows 64bit systems. Rootkits are far more limited in what they can do and how they can hide.

The problem here is that no one’s allowed to patch it. That means we’re locked into the Microsoft security model, which until Windows 8 has been pretty awful (integrity levels.) So while a security company on 32bit can implement their own security model and have it act on a kernel-level (you need to be same rights or higher to properly intercept SYS_CALL etc) they’re just as limited as rootkits now, having to resort to other means to limit malware.

SecureBoot is another feature aimed at preventing bootkits. Where SecureBoot differs is that it maintains a whitelist so that signed software can actually ‘bypass’ (not truly a bypass as this is the design and strength of it) it.

It would have been cool if PatchGuard had done something similar. Had Microsoft implemented a vetting system for PatchGuard certs we’d still see security products on Windows capable of performing up-to-par with the 32bit counterparts.

I Am Unsatisfied With The State Of Security

I’m running Linux Ubuntu, which I have patched up and locked down in various ways but I’m still unsatisfied with the level of security provided to me.

While my system is heavily protected against exploits it does nothing to stop me from being an idiot. Yeah, I can browse a website with a vulnerability without worry, but I can’t download malware and install it. That’s what I want. I want to be able to download malware, install it, and still be secure.

Is that too much to ask for?

I can think of at least one security model that would protect a user from themselves without restricting the user’s abilities. It’s hard to imagine that I’m the only one who’s thought of it.

Dealing With Advanced Threats – Where AV Fails

If the Flame malware gets one message to the masses it should be that antiviruses are a failure.

The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. [1]

Yeah, no kidding.

The fact is that, at best, a few antiviruses would give a warning about generic heuristic detection for Flame, and obviously that wasn’t enough because it’s been around for years. Potentially quite a few years, actually. And it’s not the first: Stuxnet went undetected for some time as well, as did various others.

Antiviruses, in terms of blacklists and heuristics, are actually a necessary part of security. I currently wouldn’t touch a single one of them out there, but I appreciate the principle: that I as a human am not capable of knowing whether a file is malicious or not, therefore an AV automates the process on a level only achievable programmatically.

The point is, whether AVs can or can’t be great in some ideal world, the current security solutions aimed at users are not enough, and trying to lock a user’s computer down beyond that is impractical with the tools we have been provided with. If we’re ever going to see improvement we need something radically new.

Did We Really Need Proof?

The latest news is confirmation that the US ordered Stuxnet. Of course, everyone who’s been paying attention already knew this. I swear I think I remember knowing this before I even knew what Stuxnet was.

Anyways, it was never publicly discussed, which I always found strange since it seems both obvious and widespread knowledge. That’s changed though as the NYTimes has published confirmation (so-called) that the US was involved and that Obama accelerated the program.

So, there we have it. If you’ve been paying attention this isn’t really news… but now everyone knows about it and you don’t sound crazy when you say “Yes, the US government is behind Stuxnet.” So there’s that.

First The Flame And Now Tinba

The latest malware news has been featuring The Flame. A malware made famous for its complexity, sophistication, and massive size – a full 20MB.

Just a day later we meet Tinba, a banking trojan that performs MITM in-browser attacks. Whereas Flame is 20MB Tinba is 1/1024th the size, 20KB.

Just to put some perspective on things.

Apparently Tinba is “The world’s smallest banking trojan” but it’s plenty dangerous, hijacking the browser and stealing information from banking sites.

Both of the malicious programs attempt to steal or spy on the user but they go about it in vastly different ways.