How do Viruses Attack Anti-Virus Programs

Similar documents
Protecting Anti-virus Programs From Viral Attacks

Malicious Software. Ola Flygt Växjö University, Sweden Viruses and Related Threats

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

Computer Viruses: How to Avoid Infection

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

Desktop and Laptop Security Policy

Network Incident Report

ANTIVIRUS BEST PRACTICES

Willem Wiechers 3 rd March 2015

Online Security Awareness - UAE Exchange - Foreign Exchange Send Money UAE Exchange

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Evaluating the Perceptions of People towards Online Security

Worms, Trojan Horses and Root Kits

Cryptography and Network Security Chapter 21. Malicious Software. Backdoor or Trapdoor. Logic Bomb 4/19/2010. Chapter 21 Malicious Software

Intruders and viruses. 8: Network Security 8-1

Computer Security DD2395

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Security Engineering Part III Network Security. Intruders, Malware, Firewalls, and IDSs

CS549: Cryptography and Network Security

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning

Statistical Analysis of Internet Security Threats. Daniel G. James

PROACTIVE PROTECTION MADE EASY

Trends in Zero-Day Kernel Exploits and Protection 2015

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

FAKE ANTIVIRUS MALWARE This information has come from - a very useful resource if you are having computer issues.

What Do You Mean My Cloud Data Isn t Secure?

Self Protection Techniques in Malware

Chapter 14 Computer Threats

Hacking Database for Owning your Data

Virus Infected Files A TRIZ based analysis

Certified Ethical Hacker Exam Version Comparison. Version Comparison

Malicious Software. Malicious Software. Overview. Backdoor or Trapdoor. Raj Jain. Washington University in St. Louis

Welcome To The L.R.F.H.S. Computer Group Wednesday 27 th November 2013

E-BUSINESS THREATS AND SOLUTIONS

Common Cyber Threats. Common cyber threats include:

1. Threat Types Express familiarity with different threat types such as Virus, Malware, Trojan, Spyware, and Downloaders.

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Hope is not a strategy. Jérôme Bei

Anti-Virus Comparative - Proactive/retrospective test May 2009

Information Security Services

An overwhelming majority of IaaS clouds leverage virtualization for their foundation.

Detecting Computer Viruses

UMHLABUYALINGANA MUNICIPALITY ANTIVIRUS MANAGEMENT POLICY

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

Malware. Björn Victor 1 Feb [Based on Stallings&Brown]

Emsi Software a-squared Anti-Malware 4.5

GFI White Paper PCI-DSS compliance and GFI Software products

Passing PCI Compliance How to Address the Application Security Mandates

Desktop Security. Overview and Technology Guidance. Michael Ramsey Network Specialist, NC DPI

ESET SMART SECURITY 6

ESET SMART SECURITY 9

Topics. Virus Protection and Intrusion Detection. What is a Virus? Three related ideas

Viruses, Worms, and Trojan Horses

Virus Protection for Small to Medium Networks

Malware Detection and Removal: An examination of personal anti-virus software

Sophos Endpoint Security and Control Help. Product version: 11

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

TIME TO LIVE ON THE NETWORK

Keeping you and your computer safe in the digital world.

Anti-Virus Evasion Techniques and Countermeasures

FOR MAC. Quick Start Guide. Click here to download the most recent version of this document

Anti-Virus Comparative

When you listen to the news, you hear about many different forms of computer infection(s). The most common are:

NetDefend Firewall UTM Services

Fighting Advanced Threats

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

CS 356 Lecture 9 Malicious Code. Spring 2013

Sophos Endpoint Security and Control Help

Defending Against Cyber Attacks with SessionLevel Network Security

KASPERSKY LAB PROVIDES BEST IN THE INDUSTRY PROTECTION*

How To Protect Your Network From Attack From A Virus And Attack From Your Network (D-Link)

Keylogging Identity The Defense System TM. Whitepaper. Legal Club of America 7771 W. Oakland Park Blvd. #217 Sunrise, Florida

ESAP Release Notes. Version Published

Endpoint Business Products Testing Report. Performed by AV-Test GmbH

McAfee Deep Safe. Security beyond the OS. Kai-Ping Seidenschnur Senior Security Engineer. October 16, 2012

Cyber Security Solutions for Small Businesses Comparison Report: A Sampling of Cyber Security Solutions Designed for the Small Business Community

NetDefend Firewall UTM Services

Anti-Virus Comparative

Security & SMEs. An Introduction by Jan Gessin. Introduction to the problem

Executable Integrity Verification

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks

Security Suites for Mac OS X: For on-demand detection, only four products achieved the 100-percent mark (AV-TEST August 2014).

Penetration Testing //Vulnerability Assessment //Remedy

STANDARD ON CONTROLS AGAINST MALICIOUS CODE

Network Security and the Small Business

Host-based Intrusion Prevention System (HIPS)

Spyware Analysis. Security Event - April 28, 2004 Page 1

In the recent past, there were several computer-based

Reduce Your Virus Exposure with Active Virus Protection

DSL and Cable Modems: The Dangers of Having a Static IP Address

Computer Security Maintenance Information and Self-Check Activities

Introduction to Computer Security Table of Contents

Smartphone Security. A Holistic view of Layered Defenses. David M. Wheeler, CISSP, CSSLP, GSLC. (C) 2012 SecureComm, Inc. All Rights Reserved

ESAP Release Notes

ESET Endpoint Security 6 ESET Endpoint Antivirus 6 for Windows

Transcription:

How do Viruses Attack Anti-Virus Programs By- Umakant Mishra, Bangalore, India umakant@trizsite.tk, http://umakant.trizsite.tk Contents 1. War between viruses and anti-viruses...1 2. Why is an anti-virus targeted...2 3. History of attacks on anti-viruses...2 4. Why is it easy to attack anti-viruses...3 5. Methods of fooling and attacking the anti-virus...4 6. How to protect anti-viruses from viral attacks...7 Reference:...7 1. War between viruses and anti-viruses With the improvement of virus detection technologies the virus creators found it difficult to create viruses that were capable of surviving long. This situation made them to innovate new methods for the survival of their viruses. Some important stealth techniques such as encryption, polymorphism and metamorphism were developed in order to make the viruses capable of escaping conventional scanning methods. But the war between virus creators and anti-virus creators was far from being over. The anti-virus creators implemented new techniques such as heuristic scanning and emulation techniques which were capable of detecting encrypted polymorphic viruses. Some modern anti-viruses used automatic learning, neural networks, data mining, hidden markov models, static and dynamic heuristics, rootkit heuristics and many other methods to remove almost every virus hidden anywhere in the computer.

2. Why is an anti-virus targeted When the virus creators failed to hide their malware from the advanced detection technologies they came up with various offensive techniques to attack and make the anti-virus program to paralyze. If the anti-virus can be screwed and compromised then the computer can be a safe haven for virus proliferation. The anti-virus software works at a highly trusted level of the operating system. Generally virus creators look for such type of levels to attack the computer system. So the virus creators are always in search of vulnerabilities in operating systems and anti-virus systems which can give them golden opportunity to attack and take control over the computer system. Traditionally the loopholes of Windows operating system has led to creation of various types of viruses, worms and other malware to attack the Windows based computers. When the loopholes of the operating system are closed by security patches, the loopholes in anti-virus systems open up new avenues for the virus creators to defend their malign creatures. 3. History of attacks on anti-viruses While anti-viruses are built with an intention to protect computers from virus attacks they are not always strong enough to do their intended job. Recently I went to a cybercafe with 4 files in my pendrive. When I opened my pen drive I saw many more files, and the files are increasing and decreasing dynamically. I checked the computer and found that an anti-virus was installed. So I did not think of viruses nor could really understand anything. When I came back home I found 36 files in my pen drive, excluding my original 4 files, the rest 32 are worms, trojans and other viruses. I formatted the drive.

Any vulnerability in the anti-virus becomes an opportunity of the virus creators. All anti-virus vendors including popular names like McAfee, Symantec, TrendMicro, VBA32, Panda, PC Tools, CA etrust, ZoneAlarm, AVG, BitDefender, Avast!, Kaspersky, Sophos etc. have faced such kind of experiences. BusinessWire # mentions that about 800 vulnerabilities (in 2008) including system access, DoS (denial of service), privilege escalation, security bypassing etc. were discovered in various anti-virus products. The conclusion: contrary to their actual function, the products open the door to attackers, enable them to penetrate company networks and infect them with destructive code.. Let s see why the attackers try to exploit such vulnerabilities: 4. Why is it easy to attack anti-viruses Viruses are present in almost every system even though there are anti-viruses installed. If the anti-virus is not reliable or not updated or compromised then the viruses can breed and grow safely in the system. Besides every anti-virus, however good that may be, leads to some extent of false positives and false negatives. Our faith on the anti-virus system often makes us more careless about hygienic habits which increases the possibility of infection. Let s analyze the reasons why do the anti-viruses are targeted by the viruses. Complexity of testing AV product- every anti-virus is bundled with various types of scanning and detection techniques with lots of heuristics and other methods. This makes the scanning engine extremely complex and creates great difficulty for the quality control staff to ensure a proper quality check before releasing the product. Minor imperfections in the detection algorithm not only leads to false positives and false negatives but also leads to vulnerabilities for viral attacks. Insufficient time for testing AV product- One of the weaknesses of any anti-virus product is that it goes through frequent updates and modifications. With the development of new techniques and algorithms most commercial anti-virus companies upgrade their software product almost in every quarter. This has a serious impact on in-house testing and debugging as the developer never gets enough time to test the new components implemented in every release, thereby leaving some unfixed bugs in the product.

Usually people have tremendous faith on anti-virus programs. Even if the anti-virus program malfunctions or behaves in slightly unnatural way people never bother about such anomalies. (For example, my AVG antivirus gives avgmfapx.exe error message every 3-4 days. But I hardly bother to read the details and find any remedy). This mindset of the users helps the virus creators to exploit the vulnerabilities of anti-virus with greater ease. 5. Methods of fooling and attacking the anti-virus As we discussed above, the vulnerabilities of anti-virus programs are exploited by the viruses and hackers. Besides in some cases there are bugs in anti-virus programs that give great opportunities to the attackers. Let s see some methods of cheating and attacking the anti-virus by different viruses. Memory resident viruses- one of the oldest methods of defeating the antivirus is by using memory resident techniques. The memory resident viruses remain resident in the memory and try to deceive the anti-virus program. They hook to the Int 13h and keep on fooling the anti-virus program by paralyzing the crucial functions of the anti-virus program. Boot sector replacement- boot sector viruses may modify the actual MBR and create a façade MBR at a location other than the actual location of the MBR and fill the façade with the content of the original MBR. When the anti-virus checks the MBR to determine its integrity the comparison is performed on the façade MBR instead of the modified MBR. This method hides the infection from integrity checker. One of the weaknesses of anti-virus programs is that they cannot scan the compressed files. Hence the anti-virus needs to decompress the compressed files and data before scanning. But the attackers sometimes create specially made compressed files using nested compression or using infinite loops to fool the anti-virus. When the anti-virus tries to decompress the file it falls into an infinite loop which causes high CPU usage and leads to Denial of Service (DoS). In order to avoid this problem some anti-virus programs use a time-out method to stop protracted scanning and get out of the infinite loop. However it is difficult to decide whether the compressed file is a genuine file or a virus made special file to fool the anti-virus. This situation leads to the following contradiction.

If a protracted scanning is not timed out, then the anti-virus system will continue using system resources and impacting the system performance. But using a time-out may inappropriately terminate a genuine scanning operation in a slow or overloaded computer. We want to terminate the prolonged scanning operations to save system resources but don t want to terminate a prolonged scanning in a genuinely slow or stressed system. Similarly, in some other cases the attacker uses specially compressed files that require huge amount of disk space. For instance, a small zip file may consume as much as 4GB of disk space and make the hard disk full leading to insufficient disk space error. Similarly the encrypted and password protected files cannot be checked for viruses because they cannot be seen from outside. Many viruses and hackers pack their malware code in zip files, encrypted files, password protected files etc. and send them as email attachments to potential victims (sometimes even with the decryption password). As in most cases the scanner is not able to scan the content of the encrypted files, the malware code remains in the computer for long time. Sometimes rootkits are used to gain administrative-level control over a computer system. A rootkit provides the modified versions of the original utilities used for administering a computer. A rootkit infected computer do all its usual functions along with the special jobs programmed inside the rootkit. Often the rootkits are used to avoid detection of backdoors and specific virus infections. Using bait files or exploit files the exploit files are built specifically keeping the vulnerability of specific anti-viruses in mind. The attackers may put the exploit files on their websites and convince victims to download the exploit files by using social engineering techniques. Alternatively the exploit file may get downloaded without user s explicit permission. When the anti-virus of the user computer scans the exploit file, the anti-virus engine is compromised. Local privilege escalation problems- when the anti-virus software gives Full control permission to everyone group, anyone can modify installed files. As every anti-virus software has to run some system services, the attackers may replace an installed service file with a malicious Trojan or rootkit which can later run with system privileges.

Some ActiveX controls may have design errors which include insecure methods. Besides ActiveX controls often lead to memory corruption. Attackers will pass very long strings as parameters to the vulnerable ActiveX controls in order to cause a memory corruption. Some vulnerabilities are caused by misutilising the SERVUCE_CHANGE_CONFIG permission. The attackers may use sc.exe to stop an anti-virus service and start it again after making modifications in the anti-virus program or environment. Loopholes at the mail server- some mail servers are configured to scan mails by anti-virus scan engines. Such situations create opportunities for the attackers to exploit the loopholes of the anti-virus engines. The attacker will send virus emails to randomly collected addresses. When the engine will scan the emails the engine and the mail server will be compromised. Loopholes at the mail client- individual users may be attacked by sending virus emails which will take advantage of the anti-virus engine vulnerability. The victim s computer will be compromised when the email is scanned by the anti-virus installed on his computer. Generally the anti-virus stores the previously scanned data in an AV state database in order to avoid repetitive scanning of the same files in subsequent scanning sessions. Some malware target to attack these AV state database and try to change the status of files to virus free in order to avoid scanning of infected files by the anti-virus. The modern viruses use many anti-anti-virus techniques to escape detection. There are anti-emulation techniques to avoid CPU emulation and anti-heuristic techniques to avoid heuristic scanning. These techniques fool the anti-virus systems and make their effort go waste. Attacks on signature scanning- some viruses attempt to alter the virus scanning executables and virus signature databases so that they cannot detect the viruses. However with the development of security mechanism these operations have been extremely difficult. Attacks on integrity checkers- there are some viruses which target to integrity checkers and infect only on intentional file modification. When the user allows the changes to the executable file, the infections are also allowed and added to the database. Besides, some viruses use stealth techniques to bypass file reads thus fooling the integrity checkers which believe that the checksums remain the same.

Some viruses target to manipulate the integrity database which stores the checksums or hash strings of the original files. They try to delete or modify the integrity database in order to confuse the integrity checker and avoid detection. If the integrity checker recreates the deleted integrity database, it has to calculate the checksums of the infected files. Fooling the CPU emulator- some viruses try to fool the CPU emulator. When the encrypted virus decrypt its body it shows its body only part by part so that only a small part of their decrypted body is visible to the scanner at any point of time. As the decrypted portion is small the scanner cannot find any virus signatures in the decrypted portion. Attacking memory scanning- Some viruses may work simultaneously on multiple processes. In other cases multiple copies of a worm may run watching each other. These situations are difficult for the anti-virus to tackle. 6. How to protect anti-viruses from viral attacks As the anti-viruses run in a trusted kernel level any loophole in the anti-virus program can enable attackers to take full control over the computer system and steal data or do serious damages. Hence the anti-virus engines must be developed with proper security in mind. The ant-virus should be able to any type of specially created executable files, compression packages or documents that are intentionally created to exploit the anti-virus s weakness. It is necessary for an anti-virus to detect and destroy the malware before its own files are detected and destroyed by the malware. Is it necessary to install another software such as firewall, Intrusion detection System or something else to protect the anti-virus? We will discuss the methods of protecting anti-virus program from malware attacks in a separate article. Reference: 1. Umakant Mishra, Using TRIZ for Anti-Virus Development- Building better software through Continuous Innovation, 2013, http://pothi.com/pothi/book/umakantmishra-using-triz-anti-virus-development 2. Umakant Mishra, Methods of Virus detection and their limitations, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1916708

3. Umakant Mishra, Solving Virus Problems by Anti-Virus Developers - A TRIZ Perspective, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1978385 4. Umakant Mishra, An Introduction to Computer Viruses, http://papers.ssrn.com/abstract=1916631 5. Umakant Mishra, An Introduction to Virus Scanners, http://papers.ssrn.com/abstract=1916673 6. Feng Xue, Attacking Antivirus, http://www.blackhat.com/presentations/bheurope-08/feng-xue/whitepaper/bh-eu-08-xue-wp.pdf 7. # BusinessWire, n.runs warns Anti-virus Software from Sentinel to spy, http://www.businesswire.com/portal/site/google/?ndmviewid=news_view&ne wsid=20080627005299&newslang=en 8. Umakant Mishra, Detecting Boot Sector Viruses- Applying TRIZ to improve anti-virus programs, http://papers.ssrn.com/abstract=1981886 9. Umakant Mishra, Improving Speed of Virus Scanning- Applying TRIZ to Improve Anti-Virus Programs, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1980638 10. Frans Veldman, Heuristic Anti-Virus Technology, http://mirror.sweon.net/madchat/vxdevl/vdat/epheurs1.htm 11. Peter Szor, The Art of Computer Virus Research and Defense, http://computervirus.uw.hu/index.html 12. US Patent and Trademark Office (USPTO) site, http://www.uspto.gov/

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information