Author Topic: Does AV make your system vulnerable?  (Read 3727 times)

Offline polonus

Does AV make your system vulnerable?
« on: September 25, 2015, 10:41:16 PM »
Is old-school AV enlarging the attack platform on your computer? Since the HackingTeam hack we know that there is a daunting underground market for specific AV vulnerabilities exploited by cybercriminals. Read about the analysis of such exploits by Google Project Zero's Tavis Ormandy: http://googleprojectzero.blogspot.com/2015/09/kaspersky-mo-unpackers-mo-problems.html

AV software with its constant catching and analyzing network traffic makes it into an ideal target for cybercriminals and forms an ever larger target platform for all malcreants while constantly attacking the software through AV-exploits.

In the case of the Hacking Team hack a weakness in ESET software was being abused. AV vendors should critically analyze their software for such holes. Kaspersky seems to be one of the first vendors to have reacted successfully to such threats.

So we should realize that criminals for their malcreations rely more and more on vulnerabilities, bugs and holes that are to be found in AV software anyway. So an obvious trojan trap often functions.

One of the best things Avast did was to emphasize the importance of keeping the OS and third party software always fully updated and patched. The Avast Software Updater along with the Shields were the best improvements that came to the program.

So traditional AV has to concentrate more and more on issues like network intrusion detection, ssl interception and file scanning to browser integration and local privilege escalation. Blind SQL is becoming an ever more important attack vector.

We cannot do without traditional resident AV, but we also have to find solutions to the threats from this new attack arena.
Info credits for the above info cited from an article by Henk-Jan Buis.

Like to hear your reactions as some here even have become opponents of using traditional AV......  :o

polonus


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Secondmineboy

Re: Does AV make your system vulnerable?
« Reply #1 on: September 25, 2015, 10:48:18 PM »
I start to hate where most AVs are going these days.

Junkware. Bloatware. And other stuff that has nothing to do with security anymore.

If they would stop working on this bloatware they could get much better protection going.

And also all this launcher stuff or Central or whatever the heck else, why? You don't need that junk.

And AVs which collect your data and which track you like AVG will start selling your browser data October 15th, WTF?

AVs are supposed to protect you against viruses and that's it. Nothing more.

I would love to get the old 2007 days back where you were updating your XP Machine every week or two and you just installed an AV and you could forget it, it wasn't nagging with ads or collecting data about you and what you're doing........

And now you get ads for TuneUp junk and bloatware, the interface has these nice TuneUp(Not installed banners) or Tune your PC up for 30 bucks a year etc.

Or you misclick once and you have a Trialware of their paid version running........

And why do you need to create a stupid account just to use a trial of their software or their software overall?

Or popups for their extra features?

^^That's all unnecessary junk


And yes, AVs are a good target for attackers since that's the first thing to shut down or alter to get system level permissions going :)
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline DavidR

Re: Does AV make your system vulnerable?
« Reply #2 on: September 25, 2015, 11:00:15 PM »
Let's put it this way: regardless of this, having an AV that could possibly be hacked has to be better than having none at all.

An AV has to be just one line of defence in your overall security. Firewalls have been the traditional defence against network intrusion (HIPS, etc. etc.).

Even if an exploit is found, there has to be a means of targeting the system, e.g. how does it find its target, someone with that AV. That presumably has to be the same way other malware gets launched, be that hacked sites, drive by downloads, etc. and then finding out if you have an AV with a vulnerability.

When all is said and done, these types of articles are fear mongers (not even sure if they are more damaging than the issue), not everyone is going to be directly targeted just because you have an AV with a supposed vulnerability.

So you have to have a robust backup and recovery strategy to be able to recover from any potential issues, be that malware or other computer issue. I have been saying this for years and this doesn't change that, only emphasises it.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

Re: Does AV make your system vulnerable?
« Reply #3 on: September 25, 2015, 11:58:56 PM »
Hi DavidR,

Fearmongering or not (the article stems from one of the Kaspersky researchers, so an inside story really), we should get the facts straight, that is all that there is to it. And therefore I thank you for your reaction. We have an evangelist here, FwF, whose motto was "Do not surf in the nude" and we also have to show the other side of the medal: without AV protection, the time without an infection of sorts stands at 20 minutes for the happy go lucky ignorants. So it is not really an option. That cybercriminals try to play all tricks in the book is known. Also we know where Avast has an almost complete share of the market, the efforts to go under the detection radar are hefty and strong. This is or was rather the situation for the Brazilian theater, I do not know how the situation is now. We have Lisandro as Avast Team Member and old pal to keep an eye out there ;D
I hope Avast also will investigate the issues sketched by Google Project Zero and I do not doubt they are hardening the software in various ways in that direction. My reporting here was only meant to keep young renegades from finding an excuse, a very unwise thing. Discuss every theme put before us and keep to what has proven itself through the years - Avast resident AV, a form of protection that your OS cannot be without.

polonus
« Last Edit: September 26, 2015, 12:00:28 AM by polonus »

Offline DavidR

Re: Does AV make your system vulnerable?
« Reply #4 on: September 26, 2015, 01:21:58 AM »
Does it really matter where it comes from, when there is very little that any AV user can do - I'm of the school of thought, why worry about things outside your control, it will give you a headache.

It isn't beyond the realms of first give the end user a headache and then sell him the aspirin.

We already have many tools available to the end user (anti-exploit, anti-this that and the other), to have a competent multi layer defence. Unfortunately for the majority of end users they just don't know about this sort of stuff and live in blissful ignorance.

So if all else fails have a robust backup and recovery strategy. As they say, if you fail to plan, then you plan to fail.

Offline Asyn

Re: Does AV make your system vulnerable?
« Reply #5 on: September 26, 2015, 08:43:55 AM »
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline Dwarden

Re: Does AV make your system vulnerable?
« Reply #6 on: September 26, 2015, 08:54:26 AM »
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline Secondmineboy

Re: Does AV make your system vulnerable?
« Reply #7 on: September 26, 2015, 01:39:19 PM »
I hope Avast will take up on these issues. But NO AV is bulletproof for issues or vulnerabilities. :)

Offline polonus

Re: Does AV make your system vulnerable?
« Reply #8 on: September 26, 2015, 02:01:30 PM »
OK, Steven Winderlich, you are right there.

But there is also a thing we call "user responsibility"!
Everyone could take care that his OS and all of his third party software on a particular device are fully updated, upgraded and fully patched.

Also what DavidR always reminds us to do, is working the computer on a normal user account level.
This is also an important measure of protection.
Use a (full or other) admin account only when you cannot do without it for certain tasks.

There is more but these are basic precautions everyone with a bit of brains could perform,
then when someone abuses your trust, you only have yourself to blame.

For the more computer savvy amongst our user bunch, there is also a list of computer behavioral patterns,
that should alert something is out of the ordinary and signs that some cybercriminal party tries to stealthily
sneak into your network.

Pay attention to the following signs of trouble:

Do you or someone else that uses that computer experience behavioral signs like?:

1. Unauthorised connections to user accounts and computers that normally would not connect.
2. Activity on unexpected moments.
3. Several connections from one and the same account, but from various locations.
4. Unexpected data traffic sources and destinations.
5. Unexpected paths in network connections (server to server, server to client, client to client, client to server, etc).
6. Larger bandwidth than usual or greater file activity.
7. Use of rare admin-utilities.
8. Terminating AV-software.
9. Unexpected reboots.
10. Unexpected halts in activity.
11. Larger amounts of data to a location outside of the network.
12. Unplanned data migration at night.
13. Unexpected meeting of parameters of local, critical files.
14. Unexpected SSL/TLS-connections. *
15. Unexpected archive files or encrypted packets.

So without such stealth activity going on and no particulars found from the event monitor logs,
you could let Avast AV do the rest and feel at ease.

I also have MBAM Premium watch my computer, cleanse using CCleaner and work the browser in Sandboxie.
All updated and patched. Then I think that I did what I could do as a responsible user, the rest is out of my hands.

And know what Para-Noid always tells us all. You can only fully trust what you have tested yourself.

polonus
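A minimal sketch of how three of the signs listed in the post above (3, 8 and 11/12) can be checked automatically over event logs. This is an added example, not part of the original post or of any Avast tooling; the event schema, thresholds, internal address range, watched process name and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions (not from the thread): event schema, thresholds, address range.
MB = 2**20
INTERNAL = ip_network("10.0.0.0/8")      # addresses inside the network
AV_IMAGES = {"avastsvc.exe"}             # AV service process to watch
NIGHT_HOURS = range(0, 6)                # 00:00-05:59, timestamps are local time
EGRESS_LIMIT = 500 * MB                  # bytes per host per night to outside
LOGON_WINDOW = timedelta(hours=1)

EVENTS = [  # constructed sample events, not real logs
    {"ts": "2015-09-26T09:02:11", "type": "logon", "user": "alice", "country": "NL"},
    {"ts": "2015-09-26T09:55:30", "type": "logon", "user": "alice", "country": "BR"},
    {"ts": "2015-09-26T10:00:00", "type": "logon", "user": "bob", "country": "NL"},
    {"ts": "2015-09-26T14:00:00", "type": "logon", "user": "bob", "country": "DE"},
    {"ts": "2015-09-27T02:10:05", "type": "process_stop", "host": "pc-17", "image": "AvastSvc.exe"},
    {"ts": "2015-09-27T02:12:00", "type": "flow", "host": "pc-17", "dst": "10.0.0.5", "bytes": 900 * MB},
    {"ts": "2015-09-27T02:15:00", "type": "flow", "host": "pc-17", "dst": "203.0.113.9", "bytes": 300 * MB},
    {"ts": "2015-09-27T02:40:00", "type": "flow", "host": "pc-17", "dst": "203.0.113.9", "bytes": 300 * MB},
    {"ts": "2015-09-27T14:00:00", "type": "flow", "host": "pc-22", "dst": "198.51.100.7", "bytes": 900 * MB},
]

def detect(events):
    """Return (sign_number, subject, timestamp) alerts for signs 3, 8 and 11/12."""
    alerts, logons, egress = [], defaultdict(list), defaultdict(int)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "logon":
            # Sign 3: same account seen from another location within the window.
            recent = [(t, c) for t, c in logons[e["user"]] if ts - t <= LOGON_WINDOW]
            if any(c != e["country"] for _, c in recent):
                alerts.append((3, e["user"], e["ts"]))
            logons[e["user"]] = recent + [(ts, e["country"])]
        elif e["type"] == "process_stop" and e["image"].lower() in AV_IMAGES:
            alerts.append((8, e["host"], e["ts"]))      # Sign 8: AV terminated
        elif e["type"] == "flow" and ip_address(e["dst"]) not in INTERNAL:
            if ts.hour in NIGHT_HOURS:
                # Signs 11/12: cumulative night-time egress; alert once on crossing.
                key = (e["host"], ts.date())
                before, egress[key] = egress[key], egress[key] + e["bytes"]
                if before <= EGRESS_LIMIT < egress[key]:
                    alerts.append((11, e["host"], e["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The daytime transfer from pc-22 and bob's logons four hours apart are deliberately not flagged, which shows how much each rule depends on the chosen window and threshold.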

Offline schmidthouse

Re: Does AV make your system vulnerable?
« Reply #9 on: September 26, 2015, 07:24:08 PM »
Interesting conversation.
I also think that many of us here are aware of and use a 'layered security profile' to protect our data/OS from being compromised. And obviously David has a point that many users are blissful in their lack of knowledge related to Internet threats/security.
I've been using a layered security approach since I first started using the internet. It just made sense to me and logical, that even 15-20 years ago an AV couldn't/didn't protect you from many threats; Worms, Trojans etc.
I believe, as it already has, security will change and take on a different face as threats evolve. I'm not sure what that face will look like but I am sure it will look different from today. :)

Offline bob3160

Re: Does AV make your system vulnerable?
« Reply #10 on: September 27, 2015, 02:19:19 PM »
Not only have AV's evolved but so has the operating system.
These attacks were leveraged against Windows 7. Would this same attack really work on Windows 8.1 or Windows 10 ???
I certainly agree that sandboxing needs to be a part of effective protection. Especially when we're talking about zero day detection or more importantly, protection against zero day attacks.

Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline polonus

Re: Does AV make your system vulnerable?
« Reply #11 on: September 28, 2015, 12:41:44 AM »
Thanks to everyone for the input. It again comes to show to me how much I have learned during all those years since I have joined this wonderful forum with a bunch of really wonderful people.
"Keeping the pulse" of many, many websites over the last couple of years has produced an enormous amount of scanning experience. For someone driven by his ongoing support for the Avast product there is a golden treasure chest of code knowledge out on the Interwebs and I also do a lot of reading offline, at the moment I am working myself through the contents of the Javascript Bible (nothing religious but a pdf file just to help me with the analysis), also reading from Chinese translated sources on static PHP hardening at the mo. And also all the assistance here from all good friends I get I am grateful for ;)

There is a battle going on between the good, the bad and the ugly on the Interwebs, and because of the tremendous scale of this enduring battle it is hard to keep up with all new events.

Just to-day I did a VSB infected page scan on Sucuri's website scanner, and it made that the browser (which luckily for me ran inside a sandbox) started to crash or rather fall apart. There was no way to restore the Chrome browser, it came down again like a drunken knocked down boxer :o and finally after closing the browser down, the scan computer (an old Vista with 8 years behind the ears) rebooted spontaneously.

I looked over the virus analysis and looked in Task Manager for any signs of an infection via svchost etc. and I gave a sigh of relief that Sandboxie apparently had saved my glorious behind and that very laptop. Normally I take all kind of precautions like never go to a site to scan, always use third party cold reconnaissance scanning, block third party code, do an assessment of any risks beforehand etc. and again never say never. So we need this discussion on how to best protect us and where our beloved Avast is going. I hope this posting of mine wasn't as dull as dishwater, so now time to go back to my favorite hiding place at Avast support forums, which is "the virus and worms".

Damian (volunteer website security analyst and website error-hunter)