Speaking at the SyScan 360 security conference in Beijing, China earlier this month, Koret explained how he had used a custom fuzzing suite to find bugs in 17 of the major antivirus engines that power antivirus software products from vendors such as Avast, Bitdefender, Avira, AVG, Comodo, ClamAV, DrWeb, ESET, F-Prot, F-Secure, Panda and eScan.
Koret's presentation slides became available (PDF) late on Monday and they claim that most anti-virus products offer too much administrator privilege, that they could be exposed to man-in-the-middle (MiTM) attacks and that they are “as vulnerable to zero-day attacks as the applications it tries to protect from.”
Most anti-virus software products are written in C or C++, run operating system drivers and support a wide range of file formats, all of which – according to the COSEINC researcher – open them up to issues such as buffer and heap overflow exploitation, local escalation of privileges and file format bugs.
He blamed human error for the possibility of ‘zero-day' flaws, pointing to insecure HTTP connections being used for updates and to the fact that updates are not cryptographically signed. He added that some software was running old code, that some firms were not conducting proper source code reviews or fuzzing, and added – such is the lack of proper signing – that MiTM attackers could insert themselves between the update server and AV software to gain access to AV programs on home and business PCs, something he said would result in hackers “completely owning [their] machine”.
For this reason, Koret urges companies to keep AV programs with additional capabilities away from the main corporate network.
The researcher added that as most AV products offer the ability to scan the network and modify or remove malicious programs; a hacker could abuse these rights and take full control of a computer if the anti-virus software was compromised.
By the time of Koret's presentation, some antivirus vendors – such as Avast and ESET – were said to have patched their software, with Avast having offered a bug bounty to identify the problems. Other larger suppliers were not notified on the assumption that they already have sizeable budgets to carry out security research.
“Some AV companies don't give a f**k about security in their products,” said Koret, who went onto urge users to not trust their AV products. “I cannot stress it enough,” he said in his conclusion.
Koret – who first starting digging into the vulnerabilities 'for fun' – in turn advised AV companies to audit their products, establish a bounty programmes, to not trust their own processes and to run dangerous code inside an emulator, virtual machine or sandbox. He also strongly recommended that they use SSL/TLS security protocols for updating products, digitally sign all files and drop useless and dated code.
Industry commentators said that Koret's proof was more a ‘proof-of-concept' rather than evidence of widespread malware, and that the diverse nature of the AV market would mean that they would likely not be targeted in a world where other vulnerable software – like Java – remain easier pickings for cyber-criminals.
Sarb Sembhi, a director with Storm Guidance, told SCMagazineUK.com that some of the information disclosed should not be new to the AV community – or others in the information security field – but said that this was the first time he was aware that a researcher had publicly revealed such extensive faults on the popular anti-virus engines on a public forum.
“The chances are that some of this has been in hacker circles for some time,” said Sembhi.
Sembhi added that the detailed analysis would help in a sense that AV companies and companies could see the commonalities between products – from the use of C and C++ to the adoption of certain file formats. “This commonalities approach is used by hackers to identify which mass adopted targets to exploit.”
“The best advice I can give is don't blindly trust the AV product,” said Sembhi, who suggested that there's often an element of misplaced trust from people when they receive goods from those operating in the security space. “Who watches the watchers?” he asked.
“There is currently no assurance scheme that is cheaply available to all AV vendors around the world to provide the confidence that every file that is being installed on our systems is written using accepted secure software development practices.
Brian Honan, consultant and founder of BH Consulting, agreed with Sembhi that many of the vulnerabilities are ‘nothing new' and pointed to the ‘false assumption' that security software is always secure itself.
“While we often assume the security software we employ to protect our networks is itself secure, this, in many cases, can prove to be a false assumption,” Honan told SC.
“Security software, like all software, has bugs in it and those bugs can be exploited to allow attackers bypass the security software or use the security software to as a means to attack our systems. This is why it is important that we do not rely on one single security solution or layer to protect our systems.”
Honan has urged companies to employ multiple security controls and to “include people and processes to complement the technology.”