Current Trends in Antivirus Protection - Current Trends and Recommendations - The Antivirus Hacker's Handbook (2015)


Part IV. Current Trends and Recommendations

In This Part

1. Chapter 16: Current Trends in Antivirus Protection

2. Chapter 17: Recommendations and the Possible Future

Chapter 16. Current Trends in Antivirus Protection

The robustness and effectiveness of the protection offered by antivirus products is not determined exclusively by the quality of the antivirus product, but also by the target audience it is protecting.

Nowadays, everybody is a target for malware authors. However, it is unlikely that the owner of your neighborhood supermarket is going to be the victim of an attack perpetrated by an actor using zero-day exploits. On the other hand, a government or a big corporation is going to be targeted by any and all possible malware writers around the world, ranging from the not-so-knowledgeable authors of rogue antivirus software and other malware to state-level actors. Almost weekly, you can read in the news about how the National Security Agency (NSA), Government Communications Headquarters (GCHQ), or some other agency has launched campaigns—or cyber-attacks, as they are usually called—against telecommunication companies, ISPs, and other big companies. Such corporations, local or foreign, are interesting targets in helping to spy on foreign countries, specific individuals (political personnel, activists, and whistle-blowers), armed groups, and so on.

The target audience of consumers for antivirus software can be divided into four major groups: home users, small to medium-sized companies, governments and big companies, and the targets of governments.

This chapter discusses the current trends and the protection levels offered by the antivirus industry to its major target audience groups and what each group should expect.

Matching the Attack Technique with the Target

This book covers various techniques, weaknesses, attack vectors, potential vulnerabilities, and published exploits that could be used to mount an attack on a machine that employs an antivirus solution. Those techniques and methods vary in complexity, cost, and the time they take to produce and weaponize. Therefore, it stands to reason that there should be a justification factor that dictates how to choose the appropriate attack technique for a given target.

The following sections explain the factors that play a role in choosing which attack technique to use against which target.

The Diversity of Antivirus Products

The market holds a large number of antivirus products; therefore, it is impossible to target all users with the same technique. The list of antivirus products is so long that even if the most popular antivirus software on the market were successfully targeted, it would only mean that roughly 20 percent of all users were actually being targeted.

Because of this diversity, using an antivirus suite as an attack vector is only worthwhile when the target justifies the investment. Otherwise, it is better to use exploits for less diverse but much more popular software such as web browsers (Firefox, Internet Explorer, and so on) and office suites (Microsoft Office, Apache OpenOffice, and so on). The following sections discuss types of attacks and their targets.

Zero-Day Bugs

Zero-day bugs are security bugs that are not yet disclosed or fixed and that can be used to own a system. These kinds of bugs are so powerful that they cost a lot of money and time to acquire. It can be argued that zero-days are cyber-weapons.

For that reason, it makes no sense for an attacker to elect to use a zero-day against a low-profile target. There is also the risk of losing the zero-day if a malware sample is caught by an antivirus solution or by a researcher and is then dissected and studied. This means the bug will be fixed and that the zero-day will become worthless in a matter of days or weeks.

When it comes to small targets, using a zero-day bug means expending a lot of valuable resources. It is like using a bazooka to kill a fly or using an F-16 to go to the grocery store around the corner.

Since 2014, how often do you hear that a new zero-day is being used on a massive scale? Not very often. Attackers simply do not need to waste such resources. They can save zero-day exploits, if they happen to have them, for high-profile targets.

Patched Bugs

Using zero-day bugs inappropriately can render them useless if they are caught in the wild. As an alternative, attackers can use older security bugs that have been patched. The bet here is that there will always be computers that do not have the latest security patches installed.

Most exploit kits that are sold on the black market do not contain even a single zero-day exploit but rather contain exploits for known vulnerabilities that have been fixed recently or even years ago. It is very common to find exploits taken from Metasploit (an exploitation framework), modified and repurposed, in massive attacks focused on infecting as many home-level users as possible. In practice, this scheme works better than using real zero-day exploits.

Targeting Home Users

A home user should not be too worried about many of the attack techniques mentioned in the previous sections. When it comes to home users, attackers want to maximize the number of infected users, and therefore they tend to care less about using advanced techniques and focus more on using simple techniques that achieve quick results when applied to a large number of home users.

There are many reasons why malicious attackers target home users (for example, by trying to infect the computers of our mothers or grandmothers), but their main motivation is usually the same: to make money in one way or another. Here is how some attacks can benefit attackers monetarily:

· The infected computer can be monitored to capture banking details or any other kind of data that can be directly converted into money, such as PayPal or Amazon accounts, and so on.

· The infected computer can be part of a zombie network that can be rented for distributed denial-of-service (DDoS) attacks, spam campaigns, mining of cryptocoins, and so on.

· The infected computer's documents, images, and other data can be encrypted and a ransom demanded to decrypt them.

· Using social engineering techniques, attackers can trick users into installing a piece of software that claims to be a security suite (such as an antivirus) but is actually not. The rogue protection suite displays fake messages about multiple non-existent infections to scare the user into buying the full version of this fake antivirus solution in order to clean the supposedly infected machine.

It is clear from this list that none of those motivations apply to a government trying to spy on political dissidents, or a company that contracts a group of attackers to penetrate a high-profile competitor to steal secrets and intellectual property.

Targeting Small to Medium-Sized Companies

Small to medium-sized companies may need to worry, but not too much, in my opinion, as they are very similar in many ways to home users. A small company that, for example, sells insurance is unlikely to be the target of an attacker using zero-day exploits. It can, however, be the target of another insurance company trying to steal its customer database. Attackers targeting smaller companies would likely employ techniques similar to those used to attack home users: social engineering, exploit kits, and exploits for already-patched bugs.

It is extremely unlikely that a government or other big actor would use a zero-day exploit against a small to medium-sized company and risk losing the exploit; it is not worth the money. After all, what is the point of a foreign government owning, say, a car wash business? Its data is not very interesting, nor is its infrastructure.

For these reasons, small to medium-sized companies probably don't need to worry about vulnerabilities in antivirus products, at least not yet. However, if an audit of an antivirus product reveals a lot of vulnerabilities, this means that the quality of the antivirus product is poor. So, even though these companies do not need to worry about zero-day vulnerabilities, they do need to worry about the quality of the product they have installed on their office computers.

Wouldn't you think that an antivirus product with a lot of vulnerabilities will have a different quality level when it comes to providing protection, detection, disinfection, and other capabilities?

Targeting Governments and Big Companies

Governments and big companies make interesting targets, although attacking them requires the use of more complicated techniques. These targets need to worry about any and all possible attackers on a world scale. For example, non-targeted, large-scale attacks that were meant to own home users may also inadvertently hit government and big companies' computers.

Governments and big companies need to worry about actors who have no qualms about using zero-day vulnerabilities, because they are a constant target for foreign countries or companies in the same field. For example, do competing car manufacturers need to worry about industrial espionage from each other? Absolutely. The same applies to pharmaceuticals, movie producers, book publishers, and, even worse, weapons manufacturers, nuclear plant managers, and other high-profile targets.

These target types really do need to worry about an actor using an exploit against the antivirus solution or solutions used in their environments. Take a look at the following hypothetical situation:

1. A company or foreign government A wants to steal some data from target government or company B.

2. The perimeter of target B is heavily fortified, every computer has an antivirus solution installed, and all internal network traffic is inspected by antivirus products.

3. Attacker A decides to send an email that will be received by target B's email gateway server, with an embedded exploit targeting the antivirus product.

4. And voilà! Company or government B becomes owned by company or foreign government A.

But it can be even worse: what if the actual exploit installs an implant that integrates with the antivirus solution? For example, what if the implant from the malicious actor A installed on target B's infrastructure runs within the context of the antivirus solution itself? If target B actually trusts the antivirus product, it is going to be a complete disaster, because it trusts a vulnerable piece of software that was owned. This is a completely hypothetical case, but there is a good possibility of this occurring. There is little doubt it is happening right now while you are reading this book.

There are very few known cases of malicious state-level actors targeting antivirus products. However, one such case is The Mask (also known as Careto). This high-stakes, state-sponsored malware attack, launched against governments in North Africa, southern Europe, South America, and the Middle East over the course of at least five years, was attributed to the Spanish government. According to Kaspersky's reports, The Mask was abusing some vulnerability in Kaspersky antivirus products. No additional data was ever published by Kaspersky about this attack; nevertheless, this is an example of real exploitation of unspecified vulnerabilities in an antivirus product that affected many companies worldwide, a piece of software mistakenly trusted.

The Targets of Governments

A journalist (or, at least, one not on the government payroll) or a political dissident in any country will certainly be the target of a government agency. A realistic target of a government, such as a journalist, a politician of an opposing political party, or a member of a human rights organization, must worry about what I have discussed in this book. Although such targets are not a government or a big company, the odds of their being an interesting target for a government are very high, and a government is an actor with the capabilities and resources to use zero-day attacks against multiple antivirus products. For such people, antiviruses are tools that governments can use to spy on them.

Another example of a government target is antivirus companies themselves. For example, consider the recently discovered attack against Kaspersky: an attack from a government targeted the Kaspersky labs in what may have been a lateral attack (to spy on its customers) or a direct attack to gain privileged knowledge about their technologies and how far they have advanced in the research of other nation-sponsored malware.

In summary: antivirus products can be more of a danger than a benefit in some cases, and their own products cannot protect anyone, not even themselves, from nation-state attackers. For anyone under government surveillance, the security of their computers and their ability to conduct confidential and private communications are unfortunately the least of their problems.

Summary

It is important to be realistic about the odds that an actor with almost unlimited resources, such as a very big company or a government, can break protection software that costs about US$50. What are the odds that such an actor can break the most-used protection software suites? Close to 100 percent, in my opinion.

After researching antivirus products for almost two years, I believe that the probabilities are very high, because I found weaknesses in most of the antivirus products that I researched over that time.

One can argue that the “business-level” protection suites are different, and it is true that they are. However, they are based on the same software. What I usually discovered was that an exploit working against the retail version of a product had to be adapted to work against the business protection suite because a different ASLR bypassing technique had to be used, different paths were used, services were listening on different ports and named pipes, and so on. However, because the business software and desktop software shared the same core engine, a vulnerability targeting a file format parser, for example, had the same effect against both editions of the same product.

It is my opinion that the current level of protection offered by antivirus products is not enough to protect against malicious attackers that are willing to use zero-day bugs. Sometimes, installing an antivirus product can make computers and networks even less secure than not having an antivirus product at all, because the attack surface dramatically increases, and vulnerabilities can be, and actually are, included at both local and remote levels.

Some antivirus software companies do not worry at all about security in their products because average users do not know how to really measure it (who cares about writing security-aware tools when a non-security-aware tool is going to sell anyway?). Self-protection security measures, if implemented at all, are rudimentary at best and focus exclusively on preventing the termination of the antivirus products by malware. There are some exceptions (AV companies that are concerned about security in their products), but they are actually the exceptions to the rule: antivirus companies only care about marketing campaigns.

In the future, the situation may change, but today, it unfortunately looks dire. The next chapter discusses possible improvements that I think will be added at some point or that are actually implemented by a few antivirus products.