Tuesday, October 21, 2008

Is Anti-Virus is safe??????

What we think after installation of an Anti-virus in a system............that we are safe now....are we think again..

Now i'm going to show you some back side truth of Anti-viruses.

• Why can AV be targeted
• Finding vulnerability of Antivirus
• Exploiting Antivirus
• Few words
• Future work

Why Can AV Be Targeted - Continue
• Antivirus is a common component
– Over 80% of people are using antivirus software [Reference-8]
• Cross-platform exploitation
– As great as the Java and Adobe vulnerabilities
• Antivirus is error-prone

Why AV is error prone?
• User input (files being scanned) is totally unpredictable
• Too many format to deal with
– How can AV process hundreds of formats correctly?
• Lots of the vulnerabilities exist in the following major
components of Antivirus engine:
�� Unpack
�� Decompression

!!!!!!!!!!!!!!!!!!!!!Finding vulnerabilities of Antivirus!!!!!!!!!!!!!
Audit Antivirus
• Local Privilege Escalation
• ActiveX
• Engine
– Source code audit
– Reversing
– Fuzzing
• Management

Audit – ActiveX Control
• Installed by Antivirus product; Free Online Scan
Service; Download Manager
• Insecure Method: Design error
– CA – SigUpdatePathFTP()
– Kaspersky - StartUploading()
• Buffer Overflow
– Symantec, CA, Authentium, RAV, etc

Audit – ActiveX Control
Fuzzing and Manually audit
• AxMan Script fuzzer for memory corruption
• ComRaider GUI fuzzer for memory corruption
• OleView Manually audit ActiveX
• FileMon File Operation
• RegMon Registry Operation
• TCPview Port, Network connection
• Wireshark Sniff network traffic

Audit – Engine
Most of the Engine problem exists in the Format Parsing
• Memory Corruption
– Stack overflow, Heap overflow, Memory Access/Modification
• Denial of Service
– CPU (Most of the AV vulnerable to ZIP/CHM processing
problem in the past)
– DISK Space (NOD32 will eat 4GB disk when scanning a
malicious ARJ file, which is only 1kb, no patch yet)
• Detection Bypass

Audit – Engine: Source Code
• Must have access to the source code
• Time consuming
• Open Source ClamAV is the best one for practice
– 49 CVE matches
• Tools: FlawFinder, RATS ,ITS4, SPLINT, CodeScan,

Audit – Engine: Reversing
• Reverse the file format plugin one by one!
– Kaspersky: Arj.ppl base64.ppl cab.ppl lha.ppl rar.ppl
– Bitdefender: arc.xmd arj.xmd bzip2.xmd cab.xmd
• Typical: Memory allocation, string copy, integer
– Effective against all Closed Source AV
– Can uncover more subtle vulnerabilities
– Extremely time consuming
– Tools: IDA, Hex-rays

Audit – Engine: Fuzzing!
• Few people thought about fuzzing Antivirus
• Few Antivirus fuzzer published
– Vxfuzz – Taviso
– nrun’s private Fuzzer-Framework v1.0
– My in-house script, and yours
• Fuzzing Antivirus is easier than most of the other
• Even a dozen lines script could uncover many
exploitable vulnerabilities!
Audit – Engine: Fuzzing!
What we need?
• Good samples
– rar, zip, chm, arj, lha, lzh, tar, tgz, doc, xls, upx, fsg, more
– CreateARJ, MakeCAB, WACE, WinZIP, WinRAR, PowerISO,
various PE packers, Google (filetype:xxx)
• A big hard disk.
– For test case
• Debugger
– Windbg, Ollydbg, Immunitydebugger
• Fuzzer
– Original fuzzer is actually a File generator
– Script language: Python/Perl/C
– May need to deal with the CRC
Audit – Engine: Fuzzing!
How? 4 steps
• Create test case.
– By using the script you wrote, samples created
– 0xFFFFFFFF, 0xFFFF, 0x0000, 0x0001, etc,
• Download the trial version AV and install
• Scan! Do not forget to start the debugger
• Go to Sleep: Leave your computer fuzzing

Audit – Engine: Fuzzing!
Demo 2
Fuzzing Mcafee Antivirus for 0day ;)

Audit Result
By auditing the mainstream Antivirus Engine, we have
found and published:
• AhnLab AV Remote Kernel Memory Corruption
• TrendMicro AV UUE Decoding Format String
• Avast! AV TGZ Parsing Heap Corruption
• Mcafee AV BZIP2 Parsinig Memory Corruption
(working with vendors)
• NOD32 Heap Overflow (unpublished,0day)
• More upcoming

Post a Comment