Abusing security products to bypass mitigations

[sman]

My AV, Avast, seems vulnerable as per the AVulnerability checker tool in http://breakingmalware.com/vulnerabilities/sedating-watchdog-abusing-security-products-bypass-mitigations/ ..

 

Now, how serious is this threat and MBAE protection?

 

If needed, this topic may be moved to MBAE section.. Tks. in advance..

 

PS : This tool was tested in Avast and test reports, it is vulnerable..

[David H. Lipman]

What organization has validated that the test provides accurate results ?

[sman]

I found it first in http://www.theregister.co.uk/2015/12/11/anti_virus_trips_up_windows_defences/ ..

 

 

Instead of checking the issue itself enSilo has put together a free checking utility called AVulnerabilityChecker which it has uploaded to GitHub.

 

Independent tests using the tool by Simon Edwards, technical director at Dennis Technology Labs, an experienced antivirus tester and chairman of the Anti-Malware Testing Standards Organization, suggest that products from Symantec and BitDefender (among others) might be vulnerable. Security products from Microsoft and others avoid the problem, according to preliminary testing.

 

“We used that vulnerability scanner to check 22 anti-malware products, including a lot that we regularly test,” Edwards told El Reg. “We found that 12 were ‘likely to be vulnerable.”

[David H. Lipman]

That shows a news outlet indicating "Independent tests" but that's not an authoritative statement.

 

At this point it is best to take it with "a grain of salt" and await Secunia, MITRE, SANS, AV Comparatives', NIST or other groups or reports to qualify, quantify and verify what is purported.

 

If a vulnerability is indeed present, a Common Vulnerabilities and Exposures (CVE) ID will be assigned by MITRE and the write-up will indicate whether that tool is valid or not as an indicator as well as the CVE will indicate what software is vulnerable.

 

At this time it is just something to take "note of" and not something to "react to"... Yet.

[sman]

i did the first test with FF & then Chrome.. I did a re-check now, but with browsers in reverse order, Chrome then FF and comes up that 'Avast is Not Vulnerable' ..

 

In fact, CHIP also mentions about this tool in http://www.chip.de/downloads/AVulnerabilityChecker_86729921.html..

 

However, concerns still persist on the first test..

[David H. Lipman]

i did the first test with FF & then Chrome.. I did a re-check now, but with browsers in reverse order, Chrome then FF and comes up that 'Avast is Not Vulnerable' ..

 

In fact, CHIP also mentions about this tool in http://www.chip.de/downloads/AVulnerabilityChecker_86729921.html..

 

However, concerns still persist on the first test..

 

 

"At this time it is just something to take "note of" and not something to "react to"... Yet."

[sman]

How CVE is released and when security products will be patched is not going to stop hackers in taking advantage of the vulnerability, which has been posted in Github as an 'Open source'..

 

As can be seen, the report that Mcafee has already patched it's enterprise edition, is a pointer to the vulnerability..

 

The question, now is, in case of any fallibility Will MBAE protect from it? Tks. in advance

 

PS : if needed, this topic may be moved to MBAE section..

[sman]

Here is another article on the vulnerability in ..http://blog.morphisec.com/security-products-its-not-a-vulnerability-its-a-feature/

depicting a grim picture..

 

The recent discovery of vulnerabilities in antivirus software by enSilo sparked curiosity among the Morphisec Labs team. After a long deep dive and to our surprise, our research found that the vulnerability wasn’t an unintentional flaw in the code, it was a feature! Here is how it works.

 

 

OPEN DOORS FOR HACKERS

 

How can an attacker exploit this "feature" to compromise the endpoint? It’s very simple – it can be done via any application running on the endpoint that is “protected” by the security product. It does not matter that the makers of applications such as Adobe Flash, Silverlight, Microsoft IE and Office are hard at work trying to mitigate their vulnerabilities. Once these host applications are being "infected" by an endpoint security product using this injection technique, they become vulnerable. Once an application is vulnerable, a simple buffer/integer/stack-overflow, use-after-free or type confusion vulnerability will allow the attack to hijack the application flow and the shellcode can be written to and executed from the predictable memory address. That's all, game over for the endpoint. It is a vulnerability in a security product that replicates and infects every application running on the endpoint, infecting it with this vulnerability. Because it is a trusted application (legitimately acquired and willingly implemented by the end customer), in effect it can become a Trojan, a back door for other attacks.

[David H. Lipman]

You miss the point.  It does not matter how many articles are written on enSilo findings.  Those finding must be corroborated and the tool vetted.  Just because a so-called detection tool is placed on Github does not mean exploit code is in the wild and is actively being exploited. 

 

You have brought the article up and provided attention to it.  Thank you.

 

Now you can stand down.  It isn't the end of the world.

[sman]

I'm happy, that you have taken note of it.. There is but a lot of noise/attention on it by the IT world, even a explicit reference to 'Malwarebytes' by PCWorld very recently in http://www.pcworld.com/article/3020327/antivirus-software-could-make-your-company-more-vulnerable.html ..

 

 

This scenario might sound far-fetched, but it's not. According to vulnerability researchers who have analyzed antivirus programs in the past, such attacks are quite likely, and may already have occurred. Some of them have tried to sound the alarm about the ease of finding and exploiting critical flaws in endpoint antivirus products for years.

 

Since June, researchers have found and reported several dozen serious flaws in antivirus products from vendors such as Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes. Many of those vulnerabilities would have allowed attackers to remotely execute malicious code on computers, to abuse the functionality of the antivirus products themselves, to gain higher privileges on compromised systems and even to defeat the anti-exploitation defenses of third-party applications.

 

Exploiting some of those vulnerabilities required no user interaction and could have allowed the creation of computer worms -- self-propagating malware programs. In many cases, attackers would have only needed to send specially crafted email messages to potential victims, to inject malicious code into legitimate websites visited by them, or to plug in USB drives with malformed files into their computers.

[daledoc1]

Hi:

 

I'm happy, that you have taken note of it.. There is but a lot of noise/attention on it by the IT world, even a explicit reference to 'Malwarebytes' by PCWorld very recently in http://www.pcworld.com/article/3020327/antivirus-software-could-make-your-company-more-vulnerable.html ..

 

Did you read Marcin's blogpost?

 

https://blog.malwarebytes.org/news/2016/02/malwarebytes-anti-malware-vulnerability-disclosure/

[sman]

Marcin's post makes reference to vulnerabilities as per Tavis Ormandy and no reference to Ensilo's Vulnerability (which seems the crux of PCWorld's article, to sum up the vulnerabilities of AV)..

 

No reference is made to CVE by PCWorld nor in Marcin's post, and even in MWB's Hall of Fame, CVE is linked to only one induction.. The 'Bug Bounty programme' of MWB is also not linked to CVE..

 

The bigger picture and of serious concern is the very security product which is supposed to safeguard the user, is prone/vulnerable to be a attack vector by itself..

 

That 'the vulnerabilities will allow ...even to defeat the anti-exploitation defenses of third-party applications' as per PCWORLD article, is what would like to know, as to how safe the user is?

[David H. Lipman]

Malwarebytes related CVE listings.

CVE-2014-4936

CVE-2014-100039

[sman]

The 'Bug Bounty' programme launched just a few days back by MWB is clear signal, for identifying/acting on vulnerabilities, before they become a real problem..

 

Here is another look into 'An experiment in AV evasion' in http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/ ..

 

 

Running the Experiment (peCloak in action)

Now that I had the tool, it was time to see how effective it was. Using the previously identified list of AV vendors, I downloaded their respective free AV products and got to testing. Again, my goal was to evade AV detection for each of the four test executables without breaking the exploit’s functionality.

 

Here is a summary of the results:

As you can see, a green check mark indicates successful evasion, a red X indicates peCloak could not successfully bypass AV evasion, and N/A indicates the AV product did not even detect the original uncloaked version so additional encoding was unnecessary. It should be noted that several products did not detect any of the uncloaked malicious executables (McAfee, Spybot, and TrendMicro) despite updated virus definitions. There were no apparent configuration problems or errors indicated by the product so the reason for detection failure is unknown. Regardless, these products were disqualified from further testing as a result. That left a total of 12 AV products that were tested.

 

The summary is pretty telling … I was able to successfully hide all four executables from detection in 9 of the 12 products (in some cases, evasion was unnecessary for one or two of the files as the original, unencoded files were not even detected. The only products that provided at least partial protection were Avast ,Bitdefender, and BullGuard. This is largely because any bytes contained outside of the PE file sections (.text, .data, .rdata, .rsrc, etc) are not modified by my peCloak script. For example, in at least one of these AV products, the signature detection was the result of bytes contained within the PE Header, which my script does not attempt to modify.

 

A quick glance at the table, will demonstrate that despite a few of the products detecting some of the executables, the best method of evading AV detection is by cloaking a backdoored executable (as I did with strings.exe). In fact, as you’ll see below, one of the products actually automatically whitelisted my backdoored executable without any action on my part!

 

 

Malwarebytes Anti-Malware Free (Evasion: 2/2, 2 N/A)

This product did not detect the unencoded versions of the vdmallowed.exe or strings_evil.exe files but did detect both Metasploit stand-alone executables which were successfully cloaked by encoding a portion of the .data section.

peCloak.py -e .text,.data:50:500 av_test_msfmet_rev_tcp.exe

peCloak.py -e .text,.data:50:500 av_test_msfshell_rev_tcp.exe

[sman]

Here, the discussion in the Wilder's forum on the 'An experiment in AV evasion' in http://www.wilderssecurity.com/threads/av-evasion-using-cloaked-malware-exploits.378810/ ..

 

 

AV Evasion Using Cloaked Malware/Exploits

Discussion in 'other anti-virus software' started by itman, Aug 13, 2015.

 

Page 1 of 21 2 Next >

1. 

   itman Registered Member

   Joined: Jun 22, 2010 Posts: 2,109 Location: U.S.A.

   For those who have said conventional AVs don't protect you anymore, here's another justification.

   
   
   

   Ref.:

   http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/
   
   Summary
   
   Here is a summary of the results:
   
   http://www.securitysift.com/wp-content/uploads/2015/03/pecloak5.jpg
   
   As you can see, a green check mark indicates successful evasion, a red X indicates peCloak could not successfully bypass AV evasion, and N/A indicates the AV product did not even detect the original uncloaked version so additional encoding was unnecessary. It should be noted that several products did not detect any of the uncloaked malicious executables (McAfee, Spybot, and TrendMicro) despite updated virus definitions. There were no apparent configuration problems or errors indicated by the product so the reason for detection failure is unknown. Regardless, these products were disqualified from further testing as a result. That left a total of 12 AV products that were tested.

    

   itman, Aug 13, 2015

   #1