Researchers Explore Idea of Sabotage via Antivirus Engines

frogboy

In memoriam 1961-2018
Thread author
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
Four researchers from two universities in Germany have devised a method of turning an antivirus engine’s malware scanning engine into an attack weapon.

The attack is centered around malware signatures, an old malware identification technique that relies on filters to look for patterns inside the bytes of a file. These malware signatures are created by malware analysts who study malware samples and create a signature to be used by the antivirus (AV) engine.

When the AV engine scans a new file, it looks at the malware signature, which tells it to look between bytes X and Y for certain content. If a file matches this filter, then the AV marks the file as malware and deletes or quarantines the file.

Using AVs to delete logs and browser cookies
The research team says that by finding a way to extract these signatures from the antivirus engine, or inferring the way they work, an attacker could use the AV engine itself to destroy an organization’s files, in so-called “antivirus-assisted attacks.”

Full Article. Researchers Explore Idea of Sabotage via Antivirus Engines
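The article's description of signature scanning (look between bytes X and Y for a byte pattern, act on a match) is easy to see in code. The following is an added example, not code from the article, the researchers, or any AV vendor: a toy scanner with constructed, hypothetical signatures and constructed sample files. `signature_hits` is the bare pattern match the attack relies on, which fires just as readily on a log line as on an executable. `verdict` shows the mitigation the later replies allude to, treating a hit as a hint and confirming the file has the structure the signature was written for (here a minimal PE header check) before choosing a reversible action such as quarantine rather than deletion.

```python
"""Minimal signature scanner showing why a byte-pattern hit should be a hint,
not a verdict. Added example: signature names, byte patterns, sample files and
the policy are all constructed for illustration, not taken from any real AV."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes   # byte sequence the engine looks for
    start: int       # scan window start ("look between bytes X and Y")
    end: int         # scan window end (exclusive)


# Constructed signatures (hypothetical names and patterns, not real detections).
SIGNATURES: List[Signature] = [
    Signature("Constructed.Dropper.A", b"\xde\xad\xbe\xef\x90\x90", 0, 512),
    Signature("Constructed.Downloader.B", b"EVIL_MARKER_7F", 0, 65536),
]


def signature_hits(data: bytes) -> List[str]:
    """Plain signature matching: report every signature whose pattern occurs
    inside its configured byte window. This is all a naive engine does, and it
    fires on any file type, including logs and cookie stores."""
    return [s.name for s in SIGNATURES if s.pattern in data[s.start:s.end]]


def is_pe_image(data: bytes) -> bool:
    """Cheap structural check: DOS 'MZ' stub plus a 'PE\\0\\0' signature at
    the offset stored in e_lfanew (bytes 0x3c..0x40 of a PE file)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def verdict(data: bytes) -> str:
    """Treat a signature hit as a hint: confirm the file is the kind of object
    the signature targets before choosing an action. Returns 'clean',
    'quarantine' (reversible isolation of an executable) or 'flag' (hit inside
    a file without executable structure, e.g. a log: record it, do not destroy)."""
    hits = signature_hits(data)
    if not hits:
        return "clean"
    if is_pe_image(data):
        return "quarantine"   # executable with a known pattern: isolate, keep a copy
    return "flag"             # pattern in a non-executable: log for review only


def build_pe_stub(payload: bytes) -> bytes:
    """Constructed minimal PE-looking blob: MZ stub, e_lfanew = 0x40, then the
    'PE\\0\\0' signature followed by the payload bytes."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)   # 0x3C bytes so far
    header += (0x40).to_bytes(4, "little")       # e_lfanew points at offset 0x40
    return bytes(header) + b"PE\x00\x00" + payload


# Constructed sample inputs.
LOG_WITH_MARKER = b"2024-01-01 10:00:00 INFO user login ok EVIL_MARKER_7F\n"
EXE_WITH_MARKER = build_pe_stub(b"\x00" * 16 + b"\xde\xad\xbe\xef\x90\x90")
CLEAN_LOG = b"2024-01-01 10:00:01 INFO user logout\n"

if __name__ == "__main__":
    for label, blob in [("log", LOG_WITH_MARKER), ("exe", EXE_WITH_MARKER), ("clean", CLEAN_LOG)]:
        print(label, signature_hits(blob), verdict(blob))
```

Run as a script, the log line and the executable both produce a signature hit, but only the executable is quarantined; the log is flagged for review, so a planted pattern cannot by itself make the engine destroy it. Real engines confirm hits with far richer checks (emulation, unpacking, section parsing); the PE header test here stands in for that step.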
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
They used ClamAV and other malware scanners not mentioned for the study, but currently the best AVs don't rely only on signatures; they use them as part of a complex detection technology, so I think this method developed by these researchers is not objectively so effective.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
They used ClamAV and other malware scanners not mentioned for the study, but currently the best AVs don't rely only on signatures; they use them as part of a complex detection technology, so I think this method developed by these researchers is not objectively so effective.
The article does in fact mention this important point later on, if I understood right:

"Security experts are not impressed
Nonetheless, their proposed attack has not impressed some infosec experts, such as Dr. Vesselin Bontchev, one of the engineers that worked on designing the macro scanning engine for the F-PROT antivirus engine.

“[T]he author seems to [...] think that scanners still rely on "signatures" (i.e., sequences of bytes) to detect malware. This hasn't been the case for most respectable anti-virus products since the early '90s, when the heavily polymorphic viruses became widespread,” Dr. Bontchev told Bleeping Computer in an email.

“Nowadays much more advanced methods are used for malware detection. In some cases "scan strings" are not used at all,” he added. “Most of the time, scan strings are used only as a hint to the scanner to engage its more sophisticated (but slower) detection algorithms.”
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
The article does in fact mention this important point later on, if I understood right:

"Security experts are not impressed
Nonetheless, their proposed attack has not impressed some infosec experts, such as Dr. Vesselin Bontchev, one of the engineers that worked on designing the macro scanning engine for the F-PROT antivirus engine.

“[T]he author seems to [...] think that scanners still rely on "signatures" (i.e., sequences of bytes) to detect malware. This hasn't been the case for most respectable anti-virus products since the early '90s, when the heavily polymorphic viruses became widespread,” Dr. Bontchev told Bleeping Computer in an email.

“Nowadays much more advanced methods are used for malware detection. In some cases "scan strings" are not used at all,” he added. “Most of the time, scan strings are used only as a hint to the scanner to engage its more sophisticated (but slower) detection algorithms.”
Yes indeed, I read the whole article so I agree with that :)
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
Many "security experts" think that modern antivirus solutions still rely on technology from the early '90s. Nothing could be further from the truth; this antivirus bashing nonsense is getting annoying.

Signature-less and AI protection aren't silver bullets; if they were, security firms like Kaspersky/Eset/Trend Micro would rely 100% on them, but they don't, because modern antivirus solutions are a pack of balanced technologies that protect devices without many usability and performance problems.

Those who bash antivirus aren't really helping anyone.

Next gen AI machine learning ultimate sandbox security? ha-ha-ha

Next-gen security software: Myths and marketing
A bomb just dropped in endpoint security... and I'm not sure anyone noticed - Alex Eckelberry

What about HIPS?

 

Deleted member 178

Beginners need an AV; they don't have the skills to use anything else.
Advanced users don't need an AV; they have the skills to use something more effective.

But with the actual malware landscape, no one, not even experts, can stay without security software (built-in or not).

Fileless malware, exploited legit applications/websites/OSes/hardware... you can be the top expert in the universe; you can't defend against what you can't see.
 

Elpibe

Level 3
Verified
Sep 26, 2015
126
Beginners need an AV; they don't have the skills to use anything else.
Advanced users don't need an AV; they have the skills to use something more effective.

But with the actual malware landscape, no one, not even experts, can stay without security software (built-in or not).

Fileless malware, exploited legit applications/websites/OSes/hardware... you can be the top expert in the universe; you can't defend against what you can't see.

I'm in the middle of Beginner and Advanced and I think AVs are the first barrier in security. There are a lot of security programs to protect a PC that most advanced users can take advantage of, but AVs work very well for most people. If you have a little knowledge and don't do anything risky on the internet you're pretty much safe with an AV, at least for me... For ex. I have Shadow Defender but I never used it, and I never installed VoodooShield. AV is not bulletproof, so I know that if someone really wants to infect my PC, they will probably succeed, because I don't use all the tools I have or know.
 

Deletedmessiah

Level 25
Verified
Top Poster
Content Creator
Well-known
Jan 16, 2017
1,469
I'm in the middle of Beginner and Advanced and I think AVs are the first barrier in security. There are a lot of security programs to protect a PC that most advanced users can take advantage of, but AVs work very well for most people. If you have a little knowledge and don't do anything risky on the internet you're pretty much safe with an AV, at least for me... For ex. I have Shadow Defender but I never used it, and I never installed VoodooShield. AV is not bulletproof, so I know that if someone really wants to infect my PC, they will probably succeed, because I don't use all the tools I have or know.

I think I'm on the same level. Definitely know more and less chance to get infected compared to average user but nowhere near "advanced" level. I tried a HIPS software once to see what HIPS is like, couldn't understand it and removed it. No choice but antivirus, adblock and proper browsing habits.
 

Deletedmessiah

Level 25
Verified
Top Poster
Content Creator
Well-known
Jan 16, 2017
1,469
What makes a safe user is admitting their self-limitations, and not trying to use what they can't understand or handle; with time, they may evolve by spending more time on the subject.
Exactly. With time, hopefully I too will learn more about these things. I already have much more knowledge than I had 2 years ago. Learning things slowly is the right way to do it rather than overestimating yourself.
 

frogboy

In memoriam 1961-2018
Thread author
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
Exactly. With time, hopefully I too will learn more about these things. I already have much more knowledge than I had 2 years ago. Learning things slowly is the right way to do it rather than overestimating yourself.
Same here, I have learned so much since joining MT, it is a great place to learn. :)
 

Deletedmessiah

Level 25
Verified
Top Poster
Content Creator
Well-known
Jan 16, 2017
1,469
AV is the first line of defense. One has to play with the default settings on these applications to get good protection.

The best protection is common sense.
Common sense is indeed the best protection and is absolutely needed. However, it's not enough. When a legitimate website or software is hacked, even common sense won't help.
 
