Reliance on AV products isn't a good idea

[TheAnimus]

http://www.theregister.co.uk/2010/05...tch_av_bypass/

Most Anti-Virus systems on windows work by "hooking" that is to say intercepting the calls made between a users program, for example a web browser, and the underlying operating system.

Be it Linux, Windows or BSD, there are a bunch of services offered by the kernel to the users program. A virus scanner can look at how it uses these often to determine if something is potentially dangerous, if so it will read the whole program and analyse it for know patterns.

But if you've got a multi-core system, you can effect have someone manipulating the program, whilst its been inspected, simultaneously.

Its quite a hard one to solve because most attacks are not concurrent right now, its very very hard to understand all of the possible attack vectors. There was a really interesting paper a few months back about how certain cryptographic concepts can be spied upon by looking at the voltage fluctuations, and a very in depth understanding of the structure of the cores on the CPU.

Back in the first old days of the net, most machines where left pretty much open, telnet on standard ports. People slowly came about (MS slower noteably than others!) to realising the importance of spending time and limiting functionality.

But this could be a bit brave new world, as it makes obfuscation from the heuristic scanners a lot harder.

This might just bore everyone here, but hopefully some will find it interesting....

[benus]

Could you please provide a link to a document you mentioned you read few months ago...

[Mike Fishcake]

Extremely interested in this type of thing - we're (finally) starting a technical advisory group to deal with viruses in our organisation, so I need to keep track about stuff like this.

[badass]

http://www.theregister.co.uk/2010/05...tch_av_bypass/

Most Anti-Virus systems on windows work by "hooking" that is to say intercepting the calls made between a users program, for example a web browser, and the underlying operating system.

Be it Linux, Windows or BSD, there are a bunch of services offered by the kernel to the users program. A virus scanner can look at how it uses these often to determine if something is potentially dangerous, if so it will read the whole program and analyse it for know patterns.

But if you've got a multi-core system, you can effect have someone manipulating the program, whilst its been inspected, simultaneously.

Its quite a hard one to solve because most attacks are not concurrent right now, its very very hard to understand all of the possible attack vectors. There was a really interesting paper a few months back about how certain cryptographic concepts can be spied upon by looking at the voltage fluctuations, and a very in depth understanding of the structure of the cores on the CPU.

Back in the first old days of the net, most machines where left pretty much open, telnet on standard ports. People slowly came about (MS slower noteably than others!) to realising the importance of spending time and limiting functionality.

But this could be a bit brave new world, as it makes obfuscation from the heuristic scanners a lot harder.

This might just bore everyone here, but hopefully some will find it interesting....

The risks from these kinds of attacks can be hugely reduced by having proper endpoint security (in a business setup) and a layered security model.
Your security software is not capable of running the data it is inspecting - it is only checking it before passing it on to the host.
By the time an email gets to our users desktop, it has been scanned for viruses azt least twice adn a further time by the desktop A/V.

This type of attack can only bypass the desktop A/V.

A redesign of A/V software can also reduce the risk. Most email scanners for example scan outgoing email by running an SMTP server on your PC that your email client is configured to use as a smarthost. They can have the A/V software run a proxy server on your PC and your web browsers all access the web throught the proxy server. for all other network/internet access, they can run a security appliance style program that intercepts all network traffic incoming and outgoing and only passes it on once scanned. This only leaves local attacks being able to exploit this loophole.