I spy with my little Spy, something beginning with „Anti…“

René Pfeiffer/ June 27, 2015/ Discussion, High Entropy, Security

Anti-virus software developers made the news recently. The Intercept published an article describing details of what vendors were targeted and what information might be useful for attackers. Obtaining data, no matter how, has its place in the news since 2013 when the NSA documents went public. The current case is no surprise. This statement is not meant to downplay the severity of the issue. While technically there is no direct attack to speak of (yet), the news item shows how security measures will be reconnoitred by third parties. Why call it third parties? Because a lot of people dig into the operation of anti-virus protection software. The past two DeepSec conferences featured talks called „Why Antivirus Software fails“ and „Easy Ways To Bypass Anti-Virus Systems“. The Project Zero team at Google found a vulnerability in an anti-virus product enabling attackers to attack running systems. So reverse engineering is done all the time, not only by government bodies.

Frankly most software really invites reverse engineers by communicating without encryption or authentication with their (update) servers. Some protection software is just a botnet with corporate C&C servers, waiting for their commands to be extracted by curious researchers. You can even gather information about systems in a local network once you can take a peek at the network traffic and isolate the chatter from the anti-virus and intrusion detection software in place.

However, infosec researchers usually do not intercept emails from vendors or their developers: The chance of getting to know about a new 0day (or the indication that one’s own 0day has been found) are considerably higher when looking at anti-virus or intrusion detection companies. Samples of new malicious software are often sent to anti-virus companies for further analysis. Plus you get a warning as soon as one of the AV engines is vulnerable to a new exploit. It’s a kind of weather forecast, either legal or illegal, depending on the applicable laws. And it is a good example of valuable information well worth copying.

In turn this means that your network and your systems are part of this game. There is no virus or intrusion protection without a steady flow of updates on new threats. Given the fact that you most probably use a 7/24 Internet connection with your computing equipment, the door is virtually open. For reconnaissance, that is. Everything else depends on your additional defences and the willingness of the software vendors to use strong encryption, authentication, and secure code. Have a look into that. Your time isn’t wasted, and you might get ideas on how to improve your defensive skills.

Share this Post

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.


Comments are closed.