Back on August 25th Jigsaw reported on an issue with anti-virus technologies and the threat they themselves pose to organizations. We put out that alert because we had started seeing machines compromised through clever manipulation of anti-virus code that runs as Administrator (simply because it has to). So it was surprising, while monitoring our OSINT sources today, to see an article on Dark Reading titled "New Microsoft Kernel Bug Could Permit Malicious Modules". What is interesting is that the article says the vulnerability affects every operating system from Windows 2000 through Windows 10. Well, we have news for you and it's not good. While we applaud security researchers taking another look at this item, they kind of missed the mark. As we noted in our original article, this vulnerability exists, but it is only one way in: the same result can be reached by several routes, including the one we described in that article under Attacking the Load Chain.
The sequence of events that takes place when anti-virus loads, runs, and even reports its findings is vulnerable to malicious interference at every step. Last month we began sharing the activity we were seeing with other security researchers, asking whether they were observing fileless infections attacking the AV load chain, and surprisingly most reported that they have.
As part of our review of this issue we are advising all of our clients to disable their anti-virus software, unless it runs in a virtualized container (which may render it ineffective if it cannot read the host filesystem), until AV vendors fix the issue.
One thing the article got wrong is that it made no explicit mention of Windows XP and Vista, both of which are still running in medical and ATM networks. Both of these operating systems, as well as every earlier version of Windows, remain vulnerable to DLL side-loading, to load-chain attacks, and to manipulation of the anti-virus process itself by tricking the AV into executing code during a scan.
A recent Windows Script Host (wscript) file we observed dropped a binary when executed. When the AV tried to access that file for scanning, the binary killed the AV process, noted which of the AV's files had just been unloaded from memory, and overwrote those files on disk. It then relied on the fact that AV is restarted when Windows reboots: at the next boot the malware is started in place of the AV. Such deception is possible because no real checking takes place to ensure that the dependencies of the anti-virus program (its executables and libraries) are the ones the product was actually intended to load when it starts.
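The check that is missing in the scenario above can at least be approximated from the outside. The following PowerShell script is an added example, not Jigsaw's code and not any AV vendor's: it audits an AV service's on-disk binary (what will run at the next boot), the modules its running process has actually loaded, and every other executable file in the install directory, flagging anything that is unsigned, has a broken signature, sits outside the expected directories, or is signed by someone other than the vendor or Microsoft. The service name `ExampleAVService` and the signer substring `Example AV Vendor` are placeholders to be replaced with your product's values.

```powershell
# Added example (not the page's or any vendor's code): audit an AV service's
# load chain. Run from an elevated shell of the same bitness as the AV process.
param(
    [string]$ServiceName = 'ExampleAVService',   # assumption: your AV service name
    [string]$VendorMatch = 'Example AV Vendor'   # assumption: substring of the vendor's signing cert subject
)

# Directories from which a legitimately installed AV is expected to load code.
$trustedRoots = @("$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\",
                  "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Test-TrustedPath([string]$Path) {
    foreach ($root in $trustedRoots) {
        if ($root -and $Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-ModuleVerdict([string]$Path) {
    # Status is Valid only if the file is signed and its hash still matches the signature;
    # an overwritten signed file comes back as HashMismatch, a dropped DLL as NotSigned.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $fromVendor = ($signer -match [regex]::Escape($VendorMatch)) -or ($signer -match 'Microsoft')
    [pscustomobject]@{
        Path        = $Path
        SigStatus   = $sig.Status
        Signer      = $signer
        TrustedPath = Test-TrustedPath $Path
        Suspicious  = ($sig.Status -ne 'Valid') -or (-not (Test-TrustedPath $Path)) -or (-not $fromVendor)
    }
}

# 1. The service's registered binary: this is what the Service Control Manager starts at boot.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
# PathName may be quoted and may carry arguments; keep only the executable path.
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
$results = @(Get-ModuleVerdict $exe)

# 2. What the running process has actually mapped. Protected (PPL) AV processes may refuse
#    module enumeration; in that case only the on-disk checks below apply.
if ($svc.ProcessId) {
    $proc = Get-Process -Id $svc.ProcessId -ErrorAction Stop
    foreach ($m in $proc.Modules) { $results += Get-ModuleVerdict $m.FileName }
}

# 3. Everything else in the install directory. A planted DLL that has not been loaded yet
#    is exactly the side-loading payload waiting for the next restart.
$installDir = Split-Path -Parent $exe
Get-ChildItem -Path $installDir -Recurse -Include *.dll, *.exe, *.sys -File |
    Where-Object { $results.Path -notcontains $_.FullName } |
    ForEach-Object { $results += Get-ModuleVerdict $_.FullName }

$results | Sort-Object Suspicious -Descending |
    Format-Table -AutoSize Suspicious, SigStatus, Signer, Path
```

Two caveats a practitioner should keep in mind. First, a Valid signature from the vendor is necessary but not sufficient: a legitimately signed but vulnerable library, or a signed binary that the AV is tricked into executing during a scan, will pass this check, which is why the output is a review list rather than a verdict. Second, the script asks the possibly compromised host about itself; if the attacker has already replaced components the AV depends on, the same machine may lie about what is loaded, so for incident response the on-disk checks should be repeated from an offline boot or against a mounted image.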
Over the past few years we have been relying less on endpoint and anti-virus products (except for forensics and incident response work), because we realized that any program running with elevated privileges can be turned against the Windows security controls it is supposed to enforce.
While the security professionals Dark Reading spoke to called this shocking, we do not think so. There are at least two additional known methods of using anti-virus to infect and backdoor a computer, and probably further methods in use by intelligence agencies and espionage actors around the world.
We highly recommend that customers look at the Jigsaw JPM (Auditing Framework) and employ technologies that actively stop the infection chain of events, such as the FirstWatch sensor powered by Jigsaw Security Threat Intelligence. Our solutions stop this type of attack when it arrives over the network or through phishing emails, which remain the number one threat to most organizations.