Attacking Antivirus

Feng Xue
Technical Lead, Nevis Labs.
Nevis Networks, Inc.
ABSTRAT
Antivirus solutions are now a co!!on co!"onent o# co!"uter s$ste!s. %owever, securit$
issues "ertaining to the antivirus so#tware itsel# have not ca"tured enough attentions o#
antivirus vendors and co!"uter users.
This "a"er discusses wh$ antivirus so#tware is vulnerable to various attacks and wh$ its
securit$ is so critical. It e&a!ines the tools and techni'ues, es"eciall$ #u((ing techni'ues,
used b$ attackers to e&"ose vulnerabilities in antivirus solutions. It also looks at the wa$s in
which attackers e&"loit these vulnerabilities
The "a"er thus ai!s to raise levels o# consciousness about the securit$ o# the securit$
"roduct.
)*+,-R.S/ Antivirus, Audit, *&"loitation, Fu((ing, Securit$ "roduct
0. INTR-.1TI-N
According to the 1.S. national vulnerabilit$ database 203, as shown in Figure 0, 045
vulnerabilities have been re"orted in antivirus so#tware in the "ast 6 $ears.
9
44
52
60
0
10
20
30
40
50
60
2004 2005 2006 2007
Antivirus Vulnerabilities
Figure 0 National 7ulnerabilit$ .atabase
Thus, it is clear that antivirus so#tware can be targeted 8ust likes other co!"onents or
services o# co!"uter s$ste!s.
Section 9 discusses wh$ antivirus so#tware is vulnerable to attacks. Section : discusses
the techni'ues used to unravel vulnerabilities o# antivirus so#tware ;; source code audits
#or e&a!"le, or reverse engineering and #u((ing. *&"loitation techni'ues will be
e&a!ined in Section 6.
.
9.
,%AT <A)*S ANTI7IR1S A =*RF*T TAR>*T
9.0 =eo"le have co!"lete #aith in it
The use o# antivirus so#tware has beco!e so!ething o# an act o# #aith. =eo"le see! to
#eel !ore sa#e not with a !ore secure o"erating s$ste!, or with the latest "atch, but
with so!e antivirus so#tware installed in their s$ste!s.
A recent stud$ 2:3 shows that ?0 "er cent o# all co!"uter users have antivirus so#tware
installed on their co!"uters. @uite clearl$, antivirus so#tware is a !ust;have #or !ost
users.
The 'uestions are/ Is that enoughA Is such blind #aith 8usti#iedA ,hat i# attackers attack
the antivirus so#tware itsel# instead o# the o"erating s$ste!A
Now that would turn the ga!e on its head, wouldnBt itA
onsider an average user, who gets so!e #iles Ce&ecutables, docu!ents, !edia, etc.D,
the installed antivirus on his co!"uter will scan the inco!ing #iles auto!aticall$ CThe
user !a$ !anuall$ scan it i# it looks sus"iciousD. And with this the antivirus would
serves the securit$ gate #or inco!ing #iles. Figure 9
Figure 9/ A7 Antivirus serves the securit$ gate #or inco!ing #iles.
,hat he or she does not know is that !an$ antivirus solutions develo"ed in the "ast,
were develo"ed without holistic securit$ in !ind. .evelo"ers would assu!e that non;
trusted #iles were sa#el$ being scanned b$ their so#tware. But what i# those ver$ #iles
hurt their solution so#tware itsel#A
The threat to antivirus securit$ is thus hel"ed along b$ two things/

The userBs blind acce"tance o# the antivirus as a silver bullet.

And the overcon#idence o# antivirus vendors in their so#twareBs i!!unit$ against

all #iles.
9.9 Antivirus "rocesses are error;"rone
Antivirus so#tware is one o# the !ost co!"licated a""lications. It has to deal with
hundreds o# #ile t$"es and #or!ats/

e&ecutables Ce&e, dll, !si, co!, "i#, c"l, el#, oc&, s$s, scr, etcDE

docu!ents Cdoc, &ls, ""t, "d#, rt#, ch!, hl", etcDE

co!"ressed archives Car8, arc, cab, tar, (i", rar, (, (oo, lha, l(h, ace, iso, etcDE

e&ecutable "ackers Cu"&, #sg, !ew, ns"ack, ww"ack, as"ack, etcDE

Trusted Antivirus
Incoming
files

!edia #iles C8"g, gi#, sw#, !":, r!, w!v, avi, w!#, etcD,
*ach o# these #or!ats can be 'uite co!"le&. %ence, it is e&tre!el$ di##icult #or
antivirus so#tware "rocess all these #or!at a""ro"riatel$.
This is a!"l$ clear in recent research into antivirus vulnerabilities. It reveals that !ost
vulnerabilities e&ist in the #ollowing two co!"onents/

*&ecutable deco!"ression 263.

.ata deco!"ression 253.

Antivirus so#tware will tr$ to deco!"ress the co!"ressed e&ecutable and data be#ore
"rocessing the!.
The "roble! with the deco!"ression o# e&ecutables and data is that both the "rocesses
are highl$ co!"licated. The antivirus !akes co!"le& calculations, allocates !e!or$,
and e&tracts data according to the calculation. An$ !istake in these throws o"en the
door #or vulnerabilities.
These "oints !a$ be co!"elling enough #or attackers to target antivirus solutions but
how do the$ go about #inding chinks in the antivirus ar!orA
:.
FIN>IN> 71LN*RABILITI*S -F ANTI7IR1S
Basicall$ there are #our kinds o# vulnerabilities seen in antivirus so#tware/

Local =rivilege *scalation

ActiveX;related

*ngine;based

<anage!ent CAd!inistrativeD inter#ace

The !ethodologies o# auditing antivirus "rocesses #or each o# the above are 'uite
di##erent #ro! one another.
:.0 Auditing the Local "rivilege escalation issues
:.0.0 ,eak .AL
Auditing weak .AL issues is one o# the easiest things, so!eti!es it can be done
!anuall$ without the hel" o# an$ tools.
To check whether an antivirus installation director$ C#ilesD is vulnerable to this issue,
$ou 8ust need to right click on the director$ C#ilesD and navigate to the Fsecurit$G tag.
I# the F*ver$oneG grou" has a F#ull controlG "er!ission, then "robabl$ itBs a brand
new local root vulnerabilit$H
hecking the AL o# services is a little bit di##erent #ro! the installation director$.
It can be done b$ using sc.e&e 243 #ro! <icroso#t, and the s"eci#ic a""roach goes
like this/
Login as a non;"rivilege user, and run the #ollowing co!!ands
I# error I5 does not a""ear, ongratulationsH
FAntivirus serviceG is the na!e o# the service the attacker want to e&"loit, and
/Jsc con#ig Kantivirus serviceK bin"athL ./JattackJattack.e&e
bin"ath is a binar$ #ile Ccould be a Tro8an, rootkit, or an$thingD under the attackerBs
control.
A#ter running this co!!and, the attacker !ight have success#ull$ changed the
binar$ "ath o# a ,indows service, which will result in the attackerBs own binar$
being launched as an elevated "rivilege Cusuall$ S+ST*< "rivilegeD.
:.0.9 .river I-TL handler
Securit$ researchers have uncovered nu!erous "roble!s o# drivers in 9MMN.
A !a8or "roble! is the driver I-TL handler issue. The "roble! is caused b$
insu##icient address s"ace veri#ication within I-TL handlers o# device drivers.
Auditing the driver I-TL "roble! can be done easil$ through #u((ing. Several
,in:9 I-TL #u((ers are "ublic available, such as ioctli(er 2N3.
)arto##el #ro! Reverse<ode 2?3 is also a great tool which ai!s #or testing the
securit$ and reliabilit$ o# the drivers.
So what need to be done is to #u(( the drivers installed b$ antivirus so#tware and
investigate ever$ BS-. Cblue screen o# deathD care#ull$.
:.9 Auditing the ActiveX issues
Auditing ActiveX issues o# antivirus so#tware is no di##erent #ro! auditing the! #or
other a""lications. It can be done either through #u((ing or through !anual auditing/

Fu((ing
ActiveX;based vulnerabilities beca!e !ore "revalent in 9MMN than ever. This was
"artiall$ caused b$ the "revalence o# ActiveX #u((ers.
Two "o"ular tools in this area are A&<an 2O3 and o!Radier 20M3.
A&<an is !ore "ower#ul, while o!Radier is !ore user;#riendl$.
A#ter installing antivirus so#tware, the s"eci#ic ActiveX control can be #u((ed b$
either choosing a single LSI. or s"eci#$ing a director$.

<anual auditing
,hile #u((ing can uncover lots o# !e!or$ corru"tion "roble!s, a !anual audit can
reveal so!e other interesting vulnerabilities at the design level. The unsa#e;!ethod
issues #or e&a!"le.
The Swiss;ar!$ knives o# !anual audits are -leview 2003, File<on, Reg<on,
Tc"7iew, 2093 and ,ireshark 20:3.
-le7iew "rovides a higher;level view o# in#or!ation contained in the registr$, and
it #eatures tree controls with #riendl$ na!es. it can be used to check i# a control is
!arked as sa#e or not, and enu!erate the !ethods "rovided.
File<on and Reg<on are also e&tre!el$ use#ul. The$ can be used to check what
kind o# #ile o"erations and registr$ o"erations are ha""ening when certain ActiveX
controls are initiated, or when certain !ethods are called.
Is ActiveX control tr$ing to readPwrite so!e #ilesPregistr$ ke$s s"eci#ied b$ user
controlled "ara!etersA
Tc"view can tell whether an ActiveX has so!e network activities.
.oes this ActiveX control listen to an$ T=P1.= "ortA
.ose it tr$ to connect to so!e I= address s"eci#ied b$ "ara!etersA
ItBs reco!!ended to kee" ,ireshark running during the whole "rocess.
It can tell whether an ActiveX control is tr$ing to connect to so!e website, I=
address, or whether it is tr$ing to download so!e #iles #ro! so!ewhere else and run
the!, or whether it is tr$ing to u"load so!e #iles #ro! $our co!"uters to
so!ewhere else.
:.: Auditing antivirus so#tware engine
The engine is the !ost co!"le& co!"onent o# antivirus so#tware thus auditing the
engine would be tough.
Basicall$ there are three wa$s o# auditing/

Source code audit

As the na!e suggests, to audit the source code, auditors need access to the source
code o# the antivirus so#tware.
%owever, #or securit$ researchers, !ost source code is unavailable, e&ce"t la!A7
2063.
la!A7 is a ver$ good target #or a source code audit. A 'uick glance at the
vulnerabilit$ database shows that there are 6O single 7* !atches #or la!A7.
Needless to sa$, a source code audit is a ti!e consu!ing 8ob.
There are several !ature tools #or source audits, including FlawFinder, RATS ,
ITS6, S=LINT, odeScan, and overit$.
It can also be done b$ !anuall$ navigating source code and looking #or dangerous
A=Is, integer calculations, !e!or$ o"erations, and logical errors.

Reverse engineering
Since !ost co!!ercial antivirus solutions are closed;source, source;code audit are
al!ost i!"ossible #or researchers.
Reverse engineering is one o# the best choices. Researchers can anal$(e the
asse!bl$ code directl$ and look #or "otential vulnerabilities.
,hile reverse engineering an antivirus so#tware engine, the target should be #ocused
on the co!"onent res"onsible #or "arsing all kinds o# #ile #or!ats.
These co!"onents are usuall$ i!"le!ented as inde"endent "lug;ins, here are two
e&a!"les/
)as"ersk$/ Ar8.""l base46.""l cab.""l lha.""l rar.""l, etc
Bitde#ender/ arc.&!d ar8.&!d b(i"9.&!d cab.&!d doc#ile.&!d, etc
Qust like other reverse engineering 8obs, auditing antivirus engines through reverse
engineering is e&tre!el$ ti!e;consu!ing. The good news is that %e&;ra$s 2053 Ca
"lug;in #or I.A "roD !akes deco!"iling !uch easierH Reading the asse!bl$ can be
as eas$ as reading source code.
Ale& ,heeler has done a ver$ good 8ob in this area. For !ore in#or!ation "lease
check his Blackhat "resentation FMwning Anti;7irusG 2043

Fu((ing
Fu((ing is an a!a(ing techni'ue, and it has accelerated so#tware securit$ a lot in the
"ast #ew $ears.
Researchers have alread$ "resented #u((ing !edia "la$ers, #u((ing server
a""lications, #u((ing web browsers, and "ublished lots o# #u((ers. %owever, #ew
"eo"le had ever talked about #u((ing antivirus so#tware.
There is onl$ one #u((er #or antivirus so#tware "ublished to the best o# !$
knowledge. That is v&#u(( 20N3 "ublished b$ Tavis -r!and$.
n.runs once !entioned that the$ had an in;house #u((er na!ed Fu((er;Fra!ework
v0.M 20?3.
Since !ost o# the engine;based vulnerabilities e&ist in the deco!"ression "rocess,
#u((ing antivirus engine !eans #u((ing various deco!"ressed data and e&ecutables,
this !akes it !uch easier than #u((ing an$thing else, #ro! !$ "oint o# view, here is
what is needed #or the #u((ing/
A. A big hard disk
This is because antivirus so#tware has to deal with hundreds o# di##erent #ile
#or!ats, itBs better to #u(( all the #or!ats su""orted. That is wh$ a big hard disk
is needed to store all #iles generated Cb$ the #u((erD.
B. .ebugger
hoose a debugger Cwindbg is reco!!ended #or this 8obD. -ll$dbg and
I!!unit$.ebugger are both good choices.
The usage o# the debugger will be introduced later.
. Fu((er
Actuall$, i!"le!enting an antivirus #u((er is 'uite eas$. The #u((er does not
need to handle e&ce"tions and launch the target a""lication again and again.
This is the !a8or di##erence between #u((ing other a""lications C,eb browsers,
<edia "la$ers, etcD and #u((ing antivirus so#tware.
Building a #u((er b$ using a scri"t language Ceither "$thon or "erlD is 'uick and
#un. %owever, i# there are hundreds and thousands o# #iles to be generated,
would be "er#ect #ro! the "er#or!ance "oint o# view.
Actuall$, a #u((er #or antivirus so#tware is 8ust a #ile generator. For e&a!"le, to
generate #iles, a ver$ si!"le antivirus #u((er onl$ needs to read sa!"les, re"lace
sa!"les #ro! b$tes to b$tes with #u((ing strings, and then save the! in the
director$ s"eci#ied.
hoosing #u((ing strings is usuall$ based on the e&"erience o# the designer. The
#u((ing string should contain so!e !agic value which !ight cause #aults
Cinteger over#low, stack;based over#low, etcD, such as M&FFFFFFFF,
M&NFFFFFFF, M&MMMM, M&MMMMMMMM, RBBS954, M&.
-ne thing !ight need to "a$ attention to is the R checksu!. For #ile #or!ats
such as RAR and TI=, the antivirus so#tware !ight check the R o# the #ile Cor
a certain "artD #irst, and i# it does not !atch, no #urther "rocess will be done.
usto! R #unction can be i!"le!ented within the #u((er #or certain #ile
#or!ats.
.. >ood sa!"les
>ood sa!"les are i!"ortant to #u((ing. As antivirus so#tware "rocesses so !an$
#ile #or!ats, auditors need to collect do(ens even hundreds o# sa!"les.
Tr$ to >oogle out F#ilet$"e/ e&tentionsG.
The sa!"les could even be created !anuall$. Thus, the auditor needs to collect
all the so#tware needed ;; ,inRAR, =owerIS-, <akeAB, and various =*
"ackers C1=X, FS>, AS=ack, etcD.
.
-nce thatBs read$, there are #our ste"s to #ollow.
A. Create test cases
This can be done b$ using the antivirus #u((er C#ile generatorD. The test cases
generated should be saved on a s"eci#ied director$ Cthe big hard diskD.
B. Download and install antivirus software
.ownload and install the antivirus so#tware which is to be #u((ed.
Antivirus vendors usuall$ "rovide a trial version on their websites, auditors can
download and install it.
.o not #orget to take a sna"shot a#ter installation.
. Scan!
Launch the scan against test cases.
.o not #orget to attach the #avorite debugger to the scanning "rocess o# the
antivirus so#tware.
I# itBs di##icult to deter!ine which "rocess it is, launch a scan and check the
=1 usage to #ind out.
.. Get some sleep
The scan !a$ take hours or even da$s, de"ending on how !an$ test cases have
been created.
>et so!e slee". -n waking u", check i# there are an$ e&ce"tions a""earing on
the debugger.
*ach e&ce"tion needs to be anal$(ed in de"th and #igure out whether it is
e&"loitable.
:.6 Auditing !anage!ent inter#ace

lientPServer !anage!ent
<ost PS;based !anage!ent "rotocols are "ro"rietar$, which !eans, no RF or
docu!ents are available. It will be di##icult to understand what the lient and
Server are talking about b$ ca"turing "ackets. The tra##ic !ight look 'uite rando!
or !ight be encr$"ted in so!e wa$.
Fu((ing is a good choice in this situation. S"ike 20O3 and Sulle$ 29M3 are two great
#u((ing #ra!eworks.
For !ore in#or!ation, "lease check the re#erence.

,eb inter#ace
Since !ost ,eb servers #or !anage!ent are develo"ed in;house b$ antivirus
vendors, the$ !a$ not be well audited and anal$(ed.
Fu((ing is alwa$s use#ul and worth tr$ing. There are lots o# web #u((ers "ublicl$
available, such as web#u(( 2903, S"ike and Sulle$.
B$ auditing antivirus so#tware, the author has discovered several vulnerabilities in
"o"ular antivirus "rogra!s. <ost o# these were done through #u((ing.
A #uture rise o# antivirus vulnerabilities in the #uture is e&"ected.
6.
*X=L-ITIN> ANTI7IR1S
The techni'ues e!"lo$ed b$ attackers to e&"loit antivirus vulnerabilities var$ #ro! case
to case.
6.0 Local =rivilege *scalation
Local "rivilege escalation "roble!s #aced b$ antivirus so#tware are no di##erent #ro!
those #aced b$ other so#tware. The "roble!s can be categori(ed as #ollows/
6.0.0 ,eak .AL
The weak .AL "roble! has occurred in both the installation director$ and
installed services.
As #ar as the installation director$ is concerned, vulnerabilities e&ist in the Access
ontrol List CALD settings which will be a""lied during installation. ,hen
antivirus so#tware gives FFull ontrolG "er!ission to the F*ver$oneG grou", an$one
can !odi#$ installed #iles. .ue to the #act that al!ost ever$ antivirus so#tware runs
so!e s$ste! services, attackers are able to si!"l$ re"lace an installed service #ile
with their own !alicious code CTro8an or rootkitD which can later be e&ecuted with
S+ST*< "rivileges.
This "roble! has been #aced b$ al!ost all antivirus vendors, including but not
li!ited to <cA#ee, S$!antec, Trend<icro, 7BA:9, =anda, = Tools, A eTrust,
ToneAlar!, A7>, Bit.e#ender, AvastH, and )as"ersk$.
AhnLab A7 Re!ote )ernel <e!or$ orru"tion
Trend<icro A7 11* .ecoding For!at String 7ulnerabilit$
AvastH A7 T>T =arsing %ea" orru"tion
N-.:9 %ea" -ver#low Cun"ublished, Mda$ at the ti!e o# the writingD
ase/ 7*;9MM5;00MN McAfee Internet Security Suite 2005 Insecure File
Permission Vulnerability 2993
McAfee Internet Security Suite 2005 uses insecure default ACLs for installed files,
wic allows local users to !ain "ri#ile!es or disable "rotection by modifyin!
certain files$
As #ar as installed services are concerned, vulnerabilities are usuall$ caused b$ the
#act that the S*R7I*U%AN>*U-NFI> "er!ission is assigned to F*ver$oneG.
Attackers can e&"loit such a vulnerabilit$ to gain escalated "rivileges b$ changing
the associated "rogra!. The attack can be achieved b$ using the S.e&e, which is
"ublished b$ <icroso#t.
%ere is an e&a!"le/
The weak .AL "roble!s have beco!e rare in the "ast #ew $ears.
6.0.9 .river I-TL %andler issues
ThereBs a dra!atic rise in driver I-TL handler issues in the "ast two $ears.
Securit$ researchers and hackers !oved to this "roble! in 9MM4, and "lent$ o#
vulnerabilities were 'uickl$ uncovered in securit$ "roducts, es"eciall$ in antivirus
so#tware and "ersonal #irewalls.
.river I-TL handler issues are usuall$ caused b$ insu##icient address s"ace
veri#ication within I-TL handlers o# device drivers installed b$ the antivirus
so#tware. Attackers can take advantage o# this b$ overwriting arbitrar$ !e!or$ and
then e&ecuting arbitrar$ code with kernel "rivilege.
Securit$ researchers have success#ull$ de!onstrated how to reliabl$ e&"loit these
issues either b$ hooking so!e rarel$ used s$ste! call or b$ adding a call gate in the
>.T C>lobal .escri"tor TableD. 29:3
ases/
7*;9MMN;:4N: Symantec AntiVirus symtdi$sys Local Pri#ile!e %scalation
Vulnerability 2963
Symantec symtdi$sys before &$0$0 allows local users to !ain "ri#ile!es #ia a crafted
Interru"t 'e(uest Pac)et *Ir"+ in an I,C-L 0./0022020 re(uest to 11sym-2I1,
wic results in memory o#erwrite$
7*;9MMN;M?54 -rend Micro Products I,C-L 3andler Pri#ile!e %scalation 2953
-mComm$sys 4$5$0$4052 assi!ns %#eryone write "ermission for te 11$1-mComm
2,S de#ice interface, wic allows local users to access "ri#ile!ed I,C-Ls and
e.ecute arbitrary code or o#erwrite arbitrary memory in te )ernel conte.t$
7*;9MM4;6O9N Symantec AntiVirus I,C-L 5ernel Pri#ile!e %scalation
Vulnerability 2943
C:\sc stop "vulnerable antivirus service"
C:\sc config "vulnerable antivirus service" binpath= D:\attack\attack.exe
C:\sc start "vulnerable antivirus service"
6AV%67$S8S and 6AV%945$S8S de#ice dri#ers 200:4$0$0$42 and later allow local
users to !ain "ri#ile!es by o#erwritin! critical system addresses usin! a crafted Ir"
to te I,C-L functions *4+ 0.222A20, *2+ 0.222A2&, and *0+ 0.222A2;$
7*;9MMN;:NNN AV7 Anti#irus AV7&C,'%$S8S I,C-L 3andler Pri#ile!e
%scalation 29N3
a#!&core$sys &$5$0$<<< in 7risoft AV7 Anti=Virus &$5$<</ and Free %dition &$5$<<:,
"ro#ides an internal function tat co"ies data to an arbitrary address, wic allows
local users to !ain "ri#ile!es #ia arbitrary address ar!uments to a function
"ro#ided by te 0.50</%00< I,C-L for te !eneric 2e#iceIoControl andler$
6.0.: Race condition
The race condition vulnerabilit$ usuall$ e&ists in antivirus so#tware on the
Linu&P1ni& "lat#or!. There are two cases/
7*;9MMN;45O5 Clam AntiVirus 'ace Condition Vulnerability 29?3
ClamAV 0$>2 allows local users to o#erwrite arbitrary files #ia a symlin) attac) on
*4+ tem"orary files in te cli?!entem"fd function in libclama#@oters$c or on *2+
$ascii files in si!tool, wen utf4:=decode is enabled$
7*;9MM6;M90N Symantec AntiVirus Scan %n!ine For 'ed 3at Linu. Insecure
-em"orary File Vulnerabilities 29O3
-e Li#eA"date ca"ability *li#eu"date$s+ in Symantec AntiVirus Scan %n!ine <$0
and <$0 for 'ed 3at Linu. allows local users to create or a""end to arbitrary files
#ia a symlin) attac) on @tm"@Li#eA"date$lo!$
These vulnerabilities e&ist because te!"orar$ #iles are created in an unsa#e !anner.
Attackers can e&"loit the! b$ creating a s$!bolic link C#ro! a critical #ile on the
s$ste! to the te!"orar$ #ilena!eD to cause antivirus so#tware to overwrite the
s$!linked #ile. This allows attackers to gain elevated access to the s$ste!.
6.0.6 -ther "roble!s
There have also been several other "roble!s in the "ast. %ere are so!e e&a!"les/

S$!antec Li#eA"date
S$!antec Liveu"date has a long histor$ o# being bothered b$ local "rivilege
escalation "roble!s. There have been nearl$ #ive vulnerabilities o# S$!antec
Liveu"date thus #ar/ S+<M6;M0?, 7*;9MM:;MOO6, 7*;9MM5;9N5O,
7*;9MM4;0?:4, 7*;9MM6;M90N. The "roble!s var$ #ro! an un;trusted
search "ath to ,indow launched as a S+ST*< "rivilege.

7*;9MM4;:99: A Antivirus Scan Qob .escri"tion For!at String

7ulnerabilit$. 2:M3
B$ creating a s"eciall$ cra#ted descri"tion Ccontaining a #or!at stringD o# a scan
8ob, attackers would be able to e&ecute arbitrar$ co!!and under S+ST*<
"rivileges.

7*;9MMN;:?MM S$!antec Anti7irus or"orate *dition Local =rivilege

*scalation 7ulnerabilit$ 2:03
S$!antec Real;Ti!e scanner did not "ro"erl$ dro" "rivileges while dis"la$ing
the noti#ication window which contains in#or!ation o# threat #ound on a s$ste!.
This vulnerabilit$ allows attackers easil$ escalate their "rivilege.
6.9 ActiveX
ActiveX based vulnerabilities beca!e !ore "revalent in 9MMN than ever. ActiveX
vulnerabilities have been "ublished ever$ da$. Antivirus so#tware is no e&ce"tion.
ActiveX controls are usuall$ installed during antivirus "roduction installation, or
when "eo"le tr$ to use antivirus vendorsB FFree online scanG services. So!eti!es, it is
also installed b$ download !anagers.
Basicall$ there are two kinds o# ActiveX "roble!s/

Insecure <ethod/ A design error

This "roble! is ver$ co!!on in antivirus so#tware because it generall$ includes the
#unctionalities o# #ile o"erations Ccreate, delete, and e&ecuteD and network;based
o"erations Cu"load and downloadD.
%ere are two e&a!"les/
A. 7*;9MM4;:ON4 CA e-rust AntiVirus BebScan Automatic A"date Code
%.ecution Vulnerability 2:93
According to <atthew <ur"h$, who identi#ied the "roble!/
B. 7*;9MMN;0009 )as"ersk$ Antivirus ActiveX ontrol 1nsa#e <ethod
7ulnerabilit$ 2::3
This is another t$"ical case o# the insecure !ethod vulnerabilit$, which allows
attackers to steal #iles #ro! co!"uters with the )as"ersk$ antivirus so#tware
installed.
ThereBs a !ethod called Start1"loadingCD. As the na!e suggests, attackers can
s"eci#$ which #ile to steal, and where to u"load. 2::3

<e!or$ corru"tion
The !e!or$ corru"tion "roble! o# ActiveX controls in antivirus so#tware is no
di##erent #ro! that #aced b$ other a""lications. Attackers construct !alicious in"ut
Cusuall$ an over;long stringD and "ass it to vulnerable calls or !ethods as a
"ara!eter. <e!or$ corru"tion will then occur, including t$"ical stack;based
A s"eci#ic #law e&ists during the auto!atic u"date "rocess #or the
,ebScan ActiveX co!"onent. ,ebScan allows the initiali(ing web "age to
s"eci#$ the location that the co!"onent will use to download and install
u"dates through the VSig1"date=athFT=V "ara!eter Cand "otentiall$ the
VSig1"date=ath%TT=V "ara!eterD. It downloads the V#ilelist.t&tV !ani#est
and ac'uires an$ u"date #iles it lists. There is no veri#ication "er#or!ed b$
,ebScan to assure the authenticit$ o# the in#or!ation in the #ile list or the
#iles the!selves.
Function Start1"loading C
B$7al strFile=ath As String ,
B$7al strFT=Address As String ,
B$7al strFT=1"load=ath As String
D As Long
over#low, hea" over#low, or so!e other !e!or$ !odi#ication issues.
Antivirus so#tware has a bad record on this #ront too. A 'uick search reveals that
S$!antec, Authentiu!, RA7 "roducts have been vulnerable to these "roble!s.
To e&"loit ActiveX;based vulnerabilities, attackers 8ust need to create a s"eciall$ cra#ted
%T<L #ile, host it on websites under their control, and then convince victi!s to visit it.
-nce victi!s with vulnerable ActiveX controls Cvulnerable so#twareD installed on their
co!"uters visit !alicious websites, their co!"uters are co!"ro!ised.
6.:
*ngine;related issues
The engine is the !ost co!"licated "art o# antivirus so#tware and there#ore !ost
vulnerabilities e&ist in it.
%owever, e&"loiting antivirus engine;based vulnerabilities is also the !ost co!"licated
and interesting "art because the$ can be e&"loited in !an$ wa$s. And actuall$, such
e&"loitation is li!ited onl$ b$ $our i!aginationH
Because the engine is res"onsible #or "arsing hundreds o# di##erent #ile #or!ats, itBs
ver$ hard #or it to !ake ever$thing correct. ThatBs wh$ !ost engine;based
vulnerabilities e&ist in #ile #or!at "arsing.
Basicall$, there are three kinds o# vulnerabilities/

<e!or$ corru"tion
This is the !ost dangerous "roble! o# engine "roble!s because it usuall$ results in
a #ull;s$ste! co!"ro!ise.
I# the code o# the engine was develo"ed without securit$ in !ind, it would "robabl$
create a good chance #or attackers to care#ull$ cra#t #iles Ce&ecutable, co!"ression
"ackage, audio, docu!ent, etcD to induce a !e!or$;corru"tion condition. ,hile
"arsing these #iles, stack;based over#lows, hea" over#lows, or other !e!or$ accessP
!odi#ication "roble!s would occur.
Al!ost all !ainstrea! antivirus "roducts have encountered this "roble! in the "ast
and !an$ o# the! have #aced it several ti!es over.
Ale& ,heeler 2:63 and n.runs 2:53 are both great contributors to !e!or$
corru"tion;based vulnerabilities o# antivirus so#tware engine.

.enial o# Service
There are basicall$ two kinds o# denial o# service/
A. =1 .oS "roble!
A s"eciall$ cra#ted #ile !a$ be able to get the antivirus engine to run into an in#inite
loo", thus !aking the =1 usage reach a ver$ high level, which is usuall$ 0MM "er
cent.
.o $ou still re!e!ber the in#a!ous TI= bo!bA 2:43
The #ollowing he& du!" CFigure :D is the header o# a %< #ile, while scanning this
%< #ile with N-.:9, the =1 usage will sta$ at 0MM "er cent.
Figure :/ .enial o# service =- #or N-.:9 CMda$D
B. .isk s"ace .oS "roble!
,hile "rocessing a s!all #ile Cless than 0)B #or instanceD, antivirus so#tware !a$
eat u" to 6>B disk s"ace. This "roble! usuall$ e&ists in the "rocess when the
antivirus engine is deco!"ressing #iles. This is because the antivirus engine usuall$
totall$ relies on the value read #ro! #iles to allocate the disk s"ace #or
corres"onding deco!"ressed #iles. And this value is "robabl$ !ani"ulated b$
attackers.
A vivid e&a!"le is the #ollowing ARQ #ile. ,hile scanning this #ile, N-.:9 will
create a #ile N-.9.t!" which is 6>b at/
/J.ocu!ents and SettingsJsowhatJLocal SettingsJTe!"JN-.9.t!"
%*X du!"/ Figure 6
Figure 6/ .enial o# service =- #or N-.:9 CMda$D
The severit$ o# both =1; and .isk;s"ace;based denial o# service !a$ be
considered to be low #or deskto" users. %owever, what i# the sa!e condition
a""ears on a !ail server with an antivirus engine scanning outgoing and inco!ing
e!ails Cattach!entsDA A !alicious e!ail will be able to leave the !ail server in a
ver$ unstable condition, or co!"letel$ out o# services.

.etection b$"ass
.etection b$"ass is a "roble! o# relativel$ low severit$. It is !ore i!"ortant #or
server;side antivirus so#tware than #or deskto" antivirus so#tware.
Such attacks usuall$ ha""en in the #ollowing situation/
ddd:9
Attackers will !ani"ulate a (i" #ile which contains a Tro8an, and send it as an
attach!ent o# an e!ail to victi!s.
A#ter the !ani"ulation, the antivirus engine o# the !ail server is unable to "arse this
(i" #ile and will "robabl$ identi#$ it as a legal #ile to let it "ass. %owever, when
victi!s get the e!ail, the (i" utilit$ C,inTi" #or instanceD would be able to "rocess
this (i" #ile and e&tract the Tro8an success#ull$.
o!bined with so!e social engineering techni'ues, the victi!s !a$ get
co!"ro!ised b$ e&ecuting this Tro8an.
The engine based vulnerabilities can be e&"loited through various wa$s, including, but
not li!ited to/

<ail server
Since !ost !ail servers have con#igured so!e antivirus scan engines to scan
outgoing and inco!ing e!ails, it creates a #antastic condition #or attackers who
have an e&"loit #or the corres"onding antivirus scan engine.
or"orate networks !a$ be ar!ed with #irewalls, I=SPI.S, antivirus and other
securit$ a""lications Cso#twarePhardwareD. *ven though there are onl$ two services
o"en to attackers, one is web server o# their website, and the other is the !ail server.
Attackers would be able to hack into the LAN b$ si!"l$ sending an e!ail Cwith a
!alicious attach!entD to the !ail server.
%ere is a "ossible "rocess/
a. <anuall$ search #or the "ossible e!ail addresses on >oogle, or use so!e e!ail
collection scri"ts such as e!ailcollectUv0.:."$ 2:N3
b. Send e!ails to collected addresses
c. A#ter e!ails reach !ail server, the$ will be scanned b$ antivirus engine
auto!aticall$. The scan engine will then be co!"ro!ised because o#
vulnerabilities those e!ails Cattach!entsD e&"loit, this will #urther result into a
co!"letel$ co!"ro!ise o# the !ail server.
So!e o# the !ail servers install an antivirus scan engine b$ de#ault, #or e&a!"le,
I<ail installs the Bitde#ender antivirus.
)erio !ail server #i&ed a F"ossible buffer o#erflow in Visnetic anti=#irus "lu!=inG in
the version 4.5.M. 2:?3
The advantages o# this kind o# attack are,
A. Attackers do not need to know an$ s"eci#ic details o# the internal LAN.
B. The reci"ients do not need to o"en the !alicious e!ails. The$ even donBt need
not receive the! b$ using the e!ail client.
Real world case/
Ti" #ile Ccontains
tro8anD
<ani"ulation A7 o# the <ail
server "assed it
,inTi" e&tract the
tro8an succs#ull$
ThereBs a real world incident re"orted recentl$ 2:O3, the attacker took advantage o#
the antivirus engine and co!"ro!ised the !ail server.
To su!!ari(e, Faas <. <athiasen, a ISS= #ro! .en!ark re"orted that the$
noticed so!e odd "attern e!erging #ro! their !ail servers, an i!"ortant a!ount o#
data le#t their network over the !ail server.
Their !ail server is a #ull$ "atch *&change 9MMN with antivirus so#tware installed.
%e is curious i# there are an$ (ero da$ e&"loit e&ists in the *&change 9MMN,
however, it turns out that/
FSomebody usin! aCs"oofedC email address send tis file to a "ublicly disclosed
email address and as soon as te scanner touced te file it tri!!ered$$$ I thought I
had watched a movieG.

*!ail Cclient sideD

I# attackers target individuals who have installed so!e vulnerable antivirus
so#tware, e!ail !ight be a good choice. %ere are the ste"s o# the attack/
A. Attackers send an e!ail, which takes advantage o# the antivirus engine
vulnerabilit$.
B. The victi!Bs co!"uter will be co!"ro!ised as soon as the e!ail reaches
hisPher deskto", i# the auto;"rotect o# antivirus so#tware is turned on.
. *ven i# the auto;"rotect is turned o##, there are still "ossibilities that the victi!
would !anuall$ scan the attach!ent, es"eciall$ when it looks reall$ sus"icious.
Such an attack would !ost "robabl$ be launched as a li!ited attack.
It is "rett$ si!ilar to "hishing attacks.

,eb
It is not onl$ "ossible to e&"loit ActiveX;based vulnerabilities over the ,eb, it is
"ossible to e&"loit antivirus engine vulnerabilities too.
To e&"loit the vulnerabilit$ o# antivirus engine over the ,eb, IFRA<* tag and
.,<F #ile e&tensions would be ver$ hel"#ul.
A t$"ical attack scenario !a$ be as #ollows/
A. Attackers rena!e the e&"loit Csa$ e&"loit.(i", which takes advantage o# a TI=
"arsing vulnerabilit$ o# the antivirusD to e&"loit.w!#
B. %old a web"age which contains
. onvince victi!s to visit this web"age.
.. ,hile victi!s are browsing web"ages, e&"loit.w!# would be downloaded onto
the victi!sB co!"uters auto!aticall$, without an$ user interaction.
*. I# the auto;"rotect o# the antivirus is on, the antivirus engine would "arse
e."loit$wmf auto!aticall$, and then "ossibl$ get co!"ro!ised i!!ediatel$.
F. I# the auto;"rotect is turned o##, there would be still so!e !ore chances #or
attackers. *&"loit.w!# is stored in the cache director$ o# the ,eb browser, and
when a scheduled s$ste! scan Cor !anual scanD is launched, the antivirus
engine !ight be shot.
Wi#ra!e src L e&"loit.w!#X

=9=PI<
*&"loiting vulnerabilities o# an antivirus engine through =9=PI< is also "ossible.
Files sent b$ #riends over I< would be scanned auto!aticall$ on receiving. Thus
the antivirus so#tware would be co!"ro!ised right a#ter the scanning.
6.6 <anage!ent
<ost antivirus so#tware has so!e !anage!ent co!"onents #or ad!inistrative "ur"oses.
These !anage!ent co!"onents usuall$ act as PS !ode. The server listens to so!e
T=PI= "ort and waits #or connections, and the client activel$ !akes outbound
connections to the server.

lientPServer !anage!ent
The clientPserver !anage!ent co!"onents are usuall$ in the "ro"rietar$ "rotocol,
which is develo"ed b$ the antivirus vendor and can onl$ be understood b$
the!selves.
A ver$ good real;world case is 7*;9MM4;94:M 26M3, S$!antec Antivirus
<anage!ent Re!ote Stack Bu##er -ver#low.
The re!ote !anage!ent inter#ace #or S$!antec Antivirus and S$!antec lient
Securit$ is t$"icall$ enabled and listens on T= "ort 9O4N b$ de#ault. B$ sending a
s"eciall$;cra#ted -<UF-R,AR.UL-> co!!and, attackers would be able to
trigger a t$"ical stack;based bu##er over#low and run arbitrar$ code under S+ST*<
"rivilege.
This vulnerabilit$ was later e&"loited b$ a variation o# the in#a!ous S"$bot wor!
C,:9.S"$bot.A+R, ,:9.S"$bot.A<T* 26M3D.

License !anage!ent
So!e antivirus so#tware includes a license !anage!ent co!"onent #or the license
ad!inistrative "ur"ose.
The A license so#tware is a #antastic e&a!"le. There were si& vulnerabilities
re"orted in it 9MM5 b$ i.e#ense Labs. 2603

,eb inter#ace
,eb inter#ace is another co!"onent #or ad!inistrative "ur"oses.
In this case, the vulnerabilities can either be !e!or$ corru"tion issues caused b$
i!"le!entation errors, or securit$ b$"ass issues caused b$ design errors.
For both o# the!, the S$!antec scan engine is a great re#erence, 7*;9MM5;9N5?
2693 #or the #irst one and 7*;9MM4;M9:M 26:3 #or the second.
CV%=2005=2&5/ Symantec Anti#irus Scan %n!ine administrati#e interface Inte!er
o#erflow 2693
Inte!er si!nedness error in te administrati#e interface for Symantec AntiVirus
Scan %n!ine <$0 and <$0 allows remote attac)ers to e.ecute arbitrary code #ia
crafted 3--P eaders wit ne!ati#e #alues, wic lead to a ea"=based buffer
o#erflow$
CV%=200:=0200 Symantec Scan %n!ine Autentication Fundamental 2esi!n %rror
D<0E
Symantec Scan %n!ine 5$0$0$2<, and "ossibly oter #ersions before 5$4$0$&, uses a
client=side cec) to #erify a "assword, wic allows remote attac)ers to !ain
administrator "ri#ile!es #ia a modified client tat sends certain 9ML re(uests$
*&"loiting ,eb;inter#ace based vulnerabilities is the sa!e as e&"loiting
vulnerabilities o# other ,eb servers CA"ache, IISD, because !ost o# the! are light
,eb servers develo"ed b$ antivirus vendors the!selves.
5.
-NL1SI-N
In this "a"er, we have e&a!ined the techni'ues o# #inding vulnerabilities in antivirus
so#tware as well as the e&"loitation techni'ues.
,e are not i!"l$ing that antivirus is useless. Nor are we suggesting a re"lace!ent
"roduct. ,e onl$ want to draw attention to the #act that the vulnerabilities o# antivirus
so#tware are being a real threat.
%ere are #ew words #or antivirus vendors and end users/
For 7endors
Antivirus so#tware "uts too !uch trust on in"ut #iles C#iles being scannedD. Antivirus
so#tware should be develo"ed and reviewed with the securit$ in !ind.

Follow the S.L CSecurit$ .evelo"!ent Li#ec$cleD

Audit $our own "roducts #irst.

Fu((ing is incredibl$ e##ective

Fu(( be#ore release. Fu(( and #i& bugs be#ore releasing the! to the "ublic

Fu(( a#ter release. As the #u((ing techni'ues i!"rove ver$ #ast.

Follow <icroso#t, <o(illa and others

Bulletin. =ublish a bulletin and ask users to u"date ASA=.

redit. >ive credit to researchers.

For *nd 1sers
As stated earlier, end users have been "utting too !uch #aith in antivirus solutions, and
have ignored the #act that antivirus so#tware itsel# can be co!"ro!ised.
=eo"le have scanned ever$thing Ca""lications, archives, docu!entationD sus"icious in
the "ast.
But now, itBs better to think twice be#ore doing so.
4.
F1T1R* ,-R)
The securit$ o# antivirus so#tware draws our attention to securit$ "roducts such as
#irewalls, I=S, I.S, and others.
Securit$ "roducts are su""osed to "rotect users, what i# the$ #ailA ,hat i# the$ 8ust
o"en a new door #or attackers in $our s$ste!A
Future work shall #ocus on this as"ect o# Rsecurit$B "roducts.
N.
A)N-,L*.><*NTS
The author is grate#ul to the #ollowing "eo"le #or their insight, #eedback, and technical
o"inions/ hi Thang, Beck$, San8a$ =endse, .erin <ellor, )hushboo Shah, LinLin
Thao, Neera8 Thakar, >ar$ )inghorn, Xin -u$ang, and Theng Ren.
?.
R*F*R*N*S
203 National 7ulnerabilit$ .atabase
htt"/PPnvd.nist.govPho!e.c#!
293 Secunia 9MMN Re"ort
htt"/PPsecunia.co!Pg#&PS*1NIAU9MMNURe"ort."d#
2:3 Internet Securit$ Threats ,ill A##ect 1.S. onsu!ersB %olida$ Sho""ing -nline
htt"/PPwww.bsac$bersa#et$.co!PnewsP9MM5;%olida$;-nline;Sho""ing.c#!
263 *&ecutable co!"ression
htt"/PPen.wiki"edia.orgPwikiP*&ecutableUco!"ression
253 .ata co!"ression
htt"/PPen.wiki"edia.orgPwikiP.ataUco!"ression
243 Sc.e&e
htt"/PPtechnet9.!icroso#t.co!P,indowsServerPenPlibrar$PMa45?eON;50d5;60MO;
b640;a6N6cNOOO46e0M::.!s"&
2N3 ioctli(er
htt"/PPcode.google.co!P"Pioctli(erP
2?3 )arto##el
htt"/PPkarto##el.reverse!ode.co!
2O3 A&<an ActiveX Fu((er
htt"/PPwww.!etas"loit.co!PusersPhd!PtoolsPa&!anP
20M3 -<Raider
htt"/PPlabs.ide#ense.co!Pso#twareP#u((ing."h"I!oreUco!raider
2003 -leview
htt"/PP!sdn9.!icroso#t.co!Pen;usPlibrar$P!s4O:N56C7S.?5D.as"&
2093 ,indows S$sinternals
htt"/PPtechnet.!icroso#t.co!Pen;usPs$sinternalsPde#ault.as"&
20:3 ,ireshark
htt"/PPwww.wireshark.orgP
2063 la!A7
htt"/PPwww.cla!av.netP
2053 %e&;ra$s
htt"/PPwww.he&;ra$s.co!
2043 Mwning Anti;7irus
htt"/PPwww.blackhat.co!P"resentationsPbh;usa;M5Pbh;us;M5;wheeler."d#
20N3 v&#u((
htt"/PP!$.o"era.co!PtavisoP
20?3 Antivirus CinDsecurit$
htt"/PPevents.ccc.dePca!"P9MMNPFahr"lanPattach!entsP0:96;
AntivirusInSecurit$SergioshadownAlvare(."d#
20O3 S"ike
htt"/PPwww.i!!unit$sec.co!Presources;#reeso#tware.sht!l
29M3 Sulle$
htt"/PPcode.google.co!P"Psulle$P
2903 ,eb#u((
htt"/PPwww.#u((ing.orgPw";contentP,ebFu((.(i"
2993 7*;9MM5;00MN
htt"/PPcve.!itre.orgPcgi;binPcvena!e.cgiAna!eL7*;9MM5;00MN
29:3 S$!antec Local =rivilege *scalation 7ulnerabilit$ *&"loit
htt"/PPwww.whitecell.orgPlist."h"AidL5M
2963 7*;9MMN;:4N:
htt"/PPcve.!itre.orgPcgi;binPcvena!e.cgiAna!eL9MMN;:4N:
2953 7*;9MMN;M?54
htt"/PPcve.!itre.orgPcgi;binPcvena!e.cgiAna!eL7*;9MMN;M?54
2943 7*;9MM4;6O9N
htt"/PPcve.!itre.orgPcgi;binPcvena!e.cgiAna!eL7*;9MM4;6O9N
29N3 7*;9MMN;:NNN
htt"/PPcve.!itre.orgPcgi;binPcvena!e.cgiAna!eL7*;9MMN;:NNN
29?3 7*;9MMN;45O5
htt"/PPcve.!itre.orgPcgi;binPcvena!e.cgiAna!eL7*;9MMN;45O5
29O3 7*;9MMN;:NNN
htt"/PPcve.!itre.orgPcgi;binPcvena!e.cgiAna!eL7*;9MM6;M90N
2:M3 7*;9MM4;:99:
htt"/PPcve.!itre.orgPcgi;binPcvena!e.cgiAna!eL7*;9MM4;:99:
2:03 7*;9MMN;:?MM
htt"/PPcve.!itre.orgPcgi;binPcvena!e.cgiAna!eL7*;9MMN;:?MM
2:93 7*;9MM4;:ON4
htt"/PPcve.!itre.orgPcgi;binPcvena!e.cgiAna!eL7*;9MM4;:ON4
2::3 7*;9MMN;0009
htt"/PPwww.(eroda$initiative.co!PadvisoriesPT.I;MN;M06.ht!l
2:63 Ale& ,heeler
htt"/PPsecunia.co!PsearchPAsearchLAle&Y,heelerYantivirusZwLM
2:53 n.runs
htt"/PPwww.nruns.co!P"arsing;engines;advisories."h"
2:43 Ti" bo!b
htt"/PPen.wiki"edia.orgPwikiPTi"Ubo!b
2:N3 e!ailcollectUv0.:."$
htt"/PPwww.darkcMde.co!P!iscPe!ailcollectUv0.:."$
2:?3 )erio <ail server 4.5.M release
htt"/PPwww.kerio.co!Pk!sUhistor$.ht!l
2:O3 =ossible <ail server co!"ro!iseA
htt"/PPwww.securit$#ocus.co!ParchivePN5P6??M:?P:MPMPthreaded
26M3 S$!antec Anti7irus Re!ote Stack Bu##er -ver#low 7ulnerabilit$
htt"/PPwww.securit$#ocus.co!PbidP0?0MNPre#erences
2603 A License So#tware <ulti"le Bu##er -ver#low 7ulnerabilities
htt"/PPsecunia.co!PadvisoriesP066:?P
2693 7*;9MM5;9N5?
htt"/PPcve.!itre.orgPcgi;binPcvena!e.cgiAna!eL7*;9MM5;9N5?
26:3 7*;9MM4;M9:M
htt"/PPcve.!itre.orgPcgi;binPcvena!e.cgiAna!eL7*;9MM4;M9:M