Hack.lu 2007: How Can Defense-in-depth Unleash Hell

A friend sent me the following URL which illustrates an "old" trick for bypassing AV detection:
http://blog.didierstevens.com/2007/10/23/a000n0000-0000o000l00d00-0i000e000-00t0r0000i0000c000k/

This reminds me that I wanted to give you a small account of "The Death Of Defense In Depth? Revisiting AV Software", an excellent presentation given by Thierry Zoller and Sergio Alvarez during the hack.lu 2007 security conference, which I attended. Note that I'll be giving a full account of the conference during the SUR group meeting next December. The account will be co-presented by my colleague and friend Jérôme Léonard a.k.a. Mitch. I'll put the slides online after the meeting.

Thierry and Sergio demonstrated how badly the Defense-in-depth principle is implemented by AV software. Generally, you tend to multiply AV software between the Wild Wild Internet and your desktop. So you have one AV on the mail gateway, another one on the mailbox server and yet another one on the desktop, etc. Well, you get the "depth" part of the defense. However, Thierry and Sergio argued that this significantly increases your exposure to vulnerabilities, because AV software is not developed following secure development guidelines and its attack surface is huge (think of how many file formats it needs to parse). They showed how, by exploiting a parsing bug, they could bypass a tremendous number of different AV products.

Another simple example demonstrated how adding a string to a PE file ("Hello Luxembourg" in this case) bypassed the AV. In yet another example, Thierry simply changed the contents of the version field of a ZIP archive and this confused a truckload of AV products. In the meantime, WinZip could still open the archive without breaking a sweat.

According to the speakers, one of the main problems of AV software is that it tends to consider what it cannot parse as safe. That is a rather weird implementation of the Defense-in-depth principle. To their knowledge, only Kaspersky blocks what it cannot parse successfully.
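To make the ZIP example and the "unparseable means safe" problem concrete, here is a small added illustration (my own code, not the speakers' tooling): a hypothetical gateway scanner that parses a ZIP local file header and either fails open (unparseable = clean, the behaviour criticised above) or fails closed (unparseable = blocked). The 30-byte header layout is the one from the ZIP specification; MAX_SUPPORTED_VERSION and the sample headers are constructed assumptions.

```python
import struct
from enum import Enum

LOCAL_HEADER_SIG = b"PK\x03\x04"
# Assumed limit of the hypothetical engine ("version needed to extract" is
# major*10 + minor, e.g. 20 means 2.0). Anything above is "cannot parse".
MAX_SUPPORTED_VERSION = 63


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    UNSCANNABLE = "unscannable"


class ParseError(Exception):
    pass


def parse_local_header(data: bytes) -> dict:
    """Parse a ZIP local file header: 4-byte signature + 26 bytes of fields."""
    if len(data) < 30:
        raise ParseError("truncated local file header")
    if data[:4] != LOCAL_HEADER_SIG:
        raise ParseError("bad local file header signature")
    (version, _flags, method, _mtime, _mdate, _crc,
     csize, usize, nlen, _xlen) = struct.unpack("<HHHHHIIIHH", data[4:30])
    if version > MAX_SUPPORTED_VERSION:
        raise ParseError(f"version needed to extract {version} not supported")
    name = data[30:30 + nlen]
    if len(name) != nlen:
        raise ParseError("truncated file name")
    return {"version": version, "method": method, "name": name,
            "csize": csize, "usize": usize}


def scan_archive(data: bytes, fail_closed: bool) -> Verdict:
    """Fail-open engines return CLEAN on parse errors; fail-closed ones block."""
    try:
        parse_local_header(data)
    except ParseError:
        return Verdict.UNSCANNABLE if fail_closed else Verdict.CLEAN
    # Placeholder for the real signature scan of the decompressed member.
    return Verdict.CLEAN


def build_zip_header(version: int, name: bytes) -> bytes:
    """Constructed test fixture: header for an empty, stored (method 0) member."""
    fields = struct.pack("<HHHHHIIIHH", version, 0, 0, 0, 0, 0, 0, 0, len(name), 0)
    return LOCAL_HEADER_SIG + fields + name
```

A gateway should treat UNSCANNABLE like a detection (quarantine or strip the attachment) rather than letting it through to the next, equally confused, layer.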

As a result, Thierry discovered more than 800 ways of bypassing AV! And Sergio discovered 80 vulnerabilities, of which only 30 have been patched. At times, Sergio saw the vulnerability patched silently without being given due credit for reporting it first...

They also showed some funny responses they got from the AV vendors to their vulnerability reports. In one case, Thierry sent a malicious RAR archive that bypassed Symantec AV. Symantec responded by saying that the archive was not properly constructed... If only they had opened it with WinRAR and not with their own parsing engine, they would have realized the problem!

Last but not least, Sergio showed a 0-day in eTrust exploiting a heap overflow. The same exploit worked on Windows XP, 2003 and ASLR-enabled Vista (according to Wikipedia, Microsoft Windows Vista has ASLR enabled by default, although only for executables which are specifically linked to be ASLR enabled, so maybe eTrust is not linked that way)!

Thierry and Sergio nicely summed up their presentation by saying that "the more you protect yourself, the more you are vulnerable". Something to think about.