Imagine getting a call from your company's IT department telling you your workstation has been compromised and you should stop what you're doing immediately. You're stumped: You went through the company's security training and you're sure you didn't open any suspicious email attachments or click on any bad links; you know that your company has a solid patching policy and the software on your computer is up to date; you're also not the type of employee who visits non-work-related websites while on the job. So, how did this happen?
A few days later, an unexpected answer comes down from the security firm that your company hired to investigate the incident: Hackers got in by exploiting a flaw in the corporate antivirus program installed on your computer, the same program that's supposed to protect it from attacks. And all it took was for attackers to send you an email message that you didn't even open.
This scenario might sound far-fetched, but it's not. According to vulnerability researchers who have analyzed antivirus programs in the past, such attacks are quite likely, and may already have occurred. Some of them have tried to sound the alarm about the ease of finding and exploiting critical flaws in endpoint antivirus products for years.
Since June, researchers have found and reported several dozen serious flaws in antivirus products from vendors such as Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes. Many of those vulnerabilities would have allowed attackers to remotely execute malicious code on computers, to abuse the functionality of the antivirus products themselves, to gain higher privileges on compromised systems and even to defeat the anti-exploitation defenses of third-party applications.
Exploiting some of those vulnerabilities required no user interaction and could have allowed the creation of computer worms -- self-propagating malware programs. In many cases, attackers would have only needed to send specially crafted email messages to potential victims, to inject malicious code into legitimate websites visited by them, or to plug in USB drives with malformed files into their computers.
Attacks on the horizon
Evidence suggests that attacks against antivirus products, especially in corporate environments, are both possible and likely. Some researchers believe that such attacks have already occurred, even though antivirus vendors might not be aware of them because of the very small number of victims.
The intelligence agencies of various governments have long had an interest in antivirus flaws. News website The Intercept reported in June that the U.K. Government Communications Headquarters (GCHQ) filed requests in 2008 to renew a warrant that would have allowed the agency to reverse engineer antivirus products from Kaspersky Lab to find weaknesses. The U.S. National Security Agency also studied antivirus products to bypass their detection, according to secret files leaked by former NSA contractor Edward Snowden, the website said.
A cyberespionage group known as Careto or The Mask, perhaps state-sponsored, is known to have attempted to exploit a vulnerability in older versions of Kaspersky antivirus products in order to evade detection. The group compromised computers belonging to hundreds of government and private organizations from more than 30 countries before its activities were exposed in February 2014.
While these are mainly examples of using antivirus vulnerabilities to evade detection, there's also a demand for remote code execution exploits affecting antivirus products and these are being sold by specialized brokers on the largely unregulated exploit market.
Among the emails leaked last year from Italian surveillance firm Hacking Team there is a document with exploits offered for sale by an outfit called Vulnerabilities Brokerage International. The document lists various privilege escalation, information disclosure and detection bypassing exploits for multiple antivirus products, and also a remote code execution exploit for ESET NOD32 Antivirus with the status "sold."
This has been going on for over a decade, according to Gunter Ollmann, chief security officer at intrusion detection vendor Vectra and former chief technology officer at security research firm IOActive. There are companies that specialize in reverse-engineering popular desktop antivirus products from countries where their clients have an interest, he said via email. They also reverse-engineer existing malware so they can hijack already infected systems, he said.
According to Ollmann, a remotely exploitable vulnerability in the Chinese Qihoo 360 antivirus product is worth several tens of thousands of dollars to intelligence agencies from the U.S. and Europe.
"From a state-actor perspective, it would not be in their best interest to be detected doing this kind of thing, so targets are small and carefully controlled," Ollmann said.
If intelligence agencies from the U.S. and Europe are interested in such exploits, there's no reason to think that those from Russia, China and other cyber powers are not. In fact, Chinese and Russian cyberespionage groups have repeatedly proven their ability to find and develop exploits for previously unknown vulnerabilities in popular applications, so applying those same skills to antivirus products shouldn't be a problem.
Even some antivirus vendors agree that targeted attacks against antivirus products are likely, though they haven't seen any so far.
"In our predictions for 2016, we specifically mention that attacks on security researchers and security vendors could be a future trend in information security; however, we do not believe these will be widespread attacks," said Vyacheslav Zakorzhevsky, the head of anti-malware research at Kaspersky Lab, via email. "For example, security researchers may be attacked via compromised research tools, and since all software contains vulnerabilities, there is a possibility that security software could be impacted on a targeted and limited basis."
Antivirus vendor Bitdefender said in an emailed statement that targeted attacks against endpoint security programs "are definitely possible," but that they will likely be aimed at enterprise environments, not consumers.
Penetration testers have long been aware of the exploitation potential of antivirus products. A security researcher who works for a large technology company said that his team often tries to exploit vulnerabilities in antivirus management servers during penetration testing engagements because those servers have privileged control over endpoint systems and can be used for lateral movement inside corporate networks. He wished to remain anonymous because he didn't have approval from his employer to comment for this story.
Exploits for corporate antivirus management servers were listed in the portfolio of Vulnerabilities Brokerage International leaked from Hacking Team and can also be found in public exploit databases.
Antivirus vendors don't seem too concerned about the potential for widespread attacks against their consumer products. For the most part, researchers agree that such attacks are unlikely for now because typical cybercriminal gangs have other, more popular, targets to attack such as Flash Player, Java, Silverlight, Internet Explorer or Microsoft Office.
However, the creators of those widely used applications have increasingly added exploit mitigations to them in recent years, and as more people update to newer and better protected versions attackers might be forced to find new targets. Therefore, future attacks against antivirus products used by tens of millions or hundreds of millions of consumers can't be ruled out, especially if cybercriminals get their hands on previously unknown -- zero-day -- vulnerabilities, as they have done from time to time.
For now, though, organizations rather than consumers might face the greatest risk of attack through antivirus flaws, especially those operating in industries frequently targeted by cyberespionage groups.
Exploiting antivirus products is too easy
Antivirus products are created by humans, and humans make mistakes. It is unreasonable to expect such programs to be completely bug-free, but it's fair to expect them to have fewer flaws than other types of software and for those flaws to be harder to exploit.
It's also reasonable to expect companies that are part of the IT security industry to follow secure programming guidelines, to implement common anti-exploitation defenses in their products and to perform frequent code audits and vulnerability testing.
Unfortunately, these things seem to be rare in the antivirus world.
Antivirus programs need to be able to inspect a lot of data and file types from a variety of sources: the Web, email, the local file system, network shares, USB attached storage devices, etc. They also have a large number of components that implement various layers of protection: drivers for intercepting network traffic, plug-ins that integrate with browsers and email clients, graphical user interfaces, antivirus engines with their subsystems that perform signature-based, behavior-based and cloud-based scanning and more.
This is what security researchers call a very large attack surface, meaning there is a lot of potentially vulnerable code that attackers can reach in a variety of ways. Furthermore, when it comes to antivirus products, much of this code runs with the highest possible privilege, something that researchers argue should be avoided as much as possible.
Research shows that antivirus products provide "an easily accessible attack surface that dramatically increases exposure to targeted attacks," said Google security researcher Tavis Ormandy in a blog post back in September, in which he analyzed one of the many antivirus vulnerabilities he found in recent months. "For this reason, the vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software."
Since June, Ormandy has found and reported over 25 vulnerabilities in antivirus products from ESET, Kaspersky Lab, AVG and Avast. In the past he also found flaws in products from Sophos and Microsoft.
Many of the flaws found by Ormandy stemmed from file and data parsing operations, which have historically been a source of vulnerabilities in all types of applications.
"In future, we would like to see antivirus unpackers, emulators and parsers sandboxed, not run with SYSTEM privileges," Ormandy said. "The chromium sandbox is open source and used in multiple major products. Don’t wait for the network worm that targets your product, or for targeted attacks against your users, add sandboxing to your development roadmap today."
Ormandy is not the first to sound the alarm about the lack of security mitigations like sandboxing in antivirus products and the fact that too many of their components run with system privileges.
In 2014, a security researcher named Joxean Koret found remotely and locally exploitable flaws in 14 antivirus products and their engines. He made largely the same observations as Ormandy.
According to Koret, at the very least, the antivirus industry needs to adopt techniques like privilege separation and sandboxing, but more is needed to truly secure antivirus products.
Many such programs are vulnerable to man-in-the-middle attacks because they don't use SSL/TLS for communication and the components they download are often not signed. They don't implement any of the anti-exploitation measures that modern browsers have and they don't use emulation to scan executable files or use memory-safe languages, he said via email.
Even worse, evidence suggests that many antivirus products are not even properly audited for security flaws, Koret said. "For example, looking at the vulnerabilities discovered by Tavis Ormandy, it's absolutely clear that they never audited the software at all because such vulnerabilities would be detected by an auditor during the first assessment in, probably, one week."
To the extent possible, antivirus vendors should run their products with the least privilege, should sandbox sensitive functionality, and should ensure an overall solid secure code maturity, said Carsten Eiram, chief research officer at vulnerability intelligence firm Risk Based Security (RBS).
Since Jan. 1, 2010, some 1,773 vulnerabilities have been reported in security software and devices -- 372 in 2015 -- and the majority of them were exploitable through input manipulation, according to data from RBS.
"Security vendors should be held to higher secure coding standards," Eiram said. "It's embarrassing when basic fuzzing uncovers a slew of vulnerabilities in parsing functionality, which has been a known culprit for years. It's even more embarrassing when said parsing functionality is done with SYSTEM privileges."
For the most part antivirus vendors feel that process sandboxing is not applicable to antivirus products because it would hurt performance. Some claim that they are taking other steps, such as reducing privileges, performing routine security assessments, and developing other technologies that might have the same effect as sandboxing.