Imagine getting a call from your company's IT department telling you your workstation has been compromised and you should stop what you're doing immediately. You're stumped: You went through the company's security training and you're sure you didn't open any suspicious email attachments or click on any bad links; you know that your company has a solid patching policy and the software on your computer is up to date; you're also not the type of employee who visits non-work-related websites while on the job. So, how did this happen?
A few days later, an unexpected answer comes down from the security firm that your company hired to investigate the incident: Hackers got in by exploiting a flaw in the corporate antivirus program installed on your computer, the same program that's supposed to protect it from attacks. And all it took was for attackers to send you an email message that you didn't even open.
This scenario might sound far-fetched, but it's not. According to vulnerability researchers who have analyzed antivirus programs in the past, such attacks are quite likely, and may already have occurred. Some of them have tried to sound the alarm about the ease of finding and exploiting critical flaws in endpoint antivirus products for years.
Since June, researchers have found and reported several dozen serious flaws in antivirus products from vendors such as Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes. Many of those vulnerabilities would have allowed attackers to remotely execute malicious code on computers, to abuse the functionality of the antivirus products themselves, to gain higher privileges on compromised systems and even to defeat the anti-exploitation defenses of third-party applications.
Exploiting some of those vulnerabilities required no user interaction and could have allowed the creation of computer worms -- self-propagating malware programs. In many cases, attackers would have only needed to send specially crafted email messages to potential victims, to inject malicious code into legitimate websites visited by them, or to plug in USB drives with malformed files into their computers.
Attacks on the horizon
Evidence suggests that attacks against antivirus products, especially in corporate environments, are both possible and likely. Some researchers believe that such attacks have already occurred, even though antivirus vendors might not be aware of them because of the very small number of victims.
The intelligence agencies of various governments have long had an interest in antivirus flaws. News website The Intercept reported in June that the U.K. Government Communications Headquarters (GCHQ) filed requests in 2008 to renew a warrant that would have allowed the agency to reverse engineer antivirus products from Kaspersky Lab to find weaknesses. The U.S. National Security Agency also studied antivirus products to bypass their detection, according to secret files leaked by former NSA contractor Edward Snowden, the website said.
A cyberespionage group known as Careto or The Mask, perhaps state-sponsored, is known to have attempted to exploit a vulnerability in older versions of Kaspersky antivirus products in order to evade detection. The group compromised computers belonging to hundreds of government and private organizations from more than 30 countries before its activities were exposed in February 2014.
While these are mainly examples of using antivirus vulnerabilities to evade detection, there's also a demand for remote code execution exploits affecting antivirus products and these are being sold by specialized brokers on the largely unregulated exploit market.
Among the emails leaked last year from Italian surveillance firm Hacking Team there is a document with exploits offered for sale by an outfit called Vulnerabilities Brokerage International. The document lists various privilege escalation, information disclosure and detection bypassing exploits for multiple antivirus products, and also a remote code execution exploit for ESET NOD32 Antivirus with the status "sold."
This has been going on for over a decade, according to Gunter Ollmann, chief security officer at intrusion detection vendor Vectra and former chief technology officer at security research firm IOActive. There are companies that specialize in reverse-engineering popular desktop antivirus products from countries where their clients have an interest, he said via email. They also reverse-engineer existing malware so they can hijack already infected systems, he said.
According to Ollmann, a remotely exploitable vulnerability in the Chinese Qihoo 360 antivirus product is worth several tens of thousands of dollars to intelligence agencies from the U.S. and Europe.
"From a state-actor perspective, it would not be in their best interest to be detected doing this kind of thing, so targets are small and carefully controlled," Ollmann said.
If intelligence agencies from the U.S. and Europe are interested in such exploits, there's no reason to think that those from Russia, China and other cyber powers are not. In fact, Chinese and Russian cyberespionage groups have repeatedly proven their ability to find and develop exploits for previously unknown vulnerabilities in popular applications, so applying those same skills to antivirus products shouldn't be a problem.
Even some antivirus vendors agree that targeted attacks against antivirus products are likely, though they haven't seen any so far.
"In our predictions for 2016, we specifically mention that attacks on security researchers and security vendors could be a future trend in information security; however, we do not believe these will be widespread attacks," said Vyacheslav Zakorzhevsky, the head of anti-malware research at Kaspersky Lab, via email. "For example, security researchers may be attacked via compromised research tools, and since all software contains vulnerabilities, there is a possibility that security software could be impacted on a targeted and limited basis."
Antivirus vendor Bitdefender said in an emailed statement that targeted attacks against endpoint security programs "are definitely possible," but that they will likely be aimed at enterprise environments, not consumers.
Penetration testers have long been aware of the exploitation potential of antivirus products. A security researcher who works for a large technology company said that his team often tries to exploit vulnerabilities in antivirus management servers during penetration testing engagements because those servers have privileged control over endpoint systems and can be used for lateral movement inside corporate networks. He wished to remain anonymous because he didn't have approval from his employer to comment for this story.
Exploits for corporate antivirus management servers were listed in the portfolio of Vulnerabilities Brokerage International leaked from Hacking Team and can also be found in public exploit databases.
Antivirus vendors don't seem too concerned about the potential for widespread attacks against their consumer products. For the most part, researchers agree that such attacks are unlikely for now because typical cybercriminal gangs have other, more popular, targets to attack such as Flash Player, Java, Silverlight, Internet Explorer or Microsoft Office.
However, the creators of those widely used applications have increasingly added exploit mitigations to them in recent years, and as more people update to newer and better protected versions attackers might be forced to find new targets. Therefore, future attacks against antivirus products used by tens of millions or hundreds of millions of consumers can't be ruled out, especially if cybercriminals get their hands on previously unknown -- zero-day -- vulnerabilities, as they have done from time to time.
For now, though, organizations rather than consumers might face the greatest risk of attack through antivirus flaws, especially those operating in industries frequently targeted by cyberespionage groups.
Exploiting antivirus products is too easy
Antivirus products are created by humans, and humans make mistakes. It is unreasonable to expect such programs to be completely bug-free, but it's fair to expect them to have fewer flaws than other types of software and for those flaws to be harder to exploit.
It's also reasonable to expect companies that are part of the IT security industry to follow secure programming guidelines, to implement common anti-exploitation defenses in their products and to perform frequent code audits and vulnerability testing.
Unfortunately, these things seem to be rare in the antivirus world.
Antivirus programs need to be able to inspect a lot of data and file types from a variety of sources: the Web, email, the local file system, network shares, USB attached storage devices, etc. They also have a large number of components that implement various layers of protection: drivers for intercepting network traffic, plug-ins that integrate with browsers and email clients, graphical user interfaces, antivirus engines with their subsystems that perform signature-based, behavior-based and cloud-based scanning and more.
This is what security researchers call a very large attack surface, meaning there is a lot of potentially vulnerable code that attackers can reach in a variety of ways. Furthermore, when it comes to antivirus products, much of this code runs with the highest possible privilege, something that researchers argue should be avoided as much as possible.
Research shows that antivirus products provide "an easily accessible attack surface that dramatically increases exposure to targeted attacks," said Google security researcher Tavis Ormandy in a blog post back in September, in which he analyzed one of the many antivirus vulnerabilities he found in recent months. "For this reason, the vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software."
Since June, Ormandy has found and reported over 25 vulnerabilities in antivirus products from ESET, Kaspersky Lab, AVG and Avast. In the past he also found flaws in products from Sophos and Microsoft.
Many of the flaws found by Ormandy stemmed from file and data parsing operations, which have historically been a source of vulnerabilities in all types of applications.
"In future, we would like to see antivirus unpackers, emulators and parsers sandboxed, not run with SYSTEM privileges," Ormandy said. "The chromium sandbox is open source and used in multiple major products. Don’t wait for the network worm that targets your product, or for targeted attacks against your users, add sandboxing to your development roadmap today."
Ormandy is not the first to sound the alarm about the lack of security mitigations like sandboxing in antivirus products and the fact that too many of their components run with system privileges.
In 2014, a security researcher named Joxean Koret found remotely and locally exploitable flaws in 14 antivirus products and their engines. He made largely the same observations as Ormandy.
According to Koret, at the very least, the antivirus industry needs to adopt techniques like privilege separation and sandboxing, but more is needed to truly secure antivirus products.
Many such programs are vulnerable to man-in-the-middle attacks because they don't use SSL/TLS for communication and the components they download are often not signed. They don't implement any of the anti-exploitation measures that modern browsers have and they don't use emulation to scan executable files or use memory-safe languages, he said via email.
Even worse, evidence suggests that many antivirus products are not even properly audited for security flaws, Koret said. "For example, looking at the vulnerabilities discovered by Tavis Ormandy, it's absolutely clear that they never audited the software at all because such vulnerabilities would be detected by an auditor during the first assessment in, probably, one week."
To the extent possible, antivirus vendors should run their products with the least privilege, should sandbox sensitive functionality, and should ensure an overall solid secure code maturity, said Carsten Eiram, chief research officer at vulnerability intelligence firm Risk Based Security (RBS).
Since Jan. 1, 2010, some 1,773 vulnerabilities have been reported in security software and devices -- 372 in 2015 -- and the majority of them were exploitable through input manipulation, according to data from RBS.
"Security vendors should be held to higher secure coding standards," Eiram said. "It's embarrassing when basic fuzzing uncovers a slew of vulnerabilities in parsing functionality, which has been a known culprit for years. It's even more embarrassing when said parsing functionality is done with SYSTEM privileges."
For the most part antivirus vendors feel that process sandboxing is not applicable to antivirus products because it would hurt performance. Some claim that they are taking other steps, such as reducing privileges, performing routine security assessments, and developing other technologies that might have the same effect as sandboxing.
Symantec is working to reduce the attack surface of its products and services. Its approach, the company said, is to operate its security components at the lowest privilege level possible to reduce the likelihood of a successful attack.
Effectively addressing vulnerabilities is more complicated than using just one technology, according to Kaspersky Lab. The company implements the technologies it believes will provide the best level of protection to customers. For example, it's using machine learning algorithms to leverage the large amount of security intelligence and knowledge that it acquires.
"Despite the perceived simplicity of the 'sandbox' approach, it has a number of serious drawbacks, affecting performance, efficiency and compatibility," said Kaspersky's Zakorzhevsky.
Intel Security/McAfee said that when it learns of a potential issue, it immediately investigates to determine its validity, nature and severity and to develop a fix.
No one is arguing that antivirus vendors are not fixing flaws fast enough when they are found. In fact, some of them have impressive response times and their products are configured to automatically update themselves by default. The problem is the number and type of flaws that exist in such products in the first place.
Symantec and Intel Security declined to address more specific questions about sandboxing, the likelihood of attacks against antivirus products, the effectiveness of such products in detecting targeted attacks, or other criticism raised by security researchers.
Antivirus vendor Bitdefender said that a sandbox similar to the one provided by Google wouldn't be a viable engineering solution for a security product. "An antimalware solution would have to intercept and sandbox thousands of system events a second, which would bring a dramatic performance impact to the system and which might be greater than what the operating system vendor tolerates."
The company claims that most of its products' components such as the antimalware engine and the Active Threat Control subsystem already run with the privileges of the logged-in user, and that it's using brokering processes to limit the number of components running with system privileges, even in the consumer products.
On the business side, the company developed a solution called Gravity Zone that allows administrators to run the scanning service on a different machine on the network instead of the endpoint and it also recently introduced HVMI (Hypervisor-based Memory Introspection) technology that completely isolates the antimalware solution by deploying it in a Type 1 hypervisor outside of the operating system.
"This kind of isolation separates the antimalware engines from rootkits or exploits running in the user environment," the company said.
Avast did not respond to repeated requests for comment, while Malwarebytes, AVG and ESET declined to comment for this story or failed to send any responses before publication despite being given ample time.
Risk vs reward
The large and easy to exploit attack surface introduced by antivirus products combined with the likelihood of targeted attacks, raises the question of whether it's even worth installing such programs in some enterprise environments.
Some researchers doubt the effectiveness of endpoint antivirus products when faced with sophisticated and carefully engineered malware programs like those used by cyberespionage groups. Their view is that there's little reward compared to the risk, especially for organizations from industries that are commonly targeted by such attackers.
"Antivirus products can only be used, from my viewpoint, as protection tools for rather small companies and home users," Koret said. Antivirus products cannot detect what is unknown, regardless of what they advertise, and evading antivirus detection is trivial and something that most malware developers test before releasing their malicious code, he said.
Ollmann, who has been a long-time critic of endpoint antivirus products, believes that the security protections increasingly built into operating systems will eventually render such programs obsolete.
In fact, even now, some antivirus vendors have to subvert built-in OS security mechanisms in order to get their products to work as they want, which further exposes those systems to compromise, he said.
An example of such subversion came recently, when Israeli data exfiltration prevention company enSilo reported a vulnerability in products from Intel Security, Kaspersky Lab and AVG that had the effect of disabling OS-based anti-exploitation defenses for other applications.
These antivirus products allocated a memory page with read, write and execute permissions to user-mode processes belonging to other applications like Adobe Reader and Web browsers, the enSilo researchers explained in a blog post. This could have helped attackers to defeat Windows exploit mitigations such as address space layout randomization (ASLR) and data execution prevention (DEP) for those third-party applications, making it much easier for attackers to exploit any vulnerabilities found in them.
Eiram wouldn't go so far as to say that antivirus products have no place anymore. He agrees that many users, both at home and within corporate environments, still need to be protected from their own actions, like downloading risky software or clicking on malicious links.
Endpoint antivirus programs help reduce such basic threats. But does that outweigh the risk of a possible attack against the antivirus product itself? It depends on how likely those threats are to occur and the overall security of the antivirus product installed, he said.
People should carefully consider what security software is fit for their environment and especially which features they really need enabled. Antivirus buyers should check the security track record of the vendors they choose and look at how fast they deal with vulnerabilities affecting their products, as well as the type and severity of those flaws, Eiram said.
"People shouldn't just blindly install security software because they think it makes them safer," he said. "That may not be the case."
"We can never underestimate the pace at which the sophistication of malware is being advanced," Kaspersky's Zakorzhevsky said. "At the same time we can’t agree with the argument that antivirus is ineffective. Before a comprehensive strategy can be developed to detect sophisticated threats and targeted attacks aiming at businesses, generic malware must already be filtered and blocked."
A multi-layered strategy that combines traditional antivirus software with next-generation protection tools, intelligence sharing, security services, training of IT professionals and routine security assessments applied to software, hardware and applications, is the only approach the reduces the risk of corporate and personal data being compromised, he said.
Bitdefender admits that there are cases when antivirus products miss malware samples, but considers them isolated incidents that account for under one percent of all threats.
"So this ultimately boils down to filtering the bulk of opportunistic attacks -- which are based on known vulnerabilities or variants of known malware -- and then complementing the antimalware solution with security awareness programs, for instance," the company said.
One technology that could either complement or replace antivirus programs entirely in high-risk environments is application whitelisting, which only allows pre-approved applications to run on a computer. The U.S. National Institute of Standards and Technology recently encouraged the use of such protection mechanisms, which are available in some operating systems by default, and even released a guide with recommended practices.
Network perimeter protection is also important in defending corporate environments both from outside and inside threats, like data exfiltration attempts. However, users should not assume that network-level security appliances don't have vulnerabilities. In fact, security researchers have found a large number of flaws in these products as well over the years, and exploits for them are also being sold on the unregulated exploit market.