Monday, January 11, 2016

On the Topic of Anti-Virus Software

Hey everyone - I spend some of my spare time reading articles about information security and browsing /r/netsec.  Lately in /r/netsec, there have been a few posts about issues with anti-virus software that weaken the security posture of the machine it is installed on.  Some of the comments on those posts say not to use any of these products at all.  Rather, the best preventative measure is "common sense."  Let's talk about it.


The Classic Cat and Mouse Game

Malware authors and anti-malware companies have been locked in an epic cat and mouse game for many years.   First, anti-malware products relied on signatures: key characteristics of the malware that could be detected, such as file names used, specific sequences of bytes in the files, that kind of thing.  Malware authors got smart to this and started packing, compressing, encoding, or encrypting their malware so that anti-virus could not key in on plain text indicators.  Anti-malware products adapted to this with features such as the ability to unpack, decompress, and decode.  They also started looking at the behavior of a potential threat in order to classify it.  For example, a popular persistence mechanism for malware was the Run registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run).  If we had a packed program that was using a new packer that our anti-virus solution had not seen before, but it was making changes to this registry key, we might flag that as suspicious.

Malware adapted to this countermeasure by blending in with the system a bit better and being more stealthy, including installing itself in not-so-traditional ways (by hooking the browser for example).  In addition, malware started using HTTPS / encryption to communicate.  Anti-virus software had to evolve to deal with this.

Introducing Potential Vulnerabilities

In order to detect potentially malicious traffic, anti-virus software has begun to inspect encrypted traffic.  It does not do this by brute-forcing the encryption keys; rather, it inserts itself between you and the server you are trying to communicate with.  Essentially, it becomes the man in the middle of your communication.  The anti-virus software inserts itself by becoming a proxy for your traffic.

If your browser tries to go to https://www.google.com for example, the anti-virus software pretends it is https://www.google.com.   Because the anti-virus software installs a root certificate in your trusted certificate store, your computer believes it and does not pop up a warning.  The anti-virus software then inspects the traffic based on its rule sets, re-encrypts it, and sends it on to the real Google.  Similarly, when the response comes back from the real Google, the anti-virus software decrypts it, inspects it, and re-encrypts it using its root certificate and sends it on to your browser.  In theory, the anti-virus software is looking for malware that is delivered via HTTPS and your browser.

You might be thinking that this is potentially dangerous.  What if there is some sort of security flaw in the anti-virus software that allows an attacker to take advantage of the trust you place in your anti-virus product?  Having a reasonably safe proxy that can perform this kind of inspection is not trivial, and there are a few things that anyone writing something like this must account for:
  • Generating the root certificates should be done per machine.  If the root certificate is the same across all installations of a product, that certificate could be used to generate derivative certificates.  These derivative certificates could be used by a malicious person to perform man in the middle attacks.  While it was not an anti-virus product, the eDellRoot certificate debacle in November 2015 exemplifies this issue.
  • The proxy must perform certificate validation on the certificates that the remote servers present.  If this is not done correctly, bad certificates may be accepted which puts your encrypted communication at risk.  For example, if a certificate is revoked, but the proxy does not update its revoked certificate list, that certificate would still be valid to the proxy.
Of course, the proxy itself needs to be sufficiently hardened against other forms of attack.  For example, if there is a vulnerability that allows arbitrary code execution in that proxy via malformed web traffic, your system now has another vulnerability you may have to mitigate (assuming you even know about it).
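The per-machine root requirement in the first bullet can be checked from the defender's side by comparing trusted-root inventories across machines. The following is an added example, not code from the original post; the host names, product names and stand-in certificate bytes are all constructed, and a real audit would hash the DER certificates exported from each machine's root store.

```python
import hashlib
from collections import defaultdict

def thumbprint(der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER encoding."""
    return hashlib.sha256(der).hexdigest()

# Constructed sample data: byte strings stand in for DER certificates.
PUBLIC_ROOT = b"constructed-der:Example Public Root CA"
SHARED_ROOT = b"constructed-der:ExampleAV Inspection Root"

def unique_root(host: str) -> bytes:
    # Hypothetical product that generates its root on each machine.
    return b"constructed-der:OtherAV Inspection Root:" + host.encode()

HOSTS = ["pc-01", "pc-02", "pc-03"]
INVENTORY = {
    host: [
        ("Example Public Root CA", PUBLIC_ROOT),
        ("ExampleAV Inspection Root", SHARED_ROOT),
        ("OtherAV Inspection Root", unique_root(host)),
    ]
    for host in HOSTS
}
BASELINE = {thumbprint(PUBLIC_ROOT)}  # roots expected on every machine

def audit_roots(inventory, baseline):
    """Classify each non-baseline root subject as shared or unique per host."""
    hosts_by_print = defaultdict(set)     # thumbprint -> hosts trusting it
    prints_by_subject = defaultdict(set)  # subject -> distinct thumbprints
    for host, roots in inventory.items():
        for subject, der in roots:
            tp = thumbprint(der)
            if tp in baseline:
                continue  # expected public root, not a locally added one
            hosts_by_print[tp].add(host)
            prints_by_subject[subject].add(tp)
    findings = {}
    for subject, prints in prints_by_subject.items():
        # The same thumbprint on several hosts means one root (and one
        # private key) was shipped to every installation.
        shared = any(len(hosts_by_print[tp]) > 1 for tp in prints)
        findings[subject] = {
            "verdict": "shared-root" if shared else "unique-per-host",
            "distinct_certs": len(prints),
        }
    return findings

if __name__ == "__main__":
    for subject, result in audit_roots(INVENTORY, BASELINE).items():
        print(subject, result)
```

A "unique-per-host" verdict only means no reuse was seen in the machines sampled, so the inventory needs at least two installations of the same product to say anything.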

Finally, as with any other software or hardware that you trust with your information, you need to trust that the author is not a malicious person himself.  You do not know if your anti-virus software is inspecting your traffic to sell your information to advertisers or is pushing your files to the cloud.  As we have talked about before, you have to trust someone though, or you might as well throw your computer out the window.

So, what now?

Many security professionals might say that you should not use anti-virus software at all and that "common sense" is better than any anti-virus product currently on the market.  The problem I have with that argument is that "common sense" is not universal.  Within the security community, we know not to click on links in e-mails, what malicious websites look like, and we have built an idea of what we deem "trustworthy."  This can lead to a sort of projection bias: "Because I would never click on a sketchy-looking link, no one else would either."  Unfortunately, to someone that is not intimately familiar with these concepts, the idea of clicking on a link in that legitimate-looking e-mail from a malicious person pretending to be their bank is not a concern.

While no anti-virus product is perfect, I think they are part of a layered defense strategy.  While user education is also a part of that strategy, there are times when even the best slip up, and it is a good idea to have a safety net composed of a number of different measures.  For example, if I were setting up a Windows computer for someone, I would make sure it had the following security measures in place:
  • Anti-virus / anti-malware software that is configured to automatically update.  I am not going to endorse a certain vendor here because the right vendor for a given situation depends on a number of factors: budget, performance concerns, ease of use, desired features, et cetera.  I would likely disable the proxying feature we talked about above if the product ships with it.  While it could be good in theory, I think the benefits do not outweigh the risks.
  • Software like EMET to protect against memory exploits.  It is not infallible, but it helps against that type of attack.
  • Ad-blocking software to protect against so-called "malvertising."  I wrote about this a few weeks ago.  I think malicious ads will continue to be an issue in 2016, so an ad-blocker would be good to have.
  • Windows set to update automatically.  This is already default in Windows 10 Home.  While I might find it annoying for the computer to tell me when it is going to restart to install updates, I think the temptation to click update later every time and never update is worse.
  • Browser updates set up automatically.
  • A bit of education for the user.  None of the things I have talked about above will stop every attack, especially an attack from a user or organization with a lot of time and resources to be stealthy.  However, I hope that some of these measures cause the malware to misbehave in such a way that is obvious to the user so that he or she is aware something is up and can take appropriate steps to neutralize the threat.  Fire is always good as a last resort:

 What are your thoughts on anti-virus software?  Do you run it?  Why or why not?

Thanks for reading!
