The Antivirus Hacker’s Handbook

The Antivirus Hacker’s HandbookReviews
Author: Joxean Koret, Elias Bachaalany
Pub Date: 2015
ISBN: 978-1119028758
Pages: 384
Language: English
Format: PDF
Size: 10 Mb


Hack your antivirus software to stamp out future vulnerabilities The Antivirus Hacker’s Handbook guides you through the process of reverse engineering antivirus software. You explore how to detect and exploit vulnerabilities that can be leveraged to improve future software design, protect your network, and anticipate attacks that may sneak through your antivirus’ line of defense. You’ll begin building your knowledge by diving into the reverse engineering process, which details how to start from a finished antivirus software program and work your way back through its development using the functions and other key elements of the software. Next, you leverage your new knowledge about software development to evade, attack, and exploit antivirus software-all of which can help you strengthen your network and protect your data. While not all viruses are damaging, understanding how to better protect your computer against them can help you maintain the integrity of your network. * Discover how to reverse engineer your antivirus software * Explore methods of antivirus software evasion * Consider different ways to attack and exploit antivirus software * Understand the current state of the antivirus software market, and get recommendations for users and vendors who are leveraging this software The Antivirus Hacker’s Handbook is the essential reference for software reverse engineers, penetration testers, security researchers, exploit writers, antivirus vendors, and software engineers who want to understand how to leverage current antivirus software to improve future applications.


Antivirus Basics

Antivirus Software: Past and Present

The earliest AV products were simply called scanners because they were commandline scanners that tried to identify malicious patterns in executable programs. AV software has changed a lot since then. For example, many AV products no longer include command-line scanners. Most AV products now use graphical user interface (GUI) scanners that check every single f le that is created, modif ed, or accessed by the operating system or by user programs. They also install frewalls to detect malicious software that uses the network to infect computers, install browser add-ons to detect web-based exploits, isolate browsers for safe payment, create kernel drivers for AV self-protection or sandboxing, and so on.

Since the old days of Microsoft DOS and other antiquated operating systems, software products have evolved alongside the operating systems, as is natural. However, AV software has evolved at a remarkable rate since the old days because of the incredible amount of malware that has been created. During the 1990s, an AV company would receive only a handful of malware programs in the space of a week, and these were typically f le infectors (or viruses). Now, an AV company will receive thousands of unique malicious f les (unique considering their cryptographic hash, like MD5 or SHA-1) daily. This has forced the AV industry to focus on automatic detection and on creating heuristics for detection of as-yet-unknown malicious software by both dynamic and static means. Chapters 3 and 4 discuss how AV software works in more depth.

The rapid evolution of malware and anti-malware software products is driven by a very simple motivator: money. In the early days, virus creators (also called vxers) used to write a special kind of f le infector that focused on performing functions not previously done by others in order to gain recognition or just as a personal challenge. Today, malware development is a highly prof table business used to extort money from computer users, as well as steal their credentials for various online services such as eBay, Amazon, and Google Mail, as well as banks and payment platforms (PayPal, for example); the common goal is to make as much money as possible.

Some players in the malware industry can steal email credentials for your Yahoo or Gmail accounts and use them to send spam or malicious software to thousands of users in your name. They can also use your stolen credit card information to issue payments to other bank accounts controlled by them or to pay mules to move the stolen money from dirty bank accounts to clean ones, so their criminal activity  becomes harder to trace.

This chapter covered various topics pertaining to update services, such as how they generally work in modern antiviruses, which transport protocols are typically used, and the security shortcomings arising from incorrect and insecure implementations:

  • Update f les packaging—It is important to be able to update only the changed part and minimize the network traff c used. Catalog f les are typically used in update services to describe the f les to be updated, their hashes, and other metadata needed during the updating process.
  • Transport protocol—Using insecure channels such as HTTP opens the user to MITM attacks, among other things. However, using an encrypted update channel alone is not enough.
  • Update package integrity verif cation—It is possible to use an unencrypted channel but still validate the integrity of the update f les. However, the converse is incorrect: a secure update channel, for example, HTTPS, without proper f le integrity checks is pretty useless.
  • Insecure update service implementations are not a myth—An in-depth look at how a commercial AV update service works proves otherwise. As it turns out, the update service in question uses the unencrypted HTTP protocol and employs a catalog f le containing the list of f les to be updated along with their hashes. A good protection one would think, but its weakness was that the catalog f le itself is not validated, thus it is possible to serve a modif ed catalog f le with a list of f les that the attacker controls along with their correct hashes.

This chapter concluded with a discussion about how HTTPS interception methods used by popular antivirus products actually break HTTPS certif cate pinning and render the customers’ machines more unsafe.

This is the last chapter in the f rst part of this book, where all the important introductory and background material has been laid out. In the next part of this book, titled “Antivirus Software Evasion,” we start discussing how to evade the various parts of the antivirus software that were discussed during the f rst part of this book .