How hackers can break into your system through anti-virus?
Step 1: Hacker does remote identification of antivirus - Some company Inc is running an antivirus in its mail server. The antivirus checks for every incoming mail for possible virus infection. If the mail is clean, the antivirus passes it and the mail is then forwarded to recipient. Else the mail gets dropped or rejected. The first step of an attacker is to identify the antivirus running in the server. He accomplishes this by using multiple techniques like services identification, open ports and vulnerability assessment or by checking a bounced mail.
Step 2: Hacker sends a mail with malicious attachment - Once the target antivirus is identified in the server gateway, the attacker crafts a mail targeted to a user registered on that mail server. At this time, he also attaches an executable that contains the malicious payload specifically meant for that antivirus. Incase the attackers objective isn't to attack the mail server antivirus software directly and he only wants to evade its detection he can use several techniques like Multiple  filename  or  boundary  fields  in  Content-Type,  Content-Disposition, skipped file name,CR without LF, Exploitation of poisoned NULL byte, Exploitation of unsafe fgets() problem etc. These techniques are useful when the intention of the attack is to get the attachment by the client systems.
Step 3: Anti Virus Scans the malicious mail attachment - Once the malicious email mail is received by the mail server software, the vulnerable AV software will try to scan the malicious executable. This may result either in antivirus software crash or execution of arbitrary code which results in complete security bypass.
Step 4: Attacker crashes the Antivirus and/or breaks into the system: If the attack is directly meant for the antivirus in the server gateway, it leads in full compromise of the server or else it results in client system compromise when the attachments are executed. In certain cases direct compromise can happen else only the anti-virus gets crashed.
The rising popularity of antivirus software has lured the attackers to target the security software itself as the means to break into. Imagine this situation: you are running a secure system with anti-virus and other necessary software running on it. You assume that you are safe from the latest threats. But what if the anti-virus itself is vulnerable? It means that when a hacker exploits the vulnerability in your security software, he has complete access to your system! The detailed article that describes iViZ’s original security research on how the security software itself could be targeted by a hacker is at:

Views: 156

Join the Discussion ...

You need to be a member of CISO Platform to join the discussion!

Join CISO Platform



CISO as an enabler

Started by Maheshkumar Vagadiya Jul 30. 0 Replies

Share the instances where you were able to convince the Executive management /board that CISO function is enabler rather then a hindrance.Thanks youMaheshContinue

Has Anyone Evaluated Digital Signature (like Docusign)?

Started by CISO Platform. Last reply by SACHIN BP SHETTY Apr 24. 1 Reply

(question posted on behalf of a CISO member)Has anyone evaluated digital signature (like Docusign), any specific risk/ security areas to be looked into while finalising a vendor? Any and all inputs will be very much appreciated.Continue

What are your strategies for using Zoom in your organization after recent vulnerabilities in news about Zoom platform?

Started by CISO Platform. Last reply by ANAND SHRIMALI May 20. 4 Replies

(question posted on behalf of a CISO member)What are your strategies for using Zoom in your organization after recent vulnerabilities in news about Zoom platform?Related Question: …Continue

[Please Suggest] Corona Virus: Security advisory for work from home

Started by CISO Platform. Last reply by Bhushan Deo Mar 20. 12 Replies

(question posted on behalf of a CISO member)Due to CORONA virus most of the organizations are allowing their employees to work form home.Has any one issued security advisory for work from home ?Continue

Tags: #COVID19

Follow us

Contact Us


Mobile: +91 99002 62585

InfoSec Media Private Limited,First Floor,# 48,Dr DV Gundappa Road, Basavanagudi,Bangalore,Karnataka - 560004

© 2020   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service