Anti-Virus… or Door for a hacker?

How hackers can break into your system through anti-virus?
Step 1: Hacker does remote identification of antivirus - Some company Inc is running an antivirus in its mail server. The antivirus checks for every incoming mail for possible virus infection. If the mail is clean, the antivirus passes it and the mail is then forwarded to recipient. Else the mail gets dropped or rejected. The first step of an attacker is to identify the antivirus running in the server. He accomplishes this by using multiple techniques like services identification, open ports and vulnerability assessment or by checking a bounced mail.
Step 2: Hacker sends a mail with malicious attachment - Once the target antivirus is identified in the server gateway, the attacker crafts a mail targeted to a user registered on that mail server. At this time, he also attaches an executable that contains the malicious payload specifically meant for that antivirus. Incase the attackers objective isn't to attack the mail server antivirus software directly and he only wants to evade its detection he can use several techniques like Multiple  filename  or  boundary  fields  in  Content-Type,  Content-Disposition, skipped file name,CR without LF, Exploitation of poisoned NULL byte, Exploitation of unsafe fgets() problem etc. These techniques are useful when the intention of the attack is to get the attachment by the client systems.
Step 3: Anti Virus Scans the malicious mail attachment - Once the malicious email mail is received by the mail server software, the vulnerable AV software will try to scan the malicious executable. This may result either in antivirus software crash or execution of arbitrary code which results in complete security bypass.
Step 4: Attacker crashes the Antivirus and/or breaks into the system: If the attack is directly meant for the antivirus in the server gateway, it leads in full compromise of the server or else it results in client system compromise when the attachments are executed. In certain cases direct compromise can happen else only the anti-virus gets crashed.
The rising popularity of antivirus software has lured the attackers to target the security software itself as the means to break into. Imagine this situation: you are running a secure system with anti-virus and other necessary software running on it. You assume that you are safe from the latest threats. But what if the anti-virus itself is vulnerable? It means that when a hacker exploits the vulnerability in your security software, he has complete access to your system! The detailed article that describes iViZ’s original security research on how the security software itself could be targeted by a hacker is at:
E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

RSAC Meetup Banner

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)