July 27, 2005 4:00 AM PDT

Antivirus insecurity at Black Hat confab

Experts are warning that the popularity of antivirus software could turn the defensive measure into a security risk.

The technology is commonly installed on PCs, servers, network gateways and mobile devices. The more widespread it becomes, the more attractive a target it is for cybercriminals, said researchers at Internet Security Systems.

"Antivirus could potentially be the weak point hackers might exploit to break into your network," said Neel Mehta, the team leader of X-Force Research at Internet Security Systems in Atlanta. "It is a key security mechanism, and it is important to have it. But at the same time, it could also be an attack vector."

News.context

What's new:
ISS researchers plan to outline flaws in antivirus products at Black Hat Briefings, saying the software's popularity is making it more attractive to hackers.

Bottom line:
The discussion is among the many topics up for discussion at the security conference and the DefCon event that follows it in Las Vegas this week.


Mehta and fellow ISS researcher Alex Wheeler plan to outline vulnerabilities in antivirus products on stage at the Black Hat Briefings, which kick off on Wednesday. The security conference draws hackers and security experts to Las Vegas every year. The event is followed by DefCon, the security industry confab famous for its hacker activity, which starts Friday.

The ISS researchers will demonstrate hacking into systems using known and fixed flaws in antivirus products, not new security holes that have not been publicly disclosed yet, Mehta said. "We're going to show that it is a credible threat and demonstrate exploits," he said.

In the past year, ISS has discovered bugs in products from security software makers Symantec, McAfee, Trend Micro and F-Secure, he noted. Earlier this week, several flaws discovered by ISS were disclosed and fixed in Clam AntiVirus, a popular open-source virus scanner.

At the moment, the problem is just an emerging threat. Only isolated cases have been seen of malicious code writers using holes in antivirus software to attempt to break into computer systems, Mehta said. "There used to be no exploits for antivirus products, but we see some now," he said. "There is the potential for more."

Antivirus software is like low-hanging fruit to hackers, Yankee Group analysts wrote in a research paper released last month. As the pool of easily exploitable security bugs in Microsoft Windows dries up, attackers are looking to security software for holes to get into systems, the analysts said.

"As the core of the operating system gets more secure, hackers are diverting their attention to other targets," Mehta agreed.

Show time in Vegas
The lineup of papers and presentations at Black Hat this week bears out that trend. Few of the topics in the sessions deal with hacking attempts on Windows, Microsoft's dominant operating system, which has come under heavy attack from malicious code writers in the past.

Weaknesses in antivirus software are only one of the topics on the conference agenda. Researchers will also cover the use of USB keys to get into Windows PCs, intrusions into Oracle products and the security of Cisco Systems routers.

Experts from SPI Dynamics, which specializes in Web application security, plan to highlight problems with the drivers that make USB devices work on computers in a session titled "Plug and Root, the USB Key to the Kingdom." They will delve into how an attacker could gain access to an otherwise locked system via such security holes.

Oracle, which once called its products "unbreakable," will also see its security scrutinized. Alexander Kornbrust of Red Database Security will give a presentation on how to circumvent Oracle's database encryption, and Esteban Martínez Fayo, a researcher at security company Argeniss, is slated to show new ways to attack Oracle databases. Kornbrust, a German security researcher, earlier this month published details on a number of unpatched security flaws in Oracle software.


Cisco's routers are part of the core plumbing of the Internet, and Cisco's IOS, or Internetwork Operating System, runs on those routers. At Black Hat, ISS researcher Michael Lynn will probe IOS security for possible weaknesses. Large-scale router attacks could disrupt the performance of the Internet.

Black Hat attendees can also get some legal advice. Jennifer Granick, the executive director of the Stanford Law School Center for Internet and Society, plans to offer a practical and theoretical tutorial on legal issues related to computer security practices.

While Black Hat is more like a traditional trade show, DefCon is a celebration of hacker culture and security knowledge. It brings together experts from the hacker underground, security industry stars and geek groupies. Word on the street is that most hotels in Las Vegas refuse to host DefCon because of all the hacking mischief that takes place.

As the focus on cybercrime has increased, Black Hat and DefCon have also become a fixed item on the calendars of many law enforcement agents. A few years back, conference-goers would challenge each other to spot the "Fed." This year, some in the security industry say the task could be to spot the hacker.

Where's the story?
I was certain there was going to be a real story here, especially when I noticed Clamav noted. Alas, just another glob of pasted quotes and misinformation about 'future' expectations, and what might happen.

Good try.
Posted by (3 comments )
Eliminate the virus vulnerability - do not accept it
Why is Anti-Virus accepted as a required add-on? It was adopted and used to patch a basic weakness and vulnerability in the Windows System. This basic flaw should be fixed and eliminated, and users should not have to add anti-virus, anti-spam, etc.

Let's get to the root problem and fix it. We should not accept all the add-ons as a necessity.

The question that should be asked is whether the virus market was a self-serving market. Was the virus threat created by the early pioneers to sell anti-virus software?

Consider the millions of dollars wasted in software cost, administrative time, and computer cycle time due to anti-virus programs. The user has been exploited. This is the real crime here.
Posted by (31 comments )
Study your history
Virus writers and their methods were developed before Windows ever dominated the desktop. Suggesting that flaws in Windows are the source of viruii, hackers, and various anti-virus approaches is simply foolish. Every software system has flaws, and while not all anti-virus software is perfect, to a large degree it can help common users. If you consider it an unnecessary "add-on," then simply don't install it.
Posted by David Arbogast (1709 comments )
well duh
If Microsoft doesn't have issues, there is no reason for patches and to check for them; hence, no antivirus industry, bootlegs a-plenty, and no way for Microsoft to control their product. Not to mention you can't contribute to the DOD and think you are able to fortify your software; the government demands access, aka the several backdoors to your system, in case they have to monitor you. Did you ever wonder why, if your product runs the world, only recently you go "hey, we know our product inside and out, let's acquire a partnership with an antivirus firm and develop a secure add-on instead of tightening and testing the code?" Then try to offer it for free in order not to look like a profit monster. No, you can't find everything, especially when six depts contribute and one dept gets to quilt it together. The difference isn't just in how pretty the pattern is, but how well it's sewn together.
Posted by Luke_Cage (33 comments )
You mean eliminate the user...
The only way to eliminate the vulnerability is to eliminate the user. Unless you want to "unwire" your computer from any external access and this includes media (music, movies) and software (new single-player games).
Posted by zaznet (1138 comments )
Seen This Happen...
Years ago in another work place we had a simple DOS virus infect our anti-virus software used enterprise wide. The software was executed from the server, so once infected it was instantly spread on all machines when any user logged onto a workstation. Suffice it to say that the months old virus wasn't known by our week old virus definitions.

In the end our own defenses brought us to our knees. Part of the problem was poor deployment of the anti-virus software and the security used around it. Antivirus software needs a high level of access to the system, but you have to prevent the users from having a high level of access to that software or the ability to make changes to it.
Posted by zaznet (1138 comments )
That was 9 years ago BTW! :)
Just wanted to let everyone know this occurrence was about 9 years ago.
Posted by zaznet (1138 comments )
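A defender-side check for the deployment weakness zaznet describes above (an anti-virus install executed from a server share that ordinary users were able to modify), written here as an added example and not taken from the article, the commenter or any vendor. It walks a shared install tree and reports every file or directory that someone other than the owner can write; it assumes POSIX permission bits as a stand-in for the share's ACLs (on a Windows share the same question is asked of the ACLs), and the sample tree is constructed for the illustration.

```python
import os
import stat
import tempfile

# Mode bits that let someone other than the file's owner modify the object.
NON_OWNER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_shared_install(root):
    """Walk a shared install tree and report anything a non-owner could modify.

    Returns a sorted list of (relative_path, reason) tuples. A writable directory
    is reported on its own: files inside it can be renamed or replaced even when
    the files themselves are read-only, which is exactly how a scanner run from
    a share gets swapped for an infected copy.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if os.lstat(dirpath).st_mode & NON_OWNER_WRITE:
            findings.append((rel_dir, "directory writable by group/other"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful; its target is walked separately
            if st.st_mode & NON_OWNER_WRITE:
                findings.append((os.path.join(rel_dir, name), "file writable by group/other"))
    return sorted(findings)


def build_sample_tree():
    """Construct a throwaway tree (constructed sample, not a real product layout) that mimics a badly deployed server-side AV install."""
    root = tempfile.mkdtemp(prefix="av_share_")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "defs"))
    for rel, mode in [("bin/scanner.exe", 0o755),    # correct: only the owner can write
                      ("bin/helper.dll", 0o777),     # wrong: any user can overwrite the binary
                      ("defs/signatures.dat", 0o644)]:
        path = os.path.join(root, rel)
        with open(path, "wb") as f:
            f.write(b"constructed sample content\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "bin"), 0o755)
    os.chmod(os.path.join(root, "defs"), 0o777)  # wrong: any user can drop or replace definition files
    os.chmod(root, 0o755)
    return root


if __name__ == "__main__":
    for path, reason in audit_shared_install(build_sample_tree()):
        print(f"{path}: {reason}")
```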
World's biggest non-story...or is it?
Attacks on antivirus software have been around roughly as long as antivirus software. If there's a story here, it's that the 'threshold of pain' for exploiting the Microsoft OS monoculture has (supposedly) begun to exceed that of exploiting some other monoculture. So kudos to Microsoft for digging their way out of dead last in the low-hanging fruitz department.
Posted by (1 comment )