Antivirus security: naked during updates
2013; Wiley; Volume: 44; Issue: 10; Language: English
10.1002/spe.2197
ISSN 1097-024X
Authors: Byungho Min, Vijay Varadharajan, Udaya Tupakula, Michael Hitchens
Topic(s): Security and Verification in Computing
Abstract

Software: Practice and Experience, Volume 44, Issue 10 (October 2014), pp. 1201-1222. Research Article.

Authors: Byungho Min, Vijay Varadharajan (corresponding author), Udaya Tupakula, Michael Hitchens. All authors: Information and Networked Systems Security Research, Faculty of Science, Macquarie University, Sydney, Australia. Correspondence to: Vijay Varadharajan, Information and Networked Systems Security Research, Faculty of Science, Macquarie University, Sydney, Australia. E-mail: vijay.varadharajan@mq.edu.au

First published: 22 April 2013. https://doi.org/10.1002/spe.2197. Citations: 17.

SUMMARY

The security of modern computer systems heavily depends on security tools, especially on antivirus software. In the anti-malware research community, the development of techniques for evading detection by antivirus software is an active research area, and it has led to malware that can bypass or subvert antivirus software. The common strategies include obfuscated code and staged malware whose first stage (usually an installer such as a dropper or downloader) is not detected by the antivirus software. Increasingly, most modern malware is staged so that it is not detected by antivirus solutions at the early stage of an intrusion; the installer then determines the method for further intrusion, including antivirus bypassing techniques. Some malware targets boot and/or shutdown time, when antivirus software may be inactive, in order to perform its malicious activities.

However, there can be another time frame during which antivirus solutions may be inactive, namely during updates. All antivirus software shares the characteristic that it must be updated at a very high frequency to provide up-to-date protection for its host system. In this paper, we suggest a novel attack vector that targets antivirus updates and show practical examples of how a system, and the antivirus software itself, can be compromised during an antivirus update. Local privilege escalation using this vulnerability is also described. We have investigated this design vulnerability in several of the major antivirus products, including Avira, AVG, McAfee, Microsoft, and Symantec, and found that they are vulnerable to this new attack vector. The paper also discusses possible solutions that can be used to mitigate the attack in existing versions of antivirus software as well as in future ones. Copyright © 2013 John Wiley & Sons, Ltd.