[HN Gopher] Attackers spread backdoor via eScan antivirus softwa...
___________________________________________________________________
Attackers spread backdoor via eScan antivirus software update
process
Author : skilled
Score : 41 points
Date : 2024-04-23 16:17 UTC (1 day ago)
(HTM) web link (decoded.avast.io)
(TXT) w3m dump (decoded.avast.io)
| jerbear4328 wrote:
| I'm interested to know how eScan, a security company, never
| noticed that they were using http to distribute executables to
| customer devices for so long.
| mistrial9 wrote:
| plenty of critical services use HTTP -- maybe exactly because
| they are critical.. think the scenarios through and that may
| make more sense..
| capitainenemo wrote:
| Common enough to use it.. linux distros frequently distribute
| updates over http (and ftp). But those are always signed.
| Something eScan did not do.
| febeling wrote:
| Can't you switch out the signatures inflight, too?
| beagle3 wrote:
| If it's based on asymmetric encryption (e.g. RSA, DH,
| etc.) and the private key did not leak, then no.
| DaSHacka wrote:
| AFAIK, the worst you could do is serve the victim stale
| (valid) packages, and prevent them from seeing that there
| are new updates available.
|
| I maintain a (somewhat) popular mirror server at a
| university, and we actually ran into this issue with one
| of our mirrors. The Tier 1 we were using as an upstream
| for a distro closed up shop suddenly, leaving our mirror
| with stale packages for some time before users told us
| they never got any updates.
| capitainenemo wrote:
| I don't think that would work with most distros, since
| you're fetching an (also signed) update list and you'd
| get notified that the update failed due to a stale list,
| or that the expected updated package was missing on the
| mirror.
| jijijijij wrote:
| You could, but then the signature check would fail.
| Usually the public keys of developers or packagers are
| shipped with a linux distribution.
|
| However, you shouldn't blindly trust in this in "linux"
| either. The implementation varies between package
| managers. E.g. DNF in Fedora has signature checks _not_
| enabled for _local_ package installations, by default.
| There is no warning, nothing. If you want to infect new
| Fedora users, you MITM RPMFusion repo (codecs etc)
| installation, because that's a package almost everyone
| installs locally and the official install instructions
| don't show how to import the relevant keys beforehand.
| Arch was also very late to the validation party.
| capitainenemo wrote:
| How is Arch vulnerable? While I don't have an Arch system
| handy, I do have a steam deck that I play around with (in
| an overlay), and I've certainly run into a lot of
| signature issues due to Valve making a hackish "pin" of
| the evergreen Arch with signatures in the Valve tree's
| snapshot being often out of date.
|
| Those signatures are also checked for local installs
| unless you explicitly disable them.
| jijijijij wrote:
| Pacman has signature checks by default, for over a decade
| now, I think, but they have been ridiculously late with
| universal usage of this feature, _relatively_ speaking.
| They were still barebacking their machines, when
| everybody trivially knew the internet was serious
| business and expected signature checks, therefore.
| febeling wrote:
| I realize now it was a stupid question, but the excellent
| refresher and ensuing discussion of edge cases was well
| worth the downvote someone felt compelled to leave, haha
| jamespo wrote:
| I'd hope these other critical services at least sign their
| packages
| cryptonector wrote:
| Yes. But IIRC there have been attacks on Debian package
| fetching anyways.
| seiferteric wrote:
| Somewhat ironically OCSP.
| cryptonector wrote:
| This has to do with circularity. If you are building a TLS
| library that needs to fetch OCSP Responses dynamically, you
| might not have an easy time using HTTPS to do it. Well,
| obviously you'd have to disable the use of OCSP for
| validating the OCSP Responder's TLS server certificate, but
| still you have a re-entrance requirement, and anyways the
| OCSP Responses are signed. (Or, well, you could use OCSP to
| validate an OCSP Responder's TLS certificate if you had
| code to detect a circular dependency, then stop and
| consider it validated. This would allow the use of OCSP for
| validating OCSP Responder TLS server certs where ultimately
| you could use HTTP for a non-privacy-sensitive certificate
| or where you could elide OCSP Responder TLS server cert
| validation but still use HTTPS to fetch OCSP Responses so
| as to provide confidentiality about the server names you're
| visiting.)
|
| The main reason to want to use HTTPS for fetching OCSP
| Responses has to do with privacy rather than security
| relative to active attacks.
|
| It's probably time to revisit this.
| lupusreal wrote:
| Seems like criminal negligence to me.
| hermannj314 wrote:
| If an Uber Eats driver poisons your food en route from
| McDonalds, then McDonalds is criminally negligent?
|
| I mean, I understand HTTPS is industry best practice but the
| criminals in this story are the actual criminals.
| NegativeLatency wrote:
| All analogies are flawed but this feels a bit more like the
| tamper proof labels on products, the antivirus company
| threw some chicken in a produce bag, and called it good.
|
| At this point a lot of antivirus software is just useless
| or actively harmful.
| yborg wrote:
| Avast actually had a trojan horse product whose main
| purpose was collecting browsing history for sale to data
| brokers ... that you paid a subscription fee for.
|
| https://www.ftc.gov/news-events/news/press-
| releases/2024/02/...
| lupusreal wrote:
| > _I understand HTTPS is industry best practice_
|
| Right. Unlike your McDonalds example, there is already an
| industry standard solution to this problem. The software
| ""engineers"" who neglected to implement it should be found
| criminally negligent for the harm they caused to their
| users. I know this is an unpopular suggestion on HN because
| code monkeys want all the glory of the "engineer" job title
| without any of the responsibility.
| robocat wrote:
| > The software ""engineers"" should be found criminally
| negligent
|
| Software goes across borders. Perhaps you also think
| negligent software "engineers" should be extradited or
| rendered across jurisdictions?
|
| Apart from the fact that Engineer does not have to imply
| either certified or licenced (the words you should be
| using if you know anything).
| radicaldreamer wrote:
| http or https doesn't matter (in fact, you shouldn't rely on it
| because the end user could be MITM'd already with a root
| certificate maliciously installed on their device).
|
| You should sign binaries and verify and consider the
| network/distribution method compromised by default.
| dixie_land wrote:
| If the user is MITM'd, what's preventing the attacker also
| replace the signature to verify against?
| kuhsaft wrote:
| The signature would use asymmetric encryption, so unless
| the attacker had access to the signing key, it would be
| impossible for the attacker to sign a modified version of
| the payload.
|
| EDIT: I see what you mean. radicaldreamer stated that a
| malicious root certificate is installed, but signature
| validation won't help there. But, it will help when
| downloading from mirrors or HTTP.
| pixl97 wrote:
| You verify against the signature that's in the current
| version. Now this may mean that you need to do stepped
| upgrades to versions that are cross signed to get new
| certificates. That or you have at least one https update
| method that gets a signing cert for the application.
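The thread keeps circling one design: treat the download channel as hostile, verify each update against a key that already ships with the installed version, carry freshness and version information inside the signed data so that a stale or replayed mirror is detected, and rotate keys in steps by having the current key cross-sign the next one. The Go program below is an added example that is not part of the article, of eScan's software, or of any commenter's post. It assumes Ed25519 signatures and a JSON manifest layout of my own design; the payloads, keys and manifests are constructed inline so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest is the constructed update descriptor; it may arrive over plain HTTP from an
// untrusted mirror, so everything the client acts on sits inside the signed bytes.
type Manifest struct {
	Version int    `json:"version"`
	Expires int64  `json:"expires"`            // unix seconds; the vendor re-signs before this passes
	SHA256  string `json:"sha256"`             // hex digest of the update payload
	NextKey []byte `json:"next_key,omitempty"` // Ed25519 public key cross-signed by the current key
}

type Signed struct{ Manifest, Signature []byte } // exact manifest bytes plus the signature over them
type Client struct{ Version int; Key ed25519.PublicKey } // shipped with the installed build: version plus pinned vendor key

var ErrBadSignature = errors.New("signature invalid: manifest tampered or signed by an untrusted key")
var ErrStale = errors.New("manifest expired: dead mirror or freeze attack")
var ErrRollback = errors.New("version not newer than installed: replay or rollback")
var ErrBadPayload = errors.New("payload hash mismatch: binary tampered in transit")

// Verify validates a fetched manifest/payload pair and returns the new client state.
func (c Client) Verify(s Signed, payload []byte, now time.Time) (Client, error) {
	if !ed25519.Verify(c.Key, s.Manifest, s.Signature) {
		return c, ErrBadSignature // check the signature before trusting any field
	}
	var m Manifest
	if err := json.Unmarshal(s.Manifest, &m); err != nil {
		return c, fmt.Errorf("manifest parse: %w", err)
	}
	if now.Unix() > m.Expires {
		return c, ErrStale
	}
	if m.Version <= c.Version {
		return c, ErrRollback
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.SHA256 {
		return c, ErrBadPayload
	}
	next := Client{Version: m.Version, Key: c.Key}
	if len(m.NextKey) == ed25519.PublicKeySize { // stepped rotation: adopt the cross-signed key
		next.Key = ed25519.PublicKey(m.NextKey)
	} else if len(m.NextKey) != 0 {
		return c, errors.New("next_key malformed")
	}
	return next, nil
}

// Publish is the vendor side: serialise the manifest and sign exactly those bytes.
func Publish(priv ed25519.PrivateKey, m Manifest) Signed {
	b, _ := json.Marshal(m) // plain fields only, so Marshal cannot fail
	return Signed{Manifest: b, Signature: ed25519.Sign(priv, b)}
}

// newManifest builds a manifest for a payload that stays fresh for 24 h after `now`.
func newManifest(version int, payload []byte, now time.Time) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{Version: version, Expires: now.Add(24 * time.Hour).Unix(), SHA256: hex.EncodeToString(sum[:])}
}

// Scenarios runs the client against constructed update attempts; a nil error means accepted.
func Scenarios() map[string]error {
	pub1, priv1, _ := ed25519.GenerateKey(rand.Reader) // demo keys; real code checks the error
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
	_, privEvil, _ := ed25519.GenerateKey(rand.Reader)
	now, out := time.Now(), map[string]error{}
	payload, bad := []byte("constructed update payload v2"), []byte("backdoored payload")
	client := Client{Version: 1, Key: pub1}
	s := Publish(priv1, newManifest(2, payload, now)) // honest release
	_, out["legit"] = client.Verify(s, payload, now)
	_, out["tampered_payload"] = client.Verify(s, bad, now) // MITM swapped only the binary
	_, out["tampered_manifest"] = client.Verify(Publish(privEvil, newManifest(2, bad, now)), bad, now)
	_, out["stale"] = client.Verify(Publish(priv1, newManifest(2, payload, now.Add(-48*time.Hour))), payload, now)
	_, out["rollback"] = client.Verify(Publish(priv1, newManifest(1, payload, now)), payload, now)
	// Stepped key rotation: v2 carries pub2 cross-signed by key 1; afterwards only key 2 is trusted.
	rot := newManifest(2, payload, now)
	rot.NextKey = pub2
	rotated, err := client.Verify(Publish(priv1, rot), payload, now)
	out["rotation_step"] = err
	p3 := []byte("constructed update payload v3")
	_, out["rotation_new_key"] = rotated.Verify(Publish(priv2, newManifest(3, p3, now)), p3, now)
	_, out["rotation_old_key"] = rotated.Verify(Publish(priv1, newManifest(3, p3, now)), p3, now)
	return out
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-18s %v\n", name, err)
	}
}
```

The order of checks in Verify matters: the signature is checked before any field of the manifest is parsed or trusted, the expiry catches the "stale but validly signed" case a dead or frozen mirror produces, and the version comparison rejects replay of an older release. Transport security is deliberately not part of the check, which is the point made above: an update that verifies this way is safe to fetch over HTTP from any mirror, and HTTPS then adds privacy rather than integrity.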
| kuhsaft wrote:
| > the end user could be MITM'd already with a root
| certificate maliciously installed on their device
|
| If a malicious root certificate is installed, then the user's
| system is already compromised and signature validation won't
| help.
| TonyTrapp wrote:
| Not in the strict sense if it's state-mandated MITM (you
| are forced to install a specific root certificate to
| legally connect to the internet).
|
| But also in the other case, not all is lost: Not every
| malware can (or even tries to) defend itself against any
| antivirus software in existence. The machine might be
| compromised, but being able to retrieve the correct update
| for the hypothetically unaffected malware scanner can still
| give you the signal that your machine is infected and you
| should reinstall it.
| andmarios wrote:
| Some customers actually ask for it. The correct behavior is to
| have https as the default and have the user explicitly switch
| to http.
| jms703 wrote:
| Makes one wonder how poorly designed the software is. Like most
| antivirus software, it's probably not very good.
| microtherion wrote:
| In my entire career, I've yet to encounter a virus as deleterious
| in its effect as some of the antivirus software I've seen
| (Though, having had minimal Windows experience may contribute to
| this experience).
|
| I've spent literally hours explaining to my users that no, my
| software was not distributed with a virus; one popular antivirus
| program had a false positive flagging it as such.
| teeray wrote:
| I really love when "endpoint security tools" feel the need to
| examine every object file and debugging symbol a compiler
| emits. It really improved the build times /s
| radicaldreamer wrote:
| security theater
| wnevets wrote:
| If you're gonna use an antivirus just use Windows Defender. There
| really isn't a reason to use anything else these days.
| londons_explore wrote:
| Is Windows Defender really effective in 2024? You would think
| any virus designer would design their stuff in a way that the
| default antivirus built into the product they are attacking
| wouldn't be able to find it...
|
| And before you say "well duh, but signature updates", I will
| respond with the fact that nearly all malware is designed to
| auto-update... And will obviously make sure that the windows
| defender signatures fail to auto-update...
| Rinzler89 wrote:
| > Is Windows Defender really effective in 2024?
|
| Relative to what?
|
| The question is: are the competitors more effective in 2024
| for the money you pay VS the built-in solution, while also
| using fewer resources to boot than Defender?
|
| That's the question people and bean-counters ask before
| pulling out their wallets.
| Voultapher wrote:
| It certainly ain't the question the IT department is asking
| in my experience.
| mleo wrote:
| Do you know what's better than one antivirus software? Two
| antivirus softwares. I would not want to calculate the
| extra cost of additional servers to handle loads from each
| server just wasting cpu running AV software.
| aetch wrote:
| You forgot the /s
| wnevets wrote:
| > Is Windows Defender really effective in 2024?
|
| relative to what?
|
| > You would think any virus designer would design their stuff
| in a way that the default antivirus built into the product
| they are attacking wouldn't be able to find it...
|
| Why can't that also be true for any antivirus? I would be
| shocked if anyone who still makes viruses wouldn't check
| VirusTotal first
| parl_match wrote:
| > Is Windows Defender really effective in 2024?
|
| Yes.
|
| > You would think any virus designer would design their stuff
| in a way that the default antivirus built into the product
| they are attacking wouldn't be able to find it...
|
| You would think that Microsoft would build mechanisms to
| prevent this. And they do. Avoiding detection is a key goal,
| to be fair.
|
| > And before you say "well duh, but signature updates", I
| will respond with the fact that nearly malware is designed to
| auto-update...
|
| That's actually very noisy, and an important part of modern
| malware is avoiding detection - internal and external. Auto-
| updaters are pretty easy to detect. Even large ISPs will look
| for auto-update traffic and alert their customers (or in some
| cases, disable their accounts temporarily!). And once
| detected, these companies are very well practiced in taking
| down the hosts of the updates.
|
| So that is a "fact" but it's not so black and white :)
|
| > And will obviously make sure that the windows defender
| signatures fail to auto-update...
|
| Sounds easy in theory, very hard in practice.
|
| On modern systems, that requires kernel mode/system/specific
| elevated privileges. Using a kernel exploit is rare because
| they're hard to come by and very valuable - limits scope of
| who an attacker will bother wasting one on. UAC will complain
| that an unsigned binary is trying to elevate, and such
| functionality may even be disabled. In fleet machines, the
| user often cannot escalate their privileges in such a way
| that allows defender to be disabled.
|
| Anti-virus is still relevant and useful, although slowly
| fading into irrelevance - although there will always be a
| need by vendors to remove malicious software.
| MattPalmer1086 wrote:
| All sane virus designers test their creations against all the
| leading antivirus software.
|
| AV software will only detect known viruses for which a
| signature exists, or poorly coded/tested ones that are caught
| by AV heuristics.
| Yasuraka wrote:
| Windows Defender still flags every other non-trivial Go binary
|
| Even if it's just 50 lines that were compiled 2 seconds ago by
| you in the same folder.
|
| Then again, developing anything on Windows seems to be an
| uphill battle from the get go
| wnevets wrote:
| > Windows Defender still flags every other non-trivial Go
| binary
|
| I believe that is an issue with using reputation based
| protection rather than an issue with antivirus heuristics,
| unsigned/unknown binaries get flagged.
| johncessna wrote:
| Did the editor rein in the original headline?
| fullspectrumdev wrote:
| This whole vector (serving malicious updates via MiTM) has been
| well known for the longest time, with even frameworks such as
| Evilgrade for exploiting them.
|
| Such an oversight from a "security" company is frankly
| unforgivable.
| soraminazuki wrote:
| Antivirus being not only inherently ineffective, but actively
| undermining the security of the system through negligence and
| poor practices. Often tampering with other software and negating
| actual security hardening measures along the way. Has anything
| changed this past decade or two?
|
| https://ia801200.us.archive.org/1/items/SyScanArchiveInfocon...
|
| https://robert.ocallahan.org/2017/01/disable-your-antivirus-...
| parl_match wrote:
| Anti Virus is a net good, although the entire OS industry
| understands that it is an outdated way of thinking about
| endpoint protection. You could say what you said about lots of
| software, including almost anything with a built in updating
| feature.
|
| That in mind, there's no reason to use anything but Windows
| defender on Windows (unless you're a high value target)
___________________________________________________________________
(page generated 2024-04-24 23:01 UTC)