12 October 2011

Using antivirus as entrance vector

Houses with their antivirus products promise a panacea to the risks to the security of our systems. However, antivirus, like any human endeavor, can suffer from errors that serve as vectors of attack for someone with enough knowledge to do so. An example is the following email, sent to the list of security incidents, focus on 13 February:
On the 4th of February I posted an message asking a few questions About a possible mail server compromise [1] I had a Few Good responses and lots of offers for help, Some Of These messages lead to the discovery Indirectly What Really Happened of. [...] Here is what we discovered we Correlated When all logs, traces, events and upstream data. That left the data the mailserver - Were mails - wait ... The Way They are not supposed to leave, what left our WHERE mailserver gigabytes of mails, no time to Go Through Each of Them .. But we supposed Nearly all of our stored emails we Were commitments. Since we use qmail and exchange as well as corporate mx mail this server How Could Have Happened? Düring analysis of the event log, we saw Several event entries Indicating the AV scanner crashed multiple times DURING Several hours Before the first huge batch of traffic left the mail server. Nothing spectacular you Might Say, This Happens from time to time, though Rarely. This lead us to the notion to use the Simply Anti-Virus scanner to rescan the complete in box of all accounts, and Then it hit us, Suddenly There Were Being Initiated Requests outbound. What tried to These Initiate Requests? The Anti-Virus scans scanner.We reran the Several times at one particular file and the scanner started acting weirdly. What we discovered an exploit WAS Against the AV scanner That Was When It triggered scanned the attachment to this particular email ... The Threat That Was not we Anticipated.
 [...]
We had allowed the Anti-Virus scanner to get the updates from the Allowing Internet access to the internet it of course ... This Was the way the data got out. I am not sure That It Would Have help if the Would Have Been Pushed updates Internally, After all the exchange That sends email server somehow get out to the internet, I guess the way to get out Would Have Been a bit harder just for the attacker.
[...]
Obviously, such incidents are omitted by advertising houses antivirus developers but it is essential to have them in mind when making a proper risk assessment. In general, any antiviral product is free from faults, but some suffer more than others: