isotopp (@isotopp@chaos.social), edited

https://arstechnica.com/security/2024/04/hackers-infect-users-of-antivirus-service-that-delivered-updates-over-http/

Antivirus software is running with privileges, reading every file on the system, written to standards and methods from the early 1990s.

Using any such software is actively compromising your system security.

I cannot stress enough how retro and badly written all of this stuff is.

isotopp (@isotopp@chaos.social), edited

"Hackers abused an antivirus service for five years in order to infect end users with malware. The attack worked because the service delivered updates over HTTP, a protocol vulnerable to attacks that corrupt or tamper with data as it travels over the Internet."

No encryption, no validation, no signatures, five years undetected.

You might think this is an exceptionally bad vendor, but this is par for the course.
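
The three missing controls named above (authenticity, integrity, freshness of an update fetched over an untrusted channel) map onto a small, well-understood pattern. The following Go program is an added illustration, not code from the vendor in the article or from any product: the vendor signs a manifest (a sequence number, a version string and the SHA-256 of the payload) with a pinned Ed25519 key, and the client refuses anything whose signature fails, whose payload hash differs from the signed manifest, or whose sequence number is not newer than what is already installed. The type and function names (`Manifest`, `SignedUpdate`, `SignUpdate`, `VerifyUpdate`) and the sample payload are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the signed statement about one update. Seq is a monotonically
// increasing counter so a client can refuse replays of older (vulnerable) releases.
type Manifest struct {
	Seq     uint64 `json:"seq"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of Payload
}

// SignedUpdate is what crosses the untrusted transport (plain HTTP, a mirror, a CDN).
// Only Manifest is signed; Payload is bound to it through the hash inside the manifest.
type SignedUpdate struct {
	Manifest  []byte // JSON-encoded Manifest, exactly the bytes that were signed
	Signature []byte // Ed25519 signature over Manifest
	Payload   []byte
}

var (
	ErrBadSignature = errors.New("update: manifest signature does not verify")
	ErrHashMismatch = errors.New("update: payload hash does not match manifest")
	ErrRollback     = errors.New("update: manifest sequence is not newer than installed")
)

// SignUpdate is the vendor side: hash the payload, describe it in a manifest, sign the manifest.
func SignUpdate(priv ed25519.PrivateKey, seq uint64, version string, payload []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(payload)
	m, err := json.Marshal(Manifest{Seq: seq, Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(priv, m), Payload: payload}, nil
}

// VerifyUpdate is the client side. pub is pinned in the installed product, never fetched
// from the update channel. installedSeq is the sequence number of the release on disk.
func VerifyUpdate(pub ed25519.PublicKey, u SignedUpdate, installedSeq uint64) (Manifest, error) {
	// 1. Authenticity: check the signature before trusting anything parsed from the manifest.
	if !ed25519.Verify(pub, u.Manifest, u.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	// 2. Freshness: a valid signature on an old manifest is still a rollback attempt.
	if m.Seq <= installedSeq {
		return Manifest{}, ErrRollback
	}
	// 3. Integrity: the payload must be the one the signed manifest describes.
	sum := sha256.Sum256(u.Payload)
	if subtle.ConstantTimeCompare([]byte(hex.EncodeToString(sum[:])), []byte(m.SHA256)) != 1 {
		return Manifest{}, ErrHashMismatch
	}
	return m, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for a signature-database update.
	payload := []byte("constructed signature database, release 2024.04.1")
	u, err := SignUpdate(priv, 42, "2024.04.1", payload)
	if err != nil {
		panic(err)
	}

	// Genuine update: accepted.
	m, err := VerifyUpdate(pub, u, 41)
	fmt.Println("genuine:", m.Version, err)

	// Bytes altered in transit: the hash check fails even though the manifest is intact.
	tampered := u
	tampered.Payload = append([]byte(nil), payload...)
	tampered.Payload[0] ^= 0xff
	_, err = VerifyUpdate(pub, tampered, 41)
	fmt.Println("tampered payload:", err)

	// Replay of a release the client already has: rejected as rollback.
	_, err = VerifyUpdate(pub, u, 42)
	fmt.Println("replayed:", err)
}
```

Transport encryption (HTTPS) is still worth having on top of this, but it is the signature over the manifest and the hash binding the payload that make the update channel safe even when the transport is not; the sequence check is what stops an attacker from serving a perfectly signed but outdated release.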

isotopp (@isotopp@chaos.social)

In their "Apple Silicon" version of their operating system, Apple has prohibited kernel extensions, including kernel extensions that are used by Antivirus.

Instead there are now "System Extensions" (/Library/SystemExtensions) that come in various flavors, one of them file scanning and open interception.

https://developer.apple.com/documentation/endpointsecurity

MacOS manages the actual file access and the extension can be contained properly.

isotopp (@isotopp@chaos.social)

Conceptually this is an important step forward, as it forces "security" vendors to implement proper segregation of duties in their software, and also encourages them to embrace a permission-minimal implementation of their service.

Of course, none of the vendors went down this path without being strongarmed by Apple. They insisted on staying true to their outdated, 1990s-born architecture, taking none of the things we learned in 20 years to heart.

larsmb (@larsmb@mastodon.online)

@isotopp I "believe" the AV vendors are actually Nation State Actor-sponsored vehicles of opening backdoors into systems that try to be "compliant".

Only possible way of explaining the idiocy that are AV scanners.

resuna (@resuna@ohai.social)

@larsmb @isotopp The antivirus industry has always been pretty corrupt. They had this whole model of selling fear. So far as I know the only "sort of" live Palm OS virus in the wild was one created as a demo by an antivirus company. When I was doing desktop around 2000, we didn't have a single case of malware on handheld devices, primarily Palms, but we did have a couple of users whose hotsync backups were corrupted by Windows desktop antivirus software getting a false positive on Phage.

ljrk (@ljrk@todon.eu)

@isotopp Yup, IME AV solutions are often of worse security than most other software.

However, in many company networks sometimes visibility of intrusions matters more than one additional vulnerable piece of software, because there's already so much shit going on.

Which means that XDR or any AV+monitoring stuff can actually be useful to the security operations team. While kinda compromising security, but it's not a big deal because there are even simpler ways to intrude. 🙈

isotopp (@isotopp@chaos.social)

@ljrk

I think it is bold to assume, for anyone, that a vulnerable piece of software can give you reliable visibility into your security posture.

ljrk (@ljrk@todon.eu)

@isotopp Definitely not reliable! AVs are now mostly sounding alarms when a user downloads, say, a malicious file from a warez site. Like, very well-known, mass infection, script kiddy style malware. Nothing that actually targets a company.

Basically, the companies accept the risk that if someone wants to pwn them, they're done for anyway :~

thomasfricke (@thomasfricke@23.social)

@ljrk @isotopp

The #Antivirus Hacker Handbook

https://www.oreilly.com/library/view/the-antivirus-hackers/9781119028758/

If you can feed this into an #AI system you can make it write tons of exploits easily.

isotopp (@isotopp@chaos.social)

@thomasfricke @ljrk

That was written by @joxean and is not only teaching you how to reverse things, but it is also a splendid deconstruction of current (well, back then) AV software from a wide variety of vendors.

It highlights very nicely that the stuff in the thread starter is in no way specific to that one vendor, and also that it is not something that can be repaired with a simple patch. These things are architecturally broken.
