Attackers will move from attacking web applications to attacking security products directly.
Speaking to IT Security Guru, WhiteHat Security CEO and CTO Jeremiah Grossman predicted that attackers will shift to the security products themselves, and asked what more attractive target could there be than exploiting anti-virus? “It has kernel access to the system, and who is to say that anti-virus is any more secure? Just that the bad guys have chosen to ignore them for the time being,” he said.
“Specifically they will go after the intrusion detection systems, or the spam email gateways – anything that’smeant to parse or interpret malicious data. Every time the bad guys put a new virus out there, there is a new signature and it is added to the list and over time that list gets bigger and bigger, and the bad guys just create a new virus that evades that list. They are consistent and the good guys are always chasing and the model is not sustainable. It cannot work and will fail.”
Jeffrey Carr, CEO of Taia Global, told IT Security Guru that this is an interesting theory, and he could not disagree. “I don’t have any insight into how vulnerable anti-virus systems are, but it’s probably just a matter of time before they’re exploited,” he said. “If anti-virus companies haven’t performed any penetration tests against their own products, they should – just like any other software or hardware company.”
Sean Sullivan, security advisor at F-Secure, said: “That’s long been a concern. From the presentations I’ve seen at anti-virus vendor conferences and workshops, it’s being factored into development. Whether it’s enough to stay ahead of the curve – time tells. But at least thus far, security software appears to be evolving at a competitive pace.”
Sullivan also told IT Security Guru that Jeremiah’s threat scenario is one of a dedicated attacker, and defence is always a challenge in such cases, and the anti-virus industry’s focus is divided by the need to protect mass numbers of consumers from commoditised crimeware. “Targeted attacks against corporations can only be defended against by multiple layers of security, of which anti-virus is only one part,” he said.
David Harley, senior research fellow at ESET, said that speculation about attackers targeting security software – usually anti-virus – go back at least to the 1990s, and often from vendors of alternative technologies. He highlighted hype in the 1990s about ‘piggybacking’, a term one vendor used to speculate about a range of hypothetical attacks that were expected to bring about the demise of anti-virus by exploiting it as an infection vector.
“Actually, it’s woefully inaccurate to say that ‘the bad guys’ ignore anti-virus: there is always interest in reverse engineering high-profile packages for vulnerabilities, indicators of current and novel detection techniques and so on,” he said. “Oddly enough, the security industry is aware of that and has its own ways of making it harder to extrapolate such information. After all, it has a great deal of experience of inspecting malicious code using sophisticated anti-forensic techniques.”