Softw. Pract. Exper.

2013

DOI: 10.1002/spe.2197

|View full text |Cite

|

Sign up to set email alerts

|

Antivirus security: naked during updates

¹

,

Vijay Varadharajan

²

,

³

et al.

Abstract: SUMMARYThe security of modern computer systems heavily depends on security tools, especially on antivirus software solutions. In the anti‐malware research community, development of techniques for evading detection by antivirus software is an active research area. This has led to malware that can bypass or subvert antivirus software. The common strategies deployed include the use of obfuscated code and staged malware whose first instance (usually installer such as dropper and downloader) is not detected by the … Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...

Avira1

A File-based Attack Techniques1

Self-protection Of Anti-virus1

) Anti-virus (Avg's Case)1

Citation Types

Supporting

0

Mentioning

19

Contrasting

0

Year Published

2014

2014

2021

2021

Publication Types

Select...

Article3

Other2

Book2

Relationship

Self Cite3

Independent4

Authors

Journals

Cited by 23 publications

(20 citation statements)

References 17 publications

Supporting

0

Mentioning

19

Contrasting

0

Order By: Relevance

“…Byungho et al have discovered that a core component of Avira can be paused during an update, which leads to a total compromise of Avira; full details can be found in their work [22]. To summarise, Avira's Real-Time Protection service is restarted on some updates.…”

Section: Aviramentioning

confidence: 96%

“…For example, a service and a couple of drivers are in charge of selfprotection in Avira AntiVirus 2013 product line [22]. RealTime Protection service is crucial in Avira's self-protection mechanism, because it provides real-time protection not only to the system (such as on-access detection of malware), but also to itself (self-protection such as prevention of unauthorised alteration on Avira's processes, files, and registry keys).…”

Section: Self-protection Of Anti-virusmentioning

confidence: 99%

See 1 more Smart Citation

Design, implementation and evaluation of a novel anti-virus parasitic malware

¹

,

²

2015

Proceedings of the 30th Annual ACM Symposium on Applied Computing

Self Cite

View full text Add to dashboard Cite

In this paper, we propose an advanced malware, anti-virus parasitic malware (AV-Parmware). It attacks protected components of anti-virus software by their exploiting security weaknesses, and compromises the target systems by being a parasite on the anti-virus. We have investigated 18 antivirus solutions from seven major anti-virus software vendors and have discovered that 12 products from four vendors (AVG, Avira, McAfee, and Symantec) have certain security weaknesses that can be utilised in the proposed malware 1 . There are several advantages to being an anti-virus parasitic malware, including longevity (anti-virus runs while its system is up), improved stealthy behaviour, highest privileges and capability to bypass security measures such as Egress filtering. We have implemented our proposed parasitic malware, and have shown that all these advantages are achieved in practice.

“…Byungho et al have discovered that a core component of Avira can be paused during an update, which leads to a total compromise of Avira; full details can be found in their work [22]. To summarise, Avira's Real-Time Protection service is restarted on some updates.…”

Section: Aviramentioning

confidence: 96%

“…For example, a service and a couple of drivers are in charge of selfprotection in Avira AntiVirus 2013 product line [22]. RealTime Protection service is crucial in Avira's self-protection mechanism, because it provides real-time protection not only to the system (such as on-access detection of malware), but also to itself (self-protection such as prevention of unauthorised alteration on Avira's processes, files, and registry keys).…”

Section: Self-protection Of Anti-virusmentioning

confidence: 99%

Design, implementation and evaluation of a novel anti-virus parasitic malware

¹

,

²

2015

Proceedings of the 30th Annual ACM Symposium on Applied Computing

Self Cite

View full text Add to dashboard Cite

In this paper, we propose an advanced malware, anti-virus parasitic malware (AV-Parmware). It attacks protected components of anti-virus software by their exploiting security weaknesses, and compromises the target systems by being a parasite on the anti-virus. We have investigated 18 antivirus solutions from seven major anti-virus software vendors and have discovered that 12 products from four vendors (AVG, Avira, McAfee, and Symantec) have certain security weaknesses that can be utilised in the proposed malware 1 . There are several advantages to being an anti-virus parasitic malware, including longevity (anti-virus runs while its system is up), improved stealthy behaviour, highest privileges and capability to bypass security measures such as Egress filtering. We have implemented our proposed parasitic malware, and have shown that all these advantages are achieved in practice.

“…Chari et al discussed unsafe component resolution on Unix, and proposed a mechanism to prevent such unsafe resolutions by detecting modifications to path names by untrusted users on the system [25]. Min et al showed that replacing protected software component of anti-virus solutions is possible [21]. They explored major anti-virus vendors such as Symantec, McAfee, AVG, and Avira, and successfully compromised antivirus solutions during their update.…”

Section: A File-based Attack Techniquesmentioning

confidence: 99%

“…Similarly, new files cannot be added to the AVG folder. Therefore, it is much harder to replace or modify AVG's files [21].…”

Section: ) Anti-virus (Avg's Case)mentioning

confidence: 99%

Design and Analysis of a New Feature-Distributed Malware

¹

,

²

2014

2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications

Self Cite

View full text Add to dashboard Cite

In this paper, we propose a new advanced malware that distributes its features to multiple software components in order to bypass various security policies such as application whitelisting and security tools like anti-virus. A tool that automatically generates such malware has been developed, and malware instances generated by this tool have been evaluated, showing the risks of the proposed malware.The new threat proposed in this paper is particularly important in modern computing platforms since they have progressed to more secure environments with various defensive techniques such as application-based permission and application whitelisting. In addition, anti-virus solutions are improving their detection techniques, especially based on behavioural properties. Our offensive technique is designed to overcome these hurdles so that appropriate defensive mitigations can be explored before the adversary develops such offensive technique as they always have done.

“…Self‐protection feature is usually implemented with one or more kernel‐mode drivers and Windows services. For example, a service and a couple of drivers are in charge of self‐protection in AVIRA ANTIVIRUS 2013 (Avira, Tettnang, Germany) product line . Real‐Time Protection service is crucial in Avira's self‐protection mechanism, because it provides real‐time protection not only to the system (such as on‐access detection of malware) but also to itself (self‐protection such as prevention of unauthorised alteration on Avira's processes, files, and registry keys).…”

Section: Introductionmentioning

confidence: 99%

A novel malware for subversion of self-protection in anti-virus

¹

,

²

2015

Softw. Pract. Exper.

Self Cite

View full text Add to dashboard Cite

SUMMARYMajor anti-virus solutions have introduced a feature known as 'self-protection' so that malware (and even users) cannot modify or disable the core functionality of their products. In this paper, we have investigated 12 anti-virus products from four vendors (AVG, Avira, McAfee and Symantec) and have discovered that they have certain security weaknesses that can be exploited by malware. We have then designed a novel malware, which makes use of the weaknesses in anti-virus software and embeds itself to become a part of the vulnerable anti-virus solution. It subverts the self-protection features of several anti-virus software solutions. This malware integrated anti-virus enjoys several advantages such as longevity (anti-virus is active while the system is running), improved stealthy behaviour, highest privilege and capability to bypass security measures. Then we propose an effective defence against such malware. We have also implemented the defensive measure and evaluated its effectiveness. Finally, we show how the proposed defence can be applied to the current versions of vulnerable anti-virus solutions without requiring signficant modifications.

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

Product

Browser Extension Assistant by scite Citation Statement Search Reference Check Visualizations Dashboards Explore Journals Explore Organizations Explore Funders Embedding Badge Embedding Citation Search Pricing

Resources

Blog Help & FAQ Accessibility Statement API Terms For Universities & Governments For Researchers For Publishers For Corporate, Pharma & Enterprise Author Marketing Become an Affiliate Get an organization trial or quote scite Data & Services

About

News & Press Careers Read our Paper Coverage

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Copyright © 2024 scite LLC. All rights reserved.

Made with 💙 for researchers

Part of the Research Solutions Family.