
Antivirus assisted attacks

Christian Wressnegger, Kevin Freeman, Fabian Yamaguchi, and Konrad Rieck from TU Braunschweig and University of Göttingen have been experimenting with “Antivirus assisted attacks” (PDF). What is that?

They searched the signature databases of common antivirus products for malware signatures that consist of printable characters only. Any such byte sequence can be planted by an attacker in places where the scanner will find it, and so, quoting the paper, the following becomes possible:

As a consequence, an attacker may finish each iteration over a list of guessed passwords with a set of malicious markers, i.e., specially crafted login names that correspond to anti-virus signatures. If the attacked host is running a virus scanner configured to delete or quarantine viruses, any file containing such a malicious marker is deleted or at least moved to a different location. This not only makes manual investigation of the attack hard but may also inhibit the functionality of tools analyzing log files to stop password guessing, such as fail2ban.

Similar approaches are “making mbox files unavailable by poisoning them with printable malware signatures”, or “using malware signatures as cookie names”.
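The log-poisoning variant described above, as an added example that is not code from the paper or from this post: a constructed password-guessing run appends the EICAR test string as a login name, a naive log writer copies it into an sshd-style log line byte for byte, and a fail2ban-style counter keys on those lines. The hardened writer escapes every character of the attacker-controlled field outside a small allow-list, so the exact signature no longer appears while the per-IP failure count is unchanged. The log format, the allow-list, the IP addresses and the helper names are assumptions of this example; `contains_signature` stands in for the scanner and only models an exact-match signature.

```python
import re
from collections import Counter

# EICAR test string (68 bytes), assembled from fragments so that this script
# itself is not a byte-for-byte signature match when saved to a scanned directory.
EICAR = "".join([
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    "!$H+H*",
])

# Conservative allow-list for attacker-controlled fields in log output (an
# assumption of this example, not a documented sshd or fail2ban setting).
SAFE_CHAR = re.compile(r"[A-Za-z0-9._-]")

# The sshd "Failed password" line shape that a fail2ban-style sshd filter keys on.
FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>.+?) from (?P<ip>\S+) port"
)


def attacker_guess_list(guesses):
    """The attack: one iteration over guessed login names, followed by a
    'malicious marker', i.e. a login name that is itself an AV signature."""
    return list(guesses) + [EICAR]


def raw_log_line(user, ip):
    """Unsanitized writer: the login name is copied into the log verbatim."""
    return f"Failed password for invalid user {user} from {ip} port 4242 ssh2"


def escape_untrusted(field):
    """Hardened writer: render every character outside the allow-list as \\xHH,
    so an attacker-chosen name cannot reproduce an exact-match signature."""
    return "".join(c if SAFE_CHAR.match(c) else "\\x%02x" % ord(c) for c in field)


def safe_log_line(user, ip):
    return raw_log_line(escape_untrusted(user), ip)


def contains_signature(text):
    """Stand-in for the scanner: does the exact 68-byte EICAR string occur?"""
    return EICAR in text


def count_failures(log_lines):
    """fail2ban-style bookkeeping: failed logins per source IP. If the scanner
    quarantines the log file first, this counter never sees the lines at all."""
    counts = Counter()
    for line in log_lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def demo(guesses=("root", "admin", "test"), ip="203.0.113.7"):
    """Run both writers over the same constructed attack traffic."""
    users = attacker_guess_list(guesses)
    raw = [raw_log_line(u, ip) for u in users]
    safe = [safe_log_line(u, ip) for u in users]
    return {
        "raw_has_signature": any(contains_signature(line) for line in raw),
        "safe_has_signature": any(contains_signature(line) for line in safe),
        "raw_counts": count_failures(raw),
        "safe_counts": count_failures(safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two caveats on the mitigation side. Escaping only defeats signatures that match the exact byte sequence; the readable substring `EICAR-STANDARD-ANTIVIRUS-TEST-FILE` survives the allow-list, and a looser signature could still fire, so the escaping is a reduction of the attack surface rather than a guarantee. The operational fix is to keep on-access scanners from deleting or quarantining log files (an exclusion for the log directory, or a report-only policy there), which is the author's suggestion here and not something the paper prescribes.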

Published in Hackerterrorcybercyber

7 Comments

  1. Dirk

    One could also set this as the User-Agent in the browser and thereby knock out some log analyses. An interesting idea.

  2. X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

    • kris kris

      I once was wondering why my work computer was so much slower than my home computer, both being Macs and having a similar disk and CPU config. Using EICAR I was able to find directories that are being scanned by the Antivirus software and others that are excepted.

      So unpacking a node.js application with some 7000 files took 3 seconds on my home box, but 27 seconds on the work box, 18 seconds on the work box outside of the reaches of the Antivirus, and actually 6 seconds outside of the reaches of the endpoint security system. For 4 seconds, I also had to uninstall the Juniper VPN, and the endpoint security system that comes with it.

      • 施特凡

        Are you forced to run those?

      • Markus

        At work we have the effect that compiling code in a Linux VM is much faster than doing the same on its Windows host. Guess why…

        • 施特凡

          That’s normal, because Windows sucks at file system performance.

  3. Rudolf Polzer

    startkeylogger
