
Anti-virus fallacies


Big headline, little news


Thursday, July 6, 2017

And here are a few more thoughts from us about news articles with alarmist headlines. This one, for example, claims that no anti-virus can detect a certain malware species.

"Neither anti-viruses nor firewalls can detect or block it. This enables the malware to freely harvest data on infected hosts".

https://habrahabr.ru/company/it-grad/blog/330572

Sadly, this text was written for IT professionals, and nobody pointed out that the statement isn't quite accurate. Let's see what's wrong with it.

Recently Anti-virus Times readers discussed how attackers can exploit Intel AMT (Intel Active Management Technology). In that issue we noted that Intel's technology hypothetically offers criminals great opportunities, but that, fortunately, despite its unpatched vulnerabilities, Intel AMT had not yet been exploited by them.

Less than two months passed and:

Hackers are using Intel AMT to transfer messages between infected PCs

Microsoft warned users that Intel AMT can be abused by attackers.

http://www.securitylab.ru/news/486607.php


Intel Management Engine (ME) incorporates Intel Serial-over-LAN (or AMT SOL). Intel ME is part of an Intel chipset and runs its own operating system on an embedded processor, independently of the CPU, the operating system, and the installed security software, including the anti-virus. While an anti-virus operates on files, alongside drivers, Intel ME exists at the hardware level. Moreover, Intel ME can be used by an administrator (as well as by attackers) even when the computer (and the CPU) is shut down, provided that the PC remains accessible over the network.

The embedded Intel ME processor provides out-of-band (OOB) remote administration capabilities such as remote power cycling and keyboard, video, and mouse control (KVM).

SOL can also facilitate communication over a local network even if no connectivity is available on a host.

http://www.securitylab.ru/news/486607.php

And a few words about the malware itself:

According to Microsoft, the Platinum group, which has been operating actively in the South and Southeast Asian regions for several years, is behind the malware that uses SOL. The cyberespionage group first came into the spotlight in 2009, and since then it has carried out a large number of attacks. Last year Platinum was said to have installed malware onto targeted hosts by abusing hotpatching, a Microsoft technology that enables updates to be applied without having to restart a system.

https://habrahabr.ru/company/it-grad/blog/330572

Let's sum things up. The malware is installed on an ordinary operating system like any other program; what is unusual is only the channel it uses to talk over the network.

Indeed, an anti-virus doesn't parse or analyse the AMT SOL protocol. But that's not really necessary, because the protocol is not used to infect a system; it only helps malware that is already installed communicate. And this means that to eliminate this threat, one merely needs to prevent malware from getting installed on computers. Restrict user permissions, install an anti-virus... One more point worth keeping in mind: the SOL channel bypasses the operating system's network stack, so a host firewall won't see it, but the traffic still crosses the physical network and shows up at a switch span port or a flow collector as AMT traffic on AMT's well-known TCP ports.
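Since the host can't see SOL traffic but the network can, the practical check is on the wire. The script below is an added example (not code from the article, from Microsoft or from Doctor Web): it parses flow records and flags Intel AMT traffic by its fixed TCP ports (16992/16993 for the AMT web interface, 16994/16995 for SOL and IDE redirection, 623/664 for ASF/WS-Management), treating a SOL session that is not opened by a known management console as suspicious, since the Platinum tool used SOL to move data between infected workstations. The flow records, the `10.0.x.x` addresses and the management-console allowlist are constructed for the example.

```python
"""Flag Intel AMT / Serial-over-LAN traffic in flow logs.

Added example, not part of the original article. Intel AMT listens on fixed
TCP ports: 16992 (HTTP), 16993 (HTTPS), 16994 (redirection: SOL / IDE-R),
16995 (redirection over TLS), 623 and 664 (ASF / WS-Management). SOL is
handled by the Management Engine, so a host firewall or endpoint agent never
sees it, but a span port, NetFlow collector or NGFW does. The flow records
and the console allowlist below are constructed for this example.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

AMT_PORTS = {
    623: "ASF/WS-Management",
    664: "ASF/WS-Management (TLS)",
    16992: "AMT HTTP",
    16993: "AMT HTTPS",
    16994: "AMT redirection (SOL/IDE-R)",
    16995: "AMT redirection (SOL/IDE-R, TLS)",
}
SOL_PORTS = {16994, 16995}

# Hosts that legitimately open AMT sessions (assumed management console).
MANAGEMENT_CONSOLES = {"10.0.0.5"}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse 'src,dst,dport,proto,bytes' lines; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto, nbytes = line.split(",")
        flows.append(Flow(src, dst, int(dport), proto, int(nbytes)))
    return flows


def amt_flows(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Every TCP flow to an AMT port, paired with its service label."""
    return [(f, AMT_PORTS[f.dport]) for f in flows
            if f.proto == "tcp" and f.dport in AMT_PORTS]


def suspicious_sol(flows: List[Flow]) -> List[Flow]:
    """SOL/redirection sessions not initiated by a known management console.

    A workstation opening SOL to another workstation's AMT port is the
    anomaly: that is how the Platinum tool moved data between infected PCs.
    """
    return [f for f in flows
            if f.proto == "tcp" and f.dport in SOL_PORTS
            and f.src not in MANAGEMENT_CONSOLES]


def sol_peers(flows: List[Flow]) -> Dict[str, int]:
    """Bytes carried by suspicious SOL sessions, keyed by 'src->dst'."""
    totals: Dict[str, int] = defaultdict(int)
    for f in suspicious_sol(flows):
        totals[f"{f.src}->{f.dst}"] += f.nbytes
    return dict(totals)


# Constructed sample: a console session, two peer-to-peer SOL sessions,
# ordinary SMB, and a UDP flow that merely happens to hit port 16994.
SAMPLE_FLOWS = """\
# src,dst,dport,proto,bytes
10.0.0.5,10.0.1.20,16993,tcp,4120
10.0.0.5,10.0.1.20,16994,tcp,98211
10.0.1.20,10.0.1.21,16994,tcp,734922
10.0.1.21,10.0.1.20,16995,tcp,12044
10.0.1.20,10.0.1.21,445,tcp,2048
10.0.1.22,10.0.1.23,16994,udp,300
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f, label in amt_flows(flows):
        print(f"{f.src:>10} -> {f.dst}:{f.dport}  {label}")
    print("suspicious SOL peers:", sol_peers(flows))
```

Run against real NetFlow or firewall exports by replacing `SAMPLE_FLOWS` with the exported CSV; the console allowlist is what keeps legitimate KVM/SOL sessions from an administrator's workstation out of the alert list.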

And one more thing.

To carry out an attack, intruders first need to get administrators to divulge their account information.

http://www.securitylab.ru/news/486607.php

#technologies #vulnerability #anti-virus_scan #security_updates #password

The Anti-virus Times recommends

  1. Blindly believing the media is bad for your health.
  2. To be able to do something in a system, a malicious file first needs to be launched. To prevent that, install updates, use strong passwords (and don't make them available to others), use an anti-virus, and restrict user permissions.
