Anti-virus fallacies


Cloudy in places, with occasional Trojans expected


People often curse weathermen for their inaccurate forecasts. And what about those who make predictions about anti-viruses?

The long-awaited Windows Vista promises more than just a beautiful new slick interface.

Recently in an interview, Jim Allchin, the Platform Products and Services Group co-president at Microsoft, was asked how much more secure Windows Vista will be compared with Windows XP SP2. In response, he said that Vista will incorporate key security features that can't be added to Windows XP SP2. The first of those is Address Space Layout Randomization (ASLR). Thanks to ASLR, critical system data will always be written into different memory areas whenever the operating system boots up. Because system code always appears at a random location, mounting an attack will be more difficult.

According to Allchin, ASLR will make any machine running Windows Vista slightly different from the rest. That's why even if a malware program manages to compromise one computer and the worm then attempts to infect another, its chances of success are very low.

The news post is dated November 13, 2006. Eleven years have passed, and support for Windows Vista and its successor was discontinued a while ago, but malware still feels at home. How did this happen?

Let's see how ASLR works. When malware has to inject code into a process, this technology makes developing exploits much more expensive: to compromise the process, a malware writer needs predictable memory addresses that will still be valid at the moment of penetration, and ASLR makes finding those addresses more difficult. The technology is not specific to Windows; it is also used in Linux and macOS.

So what's the catch then? Essentially, there are two. First, ASLR doesn't exist on its own. For it to work, the protected applications must be built to support this technology so that they can be loaded at a new address after every restart.



Although the screenshots above display the same USER32.DLL routines, they have different memory addresses (760F and 75DA). This is possible because USER32.DLL is a kernel library, and the kernel supports ASLR.

And this permits a somewhat non-trivial attack to occur.

Let's assume your operating system supports ASLR. Perhaps it's Windows Vista, and you found a flaw in the media player, which uses several libraries, such as MP3.DLL, to operate.

One of the effective strategies for circumventing ASLR includes using a hard-coded address of a known library (process) that doesn't support ASLR.

One can also take the direct approach: keep injecting exploit code into a process until one gets lucky.

Under Windows Vista and Windows Server 2008, DLL and executable code can be loaded into any of 256 locations. This means that an attacker has one chance out of 256 to acquire the address they need.

We can also move one level lower.

In mid-October 2016, information security researchers from the University of California, Riverside and the State University of New York at Binghamton published a paper describing how an Intel CPU flaw can be exploited to circumvent ASLR and mount a successful attack. The researchers discovered a branch predictor defect in Haswell CPUs which enabled their application to determine where program code will be stored in memory.

If you want to feel like a hacker, do some ASLR research.

You can use the Sysinternals Process Explorer utility to see how ASLR works. You can download it from
To use it, start Process Explorer and make sure the Show Lower Pane option is enabled.

After that, select explorer.exe in the upper window and note the ntdll.dll address in the Base column of the lower window. If you can't see the Base column, go to View → Select Columns and, on the DLL tab, add the Base column.

Remember or write down the base address, and restart the system. Under Windows XP, the ntdll.dll's base address will remain the same after the restart (Windows XP doesn't support ASLR). Under Vista, the base address will change after the restart (because Vista does support this security feature).


In Figure 4 you can see the Process Explorer interface and the ntdll.dll base address. Table 2 lists the base addresses of ntdll.dll and user32.dll recorded when Process Explorer was started on XP SP2 and Vista systems.

#security_updates #vulnerability #Trojan #technologies

Dr.Web recommends

Eleven years have passed, and Trojans are still infecting computers. There exist sophisticated Trojans that can sneak into a system’s every nook and cranny. But very simple encryption ransomware programs, such as WannaCry, work just as well. Click on a link, launch an application, and an entire Honda plant is brought to a halt!

Encryption ransomware penetrated a computer network used to control Honda production lines in Japan and other countries. Criminals demanded a ransom to restore the data, and a Honda plant was brought to a halt in Sayama, Japan.

On Tuesday, it was operational again. No further details are available.

An inexpensive solution compromised a state-of-the-art operating system stuffed with all sorts of security mechanisms designed to thwart sophisticated attacks.

We won't be making any predictions. If security updates remain uninstalled and user permissions to launch applications aren't restricted, anti-viruses will survive more than one upcoming OS generation.
