
Anti-virus fallacies


About the competence of anti-viruses


Let's talk more about attacks that circumvent anti-virus protection, something we hear about quite often in the news.

A new malware program can infect a machine using a microphone and a speaker.

Security researchers Michael Hanspach and Michael Goetz conducted an experiment with five computers that they connected into a covert acoustical mesh network using only the machines' built-in microphones and speakers. Data was passed from one machine to the next until it reached a computer connected to an external network. According to the researchers, they were able to transmit data over a distance of about 20 meters at a frequency of 20 kHz and at a speed of up to 20 bit/s.

In the future, it will be possible to use special acoustic band filters to protect against attacks of this kind.

But where’s the infection here? If data is being transmitted, it means that malware is already on the computer. And if the user allowed the malware to start despite receiving a warning from their anti-virus, why is the anti-virus responsible?

Conclusion. This attack has nothing to do with evading the detection of anti-viruses and can't result in a system getting infected.

FM radio signals can be used to penetrate machines remotely

At MALCON 2014, which was held in Puerto Rico, Israeli security researchers demonstrated how air-gapped desktops and laptops can be compromised using a mobile phone placed in their vicinity. The attack was mounted using AirHopper technology designed by Mordechai Guri and Yuval Elovici from the Cyber Security Labs at Ben Gurion University in Israel.

AirHopper uses neither Bluetooth nor Wi-Fi nor any other modern wireless communication technology; instead, it lets attackers steal data using FM radio waves. Unfortunately, or perhaps fortunately, all details concerning AirHopper are still being kept secret. However, according to information on the university's website, the researchers have for quite some time been exploring non-standard ways of using the FM receivers present in most modern mobile phones and smartphones. Using such a receiver and an application that processes the signals it picks up, it is possible to intercept keystrokes by capturing the radio emissions of the display or video adapter of an air-gapped machine.

Malware can steal data by intercepting heat

Security researchers discovered another loophole that uses a simpler form of radiation: heat. Dubbed BitWhisper by Mordechai Guri and Yuval Elovici at Ben Gurion University in Israel, the program targets computers that aren't connected to the Internet. By using malicious software that can connect to a computer’s thermal sensors, BitWhisper can pass information back and forth between two machines.

For example, an increase in one computer’s temperature by one degree during a certain period of time will be interpreted by the adjacent host as a binary "1". A drop in the temperature to the original value will be interpreted as "0".

Put together, those bits of information can constitute an instruction to be executed or a short string of data such as a password. Naturally, certain conditions must be met for an attack to be successful. The space between the two computers must be 40 centimetres or less (close enough to detect temperature fluctuations). One of the machines must be connected to the Internet, and both of them must be infected by specifically designed malware. Transmitting data this way can take a lot of time—up to several hours.

So where is the hacking here? This technique only intercepts radio waves and reads heat patterns. These were methods we were warned about during our security classes back in the Soviet Union, when viruses and anti-viruses didn't yet exist.

Conclusion. This attack has nothing to do with evading detection by anti-viruses and can't result in a system getting infected.
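As an added illustration (not code from this article or from the BitWhisper researchers), here is the defender-side check a monitoring agent could run over thermal-sensor readings: under the encoding described above, every signalled bit is a step of about one degree up or back down again, so a long run of alternating one-degree steps at a regular interval is what such a channel would look like in a sensor log. The log format, the sample readings and the thresholds are assumptions.

```python
# Detects the step-like, alternating temperature swings a thermal
# covert channel (as described for BitWhisper) would leave in a sensor log.
# Constructed sample log, "<seconds> <celsius>" per line: the first five
# readings are an idle machine drifting slightly; the rest alternate
# roughly +1 / -1 degree every 60 s, which is the signalling pattern.
SAMPLE_LOG = """\
0 40.0
60 40.1
120 40.0
180 40.2
240 40.1
300 41.2
360 40.1
420 41.1
480 40.2
540 41.2
600 40.1
"""


def parse_log(text):
    """Parse '<seconds> <celsius>' lines into (timestamp, temperature) pairs."""
    samples = []
    for line in text.splitlines():
        ts, temp = line.split()
        samples.append((int(ts), float(temp)))
    return samples


def step_signs(samples, min_step=0.8):
    """+1 for a rise, -1 for a drop of at least min_step degrees between
    consecutive readings, 0 for ordinary drift (threshold is an assumption)."""
    signs = []
    for (_, a), (_, b) in zip(samples, samples[1:]):
        d = b - a
        signs.append(1 if d >= min_step else -1 if d <= -min_step else 0)
    return signs


def longest_alternating_run(signs):
    """Length of the longest run of strictly alternating +1/-1 steps."""
    best = run = prev = 0
    for s in signs:
        run = run + 1 if s != 0 and s == -prev else (1 if s != 0 else 0)
        best = max(best, run)
        prev = s
    return best


def suspicious(samples, min_run=4):
    """Flag the log when at least min_run alternating steps appear in a row."""
    return longest_alternating_run(step_signs(samples)) >= min_run
```

Real sensors are noisier than this sample, so in practice the step threshold and run length would be tuned against the host's normal thermal profile.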

Mordechai Guri believes that by changing the cooler speed, one can gain access to data stored in the system. A Fansmitter attack can be mounted if an air-gapped computer doesn't have speakers and has no way to receive information over audio channels.

To succeed, a perpetrator needs to install special malware onto the targeted machine. The malware is then used to alter the fan’s rotation speed and thus change the frequency of the sound it produces. The changes are used to encode data which can subsequently be transmitted to a remote microphone in a nearby mobile phone.

In this case attackers first need to find a way to deploy the malware on an air-gapped computer.

Conclusion. This attack has nothing to do with evading detection by anti-viruses and can't result in a system getting infected.

These techniques have one thing in common: attackers transmit or intercept certain data. They may need to install malware to do this. Let’s assume that malware has indeed been deployed. Should an anti-virus monitor data transmissions?

Currently, malware usually infects systems over email and web traffic rather than by exploiting vulnerabilities. To prevent malware from launching, an anti-virus monitors HTTP (World Wide Web) and SMTP/POP3/IMAP4 (email) traffic as well as messenger communications (this list is incomplete; it only contains the most frequently used ways of communicating over a network).

Traffic needs to be scanned because not all the data received is in the form of files which are later checked by a file monitor. For example, some Trojans and viruses do not exist as files. We’ve written many times about tasks performed by various anti-virus modules, so we won't repeat ourselves here.

However, malicious programs can use protocols other than those listed above. For example:

Attackers can use Intel AMT to transmit messages between infected PCs. Neither anti-viruses nor firewalls can detect or block them. This enables perpetrators to easily harvest data from infected hosts.

And this is true. Malicious programs use lots of communication protocols. The aforementioned AMT, SOL, and Tor… Many options exist. However, it is not an anti-virus's job to control transmissions over those protocols because they facilitate communication rather than penetration by some malware program. Nothing will be using them to get inside.

Can an anti-virus intercept the data? In theory, it can. But there is no use doing it. Because even if an anti-virus can recognise and intercept all known protocols used by Trojans and other malware to communicate, it’s easy to devise a new one. That's why computers need to be kept free of malware—and that's exactly what an anti-virus does. If no malicious file gets into a system, no incidents involving infected machines communicating with attackers (as described above) will occur.

By the way, applications that monitor suspicious activities do exist, e.g., SIEM (Security Information and Event Management) solutions. But they are useless on home PCs. Why? Just imagine the reaction of a housewife from a TV series when she sees a message like "ghgjhghjg.exe uses AMT SOL to reach xx.xx.xx.xx. Select the appropriate action".

#myth #hacking #anti-virus

Dr.Web recommends

Don't trust everything the media says, and don't panic even if they claim your anti-virus is no good. Read news stories thoroughly, finish your coffee, and update Dr.Web.
