
Anti-virus fallacies

Anti-virus untruth


We beg to differ


Thursday, May 16, 2019

Oh, how authors of news posts love the phrase “the anti-virus was incapable of detecting xyz”, a phrase that more often than not conceals their complete ignorance of how anti-viruses work. Even worse, such publications always make reference to the opinions of "security experts"!

A team of academics from the University of Colorado Boulder (UCB) showed that speculative execution (the routines used by the well-known Meltdown and Spectre vulnerabilities, which affect almost all contemporary processors) could be used not just to steal data but also to serve as a secret place to hide malicious commands.

The technique, which they named ExSpectre, implies the creation of benign application binaries that victims install on their systems, thinking they are safe, and which, indeed, appear to be safe when scanned with security software apps. But in reality, these binaries can be configured (after receiving an external trigger—either user/network input or another app running on the system) to launch well-orchestrated, speculative execution threads that manipulate the benign app into executing malicious operations.

In other examples, researchers say they also used the ExSpectre technique to decrypt encrypted memory and even manipulate apps to open a local reverse shell to an attacker-controlled location and allow it to run commands on the victim machine.

Further, because of the way it works, ExSpectre-class malware is currently undetectable, according to the UCB researchers. "This technique defeats existing static and dynamic analysis, making it especially difficult for malware analysts to determine what a binary will do," the researchers said. Stopping attacks with malware coded to use the ExSpectre technique isn't possible at the moment, researchers said, at least at the software level.


The news text indicates that another modern CPU feature can be used to run an arbitrary execution thread. Everybody agrees that this can be dangerous. And we do believe that users won't be able to identify a dormant threat in a seemingly harmless application—users are usually quick to open malicious links in emails and install any program an attacker puts in front of them. But is it true that anti-viruses can't detect this kind of malware?

To answer this question, we need to understand how anti-viruses work. Roughly speaking, an anti-virus uses three detection techniques: signature-based scanning, behaviour analysis, and reputation analysis. Each of these methods has its own advantages as well as its drawbacks.

Any chunk of data associated with an application can serve as its signature. Because of that, with a signature at its disposal, an anti-virus can detect any software, including the aforementioned program.

Reputation analysis involves software usage statistics across a huge number of machines. If a certain application has a bad reputation (e.g., problems arise in systems after its installation) or no reputation information is available for the software (because it's a brand-new program), the anti-virus won't allow it to start.

And finally, there is behavioural analysis: the anti-virus examines what an application actually does at run time. And, yes, an anti-virus may really fail to respond to a certain action. Why? Simply because that action has not yet been classified as malicious.
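To make the three techniques concrete, here is a toy scanner that applies them in turn to a handful of constructed "binaries" and event logs. It is an added example written for this page, not Doctor Web's code or any real anti-virus engine; the file names, byte contents, hashes, threat names, reputation statistics and behaviour rules are all constructed. It shows the point of the paragraphs above: a brand-new program with no signature and no reputation, whose only suspicious action is not yet on the malicious-action list, passes the behaviour stage, is stopped only by the reputation stage, and is caught by the signature stage as soon as any chunk of its bytes is added to the database.

```python
import hashlib
from dataclasses import dataclass, field

# --- Constructed inputs: none of these are real files, hashes or threat names ---
SAMPLES = {
    "known_bad.exe":    b"MZ\x90\x00" + b"CONSTRUCTED-PAYLOAD-MARKER" + b"\x00" * 8,
    "popular_tool.exe": b"MZ\x90\x00" + b"ordinary utility code" + b"\x00" * 8,
    "brand_new.exe":    b"MZ\x90\x00" + b"dormant code path" + b"\x00" * 8,
}

# Signature database: a full-file hash and a byte pattern both count as signatures,
# because any chunk of data tied to a program can serve as one.
SIGNATURES = {
    "sha256": {hashlib.sha256(SAMPLES["known_bad.exe"]).hexdigest(): "Trojan.Constructed.1"},
    "patterns": {b"CONSTRUCTED-PAYLOAD-MARKER": "Trojan.Constructed.1"},
}

# Reputation statistics over a constructed user base; brand_new.exe has no entry at all.
REPUTATION = {
    "known_bad.exe":    {"installs": 1200,   "problem_reports": 900},
    "popular_tool.exe": {"installs": 500000, "problem_reports": 3},
}

# Actions the behaviour analyser currently regards as malicious (constructed list).
BEHAVIOUR_RULES = {"write:autorun_key", "connect:known_c2", "encrypt:user_documents"}

# Constructed run-time event logs, one list of actions per sample.
BEHAVIOUR_LOG = {
    "known_bad.exe":    ["open:file", "write:autorun_key", "connect:known_c2"],
    "popular_tool.exe": ["open:file", "write:output_file"],
    "brand_new.exe":    ["open:file", "speculative:unknown_action"],
}


@dataclass
class Verdict:
    name: str
    reasons: list = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        return bool(self.reasons)


def signature_check(data: bytes, signatures=SIGNATURES):
    """Return the threat name if the file hash or a byte pattern matches, else None."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in signatures["sha256"]:
        return signatures["sha256"][digest]
    for pattern, threat in signatures["patterns"].items():
        if pattern in data:
            return threat
    return None


def reputation_check(name, reputation=REPUTATION, min_installs=1000, max_problem_ratio=0.01):
    """Block software with no usage history and software with many problem reports."""
    stats = reputation.get(name)
    if stats is None or stats["installs"] < min_installs:
        return "no reputation information"
    if stats["problem_reports"] / stats["installs"] > max_problem_ratio:
        return "bad reputation"
    return None


def behaviour_check(actions, rules=BEHAVIOUR_RULES):
    """Return the first observed action that is on the malicious-action list, else None."""
    for action in actions:
        if action in rules:
            return f"malicious action {action}"
    return None


def scan(name, data, actions, *, use_reputation=True, signatures=SIGNATURES, rules=BEHAVIOUR_RULES):
    """Run all three techniques and collect every reason for blocking the program."""
    verdict = Verdict(name)
    threat = signature_check(data, signatures)
    if threat:
        verdict.reasons.append(f"signature {threat}")
    if use_reputation:
        rep = reputation_check(name)
        if rep:
            verdict.reasons.append(rep)
    beh = behaviour_check(actions, rules)
    if beh:
        verdict.reasons.append(beh)
    return verdict


def scan_all(use_reputation=True, signatures=SIGNATURES, rules=BEHAVIOUR_RULES):
    return {n: scan(n, SAMPLES[n], BEHAVIOUR_LOG[n], use_reputation=use_reputation,
                    signatures=signatures, rules=rules) for n in SAMPLES}


def with_new_signature():
    """Once any chunk of brand_new.exe is in the database, the signature stage catches it."""
    sigs = {"sha256": dict(SIGNATURES["sha256"]),
            "patterns": {**SIGNATURES["patterns"], b"dormant code path": "Trojan.Constructed.2"}}
    return scan_all(use_reputation=False, signatures=sigs)


if __name__ == "__main__":
    for label, results in (("default", scan_all()),
                           ("reputation off", scan_all(use_reputation=False)),
                           ("reputation off + new signature", with_new_signature())):
        print(f"== {label}")
        for v in results.values():
            print(f"  {v.name}: {'BLOCKED' if v.blocked else 'allowed'} {v.reasons}")
```

Running it with the reputation stage switched off (the situation the news post describes, where a user trusts and installs the program) shows `brand_new.exe` being allowed because `speculative:unknown_action` is not on the rule list; switching the stage back on blocks it for lack of history, and adding a single byte pattern blocks it by signature regardless of what it does at run time.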

#anti-virus #malware #vulnerability #myth

The Anti-virus Times recommends

High-quality anti-viruses can detect any malware. The only reason why an anti-virus may fail is because no such attack has ever been mounted before. If attacks occur, detection reports are sure to follow.

