Researchers Describe Antivirus Flaws
Vulnerabilities Could Have Enabled Malware Installation
Vulnerabilities in some antivirus software could have enabled attackers to install malware and deactivate anti-ransomware protection to take over software controls, according to researchers at the University of Luxembourg, who worked in collaboration with Royal Holloway, University of London.
A report on the discovery, Cut-and-Mouse and Ghost Control: Exploiting Antivirus Software with Synthesized Inputs, was first published by the Association for Computing Machinery.
Antivirus software could have been disabled in one of two ways, the researchers say. In one method, a "ghost control" could simulate mouse events. In the other method, attackers could circumvent anti-ransomware protections by controlling whitelisted applications, such as Notepad or Paint, and sending them keyboard events, such as a "copy-and-paste" into a file, to perform malicious operations on behalf of the malware.
"We prove that the anti-ransomware protection feature of antiviruses can be bypassed if we use Notepad as a 'puppet' to rewrite the content of protected files as a ransomware would do," the researchers say. "Playing with the words, and recalling the cat-and-mouse game, we call this class of attacks 'cut-and-mouse.'"
The researchers say they tested these two attacks on 29 antivirus applications and found that 14 were vulnerable to a "ghost control" attack while all 29 were vulnerable to the "cut-and-mouse" technique. They say they also discovered "some weaknesses in additional protection mechanisms of antiviruses, such as sandboxing and CAPTCHA verification. We have engaged with the affected antivirus companies, and we reported the disclosure communication with them and their responses."
The researchers say they discovered the vulnerabilities a year ago and informed the potentially affected software providers and offered their assistance to resolve any security issues before they were exploited by attackers.
The researchers say that out of the 14 vendors contacted, some immediately released a fix to mitigate the vulnerability, while others acknowledged the issue and promised to remove the root cause of the weakness.
"Antivirus software providers always offer high levels of security, and they are an essential element in the everyday struggle against criminals," says professor Gabriele Lenzini, the chief scientist at the Interdisciplinary Center for Security, Reliability and Trust at the University of Luxembourg. "But they are competing with criminals who now have more and more resources, power and dedication. This is why the role of academic research in vulnerability discovery, if conducted ethically and with a high standard of professional conduct, can support security companies to be one step ahead of the criminals."
As a demonstration, the researchers took the role of malware developers and anticipated two novel moves that malware could make, in order to expose weaknesses in the antivirus software and show how its defenses could be improved.
"The first one consists in simulating mouse events to control AVs, namely, to send them mouse 'clicks' to deactivate their protection. We prove that many AVs can be disabled in this way, and we call this class of attacks 'ghost control,'" the researchers note. "The second one consists in controlling whitelisted applications, such as Notepad, by sending them keyboard events (such as 'copy-and-paste') to perform malicious operations on behalf of the malware."
The researchers also tried to encrypt or remove a file’s content to determine whether antivirus software's real-time scanning protection feature could be turned off by malware that simulates mouse and keyboard events. They say they proved that these vulnerabilities existed for many antivirus programs.
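Both attacks rely on input that the protected application cannot tell apart from a human's. On Windows, the low-level hook data for mouse and keyboard events carries a flag marking events that were synthesized by another process, which gives a defender one concrete signal to check before honouring a click on a protection toggle or a keystroke into a protected file. The following is an added example illustrating that check; it is not code from the paper or from any antivirus vendor, and the flag values, control names and policy are the author's assumptions, with the Windows-only hook compiled only on Windows so the classifier itself stays portable.

```c
/* Added example: tell synthesized input from physical input using the
 * injected-event flags that Windows sets in low-level hook records. */
#include <stdio.h>

/* Bit values as documented for MSLLHOOKSTRUCT.flags and KBDLLHOOKSTRUCT.flags. */
#define MOUSE_INJECTED_BIT          0x00000001u  /* LLMHF_INJECTED */
#define MOUSE_LOWER_IL_INJECTED_BIT 0x00000002u  /* LLMHF_LOWER_IL_INJECTED */
#define KEY_LOWER_IL_INJECTED_BIT   0x00000002u  /* LLKHF_LOWER_IL_INJECTED */
#define KEY_INJECTED_BIT            0x00000010u  /* LLKHF_INJECTED */

enum input_origin { INPUT_PHYSICAL = 0, INPUT_INJECTED = 1, INPUT_INJECTED_LOW_IL = 2 };

/* Classify a mouse event from its hook flags: lower-integrity injection is the
 * most suspicious case (malware is usually not running at high integrity). */
enum input_origin classify_mouse_flags(unsigned int flags)
{
    if (flags & MOUSE_LOWER_IL_INJECTED_BIT) return INPUT_INJECTED_LOW_IL;
    if (flags & MOUSE_INJECTED_BIT)          return INPUT_INJECTED;
    return INPUT_PHYSICAL;
}

/* Same classification for a keyboard event (the "puppet" keystroke case). */
enum input_origin classify_key_flags(unsigned int flags)
{
    if (flags & KEY_LOWER_IL_INJECTED_BIT) return INPUT_INJECTED_LOW_IL;
    if (flags & KEY_INJECTED_BIT)          return INPUT_INJECTED;
    return INPUT_PHYSICAL;
}

/* Policy (assumed, not a vendor's): a click on a security-sensitive control,
 * e.g. "turn off real-time protection", is honoured only for physical input. */
int allow_sensitive_click(unsigned int mouse_flags)
{
    return classify_mouse_flags(mouse_flags) == INPUT_PHYSICAL;
}

#ifdef _WIN32
#include <windows.h>
/* Low-level mouse hook: an injected left-click is swallowed (return 1) before
 * it reaches the window; physical clicks are passed to the next hook. Scope
 * such a hook to the protected window in practice, since WH_MOUSE_LL is
 * global and assistive tools legitimately inject input. */
static LRESULT CALLBACK mouse_hook(int code, WPARAM wParam, LPARAM lParam)
{
    if (code == HC_ACTION && wParam == WM_LBUTTONDOWN) {
        const MSLLHOOKSTRUCT *ev = (const MSLLHOOKSTRUCT *)lParam;
        if (!allow_sensitive_click((unsigned int)ev->flags)) return 1;
    }
    return CallNextHookEx(NULL, code, wParam, lParam);
}
#endif
```

Constructed flag values 0x0, 0x1 and 0x3 classify as physical, injected and lower-integrity injected respectively; note that the flag only identifies synthesized input, so it supports rather than replaces stronger measures such as running the user interface as a protected process.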
The researchers found that the vulnerabilities lie in the scope within which certain security mechanisms are expected to operate, and in assumptions about how the interaction between the operating system and the antivirus defenses works.
"The vulnerabilities we discuss in this article are therefore not implementation flaws," the researchers note.