Vulnerabilities I.
07.04.2009.
Beyond the human factor, malware is also capable of exploiting vulnerabilities in computer systems. Our current test examined to what extent protection products are able to identify malware that exploits various security holes.
Computer systems are known to be vulnerable. But what is this vulnerability? If our immune system is weakened, we are much more susceptible to all kinds of external influences, and we fall ill much more easily. The same applies to computers.
If a software component of our computer contains faulty code, primarily because of programming error(s), the computer falls prey to attacks more easily. Such problems are security holes, i.e. vulnerabilities. An attacker can exploit a vulnerability if it can be used to execute the attacker's own code. This is possible because of the von Neumann principle on which computers are built: data and programs are not separated, so a byte string that represents data can also be interpreted as a program and executed by the processor.
Buffer overflow
Most security holes are due to programming errors related to buffer overflow. The buffer overflow problem was first recognised in the C language in the seventies. Its first appearance in malware is not associated with a Microsoft operating system either, but with UNIX: in 1988 the Morris worm used a buffer overflow in a Unix program called finger to spread its own code. Despite its long history, buffer overflow is still a significant computer security problem.
Microsoft defined buffer overflow attacks as follows:
“A buffer overflow attack is an attack in which the malicious user exploits an uncontrolled buffer to overwrite the program code with its own data. If the new executable code overwrites the program code, it results in changing the operation of the program in a way dictated by the attacker. If it is overwritten with other data as well, the infected program will probably crash.”
A successful attack requires the following:
- An identified buffer overflow vulnerability.
- The buffer size must be known.
- The attacker must be able to control the incoming data.
- The return address must be replaced (control flow corruption).
- The attacker's own code must be inserted (code injection).
The following small sample program shows what happens when a program writes outside the bounds of a buffer:
```c
#include <stdio.h>

void function(void);   /* prototype: function() is defined after main() */

int main(void)
{
    function();
    printf("A\n");
    printf("B\n");
    printf("C\n");
    printf("D\n");
    printf("E\n");
    printf("F\n");
    return 0;
}

void function(void)
{
    int buffer[1];
    /* Deliberate out-of-bounds write: buffer has one element, so buffer[2]
     * lies beyond it. On the stack layout the author assumes, that slot holds
     * the saved return address; adding 0x18 makes main() resume past some of
     * its printf() calls. The behaviour is undefined and compiler-dependent. */
    buffer[2] += 0x18;
}
```
The value 0x18 in the code is compiler-dependent: it must match the number of bytes that the printf() calls occupy in the compiled main() function, and may need to be adjusted accordingly.
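The conditions listed above and the sample program both come down to one defect: a write past the end of a stack buffer that the program never checks. The following added example, which is not code from the Checkvir article, shows the classic form of that defect, an unbounded string copy into a fixed-size stack buffer, beside a version that measures the input first and rejects anything that does not fit. The function names greet_unsafe and greet_safe and the NAME_LEN field size are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* size of the fixed stack buffer (an assumption) */

/* Vulnerable form. strcpy() stops only at the input's NUL terminator, so an
 * input of NAME_LEN bytes or more runs past the end of name[] and overwrites
 * whatever the compiler placed after it on the stack, typically the saved
 * registers and the return address. This is the "uncontrolled buffer" of
 * the definition quoted above. */
int greet_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);               /* no length check */
    return (int)strlen(name);
}

/* Hardened form. The input length is measured without reading more than
 * NAME_LEN bytes, and input that does not fit together with its terminator
 * is rejected rather than silently truncated, so the caller learns that
 * something unexpected arrived. */
int greet_safe(const char *input)
{
    char name[NAME_LEN];
    size_t len = 0;
    while (len < NAME_LEN && input[len] != '\0')
        len++;
    if (len >= NAME_LEN)               /* NAME_LEN - 1 characters at most */
        return -1;
    memcpy(name, input, len);
    name[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that does not. */
    printf("short input: %d\n", greet_safe("checkvir"));
    printf("long input:  %d\n", greet_safe("this string is longer than sixteen bytes"));
    return 0;
}
```

The hardened version deliberately returns an error instead of truncating: truncation hides the fact that an input violated the program's expectations, which is exactly the signal a defender wants to see in logs.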
Security holes exploited by malware
Numerous malicious codes exploit security holes and vulnerabilities in order to spread. A vulnerability is essentially tied to a program, which may be part of the operating system or an application. In both cases the attacker can attack the computer either over a network connection or service, or through a file. In the latter case the communication between the attacker and the attacked computer is virtually off-line: the attacker has to get the crafted file onto the target computer. In such cases the buffer overflow problem is often mistakenly ascribed to the file type, although in most cases it is not the format but the program processing it that is at fault.
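To illustrate the last point, that a data file is only dangerous because of the program that reads it, the following added example (not code from the Checkvir article) parses a small constructed record format of the kind found in media and document files: a tag byte, a two-byte length and a payload. The format itself, the function parse_records and the doc_info structure are assumptions made for the example. What it shows is the check the reading program has to make: every length that comes from the file is compared with the bytes actually present and with the size of the field it is copied into, before anything is copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record format (an assumption for this example, not a real
 * file format): a file is a sequence of records, each laid out as
 *     tag (1 byte) | length (2 bytes, little-endian) | payload (length bytes)
 * Records with tag 0x01 carry a title that the reader copies into a fixed
 * field; every other tag is skipped. */
#define TITLE_FIELD 32

struct doc_info {
    int  records;              /* number of records accepted */
    char title[TITLE_FIELD];   /* NUL-terminated copy of the last title */
};

/* Returns the number of records parsed, or -1 if the data is malformed.
 * The program, not the format, decides whether an overflow is possible:
 * each declared length is compared with the bytes actually present, and a
 * payload is copied into the fixed field only if it fits with its
 * terminator. */
int parse_records(const uint8_t *data, size_t size, struct doc_info *out)
{
    size_t pos = 0;
    memset(out, 0, sizeof *out);

    while (pos < size) {
        if (size - pos < 3)                 /* truncated record header */
            return -1;
        uint8_t tag = data[pos];
        size_t len = (size_t)data[pos + 1] | ((size_t)data[pos + 2] << 8);
        pos += 3;

        /* Compare with the remaining bytes instead of computing pos + len,
         * so that an oversized length cannot wrap around and pass the test. */
        if (len > size - pos)
            return -1;

        if (tag == 0x01) {
            if (len >= TITLE_FIELD)         /* would overflow title[] */
                return -1;
            memcpy(out->title, data + pos, len);
            out->title[len] = '\0';
        }
        pos += len;                         /* other tags: payload skipped */
        out->records++;
    }
    return out->records;
}

/* Constructed sample inputs (not taken from any real file). */
static const uint8_t good_doc[] = {
    0x01, 0x05, 0x00, 'h', 'e', 'l', 'l', 'o',   /* title "hello" */
    0x02, 0x02, 0x00, 0xAA, 0xBB                 /* opaque 2-byte record */
};
/* Same layout, but the title record declares 0x0100 bytes while only five
 * follow: the kind of inconsistency a crafted file relies on. */
static const uint8_t bad_doc[] = {
    0x01, 0x00, 0x01, 'h', 'e', 'l', 'l', 'o'
};

int check_good(void)
{
    struct doc_info d;
    if (parse_records(good_doc, sizeof good_doc, &d) != 2)
        return -1;
    return strcmp(d.title, "hello") == 0 ? 2 : -1;
}

int check_bad(void)
{
    struct doc_info d;
    return parse_records(bad_doc, sizeof bad_doc, &d);   /* -1 expected */
}

/* A length that is consistent with the file but too large for the fixed
 * field must also be rejected. */
int check_long_title(void)
{
    uint8_t buf[3 + 40];
    struct doc_info d;
    buf[0] = 0x01; buf[1] = 40; buf[2] = 0x00;
    memset(buf + 3, 'A', 40);
    return parse_records(buf, sizeof buf, &d);           /* -1 expected */
}
```

Two checks are needed, not one: the declared length must be consistent with the file (check_bad) and it must also fit the destination the program chose for it (check_long_title). A parser that only performs the first is still the source of the overflow, whatever the file extension says.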
Testing the detection of malware exploiting security holes
In its current test the Checkvir test laboratory examined malware exploiting security holes: to what extent do protection systems recognise the most widespread malicious codes that exploit vulnerabilities? The malware used in the test was divided into the following groups: Windows executable files; HTML and JavaScript malware exploiting browser vulnerabilities; WMA and MP3 files; SWF files; PDF documents. The last few groups deserve special attention, since the malware in these groups basically stores no executable code, only data. The first step of the test was an on-demand scan, to find out whether the scan launched by the user identifies the malicious code. In the second part of the test, on-access protection was checked.
Tested products and versions
| Product | Developer | Version |
|---|---|---|
| AVG Internet Security | AVG | 8.5.285 |
| ESET Smart Security | ESET Software | 4.0.314.0 |
| McAfee VirusScan Enterprise | McAfee | 8.7i |
| Panda Internet Security 2009 | Panda Software | 14.00.00 |
| Sunbelt VIPRE Antivirus + Antispyware | Sunbelt Software | 3.2.2019.2 |
| Trend Micro Internet Security 2009 | Trend Micro | 17.1.1171 |
Results
| Type | AVG | ESET | McAfee | Panda | Sunbelt | Trend Micro |
|---|---|---|---|---|---|---|
| Windows executable (296) | 293 | 296 | 287 | 293 | 266 | 18 |
| JavaScript, HTML (65) | 43 | 65 | 55 | 39 | 6 | 39 |
| WMA, MP3 (18) | 17 | 13 | 9 | 8 | 0 | 12 |
| SWF (30) | 26 | 27 | 15 | 13 | 0 | 18 |
| PDF (23) | 22 | 23 | 12 | 4 | 9 | 6 |
| Total (432) | 401 | 424 | 378 | 357 | 281 | 93 |
Tested files
- vuln1_files_js_html.txt - md5 hash list of tested .js and .html files
- vuln1_files_pdf.txt - md5 hash list of tested .pdf files
- vuln1_files_swf.txt - md5 hash list of tested .swf files
- vuln1_files_wma_mp3.txt - md5 hash list of tested .wma and .mp3 files
- vuln1_files_win_exec.txt - md5 hash list of tested Windows executable files
Log files
- AVG Internet Security
  - vuln1_avg.txt - log file of AVG
- ESET Smart Security
  - vuln1_eset.txt - log file of ESET
- McAfee VirusScan Enterprise
  - vuln1_mcafee.txt - log file of McAfee
- Panda Internet Security 2009
  - vuln1_panda.txt - log file of Panda
- Sunbelt VIPRE Antivirus + Antispyware
  - vuln1_sunbelt.txt - log file of Sunbelt
- Trend Micro Internet Security 2009
  - vuln1_trendmicro.txt - log file of Trend Micro
Test environment
All tests were carried out in the following environment:
| Component | Details |
|---|---|
| Hardware | Intel Pentium 4 CPU 1.7 GHz, ABIT BD7 II motherboard, 512 MB RAM, 80 GB Maxtor HDD |
| Software | Microsoft Windows XP Professional v2002 SP3 |