Denial of Service
"A DoS is an attack launched against software or against a machine running some software, with the aim of making the targeted software or machine unavailable."
Local Denial-of-Service Attacks
A local denial of service is a DoS attack that can be launched only from the same machine on which the targeted antivirus software is installed. The following are common types of local DoS attacks:
- Compression Bombs
A simple, well-known, and widely available local denial-of-service attack against antivirus software is the compression bomb, also referred to as a zip bomb or the “zip of death.”
Creating a Simple Compression Bomb
In this section, you create a simple compression bomb using standard Unix and Linux tools. First you need to create a big zero-filled file with the command dd:
dd if=/dev/zero bs=1024M count=1 > file
After creating this "dummy" file, you need to compress it. You can use any compression tool and format, such as GZip or BZip2. The following command creates a 2GB dummy file and pipes it directly into BZip2, resulting in a 1522-byte-long compressed file:
dd if=/dev/zero bs=2048M count=1 | bzip2 -9 > file.bz2
You can quickly check the resulting size by using the wc tool:
$ LANG=C dd if=/dev/zero bs=2048M count=1 | bzip2 -9 | wc -c
0+1 records in
0+1 records out
2147479552 bytes (2.1 GB) copied, 15.619 s, 137 MB/s
1522
This is a really simple compression bomb attack.
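As an added, defender-side example that is not part of the original text: a Python guard that inflates a bz2 stream in small pieces and rejects it as soon as the output passes a size or expansion-ratio limit, so a scanner that meets the bomb built above fails closed instead of exhausting memory. The limits, the make_zero_bomb helper and the 8 MiB test size are assumptions constructed for illustration.

```python
import bz2
import io

# Limits are illustrative assumptions; tune them to the scanner's budget.
MAX_OUTPUT_BYTES = 16 * 1024 * 1024  # never inflate more than 16 MiB
MAX_RATIO = 100                      # abort once output exceeds 100x the input
CHUNK = 64 * 1024                    # request output in 64 KiB pieces

class CompressionBombError(Exception):
    """Raised when inflating a stream exceeds the configured limits."""

def safe_bz2_decompress(data, max_output=MAX_OUTPUT_BYTES, max_ratio=MAX_RATIO):
    """Inflate a bz2 stream piecewise, aborting as soon as a limit is hit.
    A bomb then costs at most one chunk past the limit, not 2 GB of RAM."""
    dec = bz2.BZ2Decompressor()
    out = io.BytesIO()
    pending = data
    while not dec.eof:
        piece = dec.decompress(pending, CHUNK)
        pending = b""  # unconsumed input stays buffered inside the decompressor
        if not piece and dec.needs_input:
            raise ValueError("truncated bz2 stream")
        out.write(piece)
        produced = out.tell()
        if produced > max_output or produced > max_ratio * len(data):
            raise CompressionBombError(
                f"{produced} bytes inflated from {len(data)} compressed bytes")
    return out.getvalue()

def make_zero_bomb(uncompressed_size):
    """Constructed test input: the in-process twin of dd if=/dev/zero | bzip2 -9."""
    comp = bz2.BZ2Compressor(9)
    zeros = bytes(1024 * 1024)
    parts, remaining = [], uncompressed_size
    while remaining > 0:
        n = min(remaining, len(zeros))
        parts.append(comp.compress(zeros[:n]))
        remaining -= n
    parts.append(comp.flush())
    return b"".join(parts)

def check_bz2(data):
    """Return a verdict a scanner can act on instead of exhausting memory."""
    try:
        plain = safe_bz2_decompress(data)
    except CompressionBombError as exc:
        return {"verdict": "compression-bomb", "detail": str(exc)}
    return {"verdict": "ok", "inflated": len(plain)}
```

check_bz2(make_zero_bomb(8 * 1024 * 1024)) rejects the stream after the first 64 KiB chunk, because a few dozen compressed bytes have already expanded more than 100-fold; a 200-byte zero file passes both limits and is returned whole.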
==================================
Bugs in File Format Parsers
File format parser bugs can also be used locally to prevent an antivirus scanner from detecting malware. A non-trivial example of this is when the malware drops a malformed file that is known to trigger the bug in the antivirus file parser and cause it to die or become stuck (for example, an infinite loop).
Here is another, simpler example of how a file format bug can be used. Imagine you have two files with the following path structure:
base_dir\file-causing-parsing-bug.bin
base_dir\sub-folder\real-malware.exe
Attacks against Kernel Drivers
Other typical examples of local DoS attacks against antivirus products are those focused on kernel driver vulnerabilities. Most antivirus products for Windows deploy kernel drivers that can be used to protect the antivirus program from being killed, to prevent a debugger from attaching to their services, to install a file system filter driver for real-time file scanning, or to install an NDIS mini-filter to analyze the network traffic.
Vulnerabilities in these drivers are a useful way, for example, to reboot the machine after performing some action without asking the user for confirmation or requiring high-level privileges. They can also be used in a multistage exploit. A hypothetical, yet possible, scenario follows:
1. An attacker abuses a vulnerability that allows one of the following: a file to be copied to a user’s Startup directory, a bug that allows a driver to be installed, or a bug that allows a library to be copied in a location that will later be picked up and loaded in the address space of high-privileged processes after rebooting.
2. The attacker then uses a kernel driver bug to force the machine to reboot so that the changes take effect.
Local DoS vulnerabilities in antivirus kernel drivers are very common; a few appear each year, affecting a wide range of antivirus products, from the most popular to the less known.
Remote Denial-of-Service Attacks
Remote DoS vulnerabilities can also be discovered in antivirus products, as in any other software with a remote surface that is exposed. A remote denial of service is a DoS attack that can be launched remotely, targeting the antivirus software installed in the victim’s computer. There are many possible remote DoS attack vectors, with the following being the most common:
- Compression bombs, as in the case of local denial of service
- Bugs in file format parsers, as in the case of local denial of service
- Bugs in network protocol parsers.
- Attacks against antivirus network services that listen to network interfaces other than the loopback network interface (localhost IP address, 127.0.0.1)