Example of Security Product Introducing Vulnerabilities


  #1  
Old 09-11-2007, 07:26 PM
LapTop
Administrator
One of the reasons I blog is to record concrete events so I can more easily reference the exact details in the future. In Black Hat USA 2007 Round Up Part 2 I said:

Modern countermeasures applied to reduce vulnerability and/or exposure in many cases increase both vulnerability and exposure. This is certainly the case with so many agents (see Matasano is Right About Agents.)

Sometimes these vulnerabilities are present in the agent itself, such that the agent can be directly attacked. In other cases (like the one I cite today), the agent appears to re-introduce a vulnerability that the underlying system fixed years ago. From Haxdoors of the Kaspersky Antivirus 6/7:

Kaspesky [sic] and System Service Descriptor Table

Very long time is known that this is the weakest part of this antivirus. The weakest, because it contains number of elementary bugs.

Another example of poorly coded so-called Proactive Defense. On Windows XP Kaspersky AV adds additional services in SSDT table...

And now surprise. Any of this unknown SSDT entries can be EXPLOITED and can crash system into the BSOD even from Guest account with MINIMAL PRIVILEGES. We coded simple program. Its generates invalid system calls with invalid parameters for these unknown SSDT entries. The code is very simple but efficient. Using the same on clean Windows will lead to nothing, because Windows handles such situation in the right manner.
(emphasis added)

Please excuse the English; the speaker is Russian. (How is your Russian?)

In other words, normal Windows without Kaspersky is immune. Windows plus Kaspersky (supposedly equalling "defense in depth") is vulnerable.

Please remember this whenever you write (horror) or read a policy that requires anti-virus on all systems, regardless of the cost-benefit equation.

Copyright 2003-2007 Richard Bejtlich