Last week’s CIA leaks from WikiLeaks revealed that most antivirus programs may have been bypassed at one point or another by the CIA. We’ve asked the antivirus companies about their opinions on the leaks and what they intend to do next.
According to WikiLeaks’ leaked documents, most popular antivirus tools have been bypassed and exploited by the CIA. This fact alone isn’t as surprising as one may initially think, because it’s actually quite common for sophisticated attackers to be able to bypass most popular antivirus programs. That’s how they deliver their malware in the first place.
The real problem may come from the fact that antivirus programs in general aren’t as secure as you might expect them to be. Also, because of their deep hooks into the operating system or browsers, they can sometimes make users even more vulnerable to attacks (at least of the more sophisticated type).
Although 21 antivirus and security solutions vendors were included in a WikiLeaks document describing bypasses against them, WikiLeaks left information about the attacks on only three antivirus vendors: F-Secure, Avira, and AVG (recently purchased by Avast, another antivirus vendor). The organization said it didn’t want to expose information that might endanger actual CIA operations, which may be why the information on most of the others was redacted.
F-Secure
The CIA had the following comment on F-Secure’s antivirus software, implying that F-Secure isn’t all that secure, and that it can be bypassed easily:
"In OSB's experience, F-Secure has generally been a lower tier product that causes us minimal difficulty. The only annoyance we have observed is that F-Secure has an apparent entropy-based heuristic that flags Trojaned applications or other binaries containing encrypted/compressed payloads. Two defeats are known to exist: On involves using RAR file string tables in the resource section, the other involves cloning a RAR file manifest file – the manifest technique also works against Avira's entropy-based heuristics."
"The leaks detail a large amount evasions for basically all the end-point security products.
I think it's a fair game. CIA has targets they are trying to get to, and some of those are protected by products like these. CIA wouldn't be doing their job if they wouldn't be developing techniques like these.
We don't consider this to be a vulnerability as such, as they are not crashing us or exploiting us. Anti-virus products are never perfect; some attacks will always succeed. A superpower intelligence agency with massive budgets can definitely do that.
I much prefer them doing it like this, instead of trying to twist our arm to let them through."
Avira
The CIA doesn’t seem to have a great opinion about Avira either, calling it "easy to evade":
"Avira has historically been a popular product among CT targets, but is typically easy to evade. Similar to F-Secure, Avira has an apparent entropy-based heuristic that flags binaries containing encrypted/compressed payloads, but there are two known defeats."
Avira released a statement to Tom’s Hardware in which it said that the issue was minor and was fixed a few hours after WikiLeaks released the CIA “Vault 7” documents.
AVG (Avast)
In the leaked document, the CIA seemed to say that AVG does catch the agency's payload, but only well after its execution, and of course by then it's too late. That means the CIA could have chained together multiple exploits to disable the antivirus software before it could react.
"AVG catches a payload dropped to disk and launched via link file well after execution (process hollowing)."
AVG denied their anti-virus is vulnerable at all. FISHY!
Comodo
Comodo said that version 10 of the Comodo firewall was released earlier this year, and it shouldn't be vulnerable to such attacks anymore. That remains to be seen.
http://archive.is/YvdTC
http://www.tomshardware.com/news/antivi ... 33893.html