Reverse Engineered Antivirus Detects Classified Documents

The Hundred-Acre Wood is Safe: CylancePROTECT’s® Non-Reliance on AV Signatures Keeps Pooh and His Friends Safe, Even When Marked Top-Secret

A recent, most-excellent post over at the Objective-See blog (seriously, go and read it) details how the author, Patrick Wardle, dissects and manipulates the antivirus (AV) signature mechanism present in the macOS version of a traditional, signature-based antivirus software suite to achieve arbitrary false-positive detection.

The flavoring of his post, of course, is the ongoing fracas surrounding the product’s alleged potential for misbehavior in identifying and exfiltrating sensitive government documents on a computer protected by the product – a claim the suite’s developers deny vehemently.

Wardle elects not to comment on it – as do I – choosing instead to ask and answer the question, “Can an AV product be induced to: (1) arbitrarily and incorrectly identify a file as desired by an adversary, and, if (1) then (2) exfiltrate the files identified?”

tl;dr 1) yep, 2) probably

As detailed in the blog, Wardle reversed the behavior of the AV product’s scanning engine, which enabled him – and presumably any other sufficiently skilled attacker – to modify (he writes ‘extend’) the way in which the product identifies malicious files when scanning. Once he understood that mechanism, Wardle used a method for writing bytes into remote processes to patch what the AV engine is looking for.

That is to say, Wardle’s success is possible because of the product’s reliance on AV signatures. These are what he modifies in memory so that the AV engine detects his “top-secret” file. In fact, he specifically avoids modifying the antivirus engine itself.

By altering the in-memory content of a single signature, Wardle changes what that signature tells the AV engine to look for, replacing it with a set of constraints he chooses: the string “TS/SCI”, (Read more...)
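A toy model of the mechanism described above, added here as an illustration (it is not code from Wardle’s post or from any AV product): a string-matching scanner whose loaded signature set is modelled as a Python list, showing that overwriting one signature’s pattern turns a harmless document into a “detection”, and that an integrity digest over the loaded signatures, taken at load time and re-checked before each scan, catches the tamper. All signature names, patterns and the sample document are constructed.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Signature:
    name: str
    pattern: bytes  # byte sequence the engine searches for


@dataclass
class SignatureSet:
    sigs: list
    digest: str = field(init=False)

    def __post_init__(self):
        # Digest taken when the set is loaded, the defender's reference value.
        self.digest = self.compute_digest()

    def compute_digest(self) -> str:
        h = hashlib.sha256()
        for s in self.sigs:
            h.update(s.name.encode() + b"\0" + s.pattern + b"\0")
        return h.hexdigest()

    def verify(self) -> bool:
        # False once any name or pattern in memory differs from what was loaded.
        return self.compute_digest() == self.digest


def scan(data: bytes, sigset: SignatureSet) -> list:
    """Return the names of all signatures whose pattern occurs in data."""
    return [s.name for s in sigset.sigs if s.pattern in data]


def tamper(sigset: SignatureSet, index: int, new_pattern: bytes) -> None:
    """Model of the in-memory patch: overwrite one signature's pattern in place."""
    sigset.sigs[index].pattern = new_pattern


# Constructed signature set, standing in for what the engine loads at startup.
SIGS = SignatureSet([
    Signature("Constructed.Sample.A", b"\x4d\x5aCONSTRUCTED-SAMPLE-A"),
    Signature("Constructed.Sample.B", b"CONSTRUCTED-SAMPLE-B"),
])
# Constructed "classified" document: harmless text carrying a TS/SCI marking.
POOH_DOC = b"Pooh and Piglet walked through the Hundred-Acre Wood. TS/SCI"


def demo():
    before = scan(POOH_DOC, SIGS)      # [] : nothing matches the document
    intact = SIGS.verify()             # True : signatures are as loaded
    tamper(SIGS, 1, b"TS/SCI")         # the attacker-chosen constraint
    after = scan(POOH_DOC, SIGS)       # ['Constructed.Sample.B'] : false positive
    tampered = not SIGS.verify()       # True : the digest check flags the change
    return before, intact, after, tampered
```

The engine itself is untouched throughout, which is the point: the integrity check has to cover the signature data the engine consults, not only the engine binary.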

This is a Security Bloggers Network syndicated blog post authored by Scott Marcks. Read the original post at: Cylance Blog