CR, Oct 19, 2016

From Malware Signatures to Anti-Virus Assisted Attacks

arXiv:1610.06022v1, 7 citations
Originality: Highly original
AI Analysis

The paper addresses a security vulnerability in anti-virus software that could lead to data breaches, representing a novel attack vector rather than an incremental improvement.

The paper tackles the problem of anti-virus signatures being exploited for attacks by presenting a novel method to automatically derive signatures from commercial anti-virus software and demonstrating how these can be used to attack data with the scanner's aid, as shown with four products.

Although anti-virus software has significantly evolved over the last decade, classic signature matching based on byte patterns is still a prevalent concept for identifying security threats. Anti-virus signatures are a simple and fast detection mechanism that can complement more sophisticated analysis strategies. However, if signatures are not designed with care, they can turn from a defensive mechanism into an instrument of attack. In this paper, we present a novel method for automatically deriving signatures from anti-virus software and demonstrate how the extracted signatures can be used to attack sensitive data with the aid of the virus scanner itself. We study the practicability of our approach using four commercial products and exemplarily discuss a novel attack vector made possible by insufficiently designed signatures. Our research indicates that there is an urgent need to improve pattern-based signatures if used in anti-virus software and to pursue alternative detection approaches in such products.
