Today's tip isn't a tip, but rather a voicing of concerns that a student recently conveyed to me that I was unable to answer to my satisfaction. Here are the issues:
- What mechanisms are in place to prevent the automated downloading of virus scanner updates from being hijacked?
- If a system's DNS is spoofed or poisoned, can a fake virus definition or engine update be submitted to a virus scanner?
- Are there viruses intelligent enough to watch for virus definition updates and alter/edit the update before it is installed into the scanner?
I think these are all excellent questions that help us to focus on areas of malicious code operation that are not typically examined in the mainstream discussions of viruses, infections and security.
Session hijacking is a difficult proposition, but not an impossible one. With sufficient time and motivation, the communications sessions employed by most virus scanners to update themselves can be taken over. If this is accomplished, just about anything could be pushed into the virus tool under the guise of a virus definition list or an engine update. A fake virus list or a Trojan horse engine update could have catastrophic results.
If DNS is spoofed or poisoned, it may be possible to redirect the update session to a faked site that provides spurious updates. Once again, if this can occur, then just about anything can be pushed down to the client.
Virus writers are becoming more intelligent and cunning. Is it possible to write a virus that watches for definition list updates and can actively remove details about itself from the update before the virus scanner is able to import the list? Is this already occurring?
After voicing these concerns, it seems obvious that virus scanner vendors could have considered these problems and included means to prevent them from being exploited. Simple session verifications, checked session IDs, file checksums, CRC checks and even a modest dose of encryption, could actively prevent all of these issues from becoming a reality.
I just wonder whether antivirus software vendors have actually thought of these issues and really addressed them, or if they are waiting for the problem to arise in the wild before acting on them.
Until I discover definitive answers for these issues, there are several steps you can take to help prevent these possible vulnerabilities from becoming real problems on your systems.
First, keep watch over the update mechanisms of your antivirus software. Check to see that the published dates, byte length and even the number of listed viruses of the update installed into your software matches the details posted on the vendor's Web site.
Second, choose to perform updates manually. Most antivirus software vendors offer the ability to download a separate file to install and distribute updates on your network manually rather than requiring you to employ their automated download service. If you are concerned about virus updates, download the update manually and verify that the file you downloaded matches the expected date/time and size parameters.
Third, protect your DNS system. Don't allow unregulated updates to DNS to occur from the Internet. Your internal DNS system should be separate and distinct from the public Internet DNS system. Be sure to select a trusted upstream DNS provider (such as your ISP). When in doubt about the resolution provided by DNS, check it against Whois records at Network Solutions.
About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.
This was first published in October 2002