Sophail: Applied attacks against Sophos Antivirus

[deepzero]

Abstract

By design, antivirus products introduce a vast attack surface to a hostile environment. The vendors of these

products have a responsibility to uphold the highest secure development standards possible to minimise the potential

for harm caused by their software. This second paper in a series on Sophos internals applies the results previously

presented in [2] to assess the increased threat Sophos customers face. This paper is intended for a technical audience,

and describes the process a sophisticated attacker would take when targeting Sophos users.

Warning

Active Sophos users should refrain from testing the examples described in this paper on production systems.

Disk I/O on Sophos installations is intercepted by a minifilter that requires a userspace process to permit the operation.

Interfering with the userspace process will cause I/O to fail systemwide, panic your machine and cause irretrievable data

loss.

https://lock.cmpxchg8b.com/sophailv2.pdf

That`s some nice stuff, right there. :S

[kao]

Ironically, I saw Sophos blogpost about the same subject today: http://nakedsecurity...ormandy-sophos/

For each vulnerability they had the same comment:

Sophos has seen no evidence of any of these vulnerabilities being exploited in the wild.

Reading the same sentence seven times was hilarious..

[rendari]

Jesus, this is a pretty damning document.

[Teddy Rogers]

I have just read this paper and apart from it being damning it is quite shocking to read about some of the basic errors being made. No wonder "they were clearly ill-equipped to handle the output of one co-operative security researcher working in his spare time", after being shown all this evidence I wouldn't be surprised to find out some of the Sophos team losing their jobs over it.

Surely they had some form of internal and external code and security auditing?

Ted.