{"id":116,"date":"2008-02-08T14:04:59","date_gmt":"2008-02-08T22:04:59","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/2008\/02\/08\/anti-virus-vendor-hacked\/"},"modified":"2008-02-09T22:12:02","modified_gmt":"2008-02-10T06:12:02","slug":"anti-virus-vendor-hacked","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2008\/02\/08\/anti-virus-vendor-hacked\/","title":{"rendered":"Anti-Virus Vendor Hacked"},"content":{"rendered":"<p>I just read an <a href=\"http:\/\/www.infoworld.com\/article\/08\/02\/07\/Antivirus-companys-Web-site-downloads-a-virus_1.html\">article<\/a> about an Indian security company AvSoft whose website got hacked and distributed malicious code rather than their own when users tried to download software.  The attack used was iFrame injection on the vulnerable site. From what I&#8217;ve read about iFrame injections, hex code (with real meaning when translated to javascript) is somehow uploaded onto the site. Then when users try to click on some link or button, what they are really clicking on is an &#8220;invisible frame&#8221; over that link\/button which redirects them to some other site or attempts to install malicious software.<\/p>\n<p><!--more--><\/p>\n<p>Since security reviews are required to talk about products or classes of products, I will talk about downloadable anti-virus software and the companies that provide it.<\/p>\n<p>Assets and Security Goals:<\/p>\n<ol>\n<li>Asset 1: vendor reputation. As related to the case in question, being hacked is particularly damaging to the reputation of a security-oriented company for obvious reasons.<\/li>\n<li>Asset 2: working links. 
It is particularly difficult to make money from one&#8217;s website if the links redirect away from the site and away from the ability to download\/purchase one&#8217;s software.<\/li>\n<li>Security Goal 1: maintain site integrity and do not harm users&#8217; computers.<\/li>\n<li>Security Goal 2: prevent the site from distributing unauthorized information or linking to unintended sites.<\/li>\n<\/ol>\n<p>Potential Adversaries and Threats:<\/p>\n<ol>\n<li>Rival anti-virus companies may try to degrade the reputation and facilities of competitors through misinformation, hacking the website, which is the public face of the company, or distributing hacks for the rival software so that it no longer performs the intended function. Clearly the latter two methods would need to be covert.<\/li>\n<li>Malicious hackers may want to distribute their software to a wider audience &#8211; thus targeting any download site. That an anti-virus site was targeted, however, suggests that there may have been some element of looking for a challenge.<\/li>\n<\/ol>\n<p>Potential Weaknesses:<\/p>\n<ol>\n<li>Malicious admins or accidental coding mistakes in the PHP written specifically for the site may result in bugs that can be exploited.<\/li>\n<li>Denial of service is a risk with any website.<\/li>\n<li>Unpatched software often contains exploitable vulnerabilities.<\/li>\n<\/ol>\n<p>Potential Defenses:<\/p>\n<ol>\n<li>Keep all servers running the newest patched versions of software.<\/li>\n<li>Keep multiple redundant servers to prevent DoS attacks (however, this is not always reasonable from a financial perspective).<\/li>\n<li>Run bug-checking tools on all code.<\/li>\n<\/ol>\n<p>Risks\/Conclusion:<\/p>\n<p>Anti-virus companies are held to a higher standard than most web-service companies when it comes to security. Although the vendor may not be offering any product at all related to web security, it is still important to keep a good public image in all areas of security. 
Furthermore, distributing harmful software gets sites blacklisted by Google and other search engines &#8211; resulting in warnings like &#8220;this site may harm your computer&#8221; or in being delisted completely &#8211; and hence in lower traffic and earnings. Security companies, and websites in general, must constantly verify the integrity of their systems and perform tests that simulate the end-user experience to verify that their systems are operational.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I just read an article about an Indian security company AvSoft whose website got hacked and distributed malicious code rather than their own when users tried to download software. The attack used was iFrame injection on the vulnerable site. From &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2008\/02\/08\/anti-virus-vendor-hacked\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":45,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-116","post","type-post","status-publish","format-standard","hentry","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/116","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/45"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=116"}],"version-history":[{"count":0,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/116\/revisions"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}