Lucijan Caric Qubis
Tomo Sombolac Qubis
download slides (PDF)
Have you ever considered the possibility of your trusty desktop anti-virus being bombarded with thousands or even tens of thousands viral files? Probably not – since it looks logically correct to believe that an anti-virus program on the desktop computer would withstand such a fury. Also, who and why would perform such malicious action and is it doable in the first place?
Believe it or not such a method of attack could be used against desktop anti-virus products. Our tests concluded that a number of well-known anti-virus products would allow between several to several hundred infections when bombarded with the stream of 10,000 virus files, although in some cases several hundred files stream was enough to cause an infection.
We repeated the tests over some span of time and discovered that some products improved, allowing fewer viral files to be injected to the target computer, and some worsened suffering more infection than before.
In at least one case the product rolled-over and died, and in another case parts of the products were bombed down and remained inactive.
A further point of our interest was that we tested products on Windows XP Professional and used XP designed products whenever possible. This may show that there is some sort of interoperability problem with anti-virus products and the operating system which would allow such type of attack to be performed or that anti-virus products are not prepared for this operating system lege artis.
When performing our tests we tried to avoid situations when the anti-virus program was upgrading, since it is known that during certain levels of upgrade anti-virus products tend to temporarily shut down their proactive scanning engines (service restart, for example). During such operation it would be considerably easier to inject viral files to the target computer.
On the brighter side, some anti-virus product passed this test with flying colours, showing that proper product design techniques could be applied.
Since we think that we discovered a gap in prime line of anti-virus defense which has some potential to be utilized (or re-invented) by virus writers and our discovery was independently confirmed our intention is to perform more tests, covering as many anti-virus products as possible in a better testing environment.