Researchers claim Windows Defender can be fooled into deleting databases

Researchers at US/Israeli infosec outfit SafeBreach last Friday discussed flaws in Microsoft and Kaspersky security products that can potentially allow the remote deletion of files. And, they asserted, the hole could remain exploitable – even after both vendors claim to have patched the problem. Speaking at the Black Hat Asia …

  1. Yorick Hunt Silver badge
    Thumb Down

    If the attackers have the ability to add new users to a database, they already have the ability to destroy it themselves - this isn't an exploit.

    1. katrinab Silver badge
      Alert

      I can add a new user to lots of databases by registering as a customer of the company, placing an order, etc. That is normal behaviour.

      1. Casca Silver badge

        That's not a user. That's just data in the database.

        1. Tom Chiverton 1 Silver badge

          I think you are confusing RDBMS users with entries in the database table called "users", e.g. a Bobby Tables attack.

          1. Yorick Hunt Silver badge
            Pint

            Beers for Casca and Tom Chiverton 1; let's just hope the other respondents never try their hand as DBAs!

          2. FrogsAndChips Silver badge

            Although in good practice this table should be named "customers" or "students" (for Bobby Tables) or whatever relevant name rather than "users".

            1. katrinab Silver badge
              Meh

              I guess so, but that won't help with this specific problem.

          3. Robert Carnegie Silver badge

            This is a case where the anti-virus software deletes any file containing the name of Bobby Tables. So by creating an account in the name of Bobby Tables, or E. I. Carr, you will cause the database of user accounts to be deleted. In fact I hope The Register isn't using that sofUSER NOT FOUND :-)

        2. ChipsforBreakfast

          And data in the database is exactly what's needed to trigger this attack. From an admittedly brief review of the slides all that appears to be required to trigger the exploit is to somehow get the 'evil signature' into almost any field in almost any table of the target database. Defender then sees that as malicious and in classic hammer vs walnut style nukes the entire database.

          Same holds true for log files, so it's quite possible for someone to exploit it to nuke the DB via a web page then nuke the web server logs in almost exactly the same way to cover their tracks.

          No pre-existing access required. No DB or system access required. Just fill in a webform and let the fun begin.

          Of course, the question of 'who the hell actually scans database files in real time anyway' has to be asked and will most likely limit the usefulness of this as an attack vector - yet another reason (as if one was needed) to exempt databases from real-time scanning.

          More worrying to me is the apparent level of risk being introduced by ever more powerful 'security' software that, if compromised, can wreak absolute havoc - we may be approaching a situation where the cure is more dangerous than the disease!

          1. David Hicklin Bronze badge

            > Of course, the question of 'who the hell actually scans database files in real time anyway'

            All third-party AV programs had to have exclusions for scanning DB files, otherwise this could happen by random chance, not to mention locking the file for the duration of the scan.

          2. Grogan Silver badge

            Binary databases are prone to false positives anyway, if they are going to be scanned, it shouldn't be at the "file" level, but by higher level software that actually understands the database, or more practically, scan streams or generated files after the db software. That's more a job for real time protection. For example you don't scan email databases at a low level, you can try to scan incoming data but ultimately scan attachments after they are decoded.

            Databases will contain "random" patterns (they aren't those signatures at all, they just match part of a sequence of bytes) that can trigger antivirus detection. It may not even be real data, but garbage in rows marked as deleted (removed during consolidation etc.)
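The write path and the two scanning strategies discussed in the two comments above (ChipsforBreakfast on ordinary form data reaching the container file, Grogan on scanning at a level that understands the database) as an added example; this is not code from the thread, the article or SafeBreach. The signature bytes, the customers table, the log line and all function names are constructed for the demo and stand in for a real vendor byte signature; no real malware bytes are involved, and the "scanners" are deliberately naive stand-ins for an on-access engine.

```python
"""Added example (not from the article or SafeBreach): why a file-level byte
signature matches data an ordinary user typed into a web form, and how a
record-level scan localises the hit instead of condemning the whole file.
Everything here (signature, rows, log line) is constructed for the demo."""
import os
import sqlite3
import tempfile

# Constructed stand-in for a vendor byte signature (hypothetical, not real).
SIGNATURE = b"X-DEMO-EVIL-SIGNATURE-BYTES-9f3a"


def file_level_scan(path: str, signatures: list[bytes]) -> list[bytes]:
    """Mimic a naive on-access scanner: the file is opaque bytes and any
    signature found anywhere in it condemns the file as a whole."""
    with open(path, "rb") as f:
        blob = f.read()
    return [sig for sig in signatures if sig in blob]


def record_level_scan(path: str, signatures: list[bytes]) -> list[tuple[str, int, str]]:
    """Database-aware scan: inspect each stored value and report
    (table, rowid, column) for every hit, so the response can target a row
    (reject at input, quarantine the record) rather than the container."""
    hits = []
    con = sqlite3.connect(path)
    try:
        # Table names come from the schema of the file being scanned, not
        # from user input; they are still double-quoted as identifiers.
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for row in con.execute(f'SELECT rowid, * FROM "{table}"'):
                for col, val in zip(cols, row[1:]):
                    if isinstance(val, str):
                        data = val.encode("utf-8")
                    elif isinstance(val, bytes):
                        data = val
                    else:
                        continue  # ints/floats/NULL cannot carry the pattern
                    for sig in signatures:
                        if sig in data:
                            hits.append((table, row[0], col))
    finally:
        con.close()
    return hits


def build_customer_db(path: str, notes_field: str) -> None:
    """Hypothetical web-app write path: a parameterised INSERT, no SQL
    injection anywhere. Whatever the customer typed is stored verbatim."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE customers (name TEXT, email TEXT, notes TEXT)")
    con.execute("INSERT INTO customers VALUES (?, ?, ?)",
                ("Alice Example", "alice@example.test", "regular order"))
    con.execute("INSERT INTO customers VALUES (?, ?, ?)",
                ("Robert Tables", "bobby@example.test", notes_field))
    con.commit()
    con.close()


def write_access_log(path: str, request_path: str) -> None:
    """Hypothetical web-server access log; the request path is copied
    verbatim into the line, exactly as a real server would do."""
    with open(path, "ab") as f:
        f.write(b'203.0.113.7 - - [01/Jan/2024:00:00:00 +0000] "GET '
                + request_path.encode("utf-8") + b' HTTP/1.1" 404 153\n')


def demo() -> dict:
    """Run the whole scenario in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean.db")
        tainted = os.path.join(tmp, "tainted.db")
        log = os.path.join(tmp, "access.log")
        build_customer_db(clean, "nothing unusual")
        # The attacker only needs the bytes to land in *some* field.
        build_customer_db(tainted, "order note: " + SIGNATURE.decode() + " thanks")
        # Same trick against the web server's own log via the URL.
        write_access_log(log, "/search?q=" + SIGNATURE.decode())
        return {
            "clean_file_hits": file_level_scan(clean, [SIGNATURE]),
            "tainted_file_hits": file_level_scan(tainted, [SIGNATURE]),
            "tainted_record_hits": record_level_scan(tainted, [SIGNATURE]),
            "log_hits": file_level_scan(log, [SIGNATURE]),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The file-level scan has no way to tell a text field from a code section, so once the pattern is written verbatim it will match; whether the engine then deletes the container, quarantines it or merely alerts is a vendor design decision, which is the article's actual point. The record-level scan returns a (table, rowid, column) triple instead, which is the granularity a defender can act on. One caveat for anyone reproducing this with a real engine: SQLite stores large cells across overflow pages, so a pattern that happens to straddle a page boundary will not be contiguous in the file and a naive byte scan may miss it, while short values like the one above sit inline in the leaf page.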

  2. Anonymous Coward
    Anonymous Coward

    Sophos

    Many years ago a client using Sophos hadn't configured exclusions correctly on their Exchange server. By sheer bad luck something in the Exchange database had a signature match with an ancient virus, so Sophos promptly deleted the database.

  3. ldo

    Auto-Immune Diseases

    Ever since the first computer “viruses” and “worms”, the parallels with actual biological phenomena, initially seen by many as just spurious analogies, have only grown more eerily accurate. Now we see that equipping computers with immune systems can be just as much a double-edged sword as our own bodies’ defences against pathogens: liable to attack that which they are supposed to be protecting.

    Biological evolution is blind, undirected and unplanned, but human intelligence need not be. Instead of merely recapping existing biological processes, we should be able to go beyond them.

    1. Grogan Silver badge

      Re: Auto-Immune Diseases

      Heh, yeah, I've often thought the same about the biological parallels.

      Some pathogens DO the equivalent of a DOS attack on your immune system. For example, some bacteria and viruses code proteins that behave like "superantigens" that can cause your immune system to respond to anything but the pathogen.

      Like most things in nature, biological evolution is driven by "entropy", a word I'm using conveniently to describe the effects ultimately caused by the underlying back ends of subatomic particle physics that allow such chemistry to occur. They are only starting to understand that underlying mechanism that seems to make order from chaos. The similarity to computer viruses and replicating malware is mostly incidental, but it could become even more biology-like when there is AI driven malware (probably coming soon if I had to guess lol)

  4. david 12 Silver badge

    However...

    Anybody doing signature scans on their database container already has a problem.

    1. yetanotheraoc Silver badge

      Re: However...

      True, but anybody not doing signature scans on their database container has a different problem.

  5. werdsmith Silver badge

    The AV scan has authority to remove files that are in use and therefore locked by the OS, as removing a DB file without first taking down the service that locks it would mean some aggressive activity. Then I would expect the dodgy file to be quarantined rather than blackholed. Backups at the ready.

    But for performance reasons database files are often omitted from scans.

  6. Mike 137 Silver badge

    "The attack relies on the fact that [AV vendors] use byte signatures [...] to detect malware"

    Using byte signatures? How utterly primitive! Yet another reason why we should no longer trust passive anti-malware tools. The only reasonably safe approach today is dynamic testing in a sandboxed proxy.

    However, some malware has for a long time been able to detect whether it's running native or in a VM, so it's time this was addressed by better design of said proxies. In order to protect adequately, the tools used by the defence must be better than those used by the aggressor, but sadly the opposite is still frequently the case.

  7. yetanotheraoc Silver badge

    Sanitizing this input will drive you insane

    Databases are not solely the issue here. They are just one large class of files at the intersection of (modifiable by user) x (scannable by defender). You wouldn't want a read-only general-purpose computer, and anywhere you don't scan becomes the next target, so this is one of those officially hard problems.

    How does this whitelist work, and is there more than one? The Windows Registry must be safe from deletion, and the virus definition files themselves. How does something get added to the whitelist? I don't suppose the whitelist itself could be deleted by this kind of attack, but perhaps the malware could add itself to the whitelist, or get the user to do it, or just look for something already on the whitelist to infect. Fun times.
