daniel_bilar

Book review AV hacker handbook

Nov 2nd, 2015
Preliminaries: I requested the book for review from one of the authors. I have interacted at technical security conferences with, and am cordially acquainted with, both authors, and I respect and like them both.

TL/DR takeaway of this technical handbook for the impatient reader:

1) Anti-virus (AV) software can be subverted just like any other software. Implemented security measures, if they exist at all, are much more primitive than the security measures implemented in Office suites or browsers, such as Microsoft Office or Google Chrome.

2) This results in a dramatic increase in attack surface, with vulnerabilities at both the local and the remote level.

3) Hence, AV can and often does make computers and networks less secure.

Joxean and Elias posit that a lot of AV is never security audited ("That's right: never.") and corroborate this and other claims throughout the book. Dense at times and aimed at security researchers comfortable with standard reversing tools and Python/C++, the authors intersperse easy reading with several case studies and code exploration of real-life (unnamed) AV.

What they demonstrate is actually quite depressing and alarming: the vast majority of AV products (with one or two unnamed exceptions) lack rudimentary security controls, such as those implemented in modern-ish web browsers and document readers. These include, but are not limited to:

• Privilege separation
• Sandboxing
• Emulation
• Default trust deny of other components
• Anti-exploitation measures inside their own products
• SSL/TLS based updates
• Effective use of ASLR
• Effective and proper use of ACLs

The cumulative effect is a giant OR function of weakest links for the savvy reverser. Joxean reverse engineered and managed to subvert 14+ AV products (Windows, *nix) in about 1-2 years' time, and their reversing findings make for an entertaining yet grating read:

There is, for instance, the tale of the local privilege escalation exploit enabled by the sad Panda AV design decision to make their folder world-writeable, allowing users with ill intent to overwrite the main service and execute a malicious application with SYSTEM privileges; or the Panda shield disabling/backdooring with a secret UID that proved to be unnecessary in the end. Also startling: most AV do not sign database files.
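The Panda anecdote is an instance of a general weakness, an install directory or service binary that unprivileged users can write to. A defender can audit for that class of flaw directly. The script below is an added example (not code from the book or from this review) that walks an install tree and reports every directory or file with the POSIX "others write" bit set; the demo tree it builds is constructed sample data, with one 0755 subtree and one deliberately world-writable one. On Windows the same audit would read the DACL of the directory and of each service image path rather than mode bits.

```python
"""Audit an install tree for directories and binaries any local user can write.

Added example, not from the book or the review. A world-writable directory
is as serious as a world-writable binary: the original file can be renamed
and a replacement dropped under the same name, which the service loader
then runs with the service's privileges.
"""
import os
import stat
import tempfile


def world_writable(path: str) -> bool:
    """True if 'others' hold write permission on the path (POSIX mode bits)."""
    mode = os.lstat(path).st_mode
    return bool(mode & stat.S_IWOTH)


def audit_install_tree(root: str) -> list:
    """Walk an install tree and return sorted paths writable by untrusted users."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if world_writable(dirpath):
            findings.append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if world_writable(path):
                findings.append(path)
    return sorted(findings)


def build_demo_tree() -> str:
    """Construct a throwaway tree (constructed sample data, not a real product).

    'good/' is 0755 with a 0755 service binary; 'bad/' is 0777 with a 0666
    binary, mirroring the world-writable folder described in the review.
    """
    root = tempfile.mkdtemp(prefix="av_audit_demo_")
    layout = (("good", 0o755, 0o755), ("bad", 0o777, 0o666))
    for name, dir_mode, file_mode in layout:
        subdir = os.path.join(root, name)
        os.mkdir(subdir)
        binary = os.path.join(subdir, "service.exe")
        with open(binary, "wb") as fh:
            fh.write(b"MZ")  # stand-in for a service image
        os.chmod(binary, file_mode)
        os.chmod(subdir, dir_mode)  # chmod after populating so umask cannot interfere
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for finding in audit_install_tree(demo_root):
        print("world-writable:", finding)
```

Run against a real install directory, every line printed is a candidate for the overwrite-and-run-as-SYSTEM pattern described above and should be fixed by tightening the directory and file permissions.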

For less RE-inclined readers, many practical, self-contained tricks, like section size adjustments against ClamAV and compression bombs against Kaspersky AV, will keep interest high. I learned, for instance, that Chinese Kingsoft's Liebao browser (among other things) installed a browser extension to take screenshots of your desktop. Caveat emptor.
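The compression-bomb trick mentioned above works against any scanner that inflates archive members without first bounding how large the output may become. The following is an added example (not code from the book or from this review) of the defensive side: it reads only the zip central directory to compute the declared expansion ratio and total size, flags archives that exceed thresholds, and inflates a member with a hard byte cap in case the declared sizes lie. The thresholds and the archives it builds in memory are constructed for the demo and are not values from any product.

```python
"""Guard against compression bombs before inflating an archive.

Added example, not from the book or the review. Metadata-only triage first
(no member is inflated to decide), then a streaming extract that stops at a
byte cap because declared sizes in the central directory are attacker
controlled. The limits below are illustrative assumptions.
"""
import io
import zipfile

MAX_RATIO = 100.0          # declared uncompressed bytes / compressed bytes
MAX_TOTAL = 256 * 1024**2  # cap on total declared uncompressed size


def inspect_zip(data: bytes, max_ratio: float = MAX_RATIO,
                max_total: int = MAX_TOTAL) -> dict:
    """Return size statistics and a verdict using central-directory fields only."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        compressed = sum(i.compress_size for i in infos)
        declared = sum(i.file_size for i in infos)
    ratio = declared / max(compressed, 1)
    return {
        "members": len(infos),
        "compressed": compressed,
        "declared": declared,
        "ratio": ratio,
        "suspicious": ratio > max_ratio or declared > max_total,
    }


def safe_extract_member(data: bytes, name: str, max_bytes: int) -> bytes:
    """Inflate one member in chunks and abort once the output exceeds max_bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        out = bytearray()
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                break
            out += chunk
            if len(out) > max_bytes:
                raise ValueError(f"{name}: exceeded {max_bytes} bytes while inflating")
    return bytes(out)


def build_bomb_like_zip(size: int = 4 * 1024**2) -> bytes:
    """Constructed sample: one member of `size` zero bytes, which DEFLATE shrinks ~1000x."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", b"\0" * size)
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed sample: a small text member with an ordinary compression ratio."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"hello from a small archive\n" * 5)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("bomb-like", build_bomb_like_zip()), ("benign", build_benign_zip())):
        verdict = inspect_zip(blob)
        print(f"{label}: ratio={verdict['ratio']:.0f} suspicious={verdict['suspicious']}")
```

The two checks are complementary: the ratio test is cheap and catches the obvious case, while the streaming cap is what actually protects the scanner when the central directory under-reports sizes or when nested archives multiply the expansion.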

What makes the book especially enjoyable for those longer in the game are the little tidbits and historical anecdotes woven into the text, which repays careful reading. I must not be the only one whose nostalgia is evoked by the anti-emulation check that opens the c:\con device (which works from Windows 95 to Windows 8.1 but not in emulators), or the description of Symantec's debugger-interdicted GSM VM, which forced developers to invent their own debugging techniques, or, when discussing old code in AV engines, their identification of AV vulnerabilities affecting detection of the metamorphic innovation Zmist/Mistfall.

Many tools and other works are referenced in the text, but most inexplicably without URLs, such as Joxean's own Diaphora (I found something new and useful in the open-source SAGE-like egas from the MoTool suite). There are a couple of typos and editing snafus (Wiley eds: it's Waleed Assar; the name is correct in the URL but not in the text; duplicated text on p.71). In my opinion, some illustrations, highlighting of important info and a glossary would have enhanced the book.

Addendum as rejoinder to previous commenters: the content is very current (at least April 2015, maybe as current as July 2015), as can be gleaned from the TLS inspection, Kaspersky MiTM and FREAK attack exposure text. The reason why 'old' vulnerabilities are shown is likely twofold: 1) as an illustrative device to present a general AV product audit mechanism for the evergreen design and implementation mistakes, and 2) to quote p.294:

"Often, the security researchers are under the threat of being sued if they publish details about the vulnerabilities, even when they're already fixed. This happened many times to me and to other researchers."

This type of adversarial attitude is in stark contrast to the positive community acknowledgements sprinkled throughout the book (e.g. Ange Albertini, The Grugq, Nguyen Anh Quynh and many others). Worth emulating, properly :) .