A recent, most-excellent post over at the Objective-See blog (seriously, go and read it) details how the author, Patrick Wardle, dissects and manipulates the antivirus (AV) signature mechanism present in the macOS version of a traditional, signature-based antivirus software suite to achieve arbitrary false-positive detection.
The flavoring of his post, of course, is the ongoing fracas surrounding the product’s alleged potential for misbehavior in identifying and exfiltrating sensitive government documents on a computer protected by the product – a claim the suite’s developers deny vehemently.
Wardle elects not to comment on it – as do I – choosing instead to ask and answer the question, “Can an AV product be induced to: (1) arbitrarily and incorrectly identify a file as desired by an adversary, and, if (1) then (2) exfiltrate the files identified?”
tl;dr 1) yep, 2) probably
As detailed in the blog, Wardle reversed the AV product’s scanning engine’s behavior, which enabled him – and presumably any other sufficiently skilled attacker – to modify (he writes ‘extend’) the way in which the product identified malicious files when scanning. Once understood, Wardle utilizes a method for writing bytes into remote processes to patch what the AV engine is looking for.
That is to say, Wardle’s success is possible because of the product’s usage of AV signatures. These are what he modifies in memory so that the AV engine detects his “top-secret” file. In fact, he specifically avoids modifying the antivirus engine itself.
By altering the content in memory of a single signature, Wardle poisons the way the signature informs the AV engine about what it should be looking for to a set of constraints he chooses: the string “TS/SCI”, which is seen as a marker on US-governmental top secret documents.
And while any document scanned by the AV engine can be flagged falsely as malicious using the method Wardle employs, he makes his point first by slapping “TS/SCI” at the top of Winnie the Pooh, by Alan Milne.
Wardle’s blog post illustrates a weakness in the very concept of the antivirus signature. Never mind the fact that no amount of attempted signature sophistication can outpace the rate at which the collective soup of all malware expands: if the signatures are plastic to a malicious actor while in use, then the product cannot be trusted to render correct verdicts about files it scans.
This may sound like a vulnerability related to the antivirus product Wardle tested specifically, but it’s more generalizable than that. Any instance of signature manipulation for any product which utilizes them can lead to results at least similar to Wardle’s demonstration.
What’s There to Be Done, Then?
CylancePROTECT utilizes a mathematical understanding of malware, generated by extensively-trained machine learning models. It doesn’t need signature files to help it decide whether a file is malicious or not; this capability is built in to the very core of the product.
No AV product is a silver bullet, of course. However, at least in the case of top-secret stuffed bears, CylancePROTECT has little to fear from Wardle’s technique.