Anti-Virus Vendor Hacked

By imv at 2:04 pm on February 8, 2008 | 3 Comments

I just read an article about an Indian security company AvSoft whose website got hacked and distributed malicious code rather than their own when users tried to download software. The attack used was iFrame injection on the vulnerable site. From what I’ve read about iFrame injections, hex code (with real meaning when translated to javascript) is somehow uploaded onto the site. Then when users try to click on some link or button, what they are really clicking on is an “invisible frame” over that link/button which redirects them to some other site or attempts to install malicious software.

Since security reviews are required to talk about products or classes of products, I will talk about downloadable anti-virus software and the companies that provide it.

Assets and Security Goals:

  1. Asset 1: vendor reputation. As related to the case in question, being hacked is particularly damaging to the reputation of a security-oriented company for obvious reasons.
  2. Asset 2: working links. It is particularly difficult to make money from one’s website if its links redirect users away from the site and away from the ability to download or purchase one’s software.
  3. Security Goal 1: maintain site integrity and do not harm users’ computers.
  4. Security Goal 2: prevent the site from distributing unauthorized information or linking to unintended sites.

Potential Adversaries and Threats:

  1. Rival anti-virus companies may try to degrade the reputation and facilities of competitors through misinformation, hacking the website which is the public face of the company, or distributing hacks for the rival software so that it no longer performs the intended function. Clearly the latter two methods would need to be covert.
  2. Malicious hackers may want to distribute their software to a wider audience – thus targeting any download site. That an anti-virus site was targeted, however, suggests that there may have been some element of looking for a challenge.

Potential Weaknesses:

  1. Malicious admins, or accidental coding mistakes in the PHP written specifically for the site, may result in exploitable bugs.
  2. Denial of service is a risk with any website.
  3. Unpatched software often contains exploitable vulnerabilities.

Potential Defenses:

  1. Keep all servers running the newest patched versions of software.
  2. Keep multiple redundant servers to mitigate DoS attacks (however, this is not always reasonable from a financial perspective).
  3. Run bug-checking tools on all code.

Risks/Conclusion:

Anti-virus companies are held to a higher standard than most web-service companies when it comes to security. Although the vendor may not be offering any product at all related to web security, it is still important to keep a good public image in all areas of security. Furthermore, distributing harmful software gets sites blacklisted by Google and other search engines, resulting in tags like “this site may harm your computer” or in becoming unlisted completely, and thus in lower traffic and earnings. Security companies, and websites in general, must constantly verify the integrity of their systems and perform tests simulating the end-user experience to verify that their systems are operational.
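The integrity checks and end-user-experience tests the conclusion calls for can be automated. The following is an added example, not code from the post or from the vendor it describes: it compares a served page against a known-good hash and flags the two symptoms the post describes, an invisible frame and hex-escaped script content. The sample pages, the hash and the host name are constructed here for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser

# Runs of 8+ URL- or JS-style hex escapes, the "hex code with meaning in
# JavaScript" the post describes. Long URL-encoded query strings can also match,
# so treat a hit as a review prompt rather than proof of compromise.
HEX_PAYLOAD_RE = re.compile(r"(?:%[0-9a-fA-F]{2}){8,}|(?:\\x[0-9a-fA-F]{2}){8,}")

class HiddenIframeFinder(HTMLParser):
    """Collect the src of iframes that are zero-sized or hidden via inline style."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        if ("display:none" in style or "visibility:hidden" in style
                or a.get("width") == "0" or a.get("height") == "0"):
            self.hits.append(a.get("src") or "")

def scan_page(html, known_good_sha256=None):
    """Return a list of findings; an empty list means the page looks clean."""
    findings = []
    if known_good_sha256 is not None:
        if hashlib.sha256(html.encode("utf-8")).hexdigest() != known_good_sha256:
            findings.append("content hash mismatch")
    finder = HiddenIframeFinder()
    finder.feed(html)
    findings += ["hidden iframe -> " + src for src in finder.hits]
    if HEX_PAYLOAD_RE.search(html):
        findings.append("hex-encoded script payload")
    return findings

# Constructed sample pages (not from the post). The "injected" one carries the
# two symptoms the post describes: an invisible frame and hex-escaped script.
CLEAN_PAGE = '<html><body><a href="/download/av.exe">Download</a></body></html>'
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://attacker.invalid/x" width="0" height="0" '
    'style="display: none"></iframe>'
    "<script>document.write(unescape('%3C%69%66%72%61%6D%65%20'))</script></body>")
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_PAGE.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_page(page, KNOWN_GOOD_SHA256) or "OK")
```

In practice the known-good hash would be recorded at deploy time and the scan run from outside the network on a schedule, so that it sees what a visitor sees.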

Filed under: Security Reviews

3 Comments

  • 1

    Comment by Robert

    February 9, 2008 @ 4:53 pm

    The article leads me to believe that that site was compromised due to poorly written php code. It is critically important when writing web applications that code be reviewed for security requirements as well as functionality and specifications. Most companies do not review code from a security perspective and issues like this arise.

    The impact of this compromise is especially damaging to this company because end users rely on virus and security companies for their own security. If the ‘experts’ can’t get it right, who can?

  • 2

    Comment by Restaurant Pos

    February 23, 2008 @ 12:54 pm

    Talk about security issues: we are a software development company based in the UK and specialise in writing software in VB.net. We recently had a company come to us for a hospitality system and wanted to connect our software to their web environment for hotel reservation bookings. Before we set about evaluating what was required we decided to test their site and found it was very insecure; we were able to crash the database using SQL injection. For our first test we entered single quotes into a data field and submitted the form; this caused a server error and from there things went from bad to worse. Needless to say the website had been outsourced and developed through a company based in Asia who have since gone out of business.

  • 3

    Comment by diademed

    February 24, 2008 @ 9:38 pm

    Another important aspect of the security practice is recovery. As we saw recently demonstrated with Amazon’s S3 service, even services that specialize in “5 9’s” (99.999%) of service / uptime can be successfully attacked. Having the agility to counter an attack (or even an accident) and bring your services back online can be invaluable — much more so than preventing 99.9% of all attacks, but being down for 3 days when an attack actually gets through.
