News

Researchers Discover & Fix Vulnerability in Antivirus Software

  • Interdisciplinary Centre for Security, Reliability and Trust (SnT)
    University / Central Administration and Rectorate
    26 April 2021
  • Category
    Research, University

Researchers at the University of Luxembourg, in collaboration with Royal Holloway University of London, have found a significant security weakness in popular software applications.

The flaw would have impacted the world’s leading antivirus software systems and their customers, had the researchers not dutifully and ethically disclosed their findings and helped antivirus companies check and fix the issue before going public.

The discovery—now a published article issued by the Association for Computing Machinery titled “Cut-and-Mouse and Ghost Control: Exploiting Antivirus Software with Synthesised Inputs”—relates to the battlefield between antivirus software developers and malware attackers. Engaged in an extremely competitive tit-for-tat battle where future attacks have to be anticipated, it may happen that certain old assumptions, such as “A friend is friend and never a foe”, are never questioned. In cybersecurity, this is a weakness.

Dr. Ziya Alper Genç and Prof. Gabriele Lenzini, researchers at the Interdisciplinary Centre for Security, Reliability and Trust (SnT), together with Dr. Daniele Sgandurra, at the time of the discovery a researcher at the Royal Holloway University of London and now Technical Director of the Big Data Threat Analysis Team at Huawei Munich Research Center, have found such a security vulnerability.

It all started when the team questioned whether current defense mechanisms trusted, by default, all actions coming from a user’s mouse and from a text editor like Notepad. But mouse actions can be simulated, and Notepad can be controlled like a puppet. With the first, they reasoned, all defenses could be switched off; the second could be instructed to behave as ransomware. Testing this hypothesis on their own computers against 29 leading antivirus (AV) systems, they found that 14 of them could potentially be fooled.

Ziya Alper Genç and Gabriele Lenzini

After discovering the vulnerability over a year ago, Genç, Lenzini, and Sgandurra informed the potentially affected software providers and offered their assistance in resolving the security issue if it was confirmed and still present. They remained available to all impacted companies throughout the responsible disclosure process, and continued to look for solutions that could be deployed to resolve the security flaw. Of the 14 vendors contacted, some immediately released a fix to mitigate the vulnerability, while others acknowledged the issue and promised to remove the root cause of the weakness.

“Antivirus software providers always offer high levels of security, and they are an essential element in the everyday struggle against criminals. But they are competing with criminals who now have more and more resources, power, and dedication. This is why the role of academic research in vulnerability discovery, if conducted ethically and with high standards of professional conduct, can support security companies in being one step ahead of the criminals”, says Prof. Lenzini.

Genç, Lenzini, and Sgandurra’s research approaches cybersecurity from a comprehensive framework, considering the design of systems, the legal basis they rely on, and, crucially, the human element. Considering the perspective of fields beyond computer science makes it possible to identify previously overlooked elements that affect the security and performance of a system.

“The University and the SnT have always prioritised the importance of interdisciplinary research,” says Prof. Lenzini. “This latest discovery emphasises the success of this approach, as the vulnerability was discovered because of truly out-of-the-box thinking for the field of cybersecurity.”

“The business of security suffers a known curse: if security works, nothing bad happens. So, it is often easy to forget that security defenses must always be on. This is why it is important that we researchers remain able to take nothing for granted, because when security fails it may be too late,” said Dr. Genç. “This research also makes it clear that approaching cybersecurity from a holistic perspective is valuable. In addition, our disclosure and engagement with the impacted companies demonstrates how scientists can tackle these topics with the highest ethical standards.”

Reference: Ziya Alper Genç, Gabriele Lenzini, and Daniele Sgandurra. 2021. Cut-and-Mouse and Ghost Control: Exploiting Antivirus Software with Synthesised Inputs. Digit. Threat.: Res. Pract. 2, 1, Article 4 (February 2021), 23 pages. https://doi.org/10.1145/3431286