Antivirus insecurity at Black Hat confab

Experts are warning that the popularity of antivirus software could turn the defensive measure into a security risk.

The technology is commonly installed on PCs, servers, network gateways and mobile devices. The more widespread it becomes, the more attractive a target it is for cybercriminals, said researchers at Internet Security Systems (ISS).

"Antivirus could potentially be the weak point hackers might exploit to break into your network," said Neel Mehta, the team leader of X-Force Research at Internet Security Systems in Atlanta. "It is a key security mechanism, and it is important to have it. But at the same time, it could also be an attack vector."

Mehta and fellow ISS researcher Alex Wheeler plan to outline vulnerabilities in antivirus products on stage at the Black Hat Briefings, which kick off on Wednesday. The security conference draws hackers and security experts to Las Vegas every year. The event is followed by DefCon, the security industry confab famous for its hacker activity, which starts on Friday.

The ISS researchers will demonstrate hacking into systems using known and fixed flaws in antivirus products, not new security holes that have not been publicly disclosed yet, Mehta said. "We're going to show that it is a credible threat and demonstrate exploits," he said.

In the past year, ISS has discovered bugs in products from security software makers Symantec, McAfee, Trend Micro and F-Secure, he noted. Earlier this week, several flaws discovered by ISS were disclosed and fixed in Clam AntiVirus, a popular open-source virus scanner.

At the moment, the problem is just an emerging threat. Only isolated cases have been seen of malicious code writers using holes in antivirus software to attempt to break into computer systems, Mehta said. "There used to be no exploits for antivirus products, but we see some now," he said. "There is the potential for more."

Antivirus software is like low-hanging fruit to hackers, Yankee Group analysts wrote in a research paper released last month. As the pool of easily exploitable security bugs in Microsoft Windows dries up, attackers are looking to security software for holes to get into systems, the analysts said.

"As the core of the operating system gets more secure, hackers are diverting their attention to other targets," Mehta agreed.

Show time in Vegas

The lineup of papers and presentations at Black Hat this week bears out that trend. Few of the topics in the sessions deal with hacking attempts on Windows, Microsoft's dominant operating system, which has come under heavy attack from malicious code writers in the past.

Weaknesses in antivirus software are only one of the topics on the conference agenda. Researchers will also cover the use of USB keys to get into Windows PCs, intrusions into Oracle products and the security of Cisco Systems routers.

Experts from SPI Dynamics, which specialises in Web application security, plan to highlight problems with the drivers that make USB devices work on computers in a session titled "Plug and Root, the USB Key to the Kingdom." They will delve into how an attacker could gain access to an otherwise locked system via such security holes.

Oracle, which once called its products "unbreakable," will also see its security scrutinised. Alexander Kornbrust of Red Database Security will give a presentation on how to circumvent Oracle's database encryption, and Esteban Martínez Fayo, a researcher at security company Argeniss, is slated to show new ways to attack Oracle databases. Kornbrust, a German security researcher, earlier this month published details on a number of unpatched security flaws in Oracle software.

Cisco's routers are part of the core plumbing of the Internet, and Cisco's IOS, or Internetwork Operating System, runs on those routers. At Black Hat, ISS researcher Michael Lynn will probe IOS security for possible weaknesses. Large-scale router attacks could disrupt the performance of the Internet.

Black Hat attendees can also get some legal advice. Jennifer Granick, the executive director of the Stanford Law School Centre for Internet and Society, plans to offer a practical and theoretical tutorial on legal issues related to computer security practices.

While Black Hat is more like a traditional trade show, DefCon is a celebration of hacker culture and security knowledge. It brings together experts from the hacker underground, security industry stars and geek groupies. Word on the street is that most hotels in Las Vegas refuse to host DefCon because of all the hacking mischief that takes place.

As the focus on cybercrime has increased, Black Hat and DefCon have also become a fixed item on the calendars of many law enforcement agents. A few years back, conference-goers would challenge each other to spot the "Fed." This year, some in the security industry say the task could be to spot the hacker.
