In this part Integgroll looks at what might actually push antivirus vendors to improve their products, including bypass research and penetration testing as a whole.

However, there is this other group of people (see right-hand image), the other definition of Luddite – in fact, the number 1 definition whenever you google for it – and that would be “A member of bands of English workers who destroyed machinery, especially in cotton and woolen mills, that they believed was threatening their jobs”. And the Luddites, basically, along with a couple of other riot incidents, hindered the labor movement. They made a lot of people look like they weren’t organized. They made a lot of people that actually were there and caring about what was going on and trying to make a difference look like idiots who nobody cared about.
Because when you come in, you have this group of people that looks like they’ve got their ducks in a row, but you have three people somewhere else who are burning shit down. If they’re burning things down, this other group, if they’re associated with them at all, they all look bad, and everyone actually is the problem then, and no one is going to deal with them. And so this Luddite kind of act of smashing looms was a problem. It really, like I said, hindered the labor movement.

And while I was talking to a previous coworker about this, and this is my exact point here, he gave me this quote: “The only way to make antivirus vendors know their product is a joke is to embarrass them.”
Now, I’m not putting his name up there on purpose, because I think this is actually a really core quote to attribute to someone, because I think it’s really short-sighted. It sounds very much of the Luddite way, in that the only way we’re going to make this work is to shut them down as much and as often as possible and make none of this work for them. And by doing that then they will listen to us, which is not the case; that’s not how it’s going to work. It’s not how it’s worked, obviously, because if that was the case, the first time anybody had an antivirus bypassed, they would have already listened to us. They would have already been: “Oh, we need to work on that”, rather than just updating signatures and dealing with it.

Another part of this big problem here is – I’ll explain it in a second. I worked at Staples for a while, and Staples sells laptops. Staples has this grading system (see right-hand image), where they go based on the number of loyalty programs that you sell and the number of protection plans that you sell for laptops, as well as the number of accessories that you sell with laptops. And by accessories, that includes the protection plan, so that’s really cool if you can get that; that’s a bonus accessory. It also includes things like mice, it includes things like Microsoft Office, the backup discs that come with it, and, conveniently enough, antivirus.
Now, when you’re in a store at Staples, the biggest metric for wanting to sell these things and making sure that every single person walks away with it is the amount of time your boss will spend yelling at you otherwise, if you do not. So, to reduce that time, it usually ends up that you’re increasing the amount of time that you’re wasting on your customers to actually get these products into their hands. So you have a bunch of people that are working at places like Staples and Best Buy and all these other organizations that are purposely handing antivirus out to people.

And so antivirus companies are still making sales, and, much like this guy (see left-hand image), the embarrassment that you’re causing them does not matter. They don’t care – they’re still in the race, they’re still making money, and they’re still going to keep running, because they don’t have to change. So, obviously, where I’m really going with this, what I’m actually talking about at this point is kind of what’s going on. This right here is a list of the features that come with Symantec Endpoint Protection right now. I’m hitting on them right now because that’s the one that I had the biggest problem with, really.
But if you notice at the bottom, I mean, they’ve got stuff for Mac and Linux – that’s kind of cool. They have stuff for virtualization features. But the thing at the very bottom is the thing that interests me. They have a centralized and granular policy management system.
What that means is that they have a server sitting there somewhere, or some sort of service, that is controlling all of the stuff in the background. It actually sits there and reports on things. It actually talks to the stuff, it updates the virus signatures, all that kind of stuff. And it’s really helpful for your client and for your customer, and really for security as a whole – I won’t say otherwise, because antivirus is not a bad thing. It’s annoying for me, but it’s not a bad thing overall. It could be better, but that’s something we need to work on.

What’s going on here is I have a solution program for this (see right-hand image). One of them is we need to work with antivirus vendors to set up a system of bypass bounty, basically. As you find a way to get Meterpreter running on a system in whatever antivirus, at that point you should be able to go to that antivirus vendor and say: “This is the method that I’m using, this is how I’m bypassing it”, and whenever they realize that it works and whatnot, they throw money in your direction.
Now, this works great, as long as they continue to keep this faith and we do the same thing, so we don’t have problems like Facebook not paying their researchers because they’ve misfollowed something and somebody didn’t listen to them. And so we actually had to go as a community and pay this person.
Another thing that we have to do in this is set up a system where penetration testing isn’t actually stopped. Because if we do end up sending constant antivirus bypasses to AV vendors, what’s going to end up happening is they’re going to apply them and apply them, and then we won’t be able to do penetration testing; or we won’t be able to do it as effectively as we should be able to do it.
And the third thing is that we need to continue to do our bypass research through the bounty processes, so we need to actually go and continue to do this stuff, continue to research it and work with them to make their product better, and in turn to end up making security better.
The second step looks a little funny; it’s kind of like the Underwear Gnomes here. But I have a few ideas for how to make that second step work. And one of them is kind of like centralized alert and approve. What ends up happening is during a penetration test they’ve got someone who sits there and waits for the alerts and clicks OK whenever they actually happen. It’s not ideal, and if they actually said: “That’s the system that they’re allowed to do things on with Meterpreter or whatever”, it’s not the ideal solution, but it is a solution that could work.
Another thing that we could do is actually do straight-out application white-listing. So I hand them my payload and they plug it into their centralized server and anytime it sees that payload, it says: “Ok, we’re not going to execute anything on it; we’re going to let it go.” Also not ideal; a lot of the reason for that is that I don’t want them to have that payload, because it may still be that they have other things in place that they’re going to hate on. And it also informs probably more people in the organization that I’m doing a penetration test for, than they really need to know what’s going on – another slight problem.
Read previous: Stop Fighting Anti-Virus 2: Pursuit of Better Protection