Weaponized Antivirus: When Good Software Does Bad Things

The Black Hat conference drew well over 7,000 attendees this summer, and 25,000 attended the RSA Conference in the spring. Attendance of the 8th International Conference on Malicious and Unwanted Software, by contrast, is measured in dozens, not thousands. It's aimed at bringing forward the latest scholarly research in security, in an atmosphere that allows direct and candid interaction between all attendees. This year's conference (Malware 2013 for short) launched with a keynote by Dennis Batchelder, director of Microsoft Malware Protection Center, pointing out the hard problems that face the antimalware industry.
During the presentation, I asked Mr. Batchelder if he had any thoughts on why Microsoft Security Essentials scores at or near the bottom in many independent tests, low enough that many of the labs now treat it just as a baseline to compare with other products. In the photo at the top of this article he's miming how the Microsoft antivirus team members do not feel about that question.
Batchelder explained that's how Microsoft wants it. It's fine for the security vendors to demonstrate what value they can add over what's built in. He also noted that Microsoft's data shows just 21 percent of Windows users unprotected, thanks to MSE and Windows Defender, down from over 40 percent. And of course any time Microsoft can raise that baseline, third-party vendors will necessarily have to match or exceed it.
The Bad Guys Aren't Running Away
Batchelder pointed out significant challenges in three major areas: problems for the industry as a whole, problems of scale, and problems for testing. Out of this fascinating talk, one point that really struck me was his description of the way crime syndicates can trick antivirus tools into doing dirty work for them.
Batchelder explained that the standard antivirus model assumes that the bad guys are running away and hiding. "We try to find them in better and better ways," he said. "The local client or the cloud says 'block it!' or we detect a threat and try remediation." But they're not running away anymore; they're attacking.
Antivirus vendors share samples and use telemetry from their installed base and reputation analysis to detect threats. Lately, though, this model doesn't always work. "What if you can't trust that data," asked Batchelder. "What if the bad guys are attacking your systems directly?"
He reported that Microsoft has detected "crafted files targeting our systems, crafted files that look like some other vendor's detection." Once one vendor picks it up as a known threat, they pass it along to others, which artificially escalates the value of the crafted file. "They find a hole, craft a sample, and cause problems. They can inject telemetry to falsify prevalence and age, too," noted Batchelder. 
Can't We All Just Work Together?
So, why would a crime syndicate bother feeding false information to antivirus companies? The purpose is to introduce a weak antivirus signature, one that will also match a valid file needed by a target operating system. If the attack is successful, one or more antivirus vendors will quarantine the innocent file on victim PCs, possibly disabling their host operating system.
This type of attack is insidious. By slipping fake detections into the datastream shared by antivirus vendors, the criminals can damage systems that they've never laid eyes (or hands) on. As a side benefit, doing so may slow sharing of samples between vendors. If you can't assume a detection passed by another vendor is valid, you'll have to spend time re-checking it with your own researchers.
Big, New Problem
Batchelder reports that they're getting about 10,000 of these "poisoned" files per month through sample sharing. About a tenth of one percent of their own telemetry (from users of Microsoft's antivirus products) consists of such files, and that's a lot.
This one's new to me, but it's not surprising. Malware crime syndicates have tons of resources, and they can devote some of those resources to subverting detection by their enemies. I'll be quizzing other vendors about this type of "weaponized antivirus" as I get the opportunity.