
Hackers use anti-virus exclusion lists to better target victims



December 7, 2016

Hackers and advanced malware writers are using anti-virus exclusion lists to better target their victims, internet security specialists warn.

Software vendors routinely publish exclusion lists: the files, directories and processes that antivirus products should skip so that scans do not produce false positives or interfere with the application's normal operation.

Such lists are common across the industry. Citrix published one last week, and it doesn't take much Googling to find more: SolarWinds has one, as do VMware, Microsoft, SAP, Veritas and even Sage.

When Citrix's list emerged, we wondered whether it could double as a handy guide to the process names and directory locations that attackers could use against the very users it was written for.

An independent malware researcher (name withheld) says that some advanced malware writers are exploiting these published exclusions to produce malware tailored to particular businesses.

"There are malware writers using whitelisted exclusion files, mostly APT (advanced persistent threat) and targeted infection groups rather than public malware operators," he added.

"APT attackers are better funded and generally conduct more research before they launch attacks. They will typically insert their malware into the antivirus file exclusion categories, or in rarer cases force the antivirus configuration to exclude their specific malware files," he asserted.

He also noted that file exclusions are necessary to mitigate the false positives produced by most antivirus platforms, adding that many businesses are affected by these erroneous flags, which make them a real nuisance at times.

But exclusions are a band-aid fix that does not address the core detection problem, and that is what people really need to be on the lookout for.

Another well-respected security researcher, also requesting anonymity, says he has not seen malware targeting exclusion lists but imagines it would be useful to advanced attackers.

He says the Locky ransomware actors, who tend to compromise businesses rather than individuals, could use a vendor's recommended antivirus exclusion list to target users.

"Obviously, it would be interesting for attackers if they could already know their victim is indeed using Citrix," he says. "Or known to be using any other exclusion-list-using vendor," he added.

"The exclusion paths could be a nice place to store malware payloads before execution," he commented.

He notes that organizations should have multi-layered defenses and not rely solely on antivirus software.
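The two abuses described above, dropping payloads into paths a vendor list already excludes and forcing the antivirus configuration to exclude new files, both leave a trace in the exclusion set itself. The following Python audit is an added example, not code from this article or from any of the vendors named in it. It assumes exclusions have already been exported as plain strings (for instance from a vendor's published list and from the host's antivirus configuration); the vendor name "ExampleVendor", the approved list and the host list are all constructed sample data. It flags drift from the approved baseline and rates each entry for attacker-friendly breadth: whole directories, wildcards, user-writable locations, executable extensions and process-name exclusions.

```python
"""Audit antivirus exclusion entries for drift and attacker-friendly breadth.

Added example for illustration. All vendor names, paths and lists below are
constructed sample data, not taken from any real exclusion list.
"""
import re

# Locations a non-admin user (and therefore user-context malware) can write to.
# An exclusion rooted here means a dropped payload is never scanned.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "c:\\temp\\",
)

# Excluding these by extension disables scanning for that file type everywhere.
RISKY_EXTENSIONS = {".exe", ".dll", ".ps1", ".vbs", ".js", ".bat", ".cmd", ".scr", ".hta"}


def classify(entry: str) -> str:
    """Decide whether an entry is an extension, a bare process name, or a path."""
    e = entry.strip()
    if e.startswith(".") and "\\" not in e and "/" not in e:
        return "extension"
    if re.fullmatch(r'[^\\/:*?"<>|]+\.exe', e, re.IGNORECASE):
        return "process"
    return "path"


def normalize_path(p: str) -> str:
    """Lower-case and expand the environment variables vendor lists commonly use."""
    p = p.strip().lower()
    p = p.replace("%programdata%", "c:\\programdata")
    p = p.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    p = p.replace("%userprofile%", "c:\\users\\*")  # any user's profile
    p = p.replace("%temp%", "c:\\users\\*\\appdata\\local\\temp")
    return p


def assess(entry: str) -> list:
    """Return the reasons an exclusion entry is attacker-friendly (empty if none)."""
    kind = classify(entry)
    reasons = []
    if kind == "extension":
        if entry.strip().lower() in RISKY_EXTENSIONS:
            reasons.append("excludes an executable file type everywhere on disk")
        return reasons
    if kind == "process":
        reasons.append("process exclusion: every file the process touches is skipped, "
                       "and a bare image name can be matched by a renamed binary")
        return reasons
    p = normalize_path(entry)
    if any(ch in p for ch in "*?"):
        reasons.append("wildcard widens the exclusion beyond the vendor's own files")
    last = p.rsplit("\\", 1)[-1]
    if p.endswith("\\") or "." not in last:
        reasons.append("whole directory excluded, including anything dropped into it later")
    if p.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("lives under a user-writable location")
    return reasons


def detect_drift(baseline, current) -> dict:
    """Diff the approved exclusion set against what the host actually has configured.

    Anything in 'added' is either an undocumented admin change or, as the
    researcher quoted above describes, an attacker forcing the AV to ignore its files.
    """
    b = {e.strip().lower() for e in baseline}
    c = {e.strip().lower() for e in current}
    return {"added": c - b, "removed": b - c}


def audit(baseline, current) -> dict:
    """Combine drift detection with a per-entry breadth assessment of the host's set."""
    findings = {e: assess(e) for e in sorted(current) if assess(e)}
    return {"drift": detect_drift(baseline, current), "findings": findings}


# Constructed sample: what an approved (vendor-recommended) list asks for.
APPROVED_EXCLUSIONS = {
    r"C:\Program Files\ExampleVendor\bin\agent.exe",
    r"C:\ProgramData\ExampleVendor\Cache",
    r"%TEMP%\ExampleVendor",
    ".evlog",
}

# Constructed sample: the exclusions actually present on a host.
HOST_EXCLUSIONS = APPROVED_EXCLUSIONS | {
    r"C:\Users\Public\Libraries\*",  # appeared with no change record
    "svchost.exe",                    # process exclusion no vendor list asked for
}

if __name__ == "__main__":
    report = audit(APPROVED_EXCLUSIONS, HOST_EXCLUSIONS)
    for e in sorted(report["drift"]["added"]):
        print(f"ADDED since baseline: {e}")
    for e, reasons in report["findings"].items():
        print(f"{e}\n  - " + "\n  - ".join(reasons))
```

Run against a real export, the "added" set is the alert worth paging on, while the breadth findings are what to take back to the vendor: an exclusion for a single signed binary is defensible, a wildcard under a user-writable tree is an invitation.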

And as you might expect, others have gone further in recent days, with respected hackers from Google's Project Zero and the Chrome security team calling antivirus little more than a bucket of attack vectors and labelling it the chief impediment to shipping a secure browser.



Copyright © Internet Security.ca    Terms of use    Privacy agreement    Legal disclaimer