n.runs AG - E-mail security aps-AV
Thanks for your interest in aps-AV!

Hello, my name is Andreas Bruns, CEO of n.runs AG. On these pages we have gathered all relevant information for you; please do not hesitate to contact us or our PR agency should you have further questions.

Quick Access

Important documents concerning aps-AV:
  Download: aps-AV Battle card
  Download: aps-AV Flyer (for management)

Press kit (on a separate page)
  Illustrations / Logos / Images
  Questions from the press
  Publications / Press echo
  About n.runs AG
Please contact Ulrike Peter for more information

Contact
Stefan Tewes
Tel: +49 (0) 6171/699-0
Fax: +49 (0) 6171/699-199
E-Mail : stefan.tewes@nruns.com


PR-Contact
Sprengel & Partner GmbH
Ulrike Peter
Tel.: +49 (0)26 61-91 26 0-0
Fax: +49 (0)26 61-91 26 0-29
E-Mail: press@nruns.com

Question index
  What is aps-AV?
  Where do these new attacks come from?
  Why are the consequences so huge?
  How many vulnerabilities have been published?
  Doesn't the number of vulnerabilities decrease over time?
  What damage can be caused?
  What does such an attack look like?
  Are there documented incidents?
  How does aps-AV protect enterprises? (Tech)
  About n.runs

n.runs aps-AV - Next Generation AV Security
aps-AV is a flexible and scalable high-security solution that offers scanning and protection through an unlimited number of AV engines. The result is a higher level of protection combined with potential cost savings and better use of resources.

n.runs aps-AV® (Application Protection System Anti-Virus) is part of the n.runs aps product line. aps-AV offers comprehensive protection by implementing the defense-in-depth principle in a hardened three-tier architecture. aps-AV not only offers multi-engine protection and the option of centralization, but also encloses the AV engines within a sealed environment. Furthermore, aps-AV optimizes the performance of the servers and simplifies the administration of multiple AV engines and resources.

Even today, classical malware attacks spread via e-mail are still a resource- and cost-intensive threat to companies. In addition to these classical attacks, a new kind of attack has emerged that targets the AV solutions themselves.

These new attacks can have the following impacts:

  • Wherever data is examined by AV software, exploit code can be triggered. An attacker can then read the complete e-mail exchange and launch further attacks into internal network segments. This holds even when AV scanning and the e-mail server run on separate systems.
  • A denial-of-service condition in the AV solution (for example from an exploit attempt that fails and merely crashes the scanner). For a mail gateway this can mean an outage of the complete e-mail infrastructure.
  • Viruses and other malware can be delivered to the end user while completely bypassing the protection of the AV solution.

Where do these new attacks come from?
The parsing engine is an essential component of every AV engine. To make binary data interpretable, the engine splits it into blocks and structures according to the rules of each file format; this process is known as "parsing". False assumptions made while parsing, for instance trusting a length, offset or element count read from the file itself, lead to memory-safety errors that allow attacker-supplied code to be injected and executed. The SANS Institute included AV software in its Top-20 security risks.
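
The following C program is an added example, not n.runs code and not taken from any real AV engine. It uses a constructed toy container format (magic "NRUN" followed by length-prefixed chunks, an assumption made purely for illustration) to show the class of false assumption described above: the vulnerable extractor trusts the length field read from the file, the hardened extractor checks that field against the bytes actually present and against the output buffer, and the chunk walker bounds its iteration so a malformed file cannot keep the scanner busy indefinitely.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy container format (assumption, not a real AV or archive
 * format): magic "NRUN", then chunks of [uint32 LE length][length bytes]. */
#define MAX_CHUNKS 1024

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable: the declared length is trusted, the pattern behind many
 * historical AV parser bugs. A hostile length overruns 'out' (stack or
 * heap corruption, code execution) and reads past 'file' (crash, denial
 * of service). On hostile input this is undefined behaviour; only the
 * benign sample is ever passed to it here. */
int extract_first_chunk_unsafe(const uint8_t *file, size_t file_len,
                               uint8_t *out, size_t out_cap)
{
    (void)out_cap;
    if (file_len < 8 || memcmp(file, "NRUN", 4) != 0)
        return -1;
    uint32_t len = rd32(file + 4);
    memcpy(out, file + 8, len);   /* BUG: neither file_len nor out_cap checked */
    return (int)len;
}

/* Hardened: every value read from the file is validated against what is
 * actually present and against the caller's buffer before it is used. */
int extract_first_chunk_safe(const uint8_t *file, size_t file_len,
                             uint8_t *out, size_t out_cap)
{
    if (file_len < 8 || memcmp(file, "NRUN", 4) != 0)
        return -1;                /* wrong format or truncated header */
    uint32_t len = rd32(file + 4);
    if (len > file_len - 8)
        return -2;                /* declared length exceeds data present */
    if (len > out_cap)
        return -3;                /* would overflow the caller's buffer */
    memcpy(out, file + 8, len);
    return (int)len;
}

/* Walk every chunk, rejecting lengths that run past the end of the file
 * and bounding the iteration count. Returns the chunk count or an error. */
int walk_chunks_safe(const uint8_t *file, size_t file_len)
{
    if (file_len < 4 || memcmp(file, "NRUN", 4) != 0)
        return -1;
    size_t off = 4;
    int count = 0;
    while (off + 4 <= file_len) {
        uint32_t len = rd32(file + off);
        if (len > file_len - off - 4)
            return -2;            /* chunk claims more bytes than remain */
        off += 4 + len;
        if (++count > MAX_CHUNKS)
            return -4;            /* refuse to spin on absurd chunk counts */
    }
    return off == file_len ? count : -5;   /* trailing bytes that form no chunk */
}

/* Constructed samples: a well-formed file with two chunks, and a hostile
 * file whose single chunk declares ~4 GiB while carrying one byte. */
static const uint8_t BENIGN[]  = { 'N','R','U','N', 5,0,0,0, 'h','e','l','l','o',
                                   3,0,0,0, 'a','b','c' };
static const uint8_t HOSTILE[] = { 'N','R','U','N', 0xF0,0xFF,0xFF,0xFF, 'x' };

/* Hardened extractor into a scratch buffer of at most 16 bytes. */
int safe_result(const uint8_t *file, size_t file_len, size_t out_cap)
{
    uint8_t out[16];
    if (out_cap > sizeof out)
        out_cap = sizeof out;
    return extract_first_chunk_safe(file, file_len, out, out_cap);
}

/* Vulnerable extractor, benign sample only (see comment above). */
int unsafe_result_benign(void)
{
    uint8_t out[16];
    return extract_first_chunk_unsafe(BENIGN, sizeof BENIGN, out, sizeof out);
}

int main(void)
{
    printf("unsafe, benign : %d\n", unsafe_result_benign());
    printf("safe, benign   : %d\n", safe_result(BENIGN, sizeof BENIGN, 16));
    printf("safe, hostile  : %d\n", safe_result(HOSTILE, sizeof HOSTILE, 16));
    printf("safe, small buf: %d\n", safe_result(BENIGN, sizeof BENIGN, 4));
    printf("walk, benign   : %d chunks\n", walk_chunks_safe(BENIGN, sizeof BENIGN));
    printf("walk, hostile  : %d\n", walk_chunks_safe(HOSTILE, sizeof HOSTILE));
    return 0;
}
```

Compiled with `cc -o nrun nrun.c`, the program runs the hardened functions on both samples and the vulnerable extractor only on the benign one; on the hostile sample the vulnerable version would copy roughly four gigabytes from beyond the end of the input into a 16-byte buffer, which is exactly the crash-or-code-execution outcome the statistics below count.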

Why are the consequences so huge?
One of the reasons is the attempt to protect all business-relevant servers and clients of the company with software that runs with the highest privileges, so a bug in the parser is a bug in privileged code. Frequently several AV engines are in use, which drastically increases the attack surface and the chances of a successful attack.

How many vulnerabilities have been published?
n.runs found over 800 vulnerabilities; some have been fixed, but most of them still exist. Why? It can take up to two years for product patches to be published by an AV vendor. One reason for this latency is that AV engines are embedded in multiple products by different vendors, so the engineering effort is large. Independent statistics about AV vulnerabilities follow:

AV vulnerabilities Q1/2008 - Source: University of Michigan
Picture may be reproduced if the source is quoted

Impact of 227 AV vulnerabilities - Source: Secunia
(29% code execution, 27% denial of service)
Picture may not be reproduced, Secunia.

Source of 227 AV vulnerabilities - Source: Secunia
Out of 227 published vulnerabilities, 62% can be exploited remotely
Picture may not be reproduced, Secunia.

Patch level of 227 AV vulnerabilities - Source: Secunia
9% without patch
Picture may not be reproduced, Secunia.

Doesn't the number of vulnerabilities decrease over time?
Independent statistics show that the number of vulnerabilities is not decreasing but increasing with time. Why? Anti-virus software is a moving target: the number of functions and of supported formats grows continuously, and every new format parser is new code in which a vulnerability can hide. Kaspersky, for example, understood 2,000 formats in 2006 and 3,000 in 2007, an increase of a thousand formats in a single year.

Between 2002 and 2005

  • 50 Advisories
  • 11% Code execution
  • 21% DoS

Between 2005 and 2007

  • 170 Advisories (+340%)
  • 35% Code execution (+318%)
  • 30% DoS (+142%)


What kind of damage can be caused?

  • External costs: claims for damages, higher interest rates on loans and credit (Basel II, Solvency II) and penalties
  • Internal costs: loss of intellectual property (75% of business information is exchanged via e-mail), labor costs during system and operational standstill after an outage, loss of sales through a lack of operational capability, overloading of IT administration and helpdesk resources
  • Indirect consequences of non-compliance (§ 91 AktG, § 93 AktG, § 276 Abs. 2 HGB; risk of liability or imprisonment in the case of incorrect or missing accounting records) resulting from incorrect data handling, data loss or manipulation through AV attacks: threat to the company's existence, loss of credibility and reliability, loss of image and market share

What does such an attack look like?
An external attacker can carry out a variety of manipulations on the internal systems on which the AV software runs. Since parsing is indispensable for detecting malware, n.runs sees only one possible solution: embed the existing anti-virus products, with their high detection rates, in a hardened architecture that contains the consequences of a successful parser exploit. This prevents successful attacks against the existing e-mail and AV infrastructure.

This was the goal when n.runs developed aps-AV, known until now under the code name "ParsingSafe". By including the established AV software vendors as technology partners, n.runs keeps the high detection rate while reducing the attack surface and increasing overall security.

Simplified attack scenario - AV vulnerabilities exploited to enter a company network
Picture may be reproduced, nruns

1. The attacker sends an e-mail with an attachment that exploits a vulnerability in AV B.
2. AV A does not detect any malware and lets the e-mail pass.
3. AV B parses the mail, the exploitable bug is triggered, and the attacker's code of choice is executed.
4. The payload specified by the attacker connects back to the attacker.
5. The attacker obtains an interactive command shell on the mail server.

Are there documented incidents?
At Black Hat Europe 2008, Feng Xue presented a publicly documented incident in his talk and white paper "Attacking Anti-virus Software" (page 16).

After Faas M. Mathiasen discovered a strange network stream leaving their e-mail server, he posted a few questions to the incidents mailing list and came to the following conclusion a few days later:

This led us to the idea to simply use the Anti-Virus scanner to rescan the complete inbox of all accounts, and then it hit us, suddenly there were outbound requests being initiated. What tried to initiate these requests? The Anti-Virus scanner. [...] What we discovered was an exploit against the AV scanner that was triggered when it scanned the attachment to this particular email... that was not the threat we anticipated. Somebody using a "spoofed" email address sent this file to a publicly disclosed email address and as soon as the scanner touched the file it triggered... I thought I had watched a movie.

Another documented attack was presented at Black Hat DC 2008 by Sinan Eren, VP of Research: an "information operation" attack. He explained why the target application they chose was not a web server or a client application but AV software: AV software on an MTA gives access to sensitive data and knowledge, and it is attractive because it allows systematic, undetected, long-lasting access to the compromised systems.

How the attack was carried out:

  1. The anti-virus product was attacked through the company's mail server (MTA).
  2. The anti-virus software was exploited to gain access to all e-mails crossing the MTA.
  3. E-mails were intercepted and analyzed in order to understand the target.
  4. Trojans were injected into e-mails, exploiting the trust relationships between sender and receiver.
  5. The compromised end host was used to exploit "DNS-MSRPC" on the domain controller.
  6. The password database was extracted from the domain controller and used to compromise internal workstations; the search for the target documents began.
  7. A specially segmented network ("air gap") was discovered by analyzing data from various compromised sources.
  8. A USB stick plugged into a compromised PC was (remotely) modified to include the open-source program "USB Dumper". This stick was used to transport data between the different networks; once connected to the target PC, it automatically copied data from the target network onto the stick.
  9. Data and commands were sent over an HTTP covert channel.

What does centralization mean?
Centralization in the context of aps-AV means that data is not checked locally on each server but centrally in a protected aps-AV environment. Centralization and local scanning can coexist, as shown in the illustration.

Advantages of AV centralization?
Centralization can lower AV license fees and preserve personnel resources, since installing and managing several AV products on many hosts increases the administrative overhead. Furthermore, aps-AV can receive data other than e-mail and can therefore be connected to SANs, file servers, web servers and many other sources; aps-AV is also designed without a single point of failure.

How does aps-AV protect AV engines ?

Technical details about aps-AV
The set-up of the aps-AV solution (previously known under the code name "ParsingSafe") follows the design paradigms of a BSL-4 virus laboratory, recreating its control, shielding and destruction mechanisms. This architecture ensures a safe, easy and flexible integration into existing infrastructures. Since the potentially harmful data is neither parsed nor inspected nor interpreted in any other way before it reaches the firewalled analysis environment, even a successful parsing attack has no impact on adjacent systems and networks.

To build an environment similar to a class 4 virus laboratory, the architecture is divided into three tiers: the front-end, the distribution and the execution tier. These three protection zones are separated by firewalls, as shown in fig. 2. The systems can only communicate across these security layers by means of a special multi-path protocol developed in accordance with the security requirements of the architecture.

Fig. 2: aps-AV three-tier architecture
Picture may be reproduced, nruns

Security through "no parsing"
aps-AV stands out for its secure architecture, which allows simple and flexible integration into existing infrastructures. Potentially harmful data is not processed, inspected or interpreted before it is shunted to a secure area for analysis. For this reason, even successful parsing-specific attacks have no effect on neighboring systems and networks. To protect aps-AV itself from attacks, it has been written entirely in managed code (C#), which removes the memory-safety bug class from aps-AV's own code and thereby reduces its attack surface to a minimum.

In this process aps-AV neither examines the data for known virus signatures nor subjects it to any parsing operation. Only after the data has entered the execution environment, which runs on a hardened operating system and provides no network interfaces, do the AV engines start their work and check the e-mail attachments for malicious code. If any abnormality is detected, the whole environment is destroyed, including the operating system, and the incident is recorded as an attack on the respective AV product. The AV engines inside the execution tier are unchanged native code; what aps-AV changes is where they run and what a successful exploit can reach.

The distribution engine then either gives the go-ahead or blocks the e-mail. Moreover, the incident is centrally logged and reported.

In addition, all processes within the three-tier architecture are mutually authenticated. Communication between the three core components is protected by signatures and the special multi-path protocol. No unsafe code blocks were written during implementation, and no unsafe methods or native-library calls (P/Invoke) are used.
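
To make the distribution tier's decision logic concrete, here is an added C example: my reconstruction, not n.runs code (aps-AV itself is written in C#, and its real policy and status codes are not published on this page). It assumes that each engine's execution environment reports one of clean, infected, timeout, crashed or no result, and encodes the fail-closed policy the text describes: a crash or hang is treated as an attack on that engine rather than as a clean result, the e-mail is blocked, and the affected environment is marked for destruction and rebuild; an e-mail is delivered only when every engine has reported it clean.

```c
#include <stdio.h>
#include <stddef.h>

/* Outcomes reported back from one engine's execution environment
 * (assumed set; the page does not list the real aps-AV status codes). */
enum engine_result { R_CLEAN, R_INFECTED, R_TIMEOUT, R_CRASHED, R_NO_RESULT };

enum verdict {
    V_DELIVER,              /* every engine reported clean */
    V_BLOCK_MALWARE,        /* at least one engine detected malware */
    V_BLOCK_ENGINE_ATTACK,  /* an engine crashed or hung: treat as attack on the engine */
    V_BLOCK_INCOMPLETE      /* some engine gave no result: fail closed */
};

struct engine_report {
    const char *engine;
    enum engine_result result;
};

struct decision {
    enum verdict verdict;
    unsigned reset_mask;    /* bit i set: destroy and rebuild engine i's environment */
    const char *suspect;    /* first engine flagged as attacked, or NULL */
};

/* Fail-closed aggregation: an abnormal engine outcome dominates any
 * detection verdict, and a missing result never turns into "clean". */
struct decision decide(const struct engine_report *reports, size_t n)
{
    struct decision d = { V_BLOCK_INCOMPLETE, 0, NULL };
    size_t clean = 0;
    int infected = 0;

    if (n > 32)                 /* more engines than the mask tracks: fail closed */
        return d;

    for (size_t i = 0; i < n; i++) {
        switch (reports[i].result) {
        case R_CRASHED:
        case R_TIMEOUT:
            d.reset_mask |= 1u << i;
            if (d.suspect == NULL)
                d.suspect = reports[i].engine;
            break;
        case R_INFECTED:
            infected = 1;
            break;
        case R_CLEAN:
            clean++;
            break;
        case R_NO_RESULT:
            break;
        }
    }

    if (d.reset_mask != 0)
        d.verdict = V_BLOCK_ENGINE_ATTACK;
    else if (infected)
        d.verdict = V_BLOCK_MALWARE;
    else if (n > 0 && clean == n)
        d.verdict = V_DELIVER;
    return d;
}

static const char *verdict_name(enum verdict v)
{
    static const char *names[] = { "deliver", "block: malware",
                                   "block: attack on engine", "block: incomplete scan" };
    return names[v];
}

/* Constructed scenarios with three engines A, B and C. */
static const struct engine_report SCEN_CLEAN[]   = { {"A", R_CLEAN}, {"B", R_CLEAN},     {"C", R_CLEAN} };
static const struct engine_report SCEN_MALWARE[] = { {"A", R_CLEAN}, {"B", R_INFECTED},  {"C", R_CLEAN} };
static const struct engine_report SCEN_ATTACK[]  = { {"A", R_CLEAN}, {"B", R_CRASHED},   {"C", R_INFECTED} };
static const struct engine_report SCEN_PARTIAL[] = { {"A", R_CLEAN}, {"B", R_NO_RESULT}, {"C", R_CLEAN} };

static void report(const char *label, const struct engine_report *r, size_t n)
{
    struct decision d = decide(r, n);
    printf("%-8s -> %s", label, verdict_name(d.verdict));
    if (d.suspect != NULL)
        printf(" (suspect: %s, reset mask 0x%x)", d.suspect, d.reset_mask);
    printf("\n");
}

int main(void)
{
    report("clean",   SCEN_CLEAN,   3);
    report("malware", SCEN_MALWARE, 3);
    report("attack",  SCEN_ATTACK,  3);
    report("partial", SCEN_PARTIAL, 3);
    return 0;
}
```

The ordering of the checks is the point: in the "attack" scenario engine C does detect malware, but the crash of engine B still wins, because a crashed scanner is exactly the signal that the attachment was aimed at the scanner and not at the end user, and only B's environment needs to be rebuilt.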


About n.runs
n.runs AG is a vendor-independent consulting company specialising in IT infrastructure, IT security and IT business consulting. In 2007, n.runs expanded its core business, which until then had been project-based consulting, to include the development of specialised security solutions. Application Protection System – Anti Virus (aps-AV) is the first high-security solution that n.runs is bringing to the market.
