A cyberespionage group known as Careto or The Mask, perhaps state-sponsored, is known to have attempted to exploit a vulnerability in older versions of Kaspersky antivirus products in order to evade detection. The group compromised computers belonging to hundreds of government and private organizations from more than 30 countries before its activities were exposed in February 2014.
While these are mainly examples of using antivirus vulnerabilities to evade detection, there's also a demand for remote code execution exploits affecting antivirus products and these are being sold by specialized brokers on the largely unregulated exploit market.
Among the emails leaked last year from Italian surveillance firm Hacking Team there is a document with exploits offered for sale by an outfit called Vulnerabilities Brokerage International. The document lists various privilege escalation, information disclosure and detection bypassing exploits for multiple antivirus products, and also a remote code execution exploit for ESET NOD32 Antivirus with the status "sold."
This has been going on for over a decade, according to Gunter Ollmann, chief security officer at intrusion detection vendor Vectra and former chief technology officer at security research firm IOActive. There are companies that specialize in reverse-engineering popular desktop antivirus products from countries where their clients have an interest, he said via email. They also reverse-engineer existing malware so they can hijack already infected systems, he said.
According to Ollmann, a remotely exploitable vulnerability in the Chinese Qihoo 360 antivirus product is worth several tens of thousands of dollars to intelligence agencies from the U.S. and Europe.
"From a state-actor perspective, it would not be in their best interest to be detected doing this kind of thing, so targets are small and carefully controlled," Ollmann said.
If intelligence agencies from the U.S. and Europe are interested in such exploits, there's no reason to think that those from Russia, China and other cyber powers are not. In fact, Chinese and Russian cyberespionage groups have repeatedly proven their ability to find and develop exploits for previously unknown vulnerabilities in popular applications, so applying those same skills to antivirus products shouldn't be a problem.
Even some antivirus vendors agree that targeted attacks against antivirus products are likely, though they haven't seen any so far.
"In our predictions for 2016, we specifically mention that attacks on security researchers and security vendors could be a future trend in information security; however, we do not believe these will be widespread attacks," said Vyacheslav Zakorzhevsky, the head of anti-malware research at Kaspersky Lab, via email. "For example, security researchers may be attacked via compromised research tools, and since all software contains vulnerabilities, there is a possibility that security software could be impacted on a targeted and limited basis."
Sign up for CIO Asia eNewsletters.