From a user point of view any AV increases the security of his system since it’s a defense mechanism able to detect and to block most of the known viruses affecting Internet. But let think the other way around, what is an AV from a ROP expert ? Since every AV is at least one running processes within loaded libraries and imported functions it is an additional component where to look for Gadgets. During the past days I’ve been installing some of the most used AV (trial commercial versions only) and I investigated the distribution of the Gadgets that such AVs introduce into a running Windows XP system.
The above picture (click on it to make it bigger) shows the gadgets distribution ordered by gadget’s length. The smallest gadget found is composed by one operation (RETN) while the biggest one is composed by 15 operations. The analyzed AVs (Avast, AVG, Avira, kaspersky, ThreatFire and TrendMicro), as shown in picture, share the same distribution even if in different quantity. The picture also shows how similar the analyzed AVs are from the attacker (ROP expert) point of view. The attacker assuming the AV presence might ignore what kind of AV is (except for TrendMcro which provides lot of help to the attacker, letting he to choose between a wide amount of gadgets). These are only few preliminary results of what I really found. I’ll be back with more details on that in next few months (I have to analyze tons of data and to figure out similarities and differences ).