Last-minute paper: Working together to defeat attacks against AV automation
Hong Jia Microsoft
Dennis Batchelder Microsoft
download slides (PDF)
On 7 March, something in our automated systems went horribly wrong, and we issued three incorrect detections:
- A Brother MFC-9460CDN printer installer, incorrectly detected as TrojanDropper:Win32/Startpage.B
- An EPSON portal service, incorrectly detected as Rogue:Win32/Fakerean
- A utility tool (file scout), incorrectly detected as Trojan:Win32/Bewymids.A
Hundreds of thousands of our customers were affected. Within eight hours, we corrected the FPs, released fixes, and launched a post-mortem to understand why our automated system
Simple answer: our automated systems had been attacked. One day before, our systems were poisoned with hundreds of crafted clean files containing fragments of our (and other
AV vendor) detection patterns. Our automated systems were tricked into detecting clean files, and our customers suffered.
We kept digging, and we found evidence of several other attacks against our and other AV vendors' automation. We'd like to share with the AV industry both what we've learned, as well as our recommendations on
working together to limit the damage from these attacks.
VB2013 takes place 2-4 October 2013 in Berlin, Germany.
The full programme for VB2013, including abstracts for each paper, can be viewed here.
Click here for more details about the conference or register online.