Mar 12, 2010

AVG & The Aurora Exploit

Unfortunately, we have observed that some products rely heavily on file-based detection of malware. These products scan for payloads once they hit the disk. The problem with this approach is that exploits occur in memory (e.g. Aurora) and might never touch the disk.

We do not know why AVG failed to prevent the Aurora exploit (which operates in memory). But we know that it did. We observed the exploit successfully gain control of the PC and perform arbitrary remote code execution (the exploit ran Calc.exe as proof). And we did observe AVG detect the attack in Internet Explorer's cache - after the fact.

This video was captured on March 11, 2010. We turned off automatic updates to preserve the version in time, which of course caused multiple red blinky warnings to be issued. We tested again (see 2nd video below) after updating to put to rest any FUD.

To be fair, AVG may have protection for other exploits.

However, as of today, nearly 2 months after the story of the attack first broke, a fully updated AVG still does not provide protection from the original Aurora exploit. What is additionally concerning is that the product issues a pop-up message telling the user that the threat was detected and quarantined. See for yourself.

This video was captured on March 12, 2010. We turned on automatic updates, plus manually updated to ensure the latest protection was installed.