Windows 7 Forums
Windows 7: New attack bypasses virtually all AV protection


09 May 2010   #1
JMH

Win 7 Ultimate 64-bit. SP1.
New attack bypasses virtually all AV protection

Quote:
Researchers say they've devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.

The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it's executed, swaps it out with a malicious payload.

The exploit has to be timed just right so the benign code isn't switched too soon or too late. But for systems running on multicore processors, matousec's "argument-switch" attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked.

All that's required is that the AV software use SSDT, or System Service Descriptor Table, hooks to modify parts of the OS kernel.

"We have performed tests with [most of] today's Windows desktop security products," the researchers wrote. "The results can be summarized in one sentence: If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100% of the tested products were found vulnerable."
Source -
New attack bypasses virtually all AV protection - The Register

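The check-then-use race the quoted article describes, as an added C illustration that is not from this thread or from matousec's paper: the vulnerable hook re-reads caller-controlled memory after validating it, while the hardened hook snapshots the arguments once and works only on its private copy. The Args layout, the allow/block policy and the injected callback standing in for the racing thread are all constructed for this demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BENIGN_OP  1   /* an operation the policy allows */
#define BLOCKED_OP 2   /* an operation the policy must refuse */

/* Constructed stand-in for a syscall argument block that lives in
   caller-controlled memory, which a hook inspects before the call proceeds. */
typedef struct { uint32_t op; char target[32]; } Args;

/* Stand-in for the second thread: a callback that may touch the caller's
   memory between the hook's check and its use (assumed, for determinism). */
typedef void (*window_fn)(Args *shared);

static int policy_allows(const Args *a) { return a->op == BENIGN_OP; }

/* Vulnerable pattern: validate the shared block, then read it again to act. */
int hook_check_then_use(Args *shared, window_fn during_window) {
    if (!policy_allows(shared)) return -1;     /* check reads caller memory */
    if (during_window) during_window(shared);  /* the race window */
    return (int)shared->op;                    /* use re-reads caller memory */
}

/* Hardened pattern: copy once into private memory, then check and use the copy. */
int hook_copy_then_check(Args *shared, window_fn during_window) {
    Args local;
    memcpy(&local, shared, sizeof local);      /* single fetch */
    if (!policy_allows(&local)) return -1;
    if (during_window) during_window(shared);  /* no effect: *shared is never read again */
    return (int)local.op;
}

/* The caller flips the operation after the check has already passed. */
static void switch_argument(Args *shared) { shared->op = BLOCKED_OP; }

/* Operation the kernel would go on to perform under each hook. */
int run_vulnerable_hook(void) { Args a = { BENIGN_OP, "benign.txt" }; return hook_check_then_use(&a, switch_argument); }
int run_hardened_hook(void)   { Args a = { BENIGN_OP, "benign.txt" }; return hook_copy_then_check(&a, switch_argument); }

int main(void) {
    printf("check-then-use performed op %d (BLOCKED_OP=%d slipped past the check)\n",
           run_vulnerable_hook(), BLOCKED_OP);
    printf("copy-then-check performed op %d (BENIGN_OP=%d, the validated value)\n",
           run_hardened_hook(), BENIGN_OP);
    return 0;
}
```

In a real kernel hook the snapshot step is the probe-and-copy of user buffers into kernel memory before any validation; the second thread the article mentions is simulated here by the callback so the window is hit every time.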

09 May 2010   #2

Windows XP - Now Windows 7 Home Premium (64-bit).

OMG!! "In other words, 100% of the tested products were found vulnerable."

Thanks JMH.
09 May 2010   #3

W7-Enterprise + WS-2008 (Converted to Workstation)

Hi!

THANKS JMH!

But what about a direct link to Matousec's report?

KHOBE – 8.0 earthquake for Windows desktop security software - www.matousec.com


09 May 2010   #4
JMH

Win 7 Ultimate 64-bit. SP1.

Quote:
Poor Hook Implementations Leave Most Antivirus Products Vulnerable

According to a new research paper published by the matousec project, critical protection mechanisms are poorly implemented and can be easily bypassed for the majority of desktop antivirus programs. The problem stems from an unreliable and insecure use of kernel and user mode hooks to get the job done.

The research starts from the premise that malware writers are able at any time to write malicious code that evades traditional methods of detection, a theory that has been proven true over and over again. In order to compensate for this, antivirus products employ additional protection layers like Host-based Intrusion Detection Systems (HIPS), which monitor applications' behavior and block any actions deemed suspicious.
More -
Poor Hook Implementations Leave Most Antivirus Products Vulnerable - Researchers claim low-level protection mechanisms can easily be bypassed - Softpedia
09 May 2010   #5
Microsoft MVP

Windows 7 Ultimate 32bit SP1

Quote:
There is still a debate about the impact of this vulnerability, especially since the underlying problem has been known for years, yet no practical attack has been detected in the wild. On the other hand, it is also true that multi-core processors, which drastically increase the success rate of this attack, have since become widespread in desktop computers. Nevertheless, from information we received in confidence, some antivirus vendors were already planning to stop using SSDT hooks in the next version of their products, since before this research came out.
I guess we'll see what happens, and if it works like they plan.