Windows 7: New attack bypasses virtually all AV protection

Researchers say they've devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.

The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it's executed, swaps it out with a malicious payload.

The exploit has to be timed just right so the benign code isn't switched too soon or too late. But for systems running on multicore processors, matousec's "argument-switch" attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked.

All that's required is that the AV software use SSDT, or System Service Descriptor Table, hooks to modify parts of the OS kernel.

"We have performed tests with [most of] today's Windows desktop security products," the researchers wrote. "The results can be summarized in one sentence: If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100% of the tested products were found vulnerable."

Poor Hook Implementations Leave Most Antivirus Products Vulnerable

According to a new research paper published by the matousec project, critical protection mechanisms are poorly implemented and can be easily bypassed for the majority of desktop antivirus programs. The problem stems from an unreliable and insecure use of kernel and user mode hooks to get the job done.

The research starts from the premise that malware writers are able at any time to write malicious code that evades traditional methods of detection, a theory that has been proven true over and over again. In order to compensate for this, antivirus products employ additional protection layers like Host-based Intrusion Detection Systems (HIPS), which monitor applications' behavior and block any actions deemed suspicious.

There is still a debate about the impact of this vulnerability, especially since the underlying problem has been known for years, yet no practical attack has been detected in the wild. On the other hand, it is also true that multi-core processors, which drastically increase the success rate of this attack, have since become widespread in desktop computers. Nevertheless, from information we received in confidence, some antivirus vendors were already planning to stop using SSDT hooks in the next version of their products, since before this research came out.