 | |
| |
| 09 May 2010 | #1 |
| | New attack bypasses virtually all AV protection . New attack bypasses virtually all AV protection ? The Register Quote: Researchers say they've devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender. The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it's executed, swaps it out with a malicious payload. The exploit has to be timed just right so the benign code isn't switched too soon or too late. But for systems running on multicore processors, matousec's "argument-switch" attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked. |
My System Specs | |
| 09 May 2010 | #2 |
| | Very interesting. Thanks for the post |
| My System Specs |
| 09 May 2010 | #3 |
| | Quote: Matousec's test systems were running Windows XP SP3 and Vista SP1, though they claim that the technique should work on all versions of Windows (including 7) and that x64 software is no safer than x86. However, Huger also told me "This attack [..] will not work (or should not work) under non-XP systems." BSODhook -- the tools Matousec developed to automatically find vulnerabilities -- failed to run on my Windows 7 x64 system, even with administrator permissions. A Guy |
| My System Specs |
| . |
| |
| 10 May 2010 | #4 |
| | well..then i would like to prefer linux is matters of security ! |
| My System Specs |
| 10 May 2010 | #5 |
| | This goes way back Rustock and All That - Securelist and it's just getting worse ... |
| My System Specs |
| 10 May 2010 | #6 |
| | So the built in DEP protection would not stop this either, or I am thinking of something different??  |
| My System Specs |
| 11 May 2010 | #7 |
| | 
Quote: Originally Posted by Jacee  This goes way back Rustock and All That - Securelist and it's just getting worse ... |
| My System Specs |
| 11 May 2010 | #8 |
| |
Quote: Originally Posted by Ryan2320 So the built in DEP protection would not stop this either, or I am thinking of something different?? The kernel hook exploits described by Matousec are different and are a direct result of software vendors not following the laid down rules and guidelines for kernel mode code writing. There are MS documents which describe how this is to be done correctly and stably but many vendors just dont bother. So basically, most current AVs and firewalls are faulty by design and need to rectify at their end. |
| My System Specs |
| 11 May 2010 | #9 |
| |
Quote: Originally Posted by Bill2 There are MS documents which describe how this is to be done correctly and stably but many vendors just dont bother. So basically, most current AVs and firewalls are faulty by design and need to rectify at their end. |
| My System Specs |
| 11 May 2010 | #10 |
| | To the best of my knowledge, the Matousec team did not test MSE. They have listed 34 products that did not stop the attack and stated that they were limited by time to do more testing. IDK if MSE uses SSDT hooks, my guess would be a MS product would use MS API before ever using hooks. |
| My System Specs |
 |
New attack bypasses virtually all AV protection problems?
| Thread Tools | |
| Similar help and support threads for: New attack bypasses virtually all AV protection | ||||
| Thread | Forum | |||
| Virtually New to Virtualization | Virtualization | |||
| Newly discovered Windows kernel flaw bypasses UAC | Security News | |||
| New Windows 0-day vulnerability emerges, bypasses UAC | Security News | |||
| New attack bypasses virtually all AV protection | Security News | |||
All times are GMT -5. The time now is 06:54 PM.
