

Windows 7: New attack bypasses virtually all AV protection


09 May 2010   #1

XP-Vista-W7
 
 
New attack bypasses virtually all AV protection


New attack bypasses virtually all AV protection - The Register

Quote:
Researchers say they've devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.

The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it's executed, swaps it out with a malicious payload.


The exploit has to be timed just right so the benign code isn't switched too soon or too late. But for systems running on multicore processors, matousec's "argument-switch" attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked.


09 May 2010   #2

Windows 7 Ultimate 32 bit
 
 

Very interesting. Thanks for the post.
09 May 2010   #3

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1
 
 

Quote:
Matousec's test systems were running Windows XP SP3 and Vista SP1, though they claim that the technique should work on all versions of Windows (including 7) and that x64 software is no safer than x86. However, Huger also told me "This attack [..] will not work (or should not work) under non-XP systems." BSODhook -- the tools Matousec developed to automatically find vulnerabilities -- failed to run on my Windows 7 x64 system, even with administrator permissions.
Matousec report says your antivirus app is way too easy to exploit

A Guy


10 May 2010   #4

Windows 7 + Windows Xp Pro + Ubuntu 10.04 + openSUSE 11.2
 
 

Well, then I would prefer Linux in matters of security!
10 May 2010   #5
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

This goes way back: Rustock and All That - Securelist, and it's just getting worse ...
10 May 2010   #6

Windows Seven x64
 
 

So the built-in DEP protection would not stop this either, or am I thinking of something different?
11 May 2010   #7

Windows 7 Ultimate 32 bit
 
 

Quote: Originally Posted by Jacee
This goes way back: Rustock and All That - Securelist, and it's just getting worse ...
Great read!
11 May 2010   #8

Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86
 
 

Quote: Originally Posted by Ryan2320
So the built-in DEP protection would not stop this either, or am I thinking of something different?
DEP prevents malicious code from running from memory locations that only Windows and other programs should use. Such malware damages your system by taking over one or more memory locations in use by a program. These kinds of attacks used to be quite common; as a result, MS introduced the DEP feature from XP SP2 onwards. DEP does not prevent nasties from being installed on your computer; it just monitors your programs to determine if they use system memory safely. The way it does this is to mark some memory locations as "non-executable". If any program tries to run code (ANY code) from such a protected location, DEP closes the program and notifies you with a warning message.

The kernel hook exploits described by Matousec are different and are a direct result of software vendors not following the laid-down rules and guidelines for kernel-mode code writing. There are MS documents which describe how this is to be done correctly and stably, but many vendors just don't bother. So basically, most current AVs and firewalls are faulty by design and need to be rectified at their end.
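As an added example (not from this thread and not matousec's code), here is a user-mode C model of the check-then-use race that The Register quote describes and of the kernel-mode rule Bill2 refers to: a hook that validates a syscall argument in caller-owned memory and then re-reads it can be raced, while a hook that captures the argument once before validating cannot. The paths, the policy check and the "window" callback are constructed stand-ins for a real product's hook and for the other thread's time slice.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed sample paths: the policy check below admits only the first one. */
const char *BENIGN  = "C:\\benign.exe";
const char *SWAPPED = "C:\\swapped.exe";

typedef struct { const char *path; } syscall_args;          /* lives in caller-owned memory */
typedef void (*window_fn)(syscall_args *);                   /* models "another thread runs here" */
typedef bool (*hook_fn)(syscall_args *, window_fn);

static char executed[260];                                   /* path the real service received */

/* Hypothetical stand-in for the product's policy check: allow only the benign path. */
bool policy_allows(const char *path) { return strcmp(path, BENIGN) == 0; }

/* Vulnerable hook: validates args->path, then fetches it AGAIN for the real call.
 * Any change to args->path inside the window is never seen by the check. */
bool hook_double_fetch(syscall_args *args, window_fn other_thread) {
    if (!policy_allows(args->path)) return false;            /* fetch 1: check */
    other_thread(args);                                      /* race window */
    strncpy(executed, args->path, sizeof executed - 1);      /* fetch 2: use */
    return true;
}

/* Hardened hook: copy the argument ONCE into hook-owned storage, then check and
 * use only the copy; later changes to caller memory cannot affect the decision. */
bool hook_capture_first(syscall_args *args, window_fn other_thread) {
    char captured[260];
    strncpy(captured, args->path, sizeof captured - 1);
    captured[sizeof captured - 1] = '\0';
    if (!policy_allows(captured)) return false;
    other_thread(args);                                      /* same window, now harmless */
    strncpy(executed, captured, sizeof executed - 1);
    return true;
}

/* The two things the other thread may do during the window. */
void swap_argument(syscall_args *a) { a->path = SWAPPED; }
void no_swap(syscall_args *a) { (void)a; }

/* Runs one call through a hook; returns the path that ran, or NULL if blocked. */
const char *simulate(hook_fn hook, const char *initial, window_fn other_thread) {
    syscall_args args = { initial };
    memset(executed, 0, sizeof executed);
    return hook(&args, other_thread) ? executed : NULL;
}
```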
11 May 2010   #9

Win7 Home Premium 64x
 
 

Quote: Originally Posted by Bill2
There are MS documents which describe how this is to be done correctly and stably, but many vendors just don't bother. So basically, most current AVs and firewalls are faulty by design and need to be rectified at their end.
So would MSE be safe from this as it is coded by Microsoft and should be coded correctly?
11 May 2010   #10

Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86
 
 

To the best of my knowledge, the Matousec team did not test MSE. They have listed 34 products that did not stop the attack and stated that they were limited by time to do more testing.

IDK if MSE uses SSDT hooks, my guess would be a MS product would use MS API before ever using hooks.