Windows 7 Forums


Windows 7: New attack bypasses virtually all AV protection

11 May 2010   #11
Jacee
Microsoft MVP
Windows 7 Ultimate 32bit SP1

Two more articles, or reactions to Matousec's findings:

Khobe “vulnerability” – no earth shaker | Paul Ducklin's blog

http://www.f-secure.com/weblog/archives/00001949.html


11 May 2010   #12
CarlTR6
Windows 7 Ultimate 32 bit

http://www.f-secure.com/weblog/archives/00001949.html
Quote:
In a nutshell: We believe in defense in depth
Spot on.

11 May 2010   #13
Corrine
Windows 7 & Windows Vista Ultimate

Excellent article at Fran's Computer Services' Blog, particularly including the recommendation:
Quote:
You might also consider installing a preventative program like BillP’s WinPatrol on your system to make you aware of potential changes to your system.
Article at Race Conditions aka TOCTOU and now KHOBE

11 May 2010   #14
hackerman1
W7-Enterprise + WS-2008 (Converted to Workstation)

Thanks Mombodog!
Interesting reading.

I'm going to read the whole document on KHOBE later.
But what happens if you run your browser under Sandboxie or Returnil?
Wouldn't that stop the SSDT exploit?

11 May 2010   #15
Ryan2320
Windows Seven x64

Bill2, thanks for the information and clarification...

11 May 2010   #16
WindowsStar
Windows 7 Enterprise (x64); Windows Server 2008 R2 (x64)

Quote: Originally Posted by Mombodog

New attack bypasses virtually all AV protection | The Register

Quote:
Researchers say they've devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.

The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it's executed, swaps it out with a malicious payload.

The exploit has to be timed just right so the benign code isn't switched too soon or too late. But for systems running on multicore processors, matousec's "argument-switch" attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked.
WARNING!!!

I contacted matousec.com about some further testing (long story); this must have caught them off guard, because they completely refused to do more testing and had lame excuses as to why they would not. They are completely biased; I would not take anything they say as gospel. Their testing may be questionable at best.
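The check-then-use race the quoted article describes, as an added example that is not code from the article, from matousec or from any vendor's product: a constructed model (hypothetical names) of a hook that scans a caller-supplied argument block, with the attacker's second thread replaced by a deterministic callback fired in the window between check and use so the result is testable, and the mitigation beside it: capture the arguments once into hook-private memory, validate the copy and pass only the copy on.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (hypothetical names) of an SSDT-style hook that
 * inspects a caller-supplied argument block before the real service
 * consumes it. The toy "scanner" treats any payload containing the
 * marker string "EVIL" as malicious. */
typedef struct { char payload[32]; } call_args;

static int looks_benign(const call_args *a) {
    return strstr(a->payload, "EVIL") == NULL;
}

/* The second thread of the argument-switch attack is modelled as a
 * callback fired inside the window between check and use, so the
 * outcome is deterministic instead of timing-dependent. */
typedef void (*race_fn)(call_args *shared);

static void swap_to_malicious(call_args *shared) {
    strcpy(shared->payload, "EVIL");
}

/* Vulnerable pattern: the hook validates the caller's buffer in place and
 * the service later re-reads the same buffer (a double fetch).
 * Returns -1 blocked, 0 benign content reached the service,
 * 1 malicious content reached the service. */
int dispatch_double_fetch(call_args *user, race_fn race) {
    if (!looks_benign(user)) return -1;     /* check on caller's memory */
    if (race) race(user);                   /* attacker's window */
    return looks_benign(user) ? 0 : 1;      /* use re-reads caller's memory */
}

/* Hardened pattern: capture the arguments once into hook-private memory,
 * validate that copy, and pass only the copy on. The caller may still
 * rewrite its own buffer, but nothing downstream reads it again. */
int dispatch_captured(call_args *user, race_fn race) {
    call_args snap;
    memcpy(&snap, user, sizeof snap);       /* single fetch */
    if (!looks_benign(&snap)) return -1;
    if (race) race(user);                   /* same window, now harmless */
    return looks_benign(&snap) ? 0 : 1;
}

int main(void) {
    call_args a;
    strcpy(a.payload, "benign");
    printf("double fetch: %d\n", dispatch_double_fetch(&a, swap_to_malicious));
    strcpy(a.payload, "benign");
    printf("captured:     %d\n", dispatch_captured(&a, swap_to_malicious));
    return 0;
}
```

In a real driver the copy must be taken from user memory with the proper probe-and-capture discipline; the point here is only that every later consumer must read the captured copy, never the caller's buffer.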
13 May 2010   #17
Corrine
Windows 7 & Windows Vista Ultimate

Another article to add to the list: http://www.darkreading.com/blog/arch...Y_2010-05-11_h (also references Paul Ducklin's article on Sophos, but then again Graham Cluley works for Sophos too)


15 May 2010   #18
Corrine
Windows 7 & Windows Vista Ultimate

15 May 2010   #19
Jacee
Microsoft MVP
Windows 7 Ultimate 32bit SP1

I found this on another forum in a post about this same subject.

Quote:
Interesting how some journalists/publishers carry on...
It makes me think that perhaps I should write an article along the lines of:

"Security expert finds a way of "picking" a lock.... rendering all locks throughout the world useless"

15 May 2010   #20
CarlTR6
Windows 7 Ultimate 32 bit

Quote: Originally Posted by Corrine
Another article to add to the list: http://www.darkreading.com/blog/arch...Y_2010-05-11_h (also references Paul Ducklin's article on Sophos, but then again Graham Cluley works for Sophos too)

Good reads, Corrine. Thanks for the links. "Much ado about nothing."
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd