New attack bypasses virtually all AV protection


  1. Posts : 80
    XP-Vista-W7
       #1

    New attack bypasses virtually all AV protection



    New attack bypasses virtually all AV protection - The Register

    Researchers say they've devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.

    The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it's executed, swaps it out with a malicious payload.


    The exploit has to be timed just right so the benign code isn't switched too soon or too late. But for systems running on multicore processors, matousec's "argument-switch" attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked.


  2. Posts : 11,990
    Windows 7 Ultimate 32 bit
       #2

    Very interesting. Thanks for the post.


  3. Posts : 53,363
    Windows 10 Home x64
       #3

    Matousec's test systems were running Windows XP SP3 and Vista SP1, though they claim that the technique should work on all versions of Windows (including 7) and that x64 software is no safer than x86. However, Huger also told me "This attack [..] will not work (or should not work) under non-XP systems." BSODhook -- the tools Matousec developed to automatically find vulnerabilities -- failed to run on my Windows 7 x64 system, even with administrator permissions.
    Matousec report says your antivirus app is way too easy to exploit

    A Guy


  4. Posts : 43
    Windows 7 + Windows Xp Pro + Ubuntu 10.04 + openSUSE 11.2
       #4

    Well, then I would prefer Linux in matters of security!


  5. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #5

    This goes way back: Rustock and All That - Securelist, and it's just getting worse...


  6. Posts : 428
    Windows Seven x64
       #6

    So the built-in DEP protection would not stop this either, or am I thinking of something different?


  7. Posts : 11,990
    Windows 7 Ultimate 32 bit
       #7

    Jacee said:
    This goes way back: Rustock and All That - Securelist, and it's just getting worse...
    Great read!


  8. Posts : 5,056
    Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86
       #8

    Ryan2320 said:
    So the built-in DEP protection would not stop this either, or am I thinking of something different?
    DEP prevents malicious code from running from memory locations that only Windows and other programs should use. Such malware damages your system by taking over one or more memory locations in use by a program. These kinds of attacks used to be quite common; as a result, MS introduced the DEP feature from XP SP2 onwards. DEP does not prevent nasties from being installed on your computer; it just monitors your programs to determine whether they use system memory safely. The way it does this is to mark some memory locations as "non-executable". If any program tries to run code (ANY code) from such a protected location, DEP closes the program and notifies you with a warning message.

    The kernel hook exploits described by Matousec are different and are a direct result of software vendors not following the laid-down rules and guidelines for writing kernel-mode code. There are MS documents which describe how this is to be done correctly and stably, but many vendors just don't bother. So basically, most current AVs and firewalls are faulty by design and need to rectify this at their end.
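    The "argument-switch" described in the article quoted in post #1, and the "laid-down rules" post #8 refers to, both come down to one check-then-use pattern. The simulation below is an added example written for this thread; it is not Matousec's tool, not any vendor's driver code, and touches no real kernel or SSDT. It models a hook that inspects a user-owned request buffer before forwarding it to the original system call, with the second thread's interleaving represented by a callback at the window between check and use. The policy, paths, struct and function names are all assumed for the demonstration. The hardened variant applies the general kernel-programming rule of capturing user-supplied arguments into hook-owned memory once, validating the copy, and forwarding only the copy, so a later change to the user buffer can no longer affect what was validated.

```c
#include <stdio.h>
#include <string.h>

/* Constructed simulation of a check-then-use race in a system call hook.
   Nothing here touches a real kernel; "user memory" is just a struct that a
   second party may rewrite between the hook's check and its use. */

#define SIM_PATH_MAX 64

struct request {
    char path[SIM_PATH_MAX];   /* the argument the hook inspects (assumed layout) */
};

/* Hypothetical policy: only programs under this directory may run. */
static int policy_allows(const char *path) {
    return strncmp(path, "C:\\Allowed\\", 11) == 0;
}

/* Records the path the "original" system call was ultimately handed. */
static char last_executed[SIM_PATH_MAX];

static void original_syscall(const char *path) {
    snprintf(last_executed, sizeof last_executed, "%s", path);
}

/* Models the other thread being scheduled in the window between check and
   use. A NULL callback means no concurrent writer exists. */
typedef void (*interleave_fn)(struct request *user_req);

/* Vulnerable hook: validates the user-owned buffer in place, then hands the
   SAME buffer onward. The argument is fetched twice from memory the hook does
   not own. Returns 1 if the original call was reached, 0 if rejected. */
static int hook_check_in_place(struct request *user_req, interleave_fn between) {
    if (!policy_allows(user_req->path))
        return 0;                       /* rejected on the first read */
    if (between) between(user_req);     /* window: other thread runs here */
    original_syscall(user_req->path);   /* second read; may differ from what was checked */
    return 1;
}

/* Hardened hook: capture once into hook-owned memory, validate the copy, and
   forward only the copy. The user buffer is read exactly once. */
static int hook_capture_then_check(struct request *user_req, interleave_fn between) {
    struct request captured;
    memcpy(&captured, user_req, sizeof captured);   /* single fetch */
    if (!policy_allows(captured.path))
        return 0;
    if (between) between(user_req);     /* writer may still change the user buffer... */
    original_syscall(captured.path);    /* ...but the hook no longer looks at it */
    return 1;
}

/* Constructed concurrent writer standing in for the second thread: swaps the
   argument after the hook has already approved it. */
static void swap_argument(struct request *user_req) {
    snprintf(user_req->path, sizeof user_req->path, "%s", "C:\\Blocked\\other.exe");
}

/* Runs one scenario against the given hook. Returns 1 when a path the policy
   forbids reached the original system call, i.e. the hook was bypassed. */
static int bypassed(int (*hook)(struct request *, interleave_fn)) {
    struct request req;
    memset(&req, 0, sizeof req);
    snprintf(req.path, sizeof req.path, "%s", "C:\\Allowed\\benign.exe");
    last_executed[0] = '\0';
    int ran = hook(&req, swap_argument);
    return ran && !policy_allows(last_executed);
}

/* Sanity check: with no concurrent writer, both hooks behave identically. */
static int allows_benign_alone(int (*hook)(struct request *, interleave_fn)) {
    struct request req;
    memset(&req, 0, sizeof req);
    snprintf(req.path, sizeof req.path, "%s", "C:\\Allowed\\benign.exe");
    last_executed[0] = '\0';
    return hook(&req, NULL) && policy_allows(last_executed);
}

int main(void) {
    printf("check-in-place bypassed:     %d\n", bypassed(hook_check_in_place));
    printf("capture-then-check bypassed: %d\n", bypassed(hook_capture_then_check));
    return 0;
}
```

    The point for a reviewer of hook or driver code is structural, not timing-related: if the buffer you validated is not the buffer you forward, no amount of tuning the check fixes it. Auditing for a second dereference of a user-supplied pointer after the validation point is the check to run.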


  9. Posts : 3,300
    Win7 Home Premium 64x
       #9

    Bill2 said:
    There are MS documents which describe how this is to be done correctly and stably, but many vendors just don't bother. So basically, most current AVs and firewalls are faulty by design and need to rectify this at their end.
    So would MSE be safe from this, as it is coded by Microsoft and should be coded correctly?


  10. Posts : 5,056
    Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86
       #10

    To the best of my knowledge, the Matousec team did not test MSE. They have listed 34 products that did not stop the attack and stated that they were limited by time to do more testing.

    IDK if MSE uses SSDT hooks; my guess would be that an MS product would use MS APIs before ever using hooks.


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
