New attack bypasses virtually all AV protection

[Mombodog]

.

New attack bypasses virtually all AV protection ? The Register

Researchers say they've devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.

The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it's executed, swaps it out with a malicious payload.


The exploit has to be timed just right so the benign code isn't switched too soon or too late. But for systems running on multicore processors, matousec's "argument-switch" attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked.

.

 

[CarlTR6]

Very interesting. Thanks for the post

 

[A Guy]

Matousec's test systems were running Windows XP SP3 and Vista SP1, though they claim that the technique should work on all versions of Windows (including 7) and that x64 software is no safer than x86. However, Huger also told me "This attack [..] will not work (or should not work) under non-XP systems." BSODhook -- the tools Matousec developed to automatically find vulnerabilities -- failed to run on my Windows 7 x64 system, even with administrator permissions.

Matousec report says your antivirus app is way too easy to exploit

A Guy

 

[celldweller1591]

well..then i would like to prefer linux is matters of security !

 

[Jacee]

This goes way back Rustock and All That - Securelist and it's just getting worse ...

 

[Ryan2320]

So the built in DEP protection would not stop this either, or I am thinking of something different?? :huh:

 

[CarlTR6]

This goes way back Rustock and All That - Securelist and it's just getting worse ...

Great read!

 

[Bill2]

So the built in DEP protection would not stop this either, or I am thinking of something different?? :huh:

DEP prevents malicious code from running from memory locations that only Windows and other programs should use. Such malware damages your system by taking over one or more memory locations in use by a program. These kind of attacks used to be quite common, as a result MS introduced the DEP feature from XP SP2 onwards. DEP does not prevent nasties from being installed on your computer, it just monitors your programs to determine if they use system memory safely. The way it does this to mark some memory locations as "non-executable". If any program tries to run code (ANY code) from such a protected location, DEP closes the program and notifies you with a warning message.

The kernel hook exploits described by Matousec are different and are a direct result of software vendors not following the laid down rules and guidelines for kernel mode code writing. There are MS documents which describe how this is to be done correctly and stably but many vendors just dont bother. So basically, most current AVs and firewalls are faulty by design and need to rectify at their end.

 

[Thorsen]

There are MS documents which describe how this is to be done correctly and stably but many vendors just dont bother. So basically, most current AVs and firewalls are faulty by design and need to rectify at their end.

So would MSE be safe from this as it is coded by Microsoft and should be coded correctly?

 

[Bill2]

To the best of my knowledge, the Matousec team did not test MSE. They have listed 34 products that did not stop the attack and stated that they were limited by time to do more testing.

IDK if MSE uses SSDT hooks, my guess would be a MS product would use MS API before ever using hooks.

 

[Jacee]

Two more articles, or reactions to Matousec's findings:

Khobe “vulnerability” – no earth shaker | Paul Ducklin's blog

http://www.f-secure.com/weblog/archives/00001949.html

 

[CarlTR6]

http://www.f-secure.com/weblog/archives/00001949.html

In a nutshell: We believe in defense in depth

Spot on.

 

[Corrine]

Excellent article at Fran's Computer Services' Blog, particularly including the recommendation:

You might also consider installing a preventative program like BillP’s WinPatrol on your system to make you aware of potential changes to your system.

Article at Race Conditions aka TOCTOU and now KHOBE

 

[hackerman1]

thanks Mombodog !
interesting reading.

i´m going to read the whole document on KHOBE later.
but what happens if you run your browser under Sandboxie or Returnil ?
wouldn´t that stop the SSDT-exploit ?

 

[Ryan2320]

Bill2, Thanks for the information, and clarification...

 

[WindowsStar]

.

New attack bypasses virtually all AV protection ? The Register

Researchers say they've devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.

The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it's executed, swaps it out with a malicious payload.


The exploit has to be timed just right so the benign code isn't switched too soon or too late. But for systems running on multicore processors, matousec's "argument-switch" attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked.

.

WARNING!!!

I contacted matousec.com about some further testing (long story); this must have caught them off guard, because they completely refused to do more testing and had lame accuses as to why they would not. They are completely biased I would not take anything they say as gospel. Their testing may be questionable at best.

 

[Corrine]

Another article to add to the list: http://www.darkreading.com/blog/archives/2010/05/is_khobe_an_ear.html?cid=nl_DR_DAILY_2010-05-11_h (also references Paul Ducklin's article on Sophos, but then again Graham Cluley works for Sophos too )

 

[Corrine]

Further discrediting of Matousec's findings:

Evilcodecave: Ruining a Myth - KHOBE The AntiVirus Earthquake - Pure Hysteria

 

[Jacee]

I found this on another forum in a post about this same subject

Interesting how some journalists/publishers carry on........
It makes me think that perhaps I should write an article along the lines off:

"Security expert finds a way of "picking" a lock.... rendering all locks throughout the world useless"

:roflmao:

 

[CarlTR6]

Another article to add to the list: http://www.darkreading.com/blog/archives/2010/05/is_khobe_an_ear.html?cid=nl_DR_DAILY_2010-05-11_h (also references Paul Ducklin's article on Sophos, but then again Graham Cluley works for Sophos too )

Further discrediting of Matousec's findings:

Evilcodecave: Ruining a Myth - KHOBE The AntiVirus Earthquake - Pure Hysteria

Good reads, Corrine. Thanks for the links. "Much ado about nothing."