The flaw that Matousec's Proof of Concept exploits for attacking Windows computers resides at the heart of security software functionality. And multi-core processors, which are more popular than ever, seem to make the problem even worse.
Most, if not all, antivirus solutions rely on signatures and heuristics to detect known viruses, rootkits and other threats. In addition, security vendors have developed newer techniques for intercepting malware at runtime, usually called kernel-mode hooks. These hooks have been refined and implemented in a number of security products over the past couple of years, although not always in a proper way. Matousec has developed an argument-switch attack, or KHOBE attack (where KHOBE stands for Kernel HOok Bypassing Engine). In their paper, they show how such an attack can be used "to bypass protection mechanisms of security applications," and to target "SSDT [System Service Descriptor Table] hooks, which are the most common kernel hooks in today's security software."
Matousec's demonstration focuses on bypassing the security software's detection, not on infection itself. However, such code could in theory be added to a worm, giving it the ability to remain undetected even on a machine protected by antivirus software with the latest updates.
The whole exploit is rather complex, and the paper explains its inner workings in detail, including why and how it can go unnoticed. In short, it targets antivirus applications at a specific moment during their inspection process. Once the antivirus software has given the green light for a call to proceed, there is a small window of time in which its arguments can be modified (by malicious code, we assume) before the call is actually executed. The antivirus software never notices the change, because it has already finished checking.
The now common multi-core processors (and multi-processor hardware in general) unfortunately make matters worse. The technique relies on two threads contending for the same resource at the same time, and such machines make this easier to achieve, according to the paper.
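To show concretely why the window between check and use matters, and how a hook closes it, here is an added educational example in user-space C; it is not code from the Matousec paper or from any antivirus product. The "hook", "service", path names and the `race` callback (a deterministic stand-in for the second thread) are all constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy model of a hooked system service. The filter inspects the
 * caller's argument before the real service runs. Return codes of the hooks:
 * -1 = denied by the filter, 0 = service ran on a harmless object,
 *  1 = service ran on the forbidden object (the outcome the filter must prevent). */
#define KBUF 64
#define FORBIDDEN "\\Device\\Forbidden"

static int real_service(const char *path) {        /* 1 if it touched the forbidden object */
    return strcmp(path, FORBIDDEN) == 0;
}

static int filter_allows(const char *path) {       /* the security product's check */
    return strcmp(path, FORBIDDEN) != 0;
}

/* Vulnerable hook: validates the caller-owned buffer, then hands that same
 * buffer to the service. `race` models another thread running in the window
 * between the check and the use (a deterministic simulation, not a real race). */
int hook_vulnerable(char *user_path, void (*race)(char *)) {
    if (!filter_allows(user_path))
        return -1;
    race(user_path);                /* argument is swapped after the check */
    return real_service(user_path);
}

/* Hardened hook: copy the argument into memory the caller cannot reach,
 * validate the copy, and pass only the copy on. Changes to the caller's
 * buffer after this point are never seen by the service. */
int hook_hardened(char *user_path, void (*race)(char *)) {
    char kpath[KBUF];
    int n = snprintf(kpath, sizeof kpath, "%s", user_path);   /* bounded copy-in */
    if (n < 0 || n >= (int)sizeof kpath)
        return -1;                  /* reject oversize input rather than truncating */
    if (!filter_allows(kpath))
        return -1;
    race(user_path);                /* too late: the service uses kpath */
    return real_service(kpath);
}

void swap_argument(char *user_path) { strcpy(user_path, FORBIDDEN); }  /* the racing thread */
void no_race(char *user_path) { (void)user_path; }                    /* quiet baseline */

int main(void) {
    char buf[KBUF] = "\\Device\\Harmless";
    printf("vulnerable hook, argument swapped: %d\n", hook_vulnerable(buf, swap_argument));
    strcpy(buf, "\\Device\\Harmless");
    printf("hardened hook, argument swapped:   %d\n", hook_hardened(buf, swap_argument));
    return 0;
}
```

The vulnerable hook reports 1 (the forbidden object was reached despite the check), while the hardened hook reports 0 because the service only ever acts on the snapshot taken before validation.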
On a final note, Matousec points out that while the exploit is actually very simple in its execution, it is not as easily applicable in practice. The proof of concept requires a significant amount of malicious code to be present on the machine already in order to carry out the attack. Moreover, Matousec says it has not spotted code of this nature in the wild, so with a little luck this will stay in the realm of theoretical attacks. Nevertheless, they believe antivirus vendors should definitely work to plug this hole, which affected every antivirus product they tested, including McAfee, Norton and Kaspersky products.