
New attack bypasses virtually all AV protection

Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Sat May 08, 2010 1:06 am

New attack bypasses virtually all AV protection

Researchers at Matousec have devised a new attack technique, called the argument-switch attack or KHOBE attack, that allows malicious code to bypass protection mechanisms of security applications.

The method works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it's executed, swaps it out with a malicious payload.

The exploit has to be timed just right so the benign code isn't switched too soon or too late. But for systems running on multicore processors, Matousec's "argument-switch" attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked.

All that's required is that the AV software use SSDT, or System Service Descriptor Table, hooks to modify parts of the OS kernel.


ALL the security products tested were vulnerable to this attack. Matousec has listed all the tested products on their website. The attack works even with a limited account.

The complete article can be found here:
http://www.matousec.com/info/articles/k ... ftware.php

The Register also covered it in their article:
http://www.theregister.co.uk/2010/05/07 ... av_bypass/
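The check-then-use window the post describes, as an added toy model (Python; not code from this thread, from Matousec, or from any AV product): a hook that validates a syscall argument living in user memory and then re-reads it can have the argument switched by a concurrent thread, while a hook that copies the argument once and validates that private copy cannot. All names (UserArgs, hook_vulnerable, hook_hardened, BLOCKED) are constructed, and the interleaving is injected explicitly rather than relying on real thread timing.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed policy: the hook refuses to let this image run.
BLOCKED = {"evil.exe"}


@dataclass
class UserArgs:
    """Argument block in user-mode memory; another thread may rewrite it at any time."""
    path: str


def kernel_execute(path: str) -> str:
    """Stand-in for the original service routine the hook forwards to."""
    return f"executed {path}"


Interleave = Optional[Callable[[], None]]


def hook_vulnerable(args: UserArgs, other_thread: Interleave = None) -> str:
    """Double fetch: the check and the use each read user memory separately."""
    if args.path in BLOCKED:          # check (first read)
        return "denied"
    if other_thread:                  # window: another core runs here
        other_thread()
    return kernel_execute(args.path)  # use (second read, may differ)


def hook_hardened(args: UserArgs, other_thread: Interleave = None) -> str:
    """Single fetch: capture the argument once, validate and use the same copy."""
    path = args.path                  # one read into memory the caller cannot touch
    if path in BLOCKED:
        return "denied"
    if other_thread:                  # same window, but nothing is re-read afterwards
        other_thread()
    return kernel_execute(path)


def run_switch(hook) -> str:
    """Caller submits a benign argument and flips it inside the window."""
    args = UserArgs(path="benign.exe")

    def switch():
        args.path = "evil.exe"

    return hook(args, switch)


def run_direct(hook) -> str:
    """Blocked argument submitted openly: both hooks must deny it."""
    return hook(UserArgs(path="evil.exe"))


if __name__ == "__main__":
    print("vulnerable:", run_switch(hook_vulnerable))  # executed evil.exe
    print("hardened:  ", run_switch(hook_hardened))    # executed benign.exe
```

The hardened variant is the classic remedy for this class of race: decide on a snapshot the caller can no longer modify, and act only on that snapshot.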

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat May 08, 2010 8:57 am

Re: New attack bypasses virtually all AV protection

That's a very good read. Thanks!
~~~~~~~~~~~~~~
Ketchup

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sat May 08, 2010 1:25 pm

Re: New attack bypasses virtually all AV protection

Great article!
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP, GPEN, C|EH

Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Mon May 10, 2010 10:24 pm

Re: New attack bypasses virtually all AV protection

Just read SANS ISC's take on this subject. Patchguard might provide some protection, but it'll only work with x64 editions of Windows.
http://isc.sans.org/diary.html?storyid=8773&rss
Last edited by Xen on Mon May 10, 2010 10:27 pm, edited 1 time in total.

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Tue May 11, 2010 4:10 am

Re: New attack bypasses virtually all AV protection

I did some extra research on this one and found another article by someone who claims it's a relatively old attack:
http://seclists.org/fulldisclosure/2010/May/93

Some more info on the TOCTOU binding flaw:
http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road I must travel alone...with a little help from EH.net

Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Tue May 11, 2010 4:53 am

Re: New attack bypasses virtually all AV protection

Paul Ducklin, Sophos's Head of Technology, Asia Pacific, published an article on his blog. He argues that the Khobe attack is just an overrated vulnerability. According to him, the attack only works if the malicious code has already bypassed the antivirus in the first place.
http://www.sophos.com/blogs/duck/g/2010 ... th-shaker/

The sample "attack" describes a way in which the tamper protection implemented by some anti-malware products might potentially be bypassed. Assuming you can get your malicious code past the anti-malware product in the first place, of course.

The attack needs a multiprocessor CPU, a security product which is using SSDT hooks and a bit of luck. It also requires that you evade detection by the security product in the first place in order to launch your Khobe code.

For what it's worth, only the optional Host Intrusion Prevention System component (HIPS) in Sophos's anti-malware software uses SSDT hooks. This is the behavioural part of our software, used for monitoring processes which we have already allowed to run. And HIPS doesn't even use SSDT hooks on Windows versions after XP, because Vista and Windows 7 include Microsoft's Kernel Patch Protection, which precludes the use of SSDT hooking.


The fuss about Khobe is in my opinion unwarranted, and the claims that it "bypasses virtually all anti-virus software" are scaremongering.

But these blog posts appear to be nothing more than a 'saving face' kind of thing. Unless other antivirus vendors come up with strong defenses, we should believe that attackers have a good method at hand which they can and will use.
Last edited by Xen on Sun May 16, 2010 12:07 am, edited 1 time in total.
