I'm not qualified to evaluate this research on its technical merits, but I believe that some of you are.
---Rsk

----- Forwarded message from Richard Forno <[email protected]> -----

> Date: Sun, 9 May 2010 11:47:41 -0400
> From: Richard Forno <[email protected]>
> To: List Infowarrior <[email protected]>
> Subject: [Infowarrior] - New attack bypasses virtually all AV protection
>
> New attack bypasses virtually all AV protection
>
> http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass/
>
> By Dan Goodin in San Francisco
>
> Posted in Security, 7th May 2010 18:17 GMT
>
> Researchers say they've devised a way to bypass protections built in to
> dozens of the most popular desktop anti-virus products, including those
> offered by McAfee, Trend Micro, AVG, and BitDefender.
>
> The method, developed by software security researchers at matousec.com, works
> by exploiting the driver hooks the anti-virus programs bury deep inside the
> Windows operating system. In essence, it works by sending them a sample of
> benign code that passes their security checks and then, before it's executed,
> swaps it out with a malicious payload.
>
> The exploit has to be timed just right so the benign code isn't switched too
> soon or too late. But for systems running on multicore processors, matousec's
> "argument-switch" attack is fairly reliable because one thread is often
> unable to keep track of other simultaneously running threads. As a result,
> the vast majority of malware protection offered for Windows PCs can be
> tricked into allowing malicious code that under normal conditions would be
> blocked.
>
> All that's required is that the AV software use SSDT, or System Service
> Descriptor Table, hooks to modify parts of the OS kernel.
>
> "We have performed tests with [most of] today's Windows desktop security
> products," the researchers wrote. "The results can be summarized in one
> sentence: If a product uses SSDT hooks or other kind of kernel mode hooks on
> similar level to implement security features it is vulnerable. In other
> words, 100% of the tested products were found vulnerable."
>
> The researchers listed 34 products that they said were susceptible to the
> attack, but the list was limited by the amount of time they had for testing.
> "Otherwise, the list would be endless," they said.
>
> The technique works even when Windows is running under an account with
> limited privileges.
>
> Still, the exploit has its limitations. It requires a large amount of code to
> be loaded onto the targeted machine, making it impractical for
> shellcode-based attacks or attacks that rely on speed and stealth. It can
> also be carried out only when an attacker already has the ability to run a
> binary on the targeted PC.
>
> Still, the technique might be combined with an exploit of another piece of
> software, say, a vulnerable version of Adobe Reader or Oracle's Java Virtual
> Machine, to install malware without arousing the suspicion of any AV
> software the victim was using.
>
> "Realistic scenario: someone uses McAfee or another affected product to
> secure their desktops," H D Moore, CSO and Chief Architect of the Metasploit
> project, told The Register in an instant message. "A malware developer abuses
> this race condition to bypass the system call hooks, allowing the malware to
> install itself and remove McAfee. In that case, all of the 'protection'
> offered by the product is basically moot."
>
> A user without administrative rights could also use the attack to kill an
> installed and running AV, even though only admin accounts should be able to
> do this, Charlie Miller, principal security analyst at Independent Security
> Evaluators, said.
>
> Matousec.com's research is here:
> http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php
>
> _______________________________________________
> Infowarrior mailing list
> [email protected]
> https://attrition.org/mailman/listinfo/infowarrior

----- End forwarded message -----

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
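The check-then-swap race the article describes is a double fetch: the hook reads a system-call argument out of attacker-controlled memory to validate it, the original service reads the same memory again to act on it, and a second attacker thread rewrites the argument in between. The following is an added example, not code from the article, from matousec, or from any of the products named: a user-mode model of that race, with a deterministic driver that forces the interleaving and a threaded version that lets it happen for real. The path policy, the file names, the NtCreateFile-style argument and the `preempt` callback standing in for the scheduler are all assumptions made for illustration.

```c
/* Added example, not from the article or from matousec: a user-mode model of
 * the "argument switch" double fetch. All names and the policy are illustrative. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ARG_LEN 32
#define BENIGN    "C:\\Users\\me\\report.txt"   /* constructed sample argument */
#define MALICIOUS "C:\\malware\\dropper.exe"   /* constructed sample argument */

/* Hypothetical syscall argument living in user memory (e.g. a path handed to
 * a hooked NtCreateFile-style service). Both hook and service read from here. */
typedef struct { char path[ARG_LEN]; } user_arg_t;

/* Hypothetical policy enforced by the hook: deny anything under C:\malware. */
static bool policy_allows(const char *path) {
    return strncmp(path, "C:\\malware\\", 11) != 0;
}

/* Stand-in for the original service. Returns true if it acted on a path the
 * policy should have blocked, i.e. the hook was bypassed. */
static bool kernel_service(const char *path) {
    return !policy_allows(path);
}

/* The attacker's racing write: overwrite the argument after the check. */
void attacker_switch(user_arg_t *arg) {
    memcpy(arg->path, MALICIOUS, sizeof MALICIOUS);
}

typedef void (*preempt_fn)(user_arg_t *);

/* Vulnerable hook: reads the argument twice, once to check and once to use.
 * `preempt` models another thread being scheduled between the two reads
 * (NULL for no interleaving). Returns true if a denied path reached the service. */
bool hook_double_fetch(user_arg_t *arg, preempt_fn preempt) {
    if (!policy_allows(arg->path))       /* fetch 1: the check */
        return false;                    /* blocked, as intended */
    if (preempt) preempt(arg);           /* window for the other thread */
    return kernel_service(arg->path);    /* fetch 2: the use */
}

/* Hardened hook: copy the argument into memory the attacker cannot touch
 * (here a stack buffer), check the copy, and hand the copy to the service. */
bool hook_single_fetch(user_arg_t *arg, preempt_fn preempt) {
    char local[ARG_LEN];
    memcpy(local, arg->path, ARG_LEN);
    local[ARG_LEN - 1] = '\0';
    if (!policy_allows(local))
        return false;
    if (preempt) preempt(arg);           /* user memory changes... */
    return kernel_service(local);        /* ...but the service uses the copy */
}

/* Deterministic drivers: one call with the given initial argument, optionally
 * with the attacker interleaved between check and use. */
bool run_double_fetch(const char *initial, bool attacker_races) {
    user_arg_t arg;
    memcpy(arg.path, initial, strlen(initial) + 1);
    return hook_double_fetch(&arg, attacker_races ? attacker_switch : NULL);
}
bool run_single_fetch(const char *initial, bool attacker_races) {
    user_arg_t arg;
    memcpy(arg.path, initial, strlen(initial) + 1);
    return hook_single_fetch(&arg, attacker_races ? attacker_switch : NULL);
}

/* Real-thread version: one thread flips the argument back and forth while the
 * other keeps calling the vulnerable hook. The write is deliberately racy;
 * that race is the bug. The bypass count depends on the machine. */
static user_arg_t shared;
static atomic_int stop_flipping;

static void *flipper(void *unused) {
    (void)unused;
    while (!atomic_load(&stop_flipping)) {
        memcpy(shared.path, MALICIOUS, sizeof MALICIOUS);
        atomic_thread_fence(memory_order_seq_cst);
        memcpy(shared.path, BENIGN, sizeof BENIGN);
        atomic_thread_fence(memory_order_seq_cst);
    }
    return NULL;
}

int race_demo(int attempts) {
    int bypasses = 0;
    pthread_t t;
    memcpy(shared.path, BENIGN, sizeof BENIGN);
    atomic_store(&stop_flipping, 0);
    pthread_create(&t, NULL, flipper, NULL);
    for (int i = 0; i < attempts; i++) {
        atomic_thread_fence(memory_order_seq_cst);  /* force fresh reads */
        if (hook_double_fetch(&shared, NULL)) bypasses++;
    }
    atomic_store(&stop_flipping, 1);
    pthread_join(t, NULL);
    return bypasses;
}

int main(void) {
    printf("double fetch, attacker races: bypassed=%d\n", run_double_fetch(BENIGN, true));
    printf("single fetch, attacker races: bypassed=%d\n", run_single_fetch(BENIGN, true));
    printf("threaded race: %d bypasses in 100000 attempts\n", race_demo(100000));
    return 0;
}
```

Build with `gcc -pthread` and run. The deterministic drivers show the mechanism: the double-fetch hook lets the swapped argument through every time the attacker gets the window, while the single-fetch hook never does, because the value it checked and the value it used are the same copy. The threaded run shows why the article ties reliability to multicore machines: the number of bypasses in a fixed number of attempts rises when the flipper thread runs truly in parallel with the caller, and the fix is not better timing but removing the second read.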
