Windows 7 Forums



New attack bypasses EVERY Windows security product

 
 
Jeffreyobrien
05-13-2010
Members,
Just when we all thought that we were on a good roll, this hits us all again and again. Just when are we going to be secure, safe, as well as able to stop this? How, or never, hey? What's your view on this? As for me, it crushes my future that this is going to be a huge part of being online today, especially in 2010.



Are you a Windows user? Do you make sure that your antivirus program is updated regularly? Do you feel safe? You shouldn’t! Read on to find out why …
Security researchers at Matousec.com have come up with an ingenious attack that can bypass every Windows security product tested and allow malicious code to make its way to your system.
Yes, you read that right - every Windows security product tested. And the list is both huge and sobering:
  • 3D EQSecure Professional Edition 4.2
  • avast! Internet Security 5.0.462
  • AVG Internet Security 9.0.791
  • Avira Premium Security Suite 10.0.0.536
  • BitDefender Total Security 2010 13.0.20.347
  • Blink Professional 4.6.1
  • CA Internet Security Suite Plus 2010 6.0.0.272
  • Comodo Internet Security Free 4.0.138377.779
  • DefenseWall Personal Firewall 3.00
  • Dr.Web Security Space Pro 6.0.0.03100
  • ESET Smart Security 4.2.35.3
  • F-Secure Internet Security 2010 10.00 build 246
  • G DATA TotalCare 2010
  • Kaspersky Internet Security 2010 9.0.0.736
  • KingSoft Personal Firewall 9 Plus 2009.05.07.70
  • Malware Defender 2.6.0
  • McAfee Total Protection 2010 10.0.580
  • Norman Security Suite PRO 8.0
  • Norton Internet Security 2010 17.5.0.127
  • Online Armor Premium 4.0.0.35
  • Online Solutions Security Suite 1.5.14905.0
  • Outpost Security Suite Pro 6.7.3.3063.452.0726
  • Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION
  • Panda Internet Security 2010 15.01.00
  • PC Tools Firewall Plus 6.0.0.88
  • PrivateFirewall 7.0.20.37
  • Security Shield 2010 13.0.16.313
  • Sophos Endpoint Security and Control 9.0.5
  • ThreatFire 4.7.0.17
  • Trend Micro Internet Security Pro 2010 17.50.1647.0000
  • Vba32 Personal 3.12.12.4
  • VIPRE Antivirus Premium 4.0.3272
  • VirusBuster Internet Security Suite 3.2
  • Webroot Internet Security Essentials 6.1.0.145
  • ZoneAlarm Extreme Security 9.1.507.000
  • probably other versions of above mentioned software
  • possibly many other software products that use kernel hooks to implement security features
The attack is a clever “bait-and-switch” style move. Harmless code is passed to the security software for scanning, but as soon as it’s given the green light, it’s swapped for the malicious code. The attack works even more reliably on multi-core systems because one thread doesn’t keep an eye on other threads that are running simultaneously, making the switch easier.
The attack, called KHOBE (Kernel HOok Bypassing Engine), leverages a Windows module called the System Service Descriptor Table, or SSDT, which is hooked up to the Windows kernel. Unfortunately, SSDT is utilized by antivirus software.
Note: The issue affecting SSDT has been known for some time but as yet hasn’t been leveraged by attackers. However, as multi-core systems make this attack more reliable, and they are now becoming the norm, this is now a much greater threat.
Oh, and don’t think that just because you are running as a standard user that you’re safe, you’re not. This attack doesn’t need admin rights.
However, it does require a lot of code to work, so it’s far from ideal for attackers. That said, its ability to completely neuter security software is quite frightening. I assume that security vendors the world over are now scrambling to come up with a fix for this issue.
[UPDATE: Graham Cluley, Senior Technology Consultant at Sophos, has this to say:
The dramatic headlines might make you think that this is TEOTWAWKI*, but the truth is somewhat different.
Because KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec describes is a way of "doing something extra" if the bad guys' malicious code manages to get past your anti-virus software in the first place.
In other words, KHOBE is only an issue if anti-virus products such as Sophos (and many others) miss the malware. And that's one of the reasons, of course, why we - and to their credit other vendors - offer a layered approach using a variety of protection technologies.
Cluley has a point here in that AV companies will still be able to add signatures to detect any KHOBE-like package in the wild, thus labeling the whole thing as malware and preventing it from getting a foothold on a system in the first place. But this still doesn't change the fact that there's one vulnerability here that basically "rules them all."
Paul Ducklin, Sophos's Head of Technology, has this to add:
So the Khobe "attack" boils down to this: if you can write malware which already gets past Sophos's on-access virus blocker, and past Sophos's HIPS, then you may be able to use the Khobe code to bypass Sophos's HIPS - which, of course, you just bypassed anyway. Oh, and only if you are using Windows XP.
In short: Sophos's on-access anti-virus scanner doesn't use SSDT hooks, so it's fair for us to say that this isn't a vulnerability for us at all. But what about other anti-virus software? Though I'm not usually an apologist for our competitors, I feel compelled to speak out in this case.
The fuss about Khobe is in my opinion unwarranted, and the claim that it "bypasses virtually all anti-virus software" is scaremongering.
While I agree with the majority of what Ducklin has to say, I take issue with two points. First, that throwaway "Oh, and only if you are using Windows XP" line belittles the fact that while Vista and 7 users are safe, some 60% of PCs still use XP, and quite a lot of these are multi-core equipped. Secondly, while Sophos's own on-access scanner might not use SSDT hooks, it's clear that a lot of products do.
F-Secure has the following on KHOBE:
This is a serious issue and Matousec's technical findings are correct. However, this attack does not "break" all antivirus systems forever. Far from it.
First of all, any malware that we detect by our antivirus will still be blocked, just like it always was.
So the issue only affects new, unknown malware that we do not have signature detection for.
To protect our customers against such unknown malware, we have several layers of sensors and generic detection engines. Matousec's discovery is able to bypass only a few of these sensors.
We believe our multi-layer approach will provide sufficient protection level even if malicious code were to attempt use of Matousec's technique.
And if we would see such an attack, we would simply add signature detection for it, stopping it in its tracks. We haven't seen any attacks using this technique in the wild.
Are you reassured?]
Mac and Linux users, feel free to engage “smug mode” for a little while …


Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology.

copy & pasted by jeffreyobrien for and on behalf of ZDNet 13/05/2010
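The check-then-use gap the article describes, as an added example that is not from the article, the forum or Matousec's code: a constructed C model of a hook that inspects a path argument still sitting in user-controlled memory, where `swap` stands in for the second thread the article mentions. `hook_in_place` validates the user buffer and then uses it, while `hook_snapshot` copies the argument into memory the caller cannot reach before checking, which is the mitigation a hook author would want. The function names and the `\Device\Blocked` policy are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed model: a hook inspects a path argument that still lives in
 * user-controlled memory. `swap` stands in for a second thread that rewrites
 * that memory between the hook's check and the real service's use. */
typedef void (*swap_fn)(char *user_arg);

/* Hypothetical policy: refuse anything under \Device\Blocked. */
bool is_allowed(const char *path) {
    return strncmp(path, "\\Device\\Blocked", 15) != 0;
}

/* Vulnerable pattern: check the user buffer, then use it in place. */
bool hook_in_place(char *user_arg, swap_fn swap, char *used, size_t n) {
    if (!is_allowed(user_arg)) return false;   /* check */
    swap(user_arg);                            /* other thread runs here */
    snprintf(used, n, "%s", user_arg);         /* use: reads changed data */
    return true;
}

/* Hardened pattern: snapshot into memory the caller cannot reach, then
 * check and use only the snapshot. */
bool hook_snapshot(char *user_arg, swap_fn swap, char *used, size_t n) {
    char copy[64];
    snprintf(copy, sizeof copy, "%s", user_arg);   /* capture first */
    if (!is_allowed(copy)) return false;
    swap(user_arg);                            /* user memory changes, copy does not */
    snprintf(used, n, "%s", copy);
    return true;
}

/* Constructed interleavings: one rewrites the argument, one leaves it alone. */
void swap_after_check(char *user_arg) { strcpy(user_arg, "\\Device\\Blocked\\x"); }
void no_swap(char *user_arg) { (void)user_arg; }
/* Drives one hook with a harmless argument; returns true if the service
 * ended up operating on a blocked path despite the hook's check. */
bool service_saw_blocked(bool (*hook)(char *, swap_fn, char *, size_t), swap_fn swap) {
    char user_arg[64] = "\\Device\\Harmless\\x";
    char used[64] = "";
    if (!hook(user_arg, swap, used, sizeof used)) return false;
    return !is_allowed(used);
}

int main(void) {
    printf("in-place hook fooled: %d\n", service_saw_blocked(hook_in_place, swap_after_check));
    printf("snapshot hook fooled: %d\n", service_saw_blocked(hook_snapshot, swap_after_check));
    return 0;
}
```

The same snapshot-then-check rule applies to any argument a hook reads from memory the caller can still write, not only paths.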
 
Fire cat
05-13-2010
Ah... That's pretty scary.
Though, were there any known uses of this flaw by hackers?

Thanks.
Fire Cat
 
Jeffreyobrien
05-14-2010
Quote:
Originally Posted by fire cat
Ah... That's pretty scary.
Though, were there any known uses of this flaw by hackers?

Thanks.
Fire Cat
Fire Cat,
read the article; the links do work, and it isn't scary. I think it's always that a good thing is always ruined by the small majority (hackers). Yes, they abuse a known flaw/backdoor; however, I myself can do this and that, but at the end of the day it's all good to know about things as serious as this, especially today.

In today's world just about everything is done with computers, and that is scary.
regards
jeffreyobrien
 
Nibiru2012
05-14-2010
Well... this sucks! I wish these hackers would get a real life and do something constructive, like passing out burgers at McDonald's.
 
catilley1092
05-14-2010
I was reading near the middle of the article that most of the affected systems were XP ones (as I understood it). Does this mean that Windows 7 & Vista are off the hook? Does this have anything to do with "remote code execution"? Almost every computer user uses one or more of the AV suites in that list. What does this mean for us?
 
Jeffreyobrien
05-14-2010
Nibiru,
I despise hackers, especially ones that think they do good, but I feel they are the ruin of the Internet, and I feel that my post was meant for members that are not as up to date as the users that do receive regular updated newsletters from TechNet, ZDNet, Microsoft, Mary Jo, etc. I was emailed and told my post was to be marked as solved, and I did, so to the member that emailed me with your lousy comments, know this: "I am blind", that's vision impaired, not stupid, OKAY!

regards to all
respectfully
jeffreyobrien
 
Jeffreyobrien
05-14-2010
Catilley,
this should answer your question. I have enclosed the email address for the author of that report (matousec.com).
Not vulnerable software:
  • All software products that do not use SSDT hooks or other kinds of kernel mode hooks on similar level or user mode hooks to implement security features
Events:
  • 2010-05-05: Advisory released
  • 2008-10-28–2010-04-20: Vendors notifications, some vendors confirmed the vulnerability
References:
E-mail: research_(at)_matousec.com
 
Core
05-14-2010
While I don't find this particularly alarming (I've seen bad vulnerabilities come and go, it's the price of doing business where Windows is concerned), it's always good to be aware. At the end of the day, the greatest risk remains between the keyboard and the chair.
 
catilley1092
05-14-2010
Quote:
Originally Posted by Core
While I don't find this particularly alarming (I've seen bad vulnerabilities come and go, it's the price of doing business where Windows is concerned), it's always good to be aware. At the end of the day, the greatest risk remains between the keyboard and the chair.
This is 100% true. The user should always be aware of what's going on, and watch what they click onto. With Mint, this risk is lowered significantly. But even with Linux OSes, you can't be reckless; the possibility of remote code execution still exists.
 
Nibiru2012
05-16-2010
Quote:
copy & pasted by jeffreyobrien for and on behalf of ZDNet 13/05/2010
Does this mean you're a representative of ZDNet? This is confusing because if you aren't it appears as though you're acting as their agent.

Also, if you don't mind, since it's proper forum etiquette, please post a SOURCE link so others may go to the actual site the article came from. In this case, to the ZDNet article.

Again, many Thanks for the article.
 