SOLVED New attack bypasses EVERY Windows security product


Joined
Feb 21, 2010
Messages
165
Reaction score
77
Members,
Just when we all thought that we were on a good roll this hits us all again and again just when are we going to be secure,safe as well able to stop this How or Never hey?whats your view on this as for me it crushes my future that this is going to be a huge part of being Online today especially in 2010.



Are you a Windows user? Do you make sure that your antivirus program is updated regularly? Do you feel safe? You shouldn’t! Read on to find out why …
Security researchers at Matousec.com have come up with an ingenious attack that can bypass every Windows security product tested and allow malicious code to make its way to your system.
Yes, you read that right - every Windows security product tested. And the list is both huge and sobering:
  • 3D EQSecure Professional Edition 4.2
  • avast! Internet Security 5.0.462
  • AVG Internet Security 9.0.791
  • Avira Premium Security Suite 10.0.0.536
  • BitDefender Total Security 2010 13.0.20.347
  • Blink Professional 4.6.1
  • CA Internet Security Suite Plus 2010 6.0.0.272
  • Comodo Internet Security Free 4.0.138377.779
  • DefenseWall Personal Firewall 3.00
  • Dr.Web Security Space Pro 6.0.0.03100
  • ESET Smart Security 4.2.35.3
  • F-Secure Internet Security 2010 10.00 build 246
  • G DATA TotalCare 2010
  • Kaspersky Internet Security 2010 9.0.0.736
  • KingSoft Personal Firewall 9 Plus 2009.05.07.70
  • Malware Defender 2.6.0
  • McAfee Total Protection 2010 10.0.580
  • Norman Security Suite PRO 8.0
  • Norton Internet Security 2010 17.5.0.127
  • Online Armor Premium 4.0.0.35
  • Online Solutions Security Suite 1.5.14905.0
  • Outpost Security Suite Pro 6.7.3.3063.452.0726
  • Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION
  • Panda Internet Security 2010 15.01.00
  • PC Tools Firewall Plus 6.0.0.88
  • PrivateFirewall 7.0.20.37
  • Security Shield 2010 13.0.16.313
  • Sophos Endpoint Security and Control 9.0.5
  • ThreatFire 4.7.0.17
  • Trend Micro Internet Security Pro 2010 17.50.1647.0000
  • Vba32 Personal 3.12.12.4
  • VIPRE Antivirus Premium 4.0.3272
  • VirusBuster Internet Security Suite 3.2
  • Webroot Internet Security Essentials 6.1.0.145
  • ZoneAlarm Extreme Security 9.1.507.000
  • probably other versions of above mentioned software
  • possibly many other software products that use kernel hooks to implement security features
The attack is a clever “bait-and-switch” style move. Harmless code is passed to the security software for scanning, but as soon as it’s given the green light, it’s swapped for the malicious code. The attack works even more reliably on multi-core systems because one thread doesn’t keep an eye on other threads that are running simultaneously, making the switch easier.
The attack, called KHOBE (Kernel HOok Bypassing Engine), leverages a Windows module called the System Service Descriptor Table, or SSDT, which is hooked up to the Windows kernel. Unfortunately, SSDT is utilized by antivirus software.
Note: The issue affecting SSDT have been known for some time but as yet haven’t been leveraged by attackers. However, as multi-core systems make this attack more reliable, and they are now becoming the norm, this is now a much greater threat.
Oh, and don’t think that just because you are running as a standard user that you’re safe, you’re not. This attack doesn’t need admin rights.
However, it does require a lot of code to work, so it’s far from ideal for attackers. That said, its ability to completely neuter security software is quite frightening. I assume that security vendors the world over are now scrambling to come up with a fix for this issue.
[UPDATE: Graham Cluley, Senior Technology Consultant at Sophos, has this to say:
The dramatic headlines might make you think that this is TEOTWAWKI*, but the truth is somewhat different.
Because KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec describes is a way of "doing something extra" if the bad guys' malicious code manages to get past your anti-virus software in the first place.
In other words, KHOBE is only an issue if anti-virus products such as Sophos (and many others) miss the malware. And that's one of the reasons, of course, why we - and to their credit other vendors - offer a layered approach using a variety of protection technologies.
While Cluley has a point here in that AV companies will still be able to add signatures to detect any KHOBE-like package in the wild, thus labeling the whole thing as malware and preventing it from getting a foothold on a system in the first place. But this still doesn't change the fact that there's one vulnerability here that basically "rules them all."
Paul Ducklin, Sophos's Head of Technology, has this to add:
So the Khobe "attack" boils down to this: if you can write malware which already gets past Sophos's on-access virus blocker, and past Sophos's HIPS, then you may be able to use the Khobe code to bypass Sophos's HIPS - which, of course, you just bypassed anyway. Oh, and only if you are using Windows XP.
In short: Sophos's on-access anti-virus scanner doesn't uses SSDT hooks, so it's fair for us to say that this isn't a vulnerabilty for us at all. But what about other anti-virus software? Though I'm not usually an apologist for our competitors, I feel compelled to speak out in this case.
The fuss about Khobe is in my opinion unwarranted, and the claims that it "bypasses virtually all anti-virus software" is scaremongering.
While I agree with the majority of what Ducklin has to say, I take issue with two points. First, that throwaway "Oh, and only if you are using Windows XP" line belittles the fact that while Vista and 7 users are safe, some 60% of PCs still use XP, and quite a lot of these are multi-core equipped. Secondly, while Sophos's own on-access scanner might not use SSDT hooks, it's clear that a lot of products do.
F-Secure has the following on KHOBE:
This is a serious issue and Matousec's technical findings are correct. However, this attack does not "break" all antivirus systems forever. Far from it.
First of all, any malware that we detect by our antivirus will still be blocked, just like it always was.
So the issue only affects new, unknown malware that we do not have signature detection for.
To protect our customers against such unknown malware, we have several layers of sensors and generic detection engines. Matousec's discovery is able to bypass only a few of these sensors.
We believe our multi-layer approach will provide sufficient protection level even if malicious code were to attempt use of Matousec's technique.
And if we would see such an attack, we would simply add signature detection for it, stopping it in its tracks. We haven't seen any attacks using this technique in the wild.
Are you reassured?]
Mac and Linux users, feel free to engage “smug mode” for a little while …


Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology.

copy & pasted by jeffreyobrien for and on behalf of ZDNet 13/05/2010
 
Ad

Advertisements

Fire cat

Established Member
VIP Member
Joined
Mar 7, 2010
Messages
1,157
Reaction score
191
Ah... That's pretty scary.
Though, was there any know uses of this flaw by hackers?

Thanks.
Fire Cat
 
Joined
Feb 21, 2010
Messages
165
Reaction score
77
Ah... That's pretty scary.
Though, was there any know uses of this flaw by hackers?

Thanks.
Fire Cat
Fire Cat,
read the article the links do work & it isn't scary I think it s always that a good thing is always ruined by the small majority (Hackers) yes they abuse a Known flaw backdoor however I myself can do this and that but at the end of the day its all Good to know about things as serious as this especially today.

In todays world everything just about is done with computers and that is scary.
regards
jeffreyobrien
 

Nibiru2012

Quick Scotty, beam me up!
VIP Member
Joined
Oct 27, 2009
Messages
4,955
Reaction score
1,302
Well... this sucks! I wish these hackers would get a real life and do something constructive, like passing out burgers at McDonalds/
 

catilley1092

Win 7/Linux Mint Lover
VIP Member
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
I was reading near the middle of the article that most of the affected systems were XP ones (as I understood it). Does this mean that Windows 7 & Vista are off the hook? Does this have anything to do with "remote code execution"? Almost every computer user uses one or more of the AV suites in that list. What does this mean for us?
 
Joined
Feb 21, 2010
Messages
165
Reaction score
77
[SOLVED] New attack bypasses EVERY Windows security product

Nibiru,
I despise hackers especially ones that think they do good but I feel they are the ruin of the Internet and feel that my post was meant for members that are not as up to date as the users that do receive regular updated newsletters from tech net,Zdnet,Microsoft,Mary Jo etc,,I was emailed & told my post was to be marked as solved and I did,so to the member that emailed me with your lousy comments know this "'I am blind'" thats Vision Impaired not stupid OKAY!

regards to all
respectfully
jeffreyobrien
 
Ad

Advertisements

Joined
Feb 21, 2010
Messages
165
Reaction score
77
[SOLVED] New attack bypasses EVERY Windows security product

Catilley,
this should answer your question,I have enclosed the email address for the Author of that report(e-mail address removed)
Not vulnerable software:

  • All software products that do not use SSDT hooks or other kinds of kernel mode hooks on similar level or user mode hooks to implement security features
Events:

  • 2010-05-05: Advisory released
  • 2008-10-28–2010-04-20: Vendors notifications, some vendors confirmed the vulnerability
References:

email here E-mail:research_(at)_matousec.com

(e-mail address removed)
 

Core

all ball, no chain
Moderator
Joined
Feb 13, 2009
Messages
1,175
Reaction score
272
While I don't find this particularly alarming (I've seen bad vulnerabilities come and go, it's the price of doing business where Windows is concerned), it's always good to be aware. At the end of the day, the greatest risk remains between the keyboard and the chair.
 

catilley1092

Win 7/Linux Mint Lover
VIP Member
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
While I don't find this particularly alarming (I've seen bad vulnerabilities come and go, it's the price of doing business where Windows is concerned), it's always good to be aware. At the end of the day, the greatest risk remains between the keyboard and the chair.
This is 100% true. The user should always be aware of what's going on, and watch what they click onto. With Mint, this risk is lowered significantly. But even with Linux OS's, you can't be reckless, the possibility of remote code execution still exists.
 

Nibiru2012

Quick Scotty, beam me up!
VIP Member
Joined
Oct 27, 2009
Messages
4,955
Reaction score
1,302
copy & pasted by jeffreyobrien for and on behalf of ZDNet 13/05/2010
Does this mean you're a representative of ZDNet? This is confusing because if you aren't it appears as though you're acting as their agent.

Also, if you don't mind since it's proper forum etiquette, to post a SOURCE link so others may go to the actual site the article came from. In this case, to the ZDNet article.

Again, many Thanks for the article.
 
Joined
Feb 21, 2010
Messages
165
Reaction score
77
[SOLVED] New attack bypasses EVERY Windows security product

Does this mean you're a representative of ZDNet? This is confusing because if you aren't it appears as though you're acting as their agent.

Also, if you don't mind since it's proper forum etiquette, to post a SOURCE link so others may go to the actual site the article came from. In this case, to the ZDNet article.

Again, many Thanks for the article.
YES thats correct & the links were fine when I posted SOLVED
jeffreyobrien
 
Ad

Advertisements

catilley1092

Win 7/Linux Mint Lover
VIP Member
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
Jeffrey, I didn't know you were a rep for ZDNet. I've been reading their articles for quite some time, especially Mary Jo's. There is a ton of news regarding all brands of OS's & computers, and other tech gadgets, on that site. Many are quite useful, but some are rumors.
 
Joined
Feb 21, 2010
Messages
165
Reaction score
77
[SOLVED] New attack bypasses EVERY Windows security product >

catilley,
my association with zdnet,technet,Microsoft,Verisign,Mary Jo,many more are all because I help them in obtaining facts,as you said mate rumours are many on the internet,as my website states"If it's Fair Dinkum"i like it :) my true expertise is Search Engine Optimisation (SEO) using IBP4 about 10 years ago has paid off look here at the figures of traffic through my blog all because I entered backlinks such as newspapers,media,advertising,I linked my blog to as many huge companies like technet,zdnet,microsoft etc so I am very proud the traffic speaks for itself.

Oh did I mention the $Money$ is great also :)


Worldwide Rank
7

Monthly Users*
614,646,091
20,207,543 per day*

Monthly Pageviews*
3,239,184,896
106,493,750 per day*

*Estimated Traffic Data


jeffreyobrien.blogspot.com - Overview

Updated:10 minutes ago 18/05/2010

jeffreyobrien.blogspot.com is a website that ranks 7 in Alexa and has a Google PageRank of 8. jeffreyobrien.blogspot.com is ranked on position 31 within com and has 430,891 backlinks according to Alexa. The Site was launched at Monday, 31 July 2000 and is 9 years and 10 months old. The hostname or fully qualified domain name (FQDN) jeffreyobrien.blogspot.com consists of the label jeffreyobrien within the domain name blogspot.com. The domain is registered under the domain suffix com and is named blogspot. The jeffreyobrien.blogspot.com Server is powered by GSE webserver software and is located in United States (California). The median load time is 1718 milliseconds which is faster than 49% of the other websites. jeffreyobrien.blogspot.com is listed in the dmoz open directory project in at least 8 categories. jeffreyobrien.blogspot.com - Website Title

jeffreyobrien
 

catilley1092

Win 7/Linux Mint Lover
VIP Member
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
Jeffrey, you really have been getting around very well! I never realized you had been working for that long in the field. In fact, had Nibiru not brought it up, we may never had known. You said the money is good, and apparently you enjoy your work, so keep the great articles coming.:top:
 
Ad

Advertisements

Veedaz

~
VIP Member
Joined
Sep 1, 2009
Messages
1,988
Reaction score
374
Ive heard of what some have called (Ai malicious code) its a good idea to keep a full backup of your system / systems outside of your system :)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top