New attack bypasses virtually all AV protection
Bait, switch, exploit!
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
Researchers say they've devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.
The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it's executed, swaps it out with a malicious payload.
The exploit has to be timed just right so the benign code isn't switched too soon or too late. But for systems running on multicore processors, matousec's "argument-switch" attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked.
All that's required is that the AV software use SSDT, or System Service Descriptor Table, hooks to modify parts of the OS kernel.
"We have performed tests with [most of] today's Windows desktop security products," the researchers wrote. "The results can be summarized in one sentence: If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100% of the tested products were found vulnerable."
The researchers listed 34 products that they said were susceptible to the attack, but the list was limited by the amount of time they had for testing. "Otherwise, the list would be endless," they said.
The technique works even when Windows is running under an account with limited privileges.
Still, the exploit has its limitations. It requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC.
Still, the technique might be combined with an exploit of another piece of software, say, a vulnerable version of Adobe Reader or Oracle's Java Virtual Machine to install malware without arousing the suspicion of the any AV software the victim was using.
"Realistic scenario: someone uses McAfee or another affected product to secure their desktops," H D Moore, CSO and Chief Architect of the Metasploit project, told The Register in an instant message. "A malware developer abuses this race condition to bypass the system call hooks, allowing the malware to install itself and remove McAfee. In that case, all of the 'protection' offered by the product is basically moot."
A user without administrative rights could also use the attack to kill an installed and running AV, even though only admin accounts should be able to do this, Charlie Miller, principal security analyst at Independent Security Evaluators, said.
Matousec.com's research is here. ®
COMMENTS
I bet...
it can't remove Norton.
NOTHING can remove Norton...
Re: What a load of FUD, sort of.
"The problem now with Linux is that there are more and more non-technical users who don't understand the model"
'ere we go again. Techie snobbery, everyone else who doesn't have technical knowledge is inferior etc. etc. Let's make a virtue out of complexity etc. etc. What do you want Linux to become? Do you want it to increase in popularity or not. Many "don't want to understand the model" and shouldn't have to. The funky computer should itself sort that out - just like the one in the 80s Ulysses cartoon. I'm with Shuttleworth and Ubuntu on this. Oh yeah and don't get me started on the nerdy Linux names: G-this K-that etc...
"still insist on installing packages with sudo instead of putting them in their own home dir. "
And why is that? If it was just as easy, if not easier to install the package in their home directory without needing sudo, then don't you think they would do it? Obviously its not so easy that's why they do it.
"Encouraged by the infrastructure of apt/yum/etc...."
Well that is a problem: the plethora of distribution and installation methods. No benefit in this duplicity. If there was just one OR a standard for them to follow then it would be simpler.
Go on, thumb me down.
Re : using linux
"I will point out that saying "we're immune because we're unpopular!" is not a good strategy for an OS, one way or another"
You'll be glad to hear that that has NEVER been a strategy for Linux or FreeBSD
@cornz1 - posted from an apparently unusable computer - which is also unusable for e-mail, video watching, word processing, spreadsheets, audio and video editing, Google Earth, software development, PCB design, PIC programming, protein modelling, photography including RAW development for my shiny new Canon 550D, remote access to my home server and wife's school's Windows server, etc,......... get the idea ?
No - no AV here either.
IT infrastructure monitoring strategies
Agentless Backup is Not a Myth
Top 10 SIEM implementer’s checklist
Steps to Take Before Choosing a Business Continuity Partner
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
