Feeds

New attack bypasses virtually all AV protection

Bait, switch, exploit!

Combat fraud and increase customer satisfaction

Researchers say they've devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.

The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it's executed, swaps it out with a malicious payload.

The exploit has to be timed just right so the benign code isn't switched too soon or too late. But for systems running on multicore processors, matousec's "argument-switch" attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked.

All that's required is that the AV software use SSDT, or System Service Descriptor Table, hooks to modify parts of the OS kernel.

"We have performed tests with [most of] today's Windows desktop security products," the researchers wrote. "The results can be summarized in one sentence: If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100% of the tested products were found vulnerable."

The researchers listed 34 products that they said were susceptible to the attack, but the list was limited by the amount of time they had for testing. "Otherwise, the list would be endless," they said.

The technique works even when Windows is running under an account with limited privileges.

Still, the exploit has its limitations. It requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC.

Still, the technique might be combined with an exploit of another piece of software, say, a vulnerable version of Adobe Reader or Oracle's Java Virtual Machine to install malware without arousing the suspicion of the any AV software the victim was using.

"Realistic scenario: someone uses McAfee or another affected product to secure their desktops," H D Moore, CSO and Chief Architect of the Metasploit project, told The Register in an instant message. "A malware developer abuses this race condition to bypass the system call hooks, allowing the malware to install itself and remove McAfee. In that case, all of the 'protection' offered by the product is basically moot."

A user without administrative rights could also use the attack to kill an installed and running AV, even though only admin accounts should be able to do this, Charlie Miller, principal security analyst at Independent Security Evaluators, said.

Matousec.com's research is here. ®

SANS - Survey on application security programs

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.