UPDATE - New attack bypasses EVERY Windows security product

Summary: Are you a Windows user? Do you make sure that your antivirus program is updated regularly? Do you feel safe? You shouldn't! Read on to find out why ...

Security researchers at Matousec.com have come up with an ingenious attack that can bypass every Windows security product tested and allow malicious code to make its way to your system.

Yes, you read that right - every Windows security product tested. And the list is both huge and sobering:

  • 3D EQSecure Professional Edition 4.2
  • avast! Internet Security 5.0.462
  • AVG Internet Security 9.0.791
  • Avira Premium Security Suite
  • BitDefender Total Security 2010
  • Blink Professional 4.6.1
  • CA Internet Security Suite Plus 2010
  • Comodo Internet Security Free 4.0.138377.779
  • DefenseWall Personal Firewall 3.00
  • Dr.Web Security Space Pro
  • ESET Smart Security
  • F-Secure Internet Security 2010 10.00 build 246
  • G DATA TotalCare 2010
  • Kaspersky Internet Security 2010
  • KingSoft Personal Firewall 9 Plus 2009.05.07.70
  • Malware Defender 2.6.0
  • McAfee Total Protection 2010 10.0.580
  • Norman Security Suite PRO 8.0
  • Norton Internet Security 2010
  • Online Armor Premium
  • Online Solutions Security Suite 1.5.14905.0
  • Outpost Security Suite Pro
  • Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION
  • Panda Internet Security 2010 15.01.00
  • PC Tools Firewall Plus
  • PrivateFirewall
  • Security Shield 2010
  • Sophos Endpoint Security and Control 9.0.5
  • ThreatFire
  • Trend Micro Internet Security Pro 2010 17.50.1647.0000
  • Vba32 Personal
  • VIPRE Antivirus Premium 4.0.3272
  • VirusBuster Internet Security Suite 3.2
  • Webroot Internet Security Essentials
  • ZoneAlarm Extreme Security 9.1.507.000
  • probably other versions of above mentioned software
  • possibly many other software products that use kernel hooks to implement security features

The attack is a clever "bait-and-switch" style move. Harmless code is passed to the security software for scanning, but as soon as it's given the green light, it's swapped for the malicious code. The attack works even more reliably on multi-core systems: the thread doing the check cannot see what another thread, running at the same moment on a second core, is doing to the data it just approved, which makes the switch easier.

The attack, called KHOBE (Kernel HOok Bypassing Engine), leverages a Windows kernel structure called the System Service Descriptor Table, or SSDT, which the kernel uses to dispatch system calls. Unfortunately, antivirus software hooks the SSDT to intercept those calls, and that is exactly where the switch happens.
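The check-then-use race described above, shown as a constructed C model with the defensive fix beside it. This is an added example, not Matousec's code or any vendor's hook: the filter policy, the callback that stands in for the second core, and the file names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed model of the bait-and-switch the article describes: an SSDT-style
 * hook inspects a syscall argument that still lives in the caller's memory, and a
 * second thread rewrites it after the check. The "other core" is a callback so the
 * outcome is deterministic. Added example, not Matousec's or any vendor's code. */
typedef void (*switch_fn)(char *user_arg);

/* Stand-in for the product's filter policy: only "benign.dll" may be loaded. */
static bool hook_allows(const char *path) { return strcmp(path, "benign.dll") == 0; }

/* Stand-in for the real kernel service: records which path it acted on. */
static const char *kernel_service(const char *path, char *out, size_t n) {
    snprintf(out, n, "%s", path);
    return out;
}

/* Racy pattern: check the caller's buffer, then let the service read it again. */
const char *dispatch_racy(char *user_arg, switch_fn other_core, char *out, size_t n) {
    if (!hook_allows(user_arg)) return "BLOCKED";
    other_core(user_arg);               /* window between check and use */
    return kernel_service(user_arg, out, n);
}

/* Hardened pattern: capture the argument once into memory the caller cannot
 * reach, then check and use only that copy. */
const char *dispatch_captured(char *user_arg, switch_fn other_core, char *out, size_t n) {
    char captured[64];
    snprintf(captured, sizeof captured, "%s", user_arg);
    if (!hook_allows(captured)) return "BLOCKED";
    other_core(user_arg);               /* same window; the copy is untouched */
    return kernel_service(captured, out, n);
}

/* Constructed "other core": rewrites the argument after the hook approved it. */
void swap_after_check(char *user_arg) { strcpy(user_arg, "evil.dll"); }

/* Runs one scenario; returns the path the service acted on, or "BLOCKED". */
const char *run_scenario(bool hardened, const char *initial) {
    static char user_arg[64], out[64];
    snprintf(user_arg, sizeof user_arg, "%s", initial);
    return hardened ? dispatch_captured(user_arg, swap_after_check, out, sizeof out)
                    : dispatch_racy(user_arg, swap_after_check, out, sizeof out);
}

int main(void) {
    printf("racy:     %s\n", run_scenario(false, "benign.dll")); /* evil.dll */
    printf("captured: %s\n", run_scenario(true, "benign.dll"));  /* benign.dll */
}
```

The racy dispatcher approves "benign.dll" and then acts on "evil.dll"; the captured one acts on the copy it actually checked, so the swap has no effect.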

Note: The issue affecting SSDT hooks has been known for some time but has not yet been leveraged by attackers. However, multi-core systems make this attack more reliable, and they are now becoming the norm, so this is now a much greater threat.

Oh, and don't think that just because you are running as a standard user you're safe. You're not: this attack doesn't need admin rights.

However, it does require a lot of code to work, so it's far from ideal for attackers. That said, its ability to completely neuter security software is quite frightening. I assume that security vendors the world over are now scrambling to come up with a fix for this issue.

[UPDATE: Graham Cluley, Senior Technology Consultant at Sophos, has this to say:

The dramatic headlines might make you think that this is TEOTWAWKI*, but the truth is somewhat different.

Because KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec describes is a way of "doing something extra" if the bad guys' malicious code manages to get past your anti-virus software in the first place.

In other words, KHOBE is only an issue if anti-virus products such as Sophos (and many others) miss the malware. And that's one of the reasons, of course, why we - and to their credit other vendors - offer a layered approach using a variety of protection technologies.

Cluley has a point here: AV companies will still be able to add signatures to detect any KHOBE-like package in the wild, labeling the whole thing as malware and preventing it from getting a foothold on a system in the first place. But this still doesn't change the fact that there's one vulnerability here that basically "rules them all."

Paul Ducklin, Sophos's Head of Technology, has this to add:

So the Khobe "attack" boils down to this: if you can write malware which already gets past Sophos's on-access virus blocker, and past Sophos's HIPS, then you may be able to use the Khobe code to bypass Sophos's HIPS - which, of course, you just bypassed anyway. Oh, and only if you are using Windows XP.

In short: Sophos's on-access anti-virus scanner doesn't use SSDT hooks, so it's fair for us to say that this isn't a vulnerability for us at all. But what about other anti-virus software? Though I'm not usually an apologist for our competitors, I feel compelled to speak out in this case.

The fuss about Khobe is in my opinion unwarranted, and the claims that it "bypasses virtually all anti-virus software" are scaremongering.

While I agree with the majority of what Ducklin has to say, I take issue with two points. First, that throwaway "Oh, and only if you are using Windows XP" line belittles the fact that, while Vista and 7 users are safe, some 60% of PCs still use XP, and quite a lot of these are multi-core equipped. Secondly, while Sophos's own on-access scanner might not use SSDT hooks, it's clear that a lot of products do.

F-Secure has the following on KHOBE:

This is a serious issue and Matousec's technical findings are correct. However, this attack does not "break" all antivirus systems forever. Far from it.

First of all, any malware that we detect by our antivirus will still be blocked, just like it always was.

So the issue only affects new, unknown malware that we do not have signature detection for.

To protect our customers against such unknown malware, we have several layers of sensors and generic detection engines. Matousec's discovery is able to bypass only a few of these sensors.

We believe our multi-layer approach will provide a sufficient level of protection even if malicious code were to attempt use of Matousec's technique.

And if we were to see such an attack, we would simply add signature detection for it, stopping it in its tracks. We haven't seen any attacks using this technique in the wild.

Are you reassured?]

Mac and Linux users, feel free to engage "smug mode" for a little while ...

  • Cue the Microsoft fanboys?

    *cricket sounds*...
    • RE: RE: RE: Okay, maybe the longer version...

      TBH, one can reliably run any machine w/o an antivirus and have a reasonable expectation of not getting infected, so long as you follow some basic rules (mind you, I'd never say the same about enterprises, but individually, a clued-in person can do it).

      That said, I use all three OSes, and feel no smugness about it. Malware is malware, and those friends and relatives whom I have not yet convinced to go Mac or Linux are still going to demand/cajole/beg me to do something about it the next time they get infected.

      That said, I'm gonna get up some popcorn to see just how this gets spun by the Microsoft fanboy crowd. I can comfortably predict that the responses will be one of the following:

      * "All OSes get infected!" (though there will be a complete lack of cites showing similar amounts or proportional infections).

      * "pwn2own!" (in spite of the fact that out here in the real world, you still can't seem to find any OSX infections that don't require an absolute --and hormone-soused-- idiot at the keyboard with his or her admin password handy).

      * "marketshare!" (in spite of the fact that MacOS 9 and before were positively virus-ridden, yet had far smaller marketshares... then there's the whole IIS vs. Apache marketshare thing, then the fact that Macs as a whole are an environment that is practically homogeneous, practically without any A/V, are usually always on, owned by folks who have more disposable wealth and are thus more attractive targets, etc).

      * some attempt at citing vulnerability counts, while disregarding severities, disregarding apps vs. kernel vulns, lumping in binaries on Linux or Macs while ignoring app vulns on Windows, etc.

      * some form of ad hominem against either the author, myself, or any other non-fanboy who posts down here

      * a furious clicking of the "report as spam" link on posts by anyone who presents uncomfortable truths.

      ...did I miss any?
      • It happened to you too?


        I posted a comment, found a typo, tried to edit it but couldn't because one minute later it had already been reported as spam.

        Happened already on two posts this morning.
        OS Reload
      • RE: RE: New attack bypasses EVERY Windows security product

        @Random_Walk

        I could not have said it better myself. This is going to get real good. Where can I get some popcorn or chocolates. Let thy WARS begin.

        Bwahahahahaha
  • But

    @OS Reload

    The rise of another OS will bring about 23985429384293847 more...
    The one and only, Cylon Centurion
    • Care to elaborate?


      How did you arrive at that number?

      P.S. I started by assuming that it was really you (a human) who posted that message but now, after looking at it more closely and seeing that it makes no sense, I'm starting to think that it was generated and posted by some malware that pwned your system.

      Has your system been pwned by malware?
      OS Reload
    • RE: New attack bypasses EVERY Windows security product

      @NStalnecker It was a random number I put in. Truth is for one vulnerability fixed, numerous more pop up in its place. That goes for any operating system used.
      The one and only, Cylon Centurion
    • RE: New attack bypasses EVERY Windows security product

      @NStalnecker I wouldn't worry about it...the dude has some anger issues.
  • Sure thing, OS Reload, sure thing

    Sorry, but the people have spoken, and it looks as though Linux is persona non grata on 99 percent of the world's computers.

    Sorry to have to throw in some facts, but that is what we are here for. ;)
    John Zern
    • Either your Math or your data are completely wrong

      Most certainly both are completely wrong.
      OS Reload
    • RE: New attack bypasses EVERY Windows security product

      @John Zern Read his post again. He was referencing mobile devices. And last I checked, there was a whole lot more iPhones and Android phones out there than Windows based phones.
    • re: Sure thing, OS Reload, sure thing

      "Sorry, but the people have spoken, and it looks as though Linux is persona non grata on 99 percent of the world's computers."

      I'm gonna eat some worms.

      Most people don't even know Linux exists. Hmm, would that be an ad hominem? Whatever. In any event, it certainly lacks relevance whether it is true or otherwise.
    • Go get 'em

      @John Zern, I couldn't agree more. I have worked on more OSes in my 17 year IT career than I can count. Windows may not be the best, but it certainly has the largest installed user base - period. The Linux and Apple zealots cannot deny this fact.
    • RE: New attack bypasses EVERY Windows security product

      @John Zern "Linux is persona non grata on 99 percent of the world's DESKTOPS."
      There fixed that for you.

      Yes, Linux is not a significant player on the desktop. However, it is significant in servers (60 percent of web servers ran Linux in 2008). More importantly, the smartphone market is iPhone and Android (and Blackberry). Microsoft has become insignificant in that market, which is the highest growth sector. Smartphones will (or have already) outnumber PCs, and people are using them more and more in place of laptops & netbooks. Is Linux invulnerable? Of course not, but it's not nearly the leaky sieve that Windows is.
  • RE: New attack bypasses EVERY Windows security product

    Obviously you are unaware of ATM machines running Windows now.
    Hackers Targeting Windows XP-Based ATM Machines | Maximum PC
    Jun 4, 2009 ... Windows XP on an ATM Machine Seriously? Aren't you just asking for trouble. And they are freely connected to the internet? ...
    • It's very dangerous to use the most popular OS in the world (Windows XP)..

      ..because Microsoft is responsible for keeping it secure.

      They say in the contract that it is still officially supported, but then let shit like this hit the fan..
    • edit: Double post, delete this one please
  • RE: New attack bypasses EVERY Windows security product

    @OS Reload : Well if Microsoft did suddenly die, who or what do think would be the next target??? You best hope that MS last for quite a bit longer, we make a great umbrella. :-)
    • They're the only low hanging fruit, so cyber-crime would likely end.
  • RE: New attack bypasses EVERY Windows security product

    Don't be silly: the versions of Linux running on mobile phones have their own security problems -- to date much smaller than on Windows, but that could change over time.