Attack defeats 'most' antivirus software

A bypassing technique can fool commonly-used antivirus programs into allowing the execution of malicious code, according to a security research firm
Written by Matthew Broersma, Contributor

Security research firm Matousec has published details of a technique for bypassing some of the protections offered by widely-used Windows security software, including programs from McAfee and Trend Micro.

However, the attack has serious limitations, including the requirement that the attacker must already have the ability to execute code on a system, Matousec acknowledged. That means the method would have to be used in combination with another attack vector, or employed by an attacker with local access to a system.

The method, called an argument-switch attack, can be used against Windows security programs that use a technique called System Service Descriptor Table (SSDT) hooking. All of the 35 applications tested by Matousec featured this technique, including products from BitDefender, F-Secure, Kaspersky and Sophos, as well as McAfee and Trend Micro.

"We tested the most widely used security applications and found out that all of them are vulnerable," Matousec said in a paper outlining its research, published on Wednesday. "Today's most popular security solutions simply do not work."

SSDT hooking is used by many — though not all — antivirus programs as part of their mechanism for detecting and blocking attacks already running on the system. The technique involves modifying the contents of the SSDT. The company's research focused on kernel-mode hooks, though the attack is also effective against user-mode hooks, Matousec said.

"The results can be summarised in one sentence: if a product uses SSDT hooks or another kind of kernel-mode hook on a similar level to implement security features, it is vulnerable," the company said.

The company's researchers noted that there are some products from providers such as Immunet that do not use the technique.

The attack makes use of a bug known as a race condition, in which two threads compete for access to a shared resource, resulting in a breakdown in program logic. It uses this bug to make the antivirus program think it is allowing the execution of harmless code, when it is actually executing malicious code, the company said.

The bypass does not have a 100 percent success rate. However, if a system is running multiple processors or multicore processors, the attack is more reliable, according to Matousec.

"Today, multiprocessor (systems) or multicore processors are very common hardware in desktop computers," the company said in a statement. The attack can be run successfully from restricted user accounts, it added.

The tests were run on Windows XP Service Pack 3 and Windows Vista Service Pack 1 running on 32-bit hardware. Matousec said all Windows versions were likely to be vulnerable, including Windows 7.

The attack is, however, subject to important limitations — for instance, it can only be carried out when the intruder already has the ability to run code on the system.

If an attacker used another method to gain the ability to execute code on the system — exploiting a bug in Internet Explorer or Adobe Reader, for example — the argument-switch attack could then be used to install malicious code on the system without being blocked by antivirus software, Matousec said.

The company called for antivirus vendors to secure the way they use kernel hooks, and said it has carried out research into how this could be done. That research has not yet been published.

"Securing kernel hooks might be quite complicated task for security software vendors, particularly for those whose software uses huge amounts of SSDT and other types of hooks," the company stated.

Editorial standards