Windows hole can cripple antivirus

Researchers have developed a way to attack desktops by bypassing a majority of antivirus software running on Windows.
Written by Colin Ho, Contributor

Update: Researchers have developed a way to attack desktops by bypassing a majority of antivirus software running on Windows. Popular products offered by McAfee, Trend Micro, AVG and Sophos have been identified as susceptible to the exploit.

"The only reason there are not more products in the following table is our time limitation. Otherwise, the list would be endless," said the security researchers from Matousec.com in a report released last week.

According to Matousec's report, the vulnerability lies in the kernel-mode driver hooks (SSDT hooks) that Windows-based antivirus software installs to inspect system calls before they reach the kernel.

The attack, which Matousec dubbed the "argument-switch attack", avoids detection by passing benign arguments to a hooked system call, so that the antivirus hook inspects them and lets the call through, and then swapping those arguments for malicious ones in the window between the hook's check and the original kernel routine's use of them. The hook and the kernel routine both read the arguments from the calling process's memory, so the check and the use can see different values: a time-of-check-to-time-of-use race.

"It relies on a critical timing component," said Kaan Kivilcim, a consultant from the Australian security research firm, Sense of Security. Kivilcim explained that the arguments can't be switched too early or too late: switched too early, they won't pass the security check; switched too late, the malicious version is never used. To take the guesswork out of that timing, Matousec also developed an engine called KHOBE (Kernel HOok Bypassing Engine) that simplifies writing exploits for this vulnerability.

According to Kivilcim, the attack could shut down a desktop's antivirus software, rendering it useless.

"In addition to executing malicious code, the attacker can also terminate processes without administrator or privileged access. This could be used to terminate or disable antivirus on a system," he added.

However, a user would need to run an infected file in order to be exposed to this exploit, as it requires a binary to be executed on the system. Users with higher-end systems running multiple cores are more exposed to the attack, according to Kivilcim, because parallel processes can be used to switch the benign code running in one process for malicious code running in another.

"This simplifies the exploit process," said Kivilcim.
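The race described above, as an added example that is not Matousec's KHOBE code nor any vendor's: a user-space simulation in C of the argument-switch pattern, with a second process playing the switcher. A shared page stands in for the user-mode argument memory that both an SSDT hook and the kernel routine it wraps read; the racy hook re-reads that memory after its check, while the hardened hook captures the argument once and checks and uses the copy, which is the mitigation that closes the window. The paths, the allow-list check and the function names are constructed for the illustration.

```c
#define _GNU_SOURCE
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample arguments: an allow-listed path and the path the
   attacker actually wants the kernel routine to act on. */
static const char *const PATHS[2] = { "C:\\Windows\\notepad.exe",
                                      "C:\\Temp\\payload.exe" };
enum { BENIGN = 0, MALICIOUS = 1 };

/* Stand-in for the argument block in user-mode memory that both the hook
   and the original routine dereference. `which` is "the argument". */
typedef struct {
    atomic_int which;      /* index into PATHS, flipped by the switcher   */
    atomic_int running;    /* cleared to stop the switcher process        */
} shared_arg_t;

/* The security check the hook performs (hypothetical allow-list). */
static int hook_allows(const char *path) {
    return strcmp(path, PATHS[BENIGN]) == 0;
}

/* Racy hook: check reads user memory, then the "original routine" reads it
   again. Returns 1 when the call passed the check but consumed MALICIOUS. */
static int racy_hook(const shared_arg_t *arg) {
    const char *at_check = PATHS[atomic_load(&arg->which)];   /* time of check */
    if (!hook_allows(at_check))
        return 0;                                              /* blocked */
    const char *at_use = PATHS[atomic_load(&arg->which)];     /* time of use */
    return strcmp(at_use, PATHS[MALICIOUS]) == 0;
}

/* Hardened hook: capture the argument once into hook-private storage, check
   the copy and hand the copy on. The second compare can never succeed. */
static int hardened_hook(const shared_arg_t *arg) {
    char captured[64];
    strncpy(captured, PATHS[atomic_load(&arg->which)], sizeof captured - 1);
    captured[sizeof captured - 1] = '\0';
    if (!hook_allows(captured))
        return 0;
    return strcmp(captured, PATHS[MALICIOUS]) == 0;
}

/* Call `hook` `iters` times while a forked process flips the argument as
   fast as it can. Returns how many calls passed the check yet ended up
   with the malicious path; -1 on setup failure. */
static int run_race(int (*hook)(const shared_arg_t *), int iters) {
    shared_arg_t *arg = mmap(NULL, sizeof *arg, PROT_READ | PROT_WRITE,
                             MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (arg == MAP_FAILED)
        return -1;
    atomic_init(&arg->which, BENIGN);
    atomic_init(&arg->running, 1);

    pid_t pid = fork();
    if (pid < 0) {
        munmap(arg, sizeof *arg);
        return -1;
    }
    if (pid == 0) {                       /* switcher: benign, malicious, ... */
        int v = BENIGN;
        while (atomic_load(&arg->running))
            atomic_store(&arg->which, v ^= 1);
        _exit(0);
    }

    int switched = 0;
    for (int i = 0; i < iters; i++)
        switched += hook(arg);

    atomic_store(&arg->running, 0);
    waitpid(pid, NULL, 0);
    munmap(arg, sizeof *arg);
    return switched;
}

int main(void) {
    const int iters = 200000;
    printf("racy hook:     %d of %d calls consumed the switched argument\n",
           run_race(racy_hook, iters), iters);
    printf("hardened hook: %d of %d calls consumed the switched argument\n",
           run_race(hardened_hook, iters), iters);
    return 0;
}
```

The count for the racy hook depends on how often the switcher process is scheduled between the hook's two reads: on a single core it is small or zero, on a multi-core machine it climbs quickly, which is the multi-core effect Kivilcim describes. The hardened hook reports zero regardless, because the value it checks is the value it uses; the equivalent in a real driver is copying the user-supplied argument into kernel memory once and passing that copy to the original routine, rather than letting the routine dereference user memory a second time.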

Sophos head of technology, Asia Pacific, Phil Ducklin said on his blog today that the problem was not as serious as it had been made out.

The attack needed a multiprocessor CPU, a security product using System Service Descriptor Table (SSDT) hooks and luck, he said. It also needed to evade detection by the security product in order to launch the KHOBE code, he said.

Only the optional Host Intrusion Prevention System (HIPS) component in Sophos' anti-malware software used SSDT hooks, according to Ducklin. That component was used for monitoring processes that are already allowed to run. The hooks weren't used on Windows versions after XP, he continued.

HIPS was designed to provide extra protection against malicious code, Ducklin said, identifying malware that wasn't detected early enough to be blocked out.

"So the KHOBE 'attack' boils down to this: if you can write malware which already gets past Sophos' on-access virus blocker, and past Sophos' HIPS, then you may be able to use the KHOBE code to bypass Sophos' HIPS — which, of course, you just bypassed anyway. And only if you are using Windows XP," he said.

Ducklin also extended his assessment to the rest of the industry's products.

"The fuss about KHOBE is in my opinion unwarranted, and the claims that it 'bypasses virtually all antivirus software' are scaremongering. A fairer assessment would be that KHOBE amounts to little more than saying that malware which can already bypass antivirus software may be able to bypass it again," he said.

AVG said that it had looked into the issue and had determined that one of its layers of protection did contain the vulnerability.

"Because AVG's offerings are multi-layered, our users, both free and paid, are protected and not currently at risk. That being said, AVG is urgently working on an update and will push that update out to our user base as soon as possible," the company said in a statement.

AVG said that the attack seemed to be a proof-of-concept and not in the wild. "So while the exploit apparently exists, the attack does not really affect our users in the real world," it said.

McAfee was also contacted for comment, but had not responded at the time of writing.
