New research unveils anti-virus bypass

The attack - developed by a team at security firm Matousec - was 100 percent effective in tests.

A new method for bypassing anti-virus software has been discovered, capable of confusing the vast majority of Windows packages currently available.

Discovered by security firm Matousec - and profiled over on The Register - the technique makes use of the inability of multi-core systems to effectively track threads running on other processing cores, using that blind spot to perform a bait-and-switch attack on the anti-virus software.

The idea behind the attack is simple to describe but complex to execute: an innocuous piece of code is sent to be scanned and gets the green light from the anti-virus scanner; once it has been validated for execution, there is a very small window in which the innocuous code can be replaced with malicious code, which is then executed in its place without the anti-virus package ever getting a look-in.

According to the team, this technique - which relies on the anti-virus scanner using System Service Descriptor Table (SSDT) hooks built into Windows to access certain parts of the operating system's kernel - was effective on "100 percent of the tested products," and the researchers provided a list of 34 packages which were known to be vulnerable to the attack.
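The check-then-use gap the two paragraphs above describe, modelled as an added C example (not code from Matousec or from the article): a scanner hook that re-reads a caller-controlled argument after validating it, beside one that copies the argument once into memory the caller cannot reach and acts only on the copy. The `struct request`, the `looks_malicious` denylist, the `swap_payload` callback standing in for a thread on another core, and the stub names are all constructed for the illustration.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bait-and-switch race: a "scanner hook" inspects an
 * argument block that still lives in caller-controlled memory, decides, and
 * then the real operation runs. The race callback stands in for a second
 * thread on another core that rewrites the block between check and use. */

#define NAME_MAX 64

struct request {
    const char *name;   /* caller-supplied; the hook must not assume it stays put */
};

/* Hypothetical denylist: the only notion of "malicious" in this model. */
static bool looks_malicious(const char *name) {
    return strstr(name, "malicious") != NULL;
}

/* What actually "executes": records which name reached execution. */
static char last_executed[NAME_MAX];

typedef void (*race_fn)(struct request *req);

enum outcome { OUTCOME_DENIED = 0, OUTCOME_RAN_CLEAN = 1, OUTCOME_RAN_MALICIOUS = 2 };

/* Vulnerable pattern: fetch req->name for the check, then fetch it again for
 * the use. Anything that changes the pointer in between is never scanned. */
enum outcome hook_vulnerable(struct request *req, race_fn race) {
    if (looks_malicious(req->name))                   /* check: fetch #1 */
        return OUTCOME_DENIED;
    if (race) race(req);                               /* the other core acts here */
    strncpy(last_executed, req->name, NAME_MAX - 1);   /* use: fetch #2 */
    last_executed[NAME_MAX - 1] = '\0';
    return looks_malicious(last_executed) ? OUTCOME_RAN_MALICIOUS : OUTCOME_RAN_CLEAN;
}

/* Hardened pattern: copy the argument once into memory the caller cannot
 * touch, then check and use only that copy. The race still happens, but it
 * no longer changes anything the hook acts on. (In a real kernel hook the
 * copy would be a guarded copy-from-user; here it is a plain local buffer.) */
enum outcome hook_hardened(struct request *req, race_fn race) {
    char local[NAME_MAX];
    strncpy(local, req->name, NAME_MAX - 1);           /* single fetch */
    local[NAME_MAX - 1] = '\0';
    if (looks_malicious(local))
        return OUTCOME_DENIED;
    if (race) race(req);                               /* too late to matter */
    strncpy(last_executed, local, NAME_MAX - 1);
    last_executed[NAME_MAX - 1] = '\0';
    return looks_malicious(last_executed) ? OUTCOME_RAN_MALICIOUS : OUTCOME_RAN_CLEAN;
}

/* Constructed "second thread": swaps the benign name for the flagged one. */
static void swap_payload(struct request *req) {
    req->name = "malicious-stub";
}

/* Runs one hook against the same race and reports what executed. */
enum outcome run_scenario(bool hardened) {
    struct request req = { .name = "benign-stub" };
    return hardened ? hook_hardened(&req, swap_payload)
                    : hook_vulnerable(&req, swap_payload);
}

int main(void) {
    printf("vulnerable hook: %s executed\n",
           run_scenario(false) == OUTCOME_RAN_MALICIOUS ? "swapped payload" : "original payload");
    printf("hardened hook:   %s executed\n",
           run_scenario(true) == OUTCOME_RAN_MALICIOUS ? "swapped payload" : "original payload");
    return 0;
}
```

The difference between the two hooks is one line: where the argument is read. A hook that decides on one read and acts on another has a window, however small, that the article's "very small window" refers to; copying first closes it regardless of how many cores the caller controls.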

The list includes many popular free and paid-for packages, including software from Avast!, AVG, BitDefender, Kaspersky, McAfee, Norton, Sophos, and ZoneAlarm. Interestingly, Microsoft's free Security Essentials package is not listed among the vulnerable - although the team say this is due to a lack of time for testing, rather than any evidence of security against the attack.

The team even claim that the attack is effective when executed by a non-privileged account and affects all Windows versions across all architectures, with the only mitigation so far being the complexity of the technique - which requires a large amount of code to be present on the system, making it inefficient for a drive-by attack.

As a proof of concept, the researchers have created an engine for developing exploits called KHOBE, or Kernel HOok Bypassing Engine, which they are using internally for testing. So far the technique is not thought to be in use in the wild.

Are you shocked that such a simple-seeming technique as bait-and-switch would work against so many anti-virus packages, or is the technique nothing more than a curiosity that will be too complex for use in the wild? Share your thoughts over in the forums.


rickysio 10th May 2010, 10:51 Quote
Now my PC is ever safe.

Like it ever was.

To be 100% safe, you should unplug your internet connection and throw your hard drive out of the window.
ZeDestructor 10th May 2010, 10:57 Quote
Well, at least we should expect the AV makers to patch themselves up eventually
GFC 10th May 2010, 11:01 Quote
Biggest anti virus and firewall is yourself. If you go to azi0npr0nx0x all day long - well... Then you might need a bit more than a strong anti virus.
ripmax 10th May 2010, 12:41 Quote
Just be careful when browsing, use Firefox with NoScript and don't download anything you don't trust.
B1GBUD 10th May 2010, 13:23 Quote
Yay for MS Security Essentials!
EvilRusk 10th May 2010, 13:48 Quote
Originally Posted by rickysio
To be 100% safe, you should unplug your internet connection and throw your hard drive out of the window.

But then anyone could just pick up your hard drive and walk off with it!

Anyway, since the biggest danger to any pc is the user, good practice should still help with this one.

Also, how does the "bad" code get onto the system with the "good" code in the first place? Wouldn't it be caught in a file scan?
Psytek 10th May 2010, 13:53 Quote
Anyone who thought their anti virus was protecting them was just deluding themselves.

For this software to get on your computer, you'd have to download and run it, just like 99% of other malware, and anti-virus software does nothing to stop that.

UAC is a step in the right direction, but let's be honest, people are too narcissistic to ever stop and think "maybe I've just downloaded a bad program, I should double check where I got it from is legitimate" ... everyone just turns UAC off and installs every exe they receive in an e-mail that says 'click me to speed up your computer'.
aussiebear 10th May 2010, 14:03 Quote
Originally Posted by rickysio
Now my PC is ever safe.

Like it ever was.

To be 100% safe, you should unplug your internet connection and throw your hard drive out of the window.

The problem with Windows users is that they have not been told what good security practice is. The "install AV; set and forget" is downright sloppy.

You don't need AV when you change the default approach from
"Default Allow" (allow ANYTHING to run) to
"Default Deny" (only allow what you need and nothing more).

* Get the edition of Windows with Software Restriction Policy (SRP) or AppLocker. Set it to deny everything except for the apps you need to work with. (So your Limited/Restricted account can read and write in its assigned folders; but not allowed to execute any random code in those areas. Only Program Files or Windows folders are allowed to have executables running by default.)

* Use Limited/Restricted User for day-to-day usage.
(The reason is because you don't have write access to Program Files or Windows folders. Only Read and Execute.)

* Only use Administrator account for maintenance, troubleshooting, etc.
(This is from the Linux/Unix way. Using root for day-to-day computer use is considered bad practice and looked down upon.)

* Be strict in where you get your software from. If you don't know where it came from (untrusted or unverified source), don't run it; just delete it.

...I have tested this approach against real drive-by downloads and such with various folks from business and home. It works. Malware doesn't infect if it can't run. (Malware is just software written for a purpose. You're just preventing execution of it with SRP.)

Breaking bad computing habits and replacing them with effective practices is the key.

The AV approach is the dumbest, most insecure way to computer security. It has never been an effective method of prevention against real world attacks.
Redbeaver 10th May 2010, 14:44 Quote
Originally Posted by aussiebear
The AV approach is the dumbest, most insecure way to computer security. It has never been an effective method of prevention against real world attacks.

but it's a good first step.
paisa666 10th May 2010, 14:56 Quote
Like I always have said.

The best way to be protected against viruses is common sense... that's all you need

(just don't click on that "you won money" or "hey look my pics at www.face-book/virus.exe") DAMN IT DON'T DO IT
Shagbag 10th May 2010, 15:02 Quote
Security is a process, not a product.
rickysio 10th May 2010, 15:52 Quote
Best security?

Lock the user out of the room where the PC is housed.
Fordy 10th May 2010, 17:18 Quote
Ha, I love how there's just a subtle picture of some of the code :p

(Could be code for anything, but y'know.. The effects priceless :p)
Arj12 10th May 2010, 18:06 Quote
hmmm, what exactly am I doing reading all these articles on bit-tech when I could be picking up a virus at any time ! :P
How to stop your pc from getting infected : use antibacterial wipes!!
mjm25 10th May 2010, 19:47 Quote
The old switcheroo!
shanky887614 10th May 2010, 20:41 Quote
Wouldn't a good firewall stop this?

Comodo blocks everything from running (I admit it wouldn't work for noobs because they would be worse off),
but it treats everything as a virus unless you specify otherwise, and it asks you every time it tries to access anything like system settings unless you allow that program to do it.
LordPyrinc 10th May 2010, 23:48 Quote
The bulk of the 'buy and use computer' users out there need robust AV software. Even so, that does not make them safe. Educating these users helps, but many don't have the time or the basic awareness to care about security notifications. The threats will continue to evolve, and even those of us who are somewhat savvy may find ourselves vulnerable to attack.

Running as a non-admin account is probably the best defense with or without AV software.
RichCreedy 11th May 2010, 23:19 Quote
If I read the article correctly, this particular exploit would work whether you are an admin user or a limited user, so in this case running as a limited account wouldn't matter; it would infect you.