Security Experts Discovered New Attack to Break-in All AV Protection

As per some Internet security researchers, they have discovered a new way to break in the protection systems of dozens of the anti-virus products prepared by leading security firms, including AVG, Trend Micro and BitDefender, as reported by theregister on May 7, 2010.

The researchers, who devised the new break-in method, are associated with the software firm matousec.com. The method exploits driver hooks buried by the antivirus programs deep inside the Windows operating system. It works through the process in which a sample of benign code is sent to them. The benign code penetrates into their security check, and before execution, it swaps out with a malicious payload.

This attack is called "argument-switch attack" and particularly targets kernel mode hooks which change the System Service Descriptor Table (SSDT). The SSDT hooks become a common way of introducing low-level protection in security tools. Nevertheless, other kinds of hooks could also be vulnerable in case few conditions are fulfilled.

As per the security researchers, an important dimension of the attack is that it doesn't need special privileges on the system and could even function from a limited account. The biggest challenge in front of researchers is to find way of bypassing the primary level of protection and injection of malicious code in the system. Both the functions (code injection and penetrating primary level of protection) are under their power.

The researchers have given a name "KHOBE" to the exploit.

After evaluating matousec's research, H D Moore (Chief Architect of Penetration Testing Framework, Metasploit) commented that people used McAfee and another affected product to protect their desktops. But a malware author exploited the condition to penetrate into the system call hooks that allow the malware to inject and eliminate McAfee. In such conditions, all the protection given by the products become moot, as reported by softpedia on May 8, 2010.

Finally, the matousec research also reveals that 64-bit Windows should not be different. The matousec also states that security products might disable PatchGuard before installation, but Microsoft clarifies that there is no method to disable PatchGuard. It is possible that undocumented Application Programming Interfaces (APIs) of Microsoft work in similar fashion that the attack technique works on 32-bit Windows. However, there are no testing descriptions provided to support this.

Related article: Securities Push Up A Must For Web Companies

» SPAMfighter News - 5/18/2010