Fwd: [rforno () infowarrior org: [Infowarrior] - New attack bypasses virtually all AV protection]

[Rich Kulawiec <rsk () gsp org>]

I'm not qualified to evaluate this research on its technical merits,
but I believe that some of you are.

---Rsk

----- Forwarded message from Richard Forno <rforno () infowarrior org> -----

> Date: Sun, 9 May 2010 11:47:41 -0400
> From: Richard Forno <rforno () infowarrior org>
> To: List Infowarrior <infowarrior () attrition org>
> Subject: [Infowarrior] - New attack bypasses virtually all AV protection
>
> New attack bypasses virtually all AV protection
>
> http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass/
>
> By Dan Goodin in San Francisco ? Get more from this author
>
> Posted in Security, 7th May 2010 18:17 GMT
>
> Researchers say they've devised a way to bypass protections built in to dozens of the most popular desktop anti-virus 
> products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.
>
> The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the 
> anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of 
> benign code that passes their security checks and then, before it's executed, swaps it out with a malicious payload.
>
> The exploit has to be timed just right so the benign code isn't switched too soon or too late. But for systems 
> running on multicore processors, matousec's "argument-switch" attack is fairly reliable because one thread is often 
> unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection 
> offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked.
>
> All that's required is that the AV software use SSDT, or System Service Descriptor Table, hooks to modify parts of 
> the OS kernel.
>
> "We have performed tests with [most of] today's Windows desktop security products," the researchers wrote. "The 
> results can be summarized in one sentence: If a product uses SSDT hooks or other kind of kernel mode hooks on similar 
> level to implement security features it is vulnerable. In other words, 100% of the tested products were found 
> vulnerable."
>
> The researchers listed 34 products that they said were susceptible to the attack, but the list was limited by the 
> amount of time they had for testing. "Otherwise, the list would be endless," they said.
>
> The technique works even when Windows is running under an account with limited privileges.
>
> Still, the exploit has its limitations. It requires a large amount of code to be loaded onto the targeted machine, 
> making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried 
> out only when an attacker already has the ability to run a binary on the targeted PC.
>
> Still, the technique might be combined with an exploit of another piece of software, say, a vulnerable version of 
> Adobe Reader or Oracle's Java Virtual Machine to install malware without arousing the suspicion of the any AV 
> software the victim was using.
>
> "Realistic scenario: someone uses McAfee or another affected product to secure their desktops," H D Moore, CSO and 
> Chief Architect of the Metasploit project, told The Register in an instant message. "A malware developer abuses this 
> race condition to bypass the system call hooks, allowing the malware to install itself and remove McAfee. In that 
> case, all of the 'protection' offered by the product is basically moot."
>
> A user without administrative rights could also use the attack to kill an installed and running AV, even though only 
> admin accounts should be able to do this, Charlie Miller, principal security analyst at Independent Security 
> Evaluators, said.
>
> Matousec.com's research is here  
> http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php
> _______________________________________________
> Infowarrior mailing list
> Infowarrior () attrition org
> https://attrition.org/mailman/listinfo/infowarrior

----- End forwarded message -----
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.