Are you a Windows user? Do you make sure that your antivirus program is updated regularly? Do you feel safe? You shouldn’t!
Read on to find out why …
Security researchers at Matousec.com have come up with an ingenious attack that can bypass every Windows security product
tested and allow malicious code to make its way to your system.
Yes, you read that right - every Windows security
product tested. And the list is both huge and sobering:
3D EQSecure Professional Edition 4.2
avast! Internet Security 5.0.462
AVG Internet Security 9.0.791
Avira Premium Security Suite 10.0.0.536
BitDefender Total Security 2010 22.214.171.1247
Blink Professional 4.6.1
CA Internet Security Suite Plus 2010 126.96.36.1992
Comodo Internet Security Free 4.0.138377.779
DefenseWall Personal Firewall 3.00
Dr.Web Security Space Pro 6.0.0.03100
ESET Smart Security 188.8.131.52
F-Secure Internet Security 2010 10.00 build 246
G DATA TotalCare 2010
Kaspersky Internet Security 2010 184.108.40.2066
KingSoft Personal Firewall 9 Plus 2009.05.07.70
Malware Defender 2.6.0
McAfee Total Protection 2010 10.0.580
Norman Security Suite PRO 8.0
Norton Internet Security 2010 220.127.116.11
Online Armor Premium 18.104.22.168
Online Solutions Security Suite 1.5.14905.0
Outpost Security Suite Pro 22.214.171.12463.452.0726
Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION
Panda Internet Security 2010 15.01.00
PC Tools Firewall Plus 126.96.36.199
PrivateFirewall 188.8.131.52
Security Shield 2010 184.108.40.2063
Sophos Endpoint Security and Control 9.0.5
ThreatFire 220.127.116.11
Trend Micro Internet Security Pro 2010 17.50.1647.0000
Vba32 Personal 18.104.22.168
VIPRE Antivirus Premium 4.0.3272
VirusBuster Internet Security Suite 3.2
Webroot Internet Security Essentials 22.214.171.124
ZoneAlarm Extreme Security 9.1.507.000
probably other versions of the above-mentioned software
possibly many other software products that use kernel hooks to implement security features

The attack is a clever "bait-and-switch" style move. Harmless parameters (a file path, a buffer, a handle) are handed to the security software's hook for checking, but as soon as they have been given the green light they are swapped for malicious ones, before the real kernel routine gets round to acting on them. The attack works even more reliably on multi-core systems: the thread being checked has no view of a second thread running simultaneously on another core, so that thread can land the swap in the narrow window between the check and the use.
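The bait-and-switch above is a time-of-check-to-time-of-use race against the hooked kernel service (the SSDT hook the next paragraph names). The following is an added, constructed illustration, not Matousec's engine nor any vendor's driver: a user-mode C model in which the hook, the "kernel service" and the attacker's helper thread are simulated deterministically, so the race can be reproduced on demand instead of depending on scheduling. The product names, paths and the toy HIPS rule are all assumptions made up for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, deterministic model of the KHOBE argument switch. Added
 * illustration only: the hook, the kernel service and the attacker's second
 * thread are all simulated so the race is reproducible rather than timing-bound. */

#define BENIGN_PATH    "C:\\Users\\alice\\notes.txt"                 /* made-up */
#define MALICIOUS_PATH "C:\\Windows\\System32\\drivers\\evil.sys"    /* made-up */

/* User-mode memory referenced by the system-call argument. The attacker owns it. */
struct user_args { const char *path; };

/* The attacker's helper thread, modelled as a counter: its swap lands just
 * before the n-th time the kernel side fetches the argument (0 = never).
 * n = 1 swaps before the hook's check; n = 2 swaps between check and use. */
struct attacker {
    struct user_args *args;
    int reads_seen;
    int flip_before_read;
};

/* Every read of user memory goes through here so the model can interpose the
 * swap at a chosen point, the way a thread on another core would in reality. */
static const char *fetch_user_path(struct attacker *atk)
{
    atk->reads_seen++;
    if (atk->reads_seen == atk->flip_before_read)
        atk->args->path = MALICIOUS_PATH;
    return atk->args->path;
}

/* Toy HIPS rule standing in for the hooked product's policy (assumption). */
static bool policy_allows(const char *path)
{
    return strstr(path, "\\drivers\\") == NULL;
}

/* Vulnerable SSDT-hook pattern: validate the user argument, then pass the call
 * on. The original service fetches the argument from user memory again, so the
 * value it acts on can differ from the value that was checked. */
static const char *hook_double_fetch(struct attacker *atk, char *kbuf, size_t len)
{
    (void)kbuf; (void)len;                   /* this pattern never captures */
    if (!policy_allows(fetch_user_path(atk)))
        return "DENIED";
    return fetch_user_path(atk);             /* what the real service would use */
}

/* Capture-once pattern: copy the argument into kernel-owned storage, then check
 * and forward only that copy. In the model this closes the window; on real
 * Windows the original service would still capture user memory itself, which is
 * why the structural fix is to use filtering interfaces that hand the driver
 * already-captured data rather than hooking the SSDT at all. */
static const char *hook_single_fetch(struct attacker *atk, char *kbuf, size_t len)
{
    snprintf(kbuf, len, "%s", fetch_user_path(atk));   /* the one and only read */
    if (!policy_allows(kbuf))
        return "DENIED";
    return kbuf;
}

/* Runs one scenario from a fresh benign argument and reports what the kernel acts on. */
static char g_kbuf[256];

static const char *run(const char *(*hook)(struct attacker *, char *, size_t),
                       int flip_before_read)
{
    struct user_args args = { BENIGN_PATH };
    struct attacker atk = { &args, 0, flip_before_read };
    return hook(&atk, g_kbuf, sizeof g_kbuf);
}

const char *outcome_double_fetch(int flip_before_read)
{
    return run(hook_double_fetch, flip_before_read);
}

const char *outcome_single_fetch(int flip_before_read)
{
    return run(hook_single_fetch, flip_before_read);
}

int main(void)
{
    printf("double fetch, swap before check : %s\n", outcome_double_fetch(1));
    printf("double fetch, swap after check  : %s\n", outcome_double_fetch(2));
    printf("single fetch, swap after check  : %s\n", outcome_single_fetch(2));
    return 0;
}
```

With the swap landing before the check (flip_before_read = 1) both hooks deny, which is the case the vendors' replies below rely on. With the swap landing after the check (flip_before_read = 2) the double-fetch hook approves the benign path and the kernel then acts on the malicious one, while the capture-once hook forwards exactly the string it checked. On a real multi-core machine the second thread simply spins on the swap until it happens to hit that window, which is why the attack gets more reliable as core counts rise.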
The attack, called KHOBE (Kernel HOok Bypassing Engine), targets the System Service Descriptor Table (SSDT), the kernel table that maps each system-call number to the kernel routine that handles it. Many security products replace SSDT entries with hooks of their own so they can inspect a call's arguments before the real routine runs, and it is that check-then-forward design that the argument switch defeats.
The weakness of SSDT hooks has been known for some time but, as far as anyone knows, hasn't yet been leveraged by attackers. However, multi-core systems make the race far more reliable, and they are now becoming the norm, so this is now a much greater threat. Oh, and don't think that just because you are running as a standard user you're safe: you're not. This attack doesn't need admin
However, it does require a lot of code to work, so it’s far from ideal for attackers. That said, its ability to completely
neuter security software is quite frightening. I assume that security vendors the world over are now scrambling to come up
with a fix for this issue.
[UPDATE: Graham Cluley, Senior Technology Consultant at Sophos, has this to say:
The dramatic headlines might make you think that this is TEOTWAWKI*, but the truth is somewhat different.
Because KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec describes is a way of "doing something extra" if the bad guys' malicious code manages to get past your anti-virus software in the first place.
In other words, KHOBE is only an issue if anti-virus products such as Sophos (and many others) miss the malware. And that's one of the reasons, of course, why we - and to their credit other vendors - offer a layered approach using a variety of protection technologies.
Cluley has a point here: AV companies will still be able to add signatures to detect any KHOBE-like package in the wild, labelling the whole thing as malware and preventing it from getting a foothold on a system in the first place. But this still doesn't change the fact that there's one vulnerability here that basically "rules
Paul Ducklin, Sophos's Head of Technology, has this to add:
So the Khobe "attack" boils down to this: if you can write malware which already gets past Sophos's on-access virus blocker, and past Sophos's HIPS, then you may be able to use the Khobe code to bypass Sophos's HIPS - which, of course, you just bypassed anyway. Oh, and only if you are using Windows XP.
In short: Sophos's on-access anti-virus scanner doesn't use SSDT hooks, so it's fair for us to say that this isn't a vulnerability for us at all. But what about other anti-virus software? Though I'm not usually an apologist for our competitors, I feel compelled to speak out in this case.
The fuss about Khobe is in my opinion unwarranted, and the claim that it "bypasses virtually all anti-virus software" is scaremongering.
While I agree with the majority of what Ducklin has to say, I take issue with two points. First, that throwaway "Oh, and only if you are using Windows XP" line belittles the fact that while Vista and 7 users are safe, some 60% of PCs still run XP, and quite a lot of those are multi-core machines. Secondly, while Sophos's own on-access scanner might not use SSDT hooks, it's clear that a lot of products do.
F-Secure has the following on KHOBE:
This is a serious issue and Matousec's technical findings are correct. However,
this attack does not "break" all antivirus systems forever. Far from it.
First of all, any malware that we detect by our antivirus will still be blocked, just like it always was.
So the issue only affects new, unknown malware that we do not have signature detection for.
To protect our customers against such unknown malware, we have several layers of sensors and generic detection engines.
Matousec's discovery is able to bypass only a few of these sensors.
We believe our multi-layer approach will provide sufficient protection level even if malicious code were to attempt use of
And if we were to see such an attack, we would simply add signature detection for it, stopping it in its tracks. We haven't seen any attacks using this technique in the wild.
Are you reassured?]
Mac and Linux users, feel free to engage "smug mode" for a little while …
UPDATE - New attack bypasses EVERY Windows security product | ZDNet
me if I'm wrong but I don't see MSE mentioned....