New paper on using kernel hooking to bypass AV

Published: 2010-05-10. Last Updated: 2010-05-10 23:00:16 UTC
by Toby Kohlenberg (Version: 1)
2 comment(s)

Matousec has released a new paper (http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php) detailing their proof of concept for using kernel hooking (specifically what they are calling an "argument switch attack") to bypass antivirus software. The concept isn't new, as they acknowledge, but the paper is nicely detailed, and the use of a race condition of sorts to bypass security checks made when a kernel hook is requested/handled is cool. It should be noted that PatchGuard should provide some protection against this attack, though how much is uncertain.
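
A user-space model of the check-then-use race behind the argument switch attack, added here as an illustration (not code from the Matousec paper or from any AV product). The policy, paths and function names are hypothetical, and the concurrent writer is modeled as a callback so the result is deterministic; it shows why a hook that validates caller-owned memory and then forwards the same pointer can be bypassed, and why capturing the argument once closes the window.

```c
#include <stdio.h>
#include <string.h>
#define BUF_LEN 64
typedef void (*interleave_fn)(char *user_buf);  /* models a concurrent writer */
static char last_used[BUF_LEN];                 /* what the "service" acted on */

/* Hypothetical policy: paths under the Protected directory are off limits. */
static int policy_allows(const char *path) {
    return strncmp(path, "C:\\Protected\\", 13) != 0;
}
/* Stand-in for the original system service the hook forwards to. */
static void real_service(const char *path) {
    snprintf(last_used, BUF_LEN, "%s", path);
}

/* Weak hook: checks the caller's buffer, then forwards the same pointer. */
int hook_double_fetch(char *user_buf, interleave_fn race) {
    if (!policy_allows(user_buf)) return -1;
    if (race) race(user_buf);           /* window between check and use */
    real_service(user_buf);             /* second read of caller memory */
    return 0;
}

/* Hardened hook: capture once, then check and use only the private copy. */
int hook_capture_once(char *user_buf, interleave_fn race) {
    char captured[BUF_LEN];
    snprintf(captured, BUF_LEN, "%s", user_buf);
    if (!policy_allows(captured)) return -1;
    if (race) race(user_buf);           /* caller's buffer changes, copy does not */
    real_service(captured);
    return 0;
}

/* Constructed concurrent write that swaps the argument after the check. */
static void switch_argument(char *user_buf) {
    snprintf(user_buf, BUF_LEN, "%s", "C:\\Protected\\data.bin");
}

/* Returns 1 if the service acted on a path the policy forbids. */
int policy_bypassed(int (*hook)(char *, interleave_fn)) {
    char user_buf[BUF_LEN] = "C:\\Temp\\notes.txt";  /* constructed input */
    last_used[0] = '\0';
    hook(user_buf, switch_argument);
    return !policy_allows(last_used);
}
int main(void) {
    printf("double-fetch bypassed: %d\n", policy_bypassed(hook_double_fetch));
    printf("capture-once bypassed: %d\n", policy_bypassed(hook_capture_once));
    return 0;
}
```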


Comments

Here is an interesting write-up about it from the guys @ Sophos. At the end of the day I don't think it's the big hype that seems to be going around. The original piece of code would still need to beat an Anti-virus On Access scanning before it can even use this 'vulnerability'.
http://www.sophos.com/blogs/duck/g/2010/05/11/khobe-vulnerability-earth-shaker/
Fresh malware usually beats most on access scanning anti-malware software.

The scary part is that an executable run by an unprivileged user may gain system rights *thanks to* software that was intended to protect the PC as seems to have been confirmed by McAfee here: http://www.h-online.com/security/news/item/New-attack-bypasses-anti-virus-software-997621.html : "The argument switching attack would *only* allow it to escalate its privileges".

I know that most XP home users run as administrators anyway, but many companies have better policies, and they may be at risk because of this.
