The Tech Herald

Researchers claim to have bypassed traditional AV protection

by Steve Ragan - May 11 2010, 18:55

Researchers at Matousec, after developing an exploit-writing engine called KHOBE (Kernel Hook Bypassing Engine), say they have discovered a serious flaw in the traditional desktop anti-virus protections offered by thirty-five vendors. Should you worry and remove your security software because of this?

Matousec’s research centers on the KHOBE engine and a technique that, if pulled off successfully, would allow an attacker to bypass many of the protections and checks that typical security software deploys to the desktop. Matousec tested their argument-switch attack, or KHOBE attack, against products from many of the popular security vendors, including Symantec, McAfee, ESET, Sophos and more. Every one of them failed.

The attack doesn’t succeed every time, but it can succeed, and multi-core processors increase the odds of a successful attack. The reason is that anti-virus vendors use System Service Descriptor Table (SSDT) hooks to monitor malicious software that could be running on a system.

The SSDT is where the operating system’s system call handlers are located. When any software makes an operating system call, the anti-virus product checks the call for legitimacy using the hooks it has placed into the SSDT.

In the KHOBE attack, these hooks are bypassed using a race condition. Race conditions aren’t uncommon, but they are tricky. They happen when program logic goes by the wayside because of resource conflicts. The common scenario for a race condition in multithreaded programming is two threads asking for access to the same resource at the same time. On multi-core processors the problem is compounded, because the two threads really do run simultaneously and there is no way to keep track of them.

Essentially, the attack first makes a system call with harmless-looking arguments; once the anti-virus software’s security checks have completed and found the call harmless, the arguments are swapped for something malicious just before the original service executes.

“If the tampering operation occurs after the security checks are done but before the original service, which does the main work, is called, the attack is successful,” the researchers explain. [Their research can be seen here.]
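The check-then-use window the researchers describe, modelled as a user-mode C program (an added illustration, not Matousec’s code or any vendor’s): a hook that validates an argument in caller-owned memory and then lets the original service re-read that memory can be fooled by a concurrent rewrite, while a hook that copies the argument once and validates the copy cannot. The policy, the path strings and the swapper that stands in for the racing thread are all constructed for the example.

```c
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define ARG_LEN 32
/* Caller-owned argument memory, standing in for a user-mode buffer. */
typedef struct { char path[ARG_LEN]; } user_arg_t;

/* Constructed policy for the hook: only paths under /safe/ are allowed. */
static bool hook_allows(const char *path) {
    return strncmp(path, "/safe/", 6) == 0;
}

/* The original service: reports which path it actually acted on. */
static const char *original_service(const char *path) { return path; }

/* Stands in for the concurrent thread that wins the race: it rewrites the
 * argument after the hook has checked it but before the service uses it. */
typedef void (*swapper_fn)(user_arg_t *);
void swap_to_blocked(user_arg_t *arg) {
    strncpy(arg->path, "/blocked/x", ARG_LEN);
}

/* Vulnerable pattern (double fetch): the hook checks the caller's memory,
 * then the service reads that same memory again.  Returns the path the
 * service acted on, or NULL if the hook rejected the call. */
const char *dispatch_double_fetch(user_arg_t *arg, swapper_fn race) {
    if (!hook_allows(arg->path)) return NULL;  /* check */
    if (race) race(arg);                       /* window between check and use */
    return original_service(arg->path);        /* use: second fetch */
}

/* Hardened pattern (capture once): copy the argument into hook-owned
 * storage, validate the copy, and pass only the copy to the service. */
const char *dispatch_capture_once(user_arg_t *arg, swapper_fn race, char out[ARG_LEN]) {
    memcpy(out, arg->path, ARG_LEN);           /* single fetch */
    out[ARG_LEN - 1] = '\0';
    if (!hook_allows(out)) return NULL;
    if (race) race(arg);                       /* same window; the copy is untouched */
    return original_service(out);
}

int main(void) {
    user_arg_t a = { "/safe/file" }, b = { "/safe/file" };
    char copy[ARG_LEN];
    printf("double fetch : %s\n", dispatch_double_fetch(&a, swap_to_blocked));
    printf("capture once : %s\n", dispatch_capture_once(&b, swap_to_blocked, copy));
    return 0;
}
```

The first dispatch approves the call and then acts on `/blocked/x`; the second acts on the `/safe/file` it validated, which is the property a kernel hook must preserve regardless of how many cores are racing it.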

Speaking to the results of the KHOBE attack testing, the researchers wrote that the results can be summarized in one sentence: “If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100 % of the tested products were found vulnerable.”

With that said, is there a need to worry and remove your security software? No, for several reasons, not least of which is that this attack scenario was first mentioned in the 1990s and later resurfaced in 2003.

Matousec themselves say that this attack requires a lot of code to work, so drive-by attacks are out. It would only be a reality in a full-scale, deliberate attack. If a business were targeted by an attack like KHOBE, it would have larger issues in the first place, and it is game over.

The Tech Herald reached out to McAfee, Trend Micro, Sophos, PC Tools, Sunbelt Software, Kaspersky, ESET, Comodo, Check Point, Symantec, Panda, BitDefender, and AVG, each named by the Matousec report as being vulnerable, and gave them a chance to comment. We’ll have their responses in a follow-up to this story.

However, ESET's Randy Abrams sent over some thoughts before the others had a chance.

“Matousec is making a big mountain out of a molehill,” Abrams said.

“It used to be that Antivirus was the [number one] cause of blue screens on Windows NT 4, but then [Microsoft] introduced a filter quality program and invited legitimate vendors, small and large, to workshops where they shared developers, best practices, dynamically and dramatically reducing the instances where security, backup, and other filter driver products didn’t play well together. I personally saw to it that small and legitimate Antivirus vendors were invited and participated.”

“Yes, there will always be some problems, and there will always be some vulnerabilities, but the article Matousec published is really a self-serving advertisement. It really doesn’t matter what the attack angle is, if the malicious code trying to exploit a vulnerability anywhere is not detected prior to execution the game is all over.”

“‘SSDT hooking’ is one of a billion things that potentially has room for improvement, but as long as computers run programs there will be room for exploitation,” he added.
