Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: New paper on using kernel hooking to bypass AV - Internet Security | DShield SANS ISC InfoSec Forums


New paper on using kernel hooking to bypass AV

Matousec has released a new paper (http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php) detailing their proof of concept for using kernel hooking (specifically what they are calling an "argument switch attack") to bypass antivirus software. The concept isn't new, as they acknowledge, but the paper is nicely detailed and the use of a race condition of sorts to bypass security checks made when a kernel hook is requested/handled is cool. It should be noted that PatchGuard should provide some protection against this attack, though how much is uncertain.

Toby

68 Posts
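The race the diary describes is a check-versus-use (double-fetch) problem: a hook validates an argument that still lives in memory the caller controls, then the real operation reads that memory a second time. The following is an added illustration, not code from the Matousec paper or from any AV product. It models the hooked argument as a plain struct, stands in for the racing thread with a hypothetical `swapper_fn` callback so the outcome is deterministic, and contrasts the vulnerable double-fetch pattern with the mitigation of copying the argument once into memory the caller cannot touch and checking and using that single copy. The policy (paths under `C:\Users\` are allowed) and all path strings are constructed for the demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an argument block that a hooked call receives by
   pointer. In a real kernel hook this is memory the calling process can
   keep writing to while the hook runs. */
typedef struct {
    char path[64];
} user_args_t;

/* Hypothetical policy for the demo: only paths under C:\Users\ are allowed. */
static bool policy_allows(const char *path) {
    return strncmp(path, "C:\\Users\\", 9) == 0;
}

/* Stand-in for the second thread of the race: it gets one chance to
   rewrite the argument block between the check and the use. */
typedef void (*swapper_fn)(user_args_t *args);

/* Vulnerable pattern: validate through the caller's pointer, then read the
   same memory again when carrying out the operation. */
static bool hook_double_fetch(user_args_t *args, swapper_fn swap,
                              char *used, size_t n) {
    if (!policy_allows(args->path))      /* first fetch: the check   */
        return false;
    if (swap) swap(args);                /* window for the caller    */
    snprintf(used, n, "%s", args->path); /* second fetch: the use    */
    return true;
}

/* Hardened pattern: copy the argument once into hook-owned memory,
   validate the copy, and operate on that same copy. */
static bool hook_snapshot(user_args_t *args, swapper_fn swap,
                          char *used, size_t n) {
    user_args_t local;
    memcpy(&local, args, sizeof local);  /* single fetch */
    local.path[sizeof local.path - 1] = '\0';
    if (!policy_allows(local.path))
        return false;
    if (swap) swap(args);                /* same window, but args is never re-read */
    snprintf(used, n, "%s", local.path);
    return true;
}

/* Constructed race behaviour for the demo: replace the path after the check. */
static void swap_after_check(user_args_t *args) {
    snprintf(args->path, sizeof args->path, "%s", "C:\\Windows\\System32\\demo.sys");
}

/* Returns true if the hook allowed the call but ended up operating on a
   path the policy forbids, i.e. the check was bypassed. */
bool demo_bypassed(bool hardened) {
    user_args_t args;
    char used[64];
    snprintf(args.path, sizeof args.path, "%s", "C:\\Users\\alice\\notes.txt");
    bool allowed = hardened
        ? hook_snapshot(&args, swap_after_check, used, sizeof used)
        : hook_double_fetch(&args, swap_after_check, used, sizeof used);
    return allowed && !policy_allows(used);
}

int main(void) {
    printf("double-fetch hook bypassed: %s\n", demo_bypassed(false) ? "yes" : "no");
    printf("snapshot hook bypassed:     %s\n", demo_bypassed(true) ? "yes" : "no");
    return 0;
}
```

The point of the snapshot version is not the extra copy itself but that every decision and every action is taken on data the caller can no longer influence once the check has run; a hook that re-dereferences caller-supplied pointers after validating them has the same window no matter how carefully the validation is written.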
Here is an interesting write-up about it from the guys @ Sophos. At the end of the day I don't think it's the big hype that seems to be going around. The original piece of code would still need to beat an anti-virus on-access scan before it can even use this 'vulnerability'.
http://www.sophos.com/blogs/duck/g/2010/05/11/khobe-vulnerability-earth-shaker/
Anonymous
Fresh malware usually beats most on access scanning anti-malware software.

The scary part is that an executable run by an unprivileged user may gain system rights *thanks to* software that was intended to protect the PC as seems to have been confirmed by McAfee here: http://www.h-online.com/security/news/item/New-attack-bypasses-anti-virus-software-997621.html : "The argument switching attack would *only* allow it to escalate its privileges".

I know that most XP home users run as administrators anyway, but many companies have better policies, and they may be at risk because of this.
Erik van Straten

122 Posts
