Thursday, 18 November 2010
Monday, 1 November 2010
Some of the Latest Mac Threats, Courtesty of Bit Defender
Application.Osx.Cosmac.A, Application.Posx.Dldr.C, Application.Posx.Dldr.D, Backdoor.Mac.Subseven.A, Backdoor.Macos.Sub7me.A, Backdoor.Macos.Sub7me.B, Java.OSX.Inqtana.A, Java.OSX.Inqtana.Gen, MAC.OSX.Adware.MacSweeper.A,, Mac.OSX.Trojan.DNSChanger.A, Mac.OSX.Trojan.DNSChanger.B,, MAC.OSX.Trojan.DNSChanger.C, MAC.OSX.Trojan.Krowi.A, MAC.OSX.Trojan.Krowi.B, MacOS.AutoStart.A, MacOS.AutoStart.B, MacOS.Init29.A, MacOS.Sevendust.B, OSX.Trojan.PWS.Corpref.A, OSX.Worm.Inqtana.A, OSX.Worm.Tored.A, Trojan.Exploit.Macos.Icqes.A, Trojan.Exploit.Osx.Launch.A, Trojan.Exploit.Osx.Launch.B, Trojan.Flooder.Macos.Portassult.1.0(m68k).A, Trojan.Mac.Horse.A, Trojan.Macos.Chinatalk.A, Trojan.Macos.Cowhand.A, Trojan.Macos.NVP, Trojan.OSX.Dropper.A, Trojan.Osx.Exploit.Launchd.A, Trojan.Osx.Exploit.Launchd.B, Trojan.OSX.Jahlav.A, Trojan.OSX.Jahlav.B, Trojan.OSX.Loader.A, Trojan.Osx.Weapox.A, Trojan.Osx.Weapox.B, Win32.Worm.Mac.Opener.A, Win32.Worm.Mac.Opener.G, Win32.Worm.Mac.W97.Vmpc.G, Win32.Worm.Osx.Niqtana.A, Worm.MAC.Autostart.A, Worm.MAC.Autostart.B,, Worm.MAC.Autostart.D, Worm.MAC.Autostart.E, Worm.MAC.Autostart.F, Worm.MAC.Autostart.H, Worm.MAC.Leap.A, Worm.MAC.Opener.A, Worm.MAC.Opener.B, Worm.MAC.Opener.C, Worm.MAC.Opener.D, Worm.MAC.Opener.E, Worm.MAC.Opener.G, Worm.MAC.Opener.H,,, Worm.MAC.Opener.I, Worm.Mac.Opener.J, Worm.MAC.Opener.K, Worm.MAC.Opener.L, Worm.MAC.Opener.M, Worm.MAC.Opener.O, Worm.MAC.Opener.P, Worm.Macos.Autostart.A, Worm.Macos.Macmag.A, Worm.Macos.Macmag.B, Worm.Macos.Macmag.C, Worm.Macos.Tetricyrcle.A, Worm.OSX.Inqtana.A
Mac users warned of growing virus threat
Now up to 500 threats per month, says security vendor
Attacks on the Mac are now significant enough to warrant Apple users investing in an anti-virus product, security company Panda Security said as it launched a new product that offers such protection.
Marketing spin to harvest the Apple economy or justified caution? Panda points to the numbers. There are now 5,000 ‘strains’ of malware that target the Mac and the company says it is seeing 500 new Mac-specific samples appearing every month.
In 2009, 34 vulnerabilities were detected in Apple’s OS X, which had risen to 175 so far for 2010, with a 20-year total of 170,000 macros ‘viruses’ affecting the platform.
To be clear, such security threats relate only to Apple desktop and laptop computers and not iPads of iPhones, which are only vulnerable if they have been ‘jailbroken’ or if, somehow, a rogue app breaks through the approval process.
Security companies eyeing the affluent Apple users is nothing new and every notable antivirus company now has a Mac product, driven in part by the somewhat larger user base in the US.
Questions remain about the scale of the threat, however.
Relative to Windows, the comparison is no contest. New Windows malware threats outnumber Apple ones by between 100-1 and 500-1 depending on who you ask, and that ignores the vastly greater sophistication they exhibit.
Many of the software vulnerabilities Panda notes were cross-platform browser flaws, and not specific to the Mac. As to the 170,000 macro viruses, while threatening in a general sense, such malware is so obsolete on the PC that vendors don’t even bother to count them.
The argument rests on the number of new malware threats now being seen and their complexity. So far, the evidence suggests that while the odd Trojan is now appearing, Mac malware is still a low-key threat.
“We have always held the theory that when Apple reaches a more significant market share, around 15 percent worldwide (which given its current rapid growth will be achieved shortly), hackers will begin to target attacks against this platform,” claimed Panda vice president, Ivan Fermon.
“We would even say that today, the Windows operating system is more secure than Mac, simply because Microsoft has been working proactively on security for many years,” he added.
There are few reliable figures about Apple’s market share and those that do exist tend to relate only to the US and the consumer market. With desktop computers waning in significance, the chances of Apple taking 15 percent of sales seems extremely remote. This scale matters because it is what drives criminal interest.
Given the small but plausible nature of the threat, there is an argument that Apple itself should offer a security program as part of its offering, instead of leaving it up to third parties. It’s what Microsoft ended up doing, retro-fitting a firewall to XP and more recently giving away a free antivirus program, Security Essentials.
Ironically, the reason Microsoft avoided doing such a thing in the first place was worry over anti-trust probes which would have viewed such a move as anti-competitive. This free-market ethos woefully misunderstood the nature of the threat and the world is still cleaning up the mess today.
For the record, Panda antivirus for Mac offers realtime protection, file scanning and the ability to probe iPhones and iPads to ensure they are not harbouring malware even if that malware can’t hurt those devices.
Panda also points out that antivirus products on Macs stop Windows malware being passed on (as attachments) to PC users although it seems unlikely many people will want to buy protection for other users who probably have their own security anway.
Mac users interested in Panda Security for Mac can buy a one-year licence for the software for £42 (approx $66). This is higher than a Windows user would pay for equivalent protection but that is the case with all Mac software. Development costs are higher for a smaller number of users.
Attacks on the Mac are now significant enough to warrant Apple users investing in an anti-virus product, security company Panda Security said as it launched a new product that offers such protection.
Marketing spin to harvest the Apple economy or justified caution? Panda points to the numbers. There are now 5,000 ‘strains’ of malware that target the Mac and the company says it is seeing 500 new Mac-specific samples appearing every month.
In 2009, 34 vulnerabilities were detected in Apple’s OS X, which had risen to 175 so far for 2010, with a 20-year total of 170,000 macros ‘viruses’ affecting the platform.
To be clear, such security threats relate only to Apple desktop and laptop computers and not iPads of iPhones, which are only vulnerable if they have been ‘jailbroken’ or if, somehow, a rogue app breaks through the approval process.
Security companies eyeing the affluent Apple users is nothing new and every notable antivirus company now has a Mac product, driven in part by the somewhat larger user base in the US.
Questions remain about the scale of the threat, however.
Relative to Windows, the comparison is no contest. New Windows malware threats outnumber Apple ones by between 100-1 and 500-1 depending on who you ask, and that ignores the vastly greater sophistication they exhibit.
Many of the software vulnerabilities Panda notes were cross-platform browser flaws, and not specific to the Mac. As to the 170,000 macro viruses, while threatening in a general sense, such malware is so obsolete on the PC that vendors don’t even bother to count them.
The argument rests on the number of new malware threats now being seen and their complexity. So far, the evidence suggests that while the odd Trojan is now appearing, Mac malware is still a low-key threat.
“We have always held the theory that when Apple reaches a more significant market share, around 15 percent worldwide (which given its current rapid growth will be achieved shortly), hackers will begin to target attacks against this platform,” claimed Panda vice president, Ivan Fermon.
“We would even say that today, the Windows operating system is more secure than Mac, simply because Microsoft has been working proactively on security for many years,” he added.
There are few reliable figures about Apple’s market share and those that do exist tend to relate only to the US and the consumer market. With desktop computers waning in significance, the chances of Apple taking 15 percent of sales seems extremely remote. This scale matters because it is what drives criminal interest.
Given the small but plausible nature of the threat, there is an argument that Apple itself should offer a security program as part of its offering, instead of leaving it up to third parties. It’s what Microsoft ended up doing, retro-fitting a firewall to XP and more recently giving away a free antivirus program, Security Essentials.
Ironically, the reason Microsoft avoided doing such a thing in the first place was worry over anti-trust probes which would have viewed such a move as anti-competitive. This free-market ethos woefully misunderstood the nature of the threat and the world is still cleaning up the mess today.
For the record, Panda antivirus for Mac offers realtime protection, file scanning and the ability to probe iPhones and iPads to ensure they are not harbouring malware even if that malware can’t hurt those devices.
Panda also points out that antivirus products on Macs stop Windows malware being passed on (as attachments) to PC users although it seems unlikely many people will want to buy protection for other users who probably have their own security anway.
Mac users interested in Panda Security for Mac can buy a one-year licence for the software for £42 (approx $66). This is higher than a Windows user would pay for equivalent protection but that is the case with all Mac software. Development costs are higher for a smaller number of users.
Friday, 14 May 2010
Discount Antivirus Day!
iRemove Discount Antivirus Day.
For more available deals please contact us
United States - Norton AntiVirus 11 for Mac - 10% off Coupon Offer Expires 07/10/10
Coupon Code: 10NAVMAC08
********************************
10% off Site Wide Offer Expires 07/10/10
Coupon Code: 10%OFF09
********************************
Students Save 50% off Norton AntiVirus 2010 and Norton AntiVirus 11 for Mac Offer Expires 10/07/10
Coupon Code: No Coupon needed
********************************
10% off Norton AntiVirus 2010 Offer Expires 07/13/10
Coupon Code: 15%OFFNAV10
********************************
UK - 10% Off - Internet Security 2010 - SC Link Offer Expires 12/31/10
Coupon Code: trendtis
********************************
US - Internet Security 2010 - 10% Off - Product Page Link Offer Expires 07/10/10
Coupon Code: trendsecurity
********************************
US - AntiVirus plus AntiSpyware 2010 - 10% Off - Product Page Page Offer Expires 07/10/10
Coupon Code: trendtav
********************************
US - AntiVirus plus AntiSpyware 2010 - 10% Off - Shopping Cart Link Offer Expires 07/10/10
Coupon Code: trendtav
********************************
NL - 10% Off - Internet Security Pro 2010 - SC Link Offer Expires 12/31/10
Coupon Code: trendpro
********************************
US - Smart Surfing for Mac - 10% Off - Shopping Cart Link Offer Expires 07/10/10
Coupon Code: trendmac
********************************
Use this coupon and save 10% on Kaspersky Internet Security(excludes 1PC, 1YR) Offer Expires 12/20/11
Coupon Code: KIS10%
********************************
Save on your purchase of Kaspersky Anti-Virus 2010 (Excludes 1PC, 1YR) Offer Expires 12/04/10
Coupon Code: KAV10
********************************
Receive 10% off on a one-year license (Excludes 1PC, 1YR) Offer Expires 12/04/10
Coupon Code: No Code Needed!
********************************
NEW PROMOTION - Kaspersky UK are offering a massive 10% off discount on their top selling security products: Kaspersky Anti-Virus 2010 and Kaspersky Internet Security 2010. Get 10% off now with coupon code KASUK10%OFF Offer Expires 08/10/10
Coupon Code: KASUK10%OFF
********************************
10% off Spyware Doctor Offer Expires 05/30/10
Coupon Code: pctools10
********************************
10% off Spyware Doctor with AntiVirus Offer Expires 05/30/10
Coupon Code: pctools10
********************************
10% off Registry Mechanic Offer Expires 05/30/10
Coupon Code: pctools10
********************************
10% off PC Tools Internet Security Offer Expires 05/30/10
Coupon Code: pctools10
********************************
25% off Norman Security Suite. Coupon 25OFFNSSUS Offer Expires 10/10/11
Coupon Code: 25OFFNSSUS.
********************************
25% off Norman Security Suite. Coupon 25OFFNSSGB Offer Expires 10/10/11
Coupon Code: 25OFFNSSGB.
********************************
avast! NEW PRODUCT PROMOTION : 10% off avast! Internet Security. Click here.Click here. Offer Expires 06/10/10
Coupon Code: DISCOUNTED LINK
********************************
avast! NEW PRODUCT PROMOTION : 10% off avast! Internet Security. Click here. Offer Expires 06/10/10
Coupon Code: DISCOUNTED LINK
For more available deals please contact us
United States - Norton AntiVirus 11 for Mac - 10% off Coupon Offer Expires 07/10/10
Coupon Code: 10NAVMAC08
********************************
10% off Site Wide Offer Expires 07/10/10
Coupon Code: 10%OFF09
********************************
Students Save 50% off Norton AntiVirus 2010 and Norton AntiVirus 11 for Mac Offer Expires 10/07/10
Coupon Code: No Coupon needed
********************************
10% off Norton AntiVirus 2010 Offer Expires 07/13/10
Coupon Code: 15%OFFNAV10
********************************
UK - 10% Off - Internet Security 2010 - SC Link Offer Expires 12/31/10
Coupon Code: trendtis
********************************
US - Internet Security 2010 - 10% Off - Product Page Link Offer Expires 07/10/10
Coupon Code: trendsecurity
********************************
US - AntiVirus plus AntiSpyware 2010 - 10% Off - Product Page Page Offer Expires 07/10/10
Coupon Code: trendtav
********************************
US - AntiVirus plus AntiSpyware 2010 - 10% Off - Shopping Cart Link Offer Expires 07/10/10
Coupon Code: trendtav
********************************
NL - 10% Off - Internet Security Pro 2010 - SC Link Offer Expires 12/31/10
Coupon Code: trendpro
********************************
US - Smart Surfing for Mac - 10% Off - Shopping Cart Link Offer Expires 07/10/10
Coupon Code: trendmac
********************************
Use this coupon and save 10% on Kaspersky Internet Security(excludes 1PC, 1YR) Offer Expires 12/20/11
Coupon Code: KIS10%
********************************
Save on your purchase of Kaspersky Anti-Virus 2010 (Excludes 1PC, 1YR) Offer Expires 12/04/10
Coupon Code: KAV10
********************************
Receive 10% off on a one-year license (Excludes 1PC, 1YR) Offer Expires 12/04/10
Coupon Code: No Code Needed!
********************************
NEW PROMOTION - Kaspersky UK are offering a massive 10% off discount on their top selling security products: Kaspersky Anti-Virus 2010 and Kaspersky Internet Security 2010. Get 10% off now with coupon code KASUK10%OFF Offer Expires 08/10/10
Coupon Code: KASUK10%OFF
********************************
10% off Spyware Doctor Offer Expires 05/30/10
Coupon Code: pctools10
********************************
10% off Spyware Doctor with AntiVirus Offer Expires 05/30/10
Coupon Code: pctools10
********************************
10% off Registry Mechanic Offer Expires 05/30/10
Coupon Code: pctools10
********************************
10% off PC Tools Internet Security Offer Expires 05/30/10
Coupon Code: pctools10
********************************
25% off Norman Security Suite. Coupon 25OFFNSSUS Offer Expires 10/10/11
Coupon Code: 25OFFNSSUS.
********************************
25% off Norman Security Suite. Coupon 25OFFNSSGB Offer Expires 10/10/11
Coupon Code: 25OFFNSSGB.
********************************
avast! NEW PRODUCT PROMOTION : 10% off avast! Internet Security. Click here.Click here. Offer Expires 06/10/10
Coupon Code: DISCOUNTED LINK
********************************
avast! NEW PRODUCT PROMOTION : 10% off avast! Internet Security. Click here. Offer Expires 06/10/10
Coupon Code: DISCOUNTED LINK
Twitter-controlled botnets come to the unwashed masses
By Dan Goodin in San Francisco
The Register
13th May 2010
A security researcher has unearthed a tool that simplifies the process of building bot armies that take their marching orders from specially created Twitter accounts.
TwitterNet Builder offers script kiddies a point-type-and-click interface that forces infected PCs to take commands from a Twitter account under the control of attackers. Bot herders can then force the zombies to carry out denial-of-service attacks or silently download and install software with the ease of their Twitter-connected smartphones.
"All in all, a very slick tool and no doubt script kiddies everywhere are salivating over the prospect of hitting a website with a DDoS from their mobile phones," Christopher Boyd, a researcher with anti-virus provider Sunbelt Software, writes here.
Alas, TwitterNet Builder requires accounts to be public, so spotting people who use the software is fairly straightforward. A quick search revealed accounts here, here and here that appeared to be using the DIY kit, although it appeared these might be harmless demonstrations rather than brazen attacks.
The Register
13th May 2010
A security researcher has unearthed a tool that simplifies the process of building bot armies that take their marching orders from specially created Twitter accounts.
TwitterNet Builder offers script kiddies a point-type-and-click interface that forces infected PCs to take commands from a Twitter account under the control of attackers. Bot herders can then force the zombies to carry out denial-of-service attacks or silently download and install software with the ease of their Twitter-connected smartphones.
"All in all, a very slick tool and no doubt script kiddies everywhere are salivating over the prospect of hitting a website with a DDoS from their mobile phones," Christopher Boyd, a researcher with anti-virus provider Sunbelt Software, writes here.
Alas, TwitterNet Builder requires accounts to be public, so spotting people who use the software is fairly straightforward. A quick search revealed accounts here, here and here that appeared to be using the DIY kit, although it appeared these might be harmless demonstrations rather than brazen attacks.
Twitter-controlled botnets
Twitter®-Controlled Botnet SDK At Large
Date: 05/14/2010
Author: Bogdan Botezatu
Coordinated DDOS attacks now at hand via mobile phone
Huge armies of zombified computers unanimously executing the commands sent by their master – that’s what comes in the mind of a computer user at the sound of the word “botnet”. Fortunately enough, writing a bot is an extremely tedious task that takes a lot of in-depth programming knowledge, so not everyone can become a botmaster overnight, despite the obvious financial advantages.
BitDefender has released an emergency update to protect against a potential pandemic caused by the emergence of a botnet self-development kit controllable via the popular social media service Twitter®. In order to create their custom bot, an attacker only has to launch the SDK, enter a Twitter username that would act as a command & control center and modify the resulting bot’s name and icon to suit their distribution method.
The newly-created bot will constantly interrogate the specified Twitter® profile (available at http://www.http://www.twitter.com/userprofile for posts resembling specially-crafted commands. In order to avoid confusion, all of the six supported commands have to start with a period:
- The .VISIT command accepts two parameters separated by the * sign, as follows: .VISIT*URL*1 or .VISIT*URL*0. The command would make the bot visit a web page specified in the URL parameter. The latter parameter tells the bot whether to visit the URL in a visible (1) or an invisible (0) window.
- The .SAY command only takes one parameter and would initialize the Microsoft Text-To-Speech Engine to read the specific parameter. Example: .SAY*Something to say.
- The .DOWNLOAD command takes a URL as the first parameter and either 0 or 1 as the second one: .DOWNLOAD*URL/somefile.exe*0 or .DOWNLOAD*URL/somefile.exe*1. The URL tells the bot where to take the file from, while the numeric parameter tells is if the file should be executed or not when download completes.
- The .DDOS*IP*PORT command would trigger an UDP flood attack against the indicated IP on the specified port number (be it computer, router or server), thus taking the criminal game to a whole new level of aggression.
- .STOP ensures that the bots eventually stop the repetitive actions such as visiting web resources or hammering an IP to cause a DDOS condition, and return to a “listening” state.
- The .REMOVEALL command tells the bots to disconnect from the Twitter account and stay dormant until the next restart. This command practically eliminates all traffic between the bot and the Web, thus making it less “visible” to network packet monitoring tools such as Wireshark®.
This is, undoubtedly, one of the first attempts at creating an automated bot creation tool to be used in conjunction with a Twitter C&C. However, the overall mood of the TwitterNET Builder, as it is called, is experimental: the creator didn’t spend too much to protect the generated bots from reverse engineering or from detection and termination, but this flaw doesn’t make them less dangerous for the average computer user.
One thing to bear in mind though: a closer look into the file reveals that the wannabe botmaster is not the only one controlling the network. There is a secondary hardcoded Twitter account name called @Korrupt that may pass commands to any bot generated with the tool, regardless of the C & C account specified by the bot’s creator. However, at the moment, this account does not reveal any traces of criminal activity.
And even if coordinating a botnet via a Twitter profile has its specific drawbacks (this is a single point-of-failure C&C – once the Twitter account is deleted for abuse, the entire botnet would fall apart the next second), it also has its advantages – a botmaster can unleash a large-scale malware pandemic (by silently downloading and executing malware to all the zombie systems) or a DDOS attack by simply tweeting a single line of text from a mobile phone.
In order to protect customers, BitDefender has added detection for Trojan.TweetBot.A and released a free removal tool available here http://www.malwarecity.com/files/Anti-TweetBot-EN.rar
Monday, 10 May 2010
10% off Kaspersky Internet Security 2010
10% off Kaspersky Internet Security 2010 - Everything you Need for a Safe and Secure Internet Experience Offer Expires 08/09/10
Coupon Code: KASUK10%OFF
KHOBE – 8.0 earthquake for Windows desktop security software
KHOBE – 8.0 earthquake for Windows desktop security software
Published: 2010/05/05Last updates: 2010/05/10 – Information about related work added
2010/05/09 – ThreatFire 4.7.0.17 added to the table of vulnerable software
2010/05/07 – paragraph about which platforms are affected added to Final observations and notes
In September 2007, we have published an article about a great disease that affected tens of Windows security products. The article called Plague in (security) software drivers revealed awful quality of kernel mode drivers installed by all the major desktop security products for Windows. The revealed problems could cause random system crashes, freezes and in some cases more severe security issues.
Today, we reveal even more serious problem of the Windows desktop security products that can be exploited to bypass a big portion of security features implemented by the affected products. The protection implemented by kernel mode drivers of today's security products can be bypassed effectively by a code running on an unprivileged user account. If you ever heard of SSDT hooks or similar techniques to implement various security features such as products' self-defense, we will show you how to bypass the protection easily.
Contents:
- Introduction
- The goal of this paper
- Original research
- Why are user mode hooks insecure
- SSDT hooking
- The problem
- Argument-switch attack to bypass checks of security software
- Combined attack
- Table of vulnerable software
- Final observations and notes
- Related work
- Summary
Introduction
The task of today's security software is to protect computers against malware and hacker attacks. This kind of application is generally very complex because it is trying to protect its users against threats of various kind. The security software use signatures and heuristic to detect known viruses, rootkis and trojan horses.Malware writers are skilled enough to write malicious software that bypasses these detection techniques. To close this hole, modern security solutions implement HIPS and other forms of behavior control and blocking.
Because there were not many documented interfaces and APIs in the past which allowed to monitor and filter applications' activity in the system, many software vendors decided to make direct modifications to the user and kernel code and data structures. These modifications are often called as hooks. Today's security software often use tens of them to implement their security features.
Kernel mode hook implementation in security applications were subject of our research in 2007. This research showed that most of security software vendors implemented their kernel hooks very poorly and their applications were creating another holes into the operating system instead of protecting it. A special tool, BSODhook, was developed to find these vulnerabilities automatically. You can read more details about the research in Plague in (security) software drivers.
After we disclosed the results of our previous research, many vendors fixed the bogus implementation of their kernel mode hooks in reaction to the great publicity. This approach is required again because without the pressure from the media, it seems that many vendors are (again) absolutely uninterested in security holes in their software.
The goal of this paper
Most of security software perform their hooking on several well-known places. Some still base their protection mostly on user mode hooks which are, as reminded later in this document, faulty by design. Many vendors decided to alter the kernel part of system call mechanism implementation. They modify contents of System Service Descriptor Table (SSDT), which is often referred SSDT hooking. Other use different kind of kernel hooks for example by modifying the kernel code directly.The main goal of this paper is to present an attack technique, called the argument-switch attack or KHOBE attack, that allows malicious code to bypass protection mechanisms of security applications. The attack is effective against user mode and kernel mode hooks. Because user mode hooks can be bypassed by simpler techniques, we focus on kernel mode hooks bypassing only. In the further text we demonstrate the attack techniques on SSDT hooks, which are the most common kernel hooks in today's security software. However, the attack techniques need no change to succeed against the other kinds of vulnerable kernel or user mode hooks.
For testing purposes, we have developed an engine called KHOBE (Kernel HOok Bypassing Engine) which simplifies writing of the exploits. With KHOBE we were able, in relatively short time, to verify that the presented vulnerability is an issue for many known security products on the market.
Original research
The research devoted to the problems we present in this article started in August 2008. Ten weeks later we finished it having a full documentation of the problem structured to three separate documents:- The documentation of the problem and explanations of its aspects on examples of vulnerable implementations.
- The documentation of possible solutions – how to implement all the requested functionality safely.
- The documentation of KHOBE, the code library that can be used for fast and easy creation of exploits against the vulnerable implementations. This part was supported by various proof of concept exploits based on KHOBE.
Why are user mode hooks insecure
Applications communicate with the operating system kernel through functions exported by various dynamic link libraries of Windows API, such as kernel32.dll, user32.dll, advapi32.dll and ntdll.dll. These routines usually transmit execution flow to the lower layer of the interface libraries. The layer on the bottom, represented by ntdll.dll (and partially user32.dll and gdi32.dll), uses special instruction, such as INT 0x2E, SYSENTER or SYSCALL, to call the kernel.Various security applications place their hooks on the beginning of Windows API routines to stop malicious code working. However, all dynamic link libraries belonging to Windows API reside in the user mode portion of process' address space, hence the application code might avoid calling them which effectively bypasses hooks made by security software. If the application needs to communicate with the kernel, it can use the system call instruction directly. And this action cannot be caught or prevented by any type of user mode hooking.
SSDT hooking
System Service Descriptor Tables belong to the kernel mode part of system call interface implementation. They contain addresses of routines (referenced also as system services) that user mode code can invoke indirectly as a result of the special system call instruction. Through SSDTs, one can control every useful transition from user mode to kernel mode. That is why they seem to be so suitable for implementation of real time protection and self-defense.Security software often modifies addresses stored in the tables to point to its own routines, called hook functions or hook handlers. These routines perform various checks to find out whether the call endangers the system or might be a threat to the security application itself. In these cases, the hook handler blocks the call or asks user what to do. If the hook routine considers the call as safe, it invokes original system service with same parameters it got from the user mode application. This must be done without changing the context of the call. Everything must be transparent to the original system service which expects no installed hooks.
The following code snippet shows a sample hook handler for NtLoadDriver system service. The handler attempts to block every attempt to load driver which service name is "SampleDriver".
00 NTSTATUS
NewNtLoadDriver(IN
PUNICODE_STRING DriverServiceName)
01 {
02
NTSTATUS status=STATUS_SUCCESS;
03
06 WCHAR *buffer=NULL;
07
08 __try
09 {
0C
SIZE_T name_len=DriverServiceName->Length/sizeof(WCHAR);
0F
SIZET_T buf_len=(name_len+1)*sizeof(WCHAR);
10
buffer=(WCHAR*)ExAllocatePoolWithTag(NonPagedPool,buf_len,POOL_TAG);
11 if (buffer)
12 {
13
RtlZeroMemory(buffer,buf_len);
16
WCHAR *drv_name=wcsrchr(buffer,L"\\");
17
if (drv_name) drv_name++;
18
else
drv_name=buffer;
19
1A
SIZE_T drv_len=wcslen(drv_name);
1B
1C
PWSTR pattern=L"SampleDriver";
1D
SIZE_T pat_len=wcslen(pattern);
1E
1F
if (pat_len==drv_len)
20
{
21
UNICODE_STRING pattern_name;
22
RtlInitUnicodeString(&pattern_name,pattern);
23
24
UNICODE_STRING driver_name;
25
RtlInitUnicodeString(&driver_name,drv_name);
26
2A } else status=STATUS_INSUFFICIENT_RESOURCES;
2B } __except (EXCEPTION_EXECUTE_HANDLER)
2C {
2F
30 if (buffer)
31
ExFreePoolWithTag(buffer);
32
33 if (!NT_SUCCESS(status))
34
return
status;
35 }
36
Example 1: Vulnerable NtLoadDriver hook handler. Firstly, the hook handler routine determines the origin of the call (line 04). Filtering is applied only to calls coming from user mode. SSDT hooks are not very suitable for protection against kernel mode threats and hence passing calls that come from kernel mode is very common in hooking drivers. Then, the routine jumps to the try/except block where the verification of the parameter is made. NewNtLoadDriver(IN
PUNICODE_STRING DriverServiceName)
01 {
02
NTSTATUS status=STATUS_SUCCESS;
03
04 if (KeGetPreviousMode()!=KernelMode)
05 {06 WCHAR *buffer=NULL;
07
08 __try
09 {
0A
ProbeForRead(DriverServiceName,sizeof(UNICODE_STRING),1);
0BProbeForRead(DriverServiceName,sizeof(UNICODE_STRING),1);
0C
SIZE_T name_len=DriverServiceName->Length/sizeof(WCHAR);
0D
ProbeForRead(DriverServiceName->Buffer,name_len*sizeof(WCHAR),2);
0EProbeForRead(DriverServiceName->Buffer,name_len*sizeof(WCHAR),2);
0F
SIZET_T buf_len=(name_len+1)*sizeof(WCHAR);
10
buffer=(WCHAR*)ExAllocatePoolWithTag(NonPagedPool,buf_len,POOL_TAG);
11 if (buffer)
12 {
13
RtlZeroMemory(buffer,buf_len);
14
RtlCopyMemory(buffer,DriverServiceName->buffer,name_len*sizeof(WCHAR));
15RtlCopyMemory(buffer,DriverServiceName->buffer,name_len*sizeof(WCHAR));
16
WCHAR *drv_name=wcsrchr(buffer,L"\\");
17
if (drv_name) drv_name++;
18
else
drv_name=buffer;
19
1A
SIZE_T drv_len=wcslen(drv_name);
1B
1C
PWSTR pattern=L"SampleDriver";
1D
SIZE_T pat_len=wcslen(pattern);
1E
1F
if (pat_len==drv_len)
20
{
21
UNICODE_STRING pattern_name;
22
RtlInitUnicodeString(&pattern_name,pattern);
23
24
UNICODE_STRING driver_name;
25
RtlInitUnicodeString(&driver_name,drv_name);
26
27 if (RtlCompareUnicodeString(&pattern_name,&driver_name,TRUE)==0)
28
status=STATUS_ACCESS_DENIED;
29 }28
status=STATUS_ACCESS_DENIED;
2A } else status=STATUS_INSUFFICIENT_RESOURCES;
2B } __except (EXCEPTION_EXECUTE_HANDLER)
2C {
2D
status=STATUS_INVALID_PARAMETER;
2E }status=STATUS_INVALID_PARAMETER;
2F
30 if (buffer)
31
ExFreePoolWithTag(buffer);
32
33 if (!NT_SUCCESS(status))
34
return
status;
35 }
36
37 status=OldNtLoadDriver(DriverServiceName);
3839 return status;
3A }The hook routine uses ProbeForRead function (lines 0A and 0D) to verify that the address of the UNICODE_STRING parameter DriverServiceName, and the address specified in the Buffer member of the structure, are pointing to user mode memory. If the application passed kernel mode address to the NtLoadDriver system call, ProbeForRead raises exception which the hook handler catches by the try/except block and indicates by setting status code to STATUS_INVALID_PARAMETER on line 2D.
If no exception occurs, the hook handler copies the name of the driver service registry key to the kernel memory and compares it with the "SampleDriver" string, which stands for malicious driver service, that should be blocked from loading. The try/except block catches all exceptions that can be raised during copying of the DriverServiceName structure, which might happen when the application specified address in user mode which points to invalid memory region. You can read more about checking parameters of various types in Plague in (security) software drivers.
The comparison of unicode strings is made on line 27. If the handler discovers that the application is attempting to load the malicious "SampleDriver" driver, it blocks the call by setting status code to STATUS_ACCESS_DENIED on line 28.
If the call originates from kernel mode or the verification finishes successfully, the hook handler invokes the original system service and passes the original DriverServiceName pointer as its argument (line 37). Then it returns status code of the call (line 39). Passing original values of parameters to the system service is very important because its code will also check their validity using try/except block and ProbeForRead function. The hook handler must behave in a way that does not impact the execution flow of the original function.
The problem
The code of system services runs on IRQL PASSIVE_LEVEL which also applies to their hook handlers. Code running at this level can access pageable memory and, when the scheduler decides, might be preempted by another thread. And the scheduler plays the key role in the argument-switch attack.The hook handler might be preempted at every moment of its execution. Imagine that the context switch occurs just before the line 37 is about to be executed. At this point, all security checks are done and the hook handler is about to invoke the original system service. Before the scheduler switches back to the hook handler, many threads might use the processor for some time, including other threads of the application that called NtLoadDriver.
If another thread of the application is scheduled onto the processor, it might theoretically change the driver service name passed to the NtLoadDriver call because the whole string lies in user mode portion of address space. The execution of hook handler had advanced too far to detect this modification and perform additional checks to stop malicious driver from loading. When the scheduler switch thread context back to the thread executing the hook handler, the original system service is invoked and might load driver which name was not subject of any security check made by the security software. And this is exactly how the argument-switch attack works.
Things get more simple on multiprocessor systems where two or more threads of the same application might run really simultaneously and the context switch at the crucial moment is not really needed. Today, multiprocessors or multi-core processors are very common hardware in desktop computers.
In the following sections, the thread that invokes the system service will be called the attacker thread and one that attempts to modify the parameters in order to bypass security checks will be referenced as the faker thread. Surprisingly, the attacking technique may be implemented even if the attacker thread runs in different process than the faker thread. In further text, however, we limit our thoughts to a single attacking process only.
Argument-switch attack to bypass checks of security software
As shown in the previous section, the idea of the argument-switch attack is quite simple. The attacker calls the system service with values of parameters that will certainly pass the checks made during the execution of services' hook handlers. When the faker thread gets its time slice, it tampers the contents of the parameters to values that would never pass the checks of the hook handler. If the tampering operation occurs after the security checks are done but before the original service, which does the main work, is called, the attack is successful.So, one of the remaining questions is, which types of parameters can be faked and how to achieve it. Generally speaking, there are three types of arguments passed to system services:
- integer values, boolean values, bit masks (access mask, flags etc.) and other unstructured arguments;
- pointers to flat buffers or more complex structures such as UNICODE_STRING or OBJECT_ATTRIBUTES;
- handles to kernel objects.
The idea of faking pointers was described for the example code of NewNtLoadDriver function in the previous sections. The faker thread cannot modify the value of the pointer, because it is copied to the kernel stack, hence not accessible from user space. However, the pointer refers to a region in the user memory and contents of this region can be changed. If the change occurs in the right time (after the security check but before the execution of the original system service), the hook is bypassed.
The situation with handles is more difficult. Again, the value of the handle itself can not be changed because it is copied to the kernel stack. What we can do, however, is to change the actual meaning of the handle value. We will describe the attack on the example of sample NtTerminateProcess hook. The handle type can be understood as a special type of pointer (handles refer to kernel objects like pointers do to memory regions), so one can conclude that the attack on handle arguments will have much in common with tampering pointers.
Consider the following implementation of NtTerminateProcess hook handler. We assume that the security software allows us to get handle with PROCESS_TERMINATE flag to the protected process and that the level of defense lies only in this NtTerminateProcess hook which blocks attempts to terminate process with PID saved in protected_process_id variable.
00 NTSTATUS
NewNtTerminateProcess(IN HANDLE ProcessHandle, IN NTSTATUS ExitStatus)
01 {
02
NTSTATUS status=STATUS_SUCCESS;
03
06
PROCESS_BASIC_INFORMATION info;
09 {
0A ULONG pid=info.UniqueProcessId;
0E }
0F
10 if (NT_SUCCESS(status))
13 return status;
14 }
Example 2: Vulnerable NtTerminateProcess hook handler. Unlike the NtLoadDriver hook example, validating of parameters does not require any probing or copying, actions that must be performed within try/except block. There is no need to check ExitStatus argument, because every value is valid as the process exit code, and the most of the required handle checking (ProcessHandle parameter) is performed in ZwQueryInformationProcess call. The hook handler only checks the origin of the call and whether the handle could be valid or does not point directly to current process. This validation is performed on line 04. NewNtTerminateProcess(IN HANDLE ProcessHandle, IN NTSTATUS ExitStatus)
01 {
02
NTSTATUS status=STATUS_SUCCESS;
03
04 if (ProcessHandle && (ProcessHandle!=NtCurrentProcess) && (KeGetPreviousMode()!=KernelMode))
05 {06
PROCESS_BASIC_INFORMATION info;
07 status=ZwQueryInformationProcess(ProcessHandle,ProcessBasicInformation,&info,sizeof(info),NULL);
08 if (NT_SUCCESS(status))09 {
0A ULONG pid=info.UniqueProcessId;
0B if (pid==protected_process_id)
0C status=STATUS_ACCESS_DENIED;
0D }0E }
0F
10 if (NT_SUCCESS(status))
11 status=OldNtTerminateProcess(ProcessHandle,ExitStatus);
1213 return status;
14 }
If the handle seems to be valid and the call comes from user mode, the hook handler routine tries to find out which process the handle belongs to. Basic information, which includes PID of the target process, is retrieved on line 07 via call to ZwQueryInformationProcess. This routine filters out handles of bad type or entirely invalid.
The final check is made on line 0B where the PID of the target process is compared to PID of the process protected by the security software. In case of equality, the return status code is changed to "access denied" (line 0C) and the original handler is not invoked. Otherwise, the original system service is called (line 11). It is left for the original service code to verify that the handle was opened with PROCESS_TERMINATE access right, which is required for terminating the process via this service call.
Similarly to the NtLoadDriver example, the success of the attack depends whether the faker thread is able to alter the meaning of the ProcessHandle parameter when the attacker thread is executing lines from 08 to 10, i.e. after the check of PID, but before the execution of the original code. It seems that there is not much space for the attack, but in fact even the first instructions of the function called on line 11 can be executed. All instructions in the original function prior the handle value passed in ProcessHandle is dereferenced can be executed without affecting the result of the attack. Moreover, it should be noted that unlike our sample hook handler, hook handlers in security products are usually very complex and there are many instructions to be executed between the security check and the original function call.
The faker thread can not change the value of the ProcessHandle parameter, because it is pushed onto the kernel stack before the hook handler is executed. However, it can change the meaning. This is analogous to pointers – it is not possible to change their values but it is possible to change the memory region they point to. Changing meaning of a handle is just a bit more difficult than changing the contents of memory region.
The faker thread must destroy the handle passed by the attacker to the system call. This operation must be performed after the hook handler successfully returns from ZwQueryInformationProcess call, but before the original NtTerminateProcess is executed. Then the faker thread opens a handle to the protected process with PROCESS_TERMINATE access right (which will be allowed by security software due to our assumptions made in the beginning). If we are lucky, the new handle will have the same value as the closed one. In case the new handle is created before the attack thread reaches line 11 and invokes original NtTerminateProcess, the attack succeeds and the protected process is terminated. This sounds like a very unlikely thing to happen, but with a good implementation, such as KHOBE, it is possible to effectively, i.e. in real time, attack pointer arguments as well as handle arguments.
Combined attack
The previous sections illustrate how to bypass a single SSDT hook like NtLoadDriver or NtTerminateProcess. However, some security products implement multi-level protection – for example, they hook NtOpenProcess, where all attempts to get handle with PROCESS_TERMINATE access right are blocked. Additionally, NtTerminateProcess is intercepted to block termination attempts of those, who somehow obtained the handle with sufficient access rights.However, even two-level protection is not enough and can be bypassed by slightly modified variant of the argument-switch attack. We will describe its semantics on the protection scheme presented in the previous paragraph. We need one attacker and two faker threads. During the initialization phase, a handle to the current process is opened with access rights that prevent its use for process termination. Then the attacker thread invokes NtTerminateProcess with this handle. This call is intercepted by the NtTerminateProcess hook handler. The hook handler finds out that the handle does not belong to any of the protected processes. Hence, the termination operation is allowed and the original system service is about to be executed.
Now, we need to use the standard argument-switch attack to bypass the hook of NtOpenProcess. If this sub-attack finishes before the attacker is scheduled on the processor again, the attack succeeds and the protected process is terminated.
At this moment, the attack needs scheduler to switch to the first faker thread which closes the handle to our process opened during the initialization phase and tries to call NtOpenProcess with PID of the current process again. The task of the second faker thread is to change the CLIENT_ID argument to point to the protected process just after the NtOpenProcess hook handler invokes the original system service. So the scheme of the sub-attack is similar to the attacks described in previous sections – the first faker thread plays role of the attacker thread and the second one acts as the faker thread.
If the sub-attack successfully finishes before the NtTerminateProcess system service begins its execution and if the handle to the protected process has the same value as the handle opened during the initialization, the combined attack succeeds and the protected process is terminated.
If the single argument-switch attack was seemed to be a very unlikely thing to happen, the combined version seems to be a miracle. Using KHOBE, however, we have proved again that on multiprocessor hardware the combined attack can be performed again in real time, the combined attack needs only few seconds to succeed.
Table of vulnerable software
We have performed tests with today's most Windows desktop security products. The results are presented in table below. The results can be summarized in one sentence: If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100 % of the tested products were found vulnerable. The only reason there are not more products in the following table is our time limitation. Otherwise, the list would be endless.Product name and version | Result |
---|---|
3D EQSecure Professional Edition 4.2 | VULNERABLE |
avast! Internet Security 5.0.462 | VULNERABLE |
AVG Internet Security 9.0.791 | VULNERABLE |
Avira Premium Security Suite 10.0.0.536 | VULNERABLE |
BitDefender Total Security 2010 13.0.20.347 | VULNERABLE |
Blink Professional 4.6.1 | VULNERABLE |
CA Internet Security Suite Plus 2010 6.0.0.272 | VULNERABLE |
Comodo Internet Security Free 4.0.138377.779 | VULNERABLE |
DefenseWall Personal Firewall 3.00 | VULNERABLE |
Dr.Web Security Space Pro 6.0.0.03100 | VULNERABLE |
ESET Smart Security 4.2.35.3 | VULNERABLE |
F-Secure Internet Security 2010 10.00 build 246 | VULNERABLE |
G DATA TotalCare 2010 | VULNERABLE |
Kaspersky Internet Security 2010 9.0.0.736 | VULNERABLE |
KingSoft Personal Firewall 9 Plus 2009.05.07.70 | VULNERABLE |
Malware Defender 2.6.0 | VULNERABLE |
McAfee Total Protection 2010 10.0.580 | VULNERABLE |
Norman Security Suite PRO 8.0 | VULNERABLE |
Norton Internet Security 2010 17.5.0.127 | VULNERABLE |
Online Armor Premium 4.0.0.35 | VULNERABLE |
Online Solutions Security Suite 1.5.14905.0 | VULNERABLE |
Outpost Security Suite Pro 6.7.3.3063.452.0726 | VULNERABLE |
Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION | VULNERABLE |
Panda Internet Security 2010 15.01.00 | VULNERABLE |
PC Tools Firewall Plus 6.0.0.88 | VULNERABLE |
PrivateFirewall 7.0.20.37 | VULNERABLE |
Security Shield 2010 13.0.16.313 | VULNERABLE |
Sophos Endpoint Security and Control 9.0.5 | VULNERABLE |
ThreatFire 4.7.0.17 | VULNERABLE |
Trend Micro Internet Security Pro 2010 17.50.1647.0000 | VULNERABLE |
Vba32 Personal 3.12.12.4 | VULNERABLE |
VIPRE Antivirus Premium 4.0.3272 | VULNERABLE |
VirusBuster Internet Security Suite 3.2 | VULNERABLE |
Webroot Internet Security Essentials 6.1.0.145 | VULNERABLE |
ZoneAlarm Extreme Security 9.1.507.000 | VULNERABLE |
Final observations and notes
The argument-switch attack requires specific behavior from system scheduler which is impossible to ensure from user mode. However, this fact does not affect the strength of the attack too much. If the goal of the attack is to perform the action that the security software always blocks, the attacker and faker threads might try the method many times till they succeed. Our experiments show that in most cases, the attack succeeds after few attempts and sometimes even the first attempt is successful. The number of attempts needed can be radically lowered using smart manipulation of the threads' priorities.The attack pattern described in this document does not, in general, use any feature present only on privileged user accounts. This means, that successful attack might come even from processes running under restricted user account.
We showed how the argument-switch attack works on the example of SSDT hooks. However, this method might be used to exploit other types of hooks as well. It only needs several conditions, which hold in most common implementations of hooks. The attack might function also on hooks, which:
- run on low IRQL with scheduler enabled, this condition theoretically is not needed to be true on multiprocessor systems, where the attacker and the faker threads can run on different processors simultaneously;
- accept handles to kernel objects, or pointers referencing memory in user mode portion of address space;
- perform validity and security checks;
- call original routines with unchanged values of the important arguments.
One might think that installing two security applications will protect against the argument-switch attack. This makes, however, the situation even worse. Imagine that two security applications, A and B, hooked the NtOpenProcess system service. When application tries to open a process, the execution flow is intercepted by the hook handler installed by driver of application B (this application hooked the service when it was hooked already by application A).
If the hook handler of B is not implemented securely against the argument-switch attack, it gives no additional security to hook routine of A. It might even create additional security risk for A. The hook handler of B might call the hook handler of A, but it does not have to; if B calls original system service instead, the function of operating system is not affected (except for performance), but A does not have a chance to perform its security checks.
On the other hand, if B wants to preserve the functionality of the A's hook handler and calls it with original arguments then B's hook handler is vulnerable to the argument-switch attack regardless the implementation of A's hook handler. So, unless A and B are implemented perfectly and can rely on each other's perfection (which is a very strong assumption similar to cooperation of two applications written by competitive vendors), A or B will be vulnerable to the argument-switch attack. This is why installing more than one security product on a single machine is a risk today even if their vendors claim the products to be compatible.
The research was done on Windows XP Service Pack 3 and Windows Vista Service Pack 1 on 32-bit hardware. However, it is valid for all Windows versions including Windows 7. Even the 64-bit platform is not a limitation for the attack. It will work there against all user mode hooks and it will also work against the kernel mode hooks if they are installed, for example after disabling the PatchGuard.
Related work
Checking for Race Conditions in File Accesses by Matt Bishop and Michael Dilger was the first paper that discussed the idea of the attack described in our paper. The authors named the technique TOCTTOU flaw, which stands for time-of-check-to-time-of-use flaw. Later, Andrey Kolishak wrote a paper called TOCTOU with NT System Service Hooking in which he firstly applied the attacking technique against kernel hooks on Windows NT systems. Various papers were published discussing TOCTTOU flaws in applications for UNIX systems.KHOBE was developed independently to TOCTTOU research and any other related work. TOCTTOU papers had minimal media attention and were completely unknown to us prior our disclosure of KHOBE research. And not only to us. TOCTTOU research was unknown to all security software vendors that we have been in contact with, in relation to KHOBE research, which is the obvious reason of why today's Windows security products are still vulnerable to the problem firstly invented in 1996. This means the KHOBE research does not come with the new idea, yet still it is an original research and plays a very important role because the presented techniques are now in the interest of top security companies for the first time. Vendors of Windows security software now attempt to fix the vulnerable hooks.
Our research is also quite innovative. For the first time the attack on Windows systems is presented not only for the pointer-typed arguments but also for input HANDLE-typed arguments, which has not been seen in previous works. Manipulating input HANDLEs greatly extends the power of the attack. The KHOBE research is also the first one to investigate concrete Windows security products.
Summary
This paper presents attack pattern called the argument-switch attack which shows that common implementations of kernel mode hooks are not secure. This attack represents serious threat because many security software vendors base their security features on hooking. We tested the most widely used security applications and found out that all of them are vulnerable. Today's most popular security solutions simply do not work.New attack bypasses virtually all AV protection !!ATTENTION!!
By Dan Goodin in San Francisco
The Register
7th May 2010
Researchers say they've devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.
The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it's executed, swaps it out with a malicious payload.
The exploit has to be timed just right so the benign code isn't switched too soon or too late. But for systems running on multicore processors, matousec's "argument-switch" attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked.
All that's required is that the AV software use SSDT, or System Service Descriptor Table, hooks to modify parts of the OS kernel.
"We have performed tests with [most of] today's Windows desktop security products," the researchers wrote. "The results can be summarized in one sentence: If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100% of the tested products were found vulnerable."
The researchers listed 34 products that they said were susceptible to the attack, but the list was limited by the amount of time they had for testing. "Otherwise, the list would be endless," they said.
The technique works even when Windows is running under an account with limited privileges.
Still, the exploit has its limitations. It requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC.
Still, the technique might be combined with an exploit of another piece of software, say, a vulnerable version of Adobe Reader or Oracle's Java Virtual Machine to install malware without arousing the suspicion of the any AV software the victim was using.
"Realistic scenario: someone uses McAfee or another affected product to secure their desktops," H D Moore, CSO and Chief Architect of the Metasploit project, told The Register in an instant message. "A malware developer abuses this race condition to bypass the system call hooks, allowing the malware to install itself and remove McAfee. In that case, all of the 'protection' offered by the product is basically moot."
A user without administrative rights could also use the attack to kill an installed and running AV, even though only admin accounts should be able to do this, Charlie Miller, principal security analyst at Independent Security Evaluators, said.
Matousec.com's research is here. ®
The Register
7th May 2010
Researchers say they've devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.
The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it's executed, swaps it out with a malicious payload.
The exploit has to be timed just right so the benign code isn't switched too soon or too late. But for systems running on multicore processors, matousec's "argument-switch" attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked.
All that's required is that the AV software use SSDT, or System Service Descriptor Table, hooks to modify parts of the OS kernel.
"We have performed tests with [most of] today's Windows desktop security products," the researchers wrote. "The results can be summarized in one sentence: If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100% of the tested products were found vulnerable."
The researchers listed 34 products that they said were susceptible to the attack, but the list was limited by the amount of time they had for testing. "Otherwise, the list would be endless," they said.
The technique works even when Windows is running under an account with limited privileges.
Still, the exploit has its limitations. It requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC.
Still, the technique might be combined with an exploit of another piece of software, say, a vulnerable version of Adobe Reader or Oracle's Java Virtual Machine to install malware without arousing the suspicion of the any AV software the victim was using.
"Realistic scenario: someone uses McAfee or another affected product to secure their desktops," H D Moore, CSO and Chief Architect of the Metasploit project, told The Register in an instant message. "A malware developer abuses this race condition to bypass the system call hooks, allowing the malware to install itself and remove McAfee. In that case, all of the 'protection' offered by the product is basically moot."
A user without administrative rights could also use the attack to kill an installed and running AV, even though only admin accounts should be able to do this, Charlie Miller, principal security analyst at Independent Security Evaluators, said.
Matousec.com's research is here. ®
Subscribe to:
Posts (Atom)