New paper on using kernel hooking to bypass AV
Matousec has released a new paper (http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php) detailing their proof of concept for using kernel hooking (specifically what they are calling an "argument switch attack") to bypass antivirus software. The concept isn't new, as they acknowledge, but the paper is nicely detailed, and the use of a race condition of sorts to bypass the security checks made when a hooked call is handled is cool. It should be noted that PatchGuard should provide some protection against this attack, though how much is uncertain.
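To make the race concrete, here is an added userland model (not code from the Matousec paper or this diary) of the check-then-use pattern behind the "argument switch attack": a hook validates an argument that still lives in caller-controlled memory, the caller's other thread overwrites it, and the original routine re-reads the swapped value. The policy, path names and function names are hypothetical, and the racing thread is simulated by a callback fired inside the window so the outcome is deterministic; the hardened variant captures the argument once before checking it.

```c
/* Added example: model of a TOCTOU "argument switch" against a hooked call.
 * Everything here is hypothetical; the race is simulated by a callback. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define DENIED_PATH   "C:\\protected\\config.sys"  /* constructed sample policy */
#define HARMLESS_PATH "C:\\temp\\notes.txt"        /* constructed sample input  */
#define PATH_MAX_LEN  260

typedef void (*racer_fn)(char *shared_arg);

/* Hypothetical policy enforced by the hook: block opens of the protected path. */
static bool policy_allows(const char *path) { return strcmp(path, DENIED_PATH) != 0; }

/* Stand-in for the original routine; records the path it actually acted on. */
static void original_open(const char *path, char *acted, size_t n) {
    snprintf(acted, n, "%s", path);
}

/* Vulnerable hook: checks the caller-owned buffer, then forwards the same pointer,
 * so the original routine re-reads memory the caller can change in between. */
static bool hook_check_then_use(char *shared_arg, racer_fn racer, char *acted, size_t n) {
    if (!policy_allows(shared_arg)) return false;
    if (racer) racer(shared_arg);      /* the race window */
    original_open(shared_arg, acted, n);
    return true;
}

/* Hardened hook: copy the argument once, check the copy, forward the copy. */
static bool hook_capture_then_use(char *shared_arg, racer_fn racer, char *acted, size_t n) {
    char captured[PATH_MAX_LEN];
    snprintf(captured, sizeof captured, "%s", shared_arg);
    if (!policy_allows(captured)) return false;
    if (racer) racer(shared_arg);      /* same window, but the copy is unaffected */
    original_open(captured, acted, n);
    return true;
}

/* Simulated racing writer: swaps the harmless argument for the denied one. */
static void swap_argument(char *shared_arg) { strcpy(shared_arg, DENIED_PATH); }

/* Returns true if the denied path reached the original routine despite the check. */
static bool denied_path_slipped_through(bool hardened) {
    char shared[PATH_MAX_LEN], acted[PATH_MAX_LEN] = "";
    strcpy(shared, HARMLESS_PATH);
    bool allowed = hardened ? hook_capture_then_use(shared, swap_argument, acted, sizeof acted)
                            : hook_check_then_use(shared, swap_argument, acted, sizeof acted);
    return allowed && strcmp(acted, DENIED_PATH) == 0;
}

int main(void) {
    printf("check-then-use bypassed: %d\n", denied_path_slipped_through(false)); /* 1 */
    printf("capture-then-use bypassed: %d\n", denied_path_slipped_through(true)); /* 0 */
    return 0;
}
```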
Comments
http://www.sophos.com/blogs/duck/g/2010/05/11/khobe-vulnerability-earth-shaker/
Bowlsey
May 11th 2010
The scary part is that an executable run by an unprivileged user may gain system rights *thanks to* software that was intended to protect the PC as seems to have been confirmed by McAfee here: http://www.h-online.com/security/news/item/New-attack-bypasses-anti-virus-software-997621.html : "The argument switching attack would *only* allow it to escalate its privileges".
I know that most XP home users run as administrators anyway, but many companies have better policies, and they may be at risk because of this.
Bitwiper
May 11th 2010