AV Bypass Attack

An attack that can bypass anti-virus defenses has been detailed in a research paper by matousec.com. Matousec developed an engine called KHOBE (Kernel HOok Bypassing Engine) that uses an “argument switch” strategy against SSDT hooks: the hook inspects benign system call arguments, which are swapped for malicious ones after the check passes but before the call executes, so the AV scanner is convinced that everything is okay.

KHOBE – 8.0 earthquake for Windows desktop security software – [matousec.com]

The goal of this paper

Most security software performs its hooking in several well-known places. Some still base their protection mostly on user mode hooks which are, as reminded later in this document, faulty by design. Many vendors decided to alter the kernel part of the system call mechanism implementation. They modify the contents of the System Service Descriptor Table (SSDT), which is often referred to as SSDT hooking. Others use different kinds of kernel hooks, for example by modifying the kernel code directly.

The main goal of this paper is to present an attack technique, called the argument-switch attack or KHOBE attack, that allows malicious code to bypass the protection mechanisms of security applications. The attack is effective against user mode and kernel mode hooks. Because user mode hooks can be bypassed by simpler techniques, we focus only on bypassing kernel mode hooks. In the text that follows we demonstrate the attack techniques on SSDT hooks, which are the most common kernel hooks in today’s security software. However, the attack techniques need no change to succeed against the other kinds of vulnerable kernel or user mode hooks.

For testing purposes, we have developed an engine called KHOBE (Kernel HOok Bypassing Engine) which simplifies the writing of exploits. With KHOBE we were able, in a relatively short time, to verify that the presented vulnerability is an issue for many known security products on the market.

…also

Table of vulnerable software

We have performed tests with today’s most popular Windows desktop security products. The results are presented in the table below. The results can be summarized in one sentence: if a product uses SSDT hooks or other kinds of kernel mode hooks at a similar level to implement security features, it is vulnerable. In other words, 100 % of the tested products were found vulnerable. The only reason there are not more products in the following table is our time limitation. Otherwise, the list would be endless.

Checking for Race Conditions in File Accesses – [ucdavis.edu]

Abstract
Flaws due to race conditions in which the binding of a name to an object changes between repeated references occur in many programs. We examine one type of this flaw in the UNIX operating system, and describe a semantic method for detecting possible instances of this problem. We present the results of one such analysis in which a previously undiscovered race condition flaw was found.

New attack bypasses virtually all AV protection – [theregister.co.uk]

Researchers say they’ve devised a way to bypass protections built into dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.

The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it’s executed, swaps it out with a malicious payload.

continued…

“Realistic scenario: someone uses McAfee or another affected product to secure their desktops,” H D Moore, CSO and Chief Architect of the Metasploit project, told The Register in an instant message. “A malware developer abuses this race condition to bypass the system call hooks, allowing the malware to install itself and remove McAfee. In that case, all of the ‘protection’ offered by the product is basically moot.”
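The check-then-use window described above, modelled as an added example (constructed here; this is not matousec’s KHOBE code or any vendor’s hook). A hook that validates the caller’s argument buffer and then forwards that same buffer leaves a window in which the argument can be changed; a hook that copies the arguments once and validates and forwards the copy does not. The “race” callback stands in for the second thread that rewrites the buffer between the check and the real service call.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed model of a system call's arguments, living in caller memory. */
typedef struct { char path[64]; } syscall_args;

/* Toy policy: the hook refuses access to anything under "protected". */
static bool policy_allows(const char *path) {
    return strstr(path, "protected") == NULL;
}

/* Stand-in for the original (unhooked) service: records what actually ran. */
static char executed[64];
static int original_service(const syscall_args *a) {
    strncpy(executed, a->path, sizeof executed - 1);
    executed[sizeof executed - 1] = '\0';
    return 0;
}
const char *last_executed(void) { return executed; }

/* Simulates another thread rewriting the caller's buffer after the check. */
typedef void (*race_fn)(syscall_args *);
static void swap_to_protected(syscall_args *a) {
    strcpy(a->path, "C:\\protected\\target");
}

/* Vulnerable pattern: validate the caller's buffer, then pass the same
 * buffer on. The argument can change between the two reads. */
int hook_vulnerable(syscall_args *user_args, race_fn race) {
    if (!policy_allows(user_args->path)) return -1;   /* check */
    if (race) race(user_args);                        /* race window */
    return original_service(user_args);               /* use (re-read) */
}

/* Hardened pattern: capture the arguments once (ProbeForRead + copy in a
 * real driver), then validate and forward only the private copy. */
int hook_hardened(syscall_args *user_args, race_fn race) {
    syscall_args copy = *user_args;                   /* single read */
    if (!policy_allows(copy.path)) return -1;
    if (race) race(user_args);                        /* too late to matter */
    return original_service(&copy);
}
```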

New attack tactic sidesteps Windows security software – [computerworld.com]

Huger confirmed that attackers would have to drop malware of some sort on the targeted machine in order to utilize the argument-switch strategy, and that there are “lots of easier ways to game antivirus” than Matousec’s technique.

“But that doesn’t lessen the impact,” Huger argued. “Actually, it would be really tricky to stop this, and gives attackers a strong opportunity to get around disk-based security.”

Huger’s greatest fear is that others take Matousec’s findings, weaponize the argument-switch attack, and add it to one of the numerous underground exploit kits. “If someone packages this into an easy-to-use library, I think it’ll be in play pretty quickly, with widespread adoption,” said Huger. “Why wouldn’t it?”
