Home : Security : News

Researchers find way to bypass all Windows security software

Matousec has discovered a relatively simple loophole that could leave Windows PCs vulnerable to malicious code, with all commercial anti-virus packages powerless to prevent it.

By Martin James, 10 May 2010 at 11:33

gallery

Security analyst firm Matousec claims it has revealed a vulnerability in Windows PCs that could leave mainstream security software all but powerless to prevent an attack.

The flaw exploits the way anti-virus packages use System Service Descriptor Table (SSDT) hooks to access the Windows kernel. Because of the inability of multi-core systems to track threads running on other processing cores, a simple bait-and-switch attack stands no chance of being detected if the timing is right.

Once an anti-virus program is satisfied a given piece of code poses no threat, it will give the code the green light to be executed. However, at this point there is a short window where the innocent code can be replaced by malicious code without the security software being any the wiser.

Matousec said that because the technique relies on two threads effectively contending for the same resource simultaneously, its success will depend on the execution state of the SSDT hooks and, of course, the malicious code will need to be present somewhere on the system in the first place. But Matousec reported that all its tests were successful within the first few tries.

Since the vulnerability has nothing to do with the scanning process itself, but is instead related to the very nature of Windows security software, Matousec said the technique is effective on “100 per cent of the tested products”.

It provided a list of 34 security products it had confirmed as vulnerable, including popular packages from the likes of McAfee, Norton and Kaspersky, but said the list was only limited to 34 because its testers had run out of time.

The Matousec researchers claimed the attack is effective even from non-privileged accounts, and affects all versions of Windows.

However, the firm pointed out that while the exploit is simple in theory, it requires a large amount of code to be present on the system and so would only suit a very deliberate attack.

The team created a proof of concept labelled KHOBE (Kernel Hook Bypassing Engine) for internal testing purposes, and said thus far it has yet to discover any examples of the technique being used in the wild.

Email to a friend

Print this page

< Previous Security : News Next >

1 comments

You need to Login or Register to comment.

What am I missing here?

"... the malicious code will need to be present somewhere on the system in the first place..." i.e. in order to bypass the security software using this method, you must already have bypassed the security software...

By Ip_aingles65a3c9 on Friday May 14

Latest Security Analysis & Insight

Striving to solve the security skills crisis

The Cyber Security Challenge is doing a fine job, but flat registration growth and weak Government funding are cause for concern, Tom Brewster discovers.

More Security Analysis & Insight

Latest Security Reviews

Check Point 2210 Appliance review

Rating:

Check Point's new 2200 Appliances combined enterprise level network security with an SMB price tag. Its software blades provide a wealth of features, but do they complicate deployment? Read this exclusive review to find out.