[ISN] New attack bypasses virtually all AV protection

From: InfoSec News <alerts_at_private>
Date: Mon, 10 May 2010 00:22:56 -0500 (CDT)
http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass/

By Dan Goodin in San Francisco  
The Register
7th May 2010

Researchers say they've devised a way to bypass protections built into 
dozens of the most popular desktop anti-virus products, including those 
offered by McAfee, Trend Micro, AVG, and BitDefender.

The method, developed by software security researchers at matousec.com, 
works by exploiting the driver hooks the anti-virus programs bury deep 
inside the Windows operating system. In essence, it works by sending 
them a sample of benign code that passes their security checks and then, 
before it's executed, swaps it out with a malicious payload.

The exploit has to be timed just right so the benign code isn't switched 
too soon or too late. But for systems running on multicore processors, 
matousec's "argument-switch" attack is fairly reliable because one 
thread is often unable to keep track of other simultaneously running 
threads. As a result, the vast majority of malware protection offered 
for Windows PCs can be tricked into allowing malicious code that under 
normal conditions would be blocked.

All that's required is that the AV software use SSDT, or System Service 
Descriptor Table, hooks to modify parts of the OS kernel.
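The weakness described above is a check-then-use race: the hook validates an argument where it sits in user memory, and the real service reads that memory again later. The C below is an added, constructed user-mode model (not matousec's code and not any vendor's driver; the protected-path policy, `hook_in_place`, `hook_captured` and the `swap_to_protected` racer are all hypothetical) that shows the in-place pattern losing to a swap and the copy-in pattern surviving the same swap.

```c
#include <stdio.h>
#include <string.h>
/* Constructed demo of the check-then-use race the article describes. */
#define PROTECTED "C:\\Windows\\"
#define PATHLEN 64

typedef void (*swap_fn)(char *user_arg);  /* models a second thread writing the user buffer */

/* Policy the hook enforces: no access under the protected prefix. */
static int allowed(const char *path) {
    return strncmp(path, PROTECTED, strlen(PROTECTED)) != 0;
}

/* Vulnerable pattern: validate the argument in user memory, then let the real
 * service re-read that same memory. Whatever was written in between is what runs. */
int hook_in_place(char *user_arg, swap_fn racer, char *executed, size_t n) {
    if (!allowed(user_arg)) return -1;     /* check */
    if (racer) racer(user_arg);            /* race window: another thread runs */
    snprintf(executed, n, "%s", user_arg); /* use: second read of user memory */
    return 0;
}

/* Hardened pattern: copy the argument into private memory once, validate the
 * copy, and hand only the copy onward; the user buffer is never read again. */
int hook_captured(char *user_arg, swap_fn racer, char *executed, size_t n) {
    char private_copy[PATHLEN];
    snprintf(private_copy, sizeof private_copy, "%s", user_arg);  /* single copy-in */
    if (!allowed(private_copy)) return -1;
    if (racer) racer(user_arg);            /* same window, now harmless */
    snprintf(executed, n, "%s", private_copy);
    return 0;
}

/* Constructed racing thread: swaps the benign argument for a protected path. */
static void swap_to_protected(char *user_arg) {
    snprintf(user_arg, PATHLEN, "%ssystem32\\drivers\\x.sys", PROTECTED);
}

/* Returns 1 if a protected path reached execution through the given hook. */
int bypassed(int (*hook)(char *, swap_fn, char *, size_t)) {
    char arg[PATHLEN] = "C:\\Temp\\benign.txt", out[PATHLEN] = "";
    return hook(arg, swap_to_protected, out, sizeof out) == 0 && !allowed(out);
}

int main(void) {
    printf("in-place hook bypassed: %d\ncaptured hook bypassed: %d\n",
           bypassed(hook_in_place), bypassed(hook_captured));
    return 0;
}
```

The swap is invoked deterministically here so the window is visible every run; on a real multicore system it is a timing race, which is why the article calls the attack reliable rather than certain.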

[...]

Received on Sun May 09 2010 - 22:22:56 PDT