"<Major Computer Company> says it is the worst virus they've ever seen and currently no anti-virus software can detect it. Please don't open the file called I-am-Not-a-Virus.exe." Or some such malarkey!
Never mind that the company named in most such emails isn't in the anti-virus business to start with. In almost all such cases the email itself is the virus - after all, it used up a significant amount of your own resources to deal with it.
With that in mind, I read with some amusement ZDNet's rather strident reporting of the newly publicised KHOBE (Kernel HOok Bypassing Engine) vulnerability, whose headline suggests that this attack "bypasses EVERY Windows security product." ZDNet were far from alone in reporting it this way.
KHOBE is, according to ZDNet, a perfect bait-and-switch attack: harmless-looking arguments are handed to a hooked system call, and once the security product's hook has inspected them and given the 'all clear,' a second thread swaps in the real payload before the kernel acts on them. The attack only works against security products that hook Windows' System Service Descriptor Table (SSDT) - and almost all of them do.
The ZDNet author goes on to list 35 anti-virus vendors that it claims are vulnerable to being duped by this technique. In fact, the list is essentially a who's-who of companies whose products use SSDT hooks, nothing more.
Matousec, the security company that first launched this blight upon the world, described it as an "8.0 earthquake for Windows desktop security software."
It is no such thing.
The sample "attack" describes a way in which the tamper protection implemented by some anti-malware products might potentially be bypassed - assuming, of course, that you can get your malicious code past the anti-malware product in the first place.
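The argument-switch race described above, as an added example that is not code from the page, from Matousec or from any vendor: a user-mode model of an SSDT-style tamper-protection hook in front of NtOpenProcess, the second thread that flips the PID argument between the hook's check and the kernel's use, and the copy-in fix that closes the window. The CLIENT_ID struct, AV_SERVICE_PID, HARMLESS_PID, the hook functions and run_open are constructed stand-ins for illustration, not real kernel code, and the example assumes a POSIX system with pthreads.

```c
/* Added example, not from the page, Matousec or any vendor: a user-mode model of
 * the argument-switch (TOCTTOU) race behind KHOBE, plus the copy-in fix.
 * All names below are constructed stand-ins, not Windows kernel structures. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the pointer argument NtOpenProcess takes. It lives in the
 * caller's (attacker-controlled) user memory; volatile keeps every read real. */
typedef struct { volatile unsigned long pid; } CLIENT_ID;

#define STATUS_ACCESS_DENIED (-1)
static const unsigned long AV_SERVICE_PID = 4242; /* constructed: the product's own process */
static const unsigned long HARMLESS_PID   = 1000; /* constructed: some unprotected process */
static volatile unsigned long last_pid_opened;    /* what the "kernel" actually acted on */

/* The real system service the SSDT entry pointed at before it was hooked. */
static int original_NtOpenProcess(CLIENT_ID *cid) { last_pid_opened = cid->pid; return 0; }

/* Optional hook point so a test can place the attacker's write exactly between check and use. */
typedef void (*race_fn)(CLIENT_ID *);
static void switch_to_payload(CLIENT_ID *cid) { cid->pid = AV_SERVICE_PID; }

/* Vulnerable tamper-protection hook: reads user memory at time of check and lets the
 * original service read it again at time of use. A write in between is never inspected. */
static int hook_vulnerable(CLIENT_ID *cid, race_fn race) {
    if (cid->pid == AV_SERVICE_PID) return STATUS_ACCESS_DENIED;
    if (race) race(cid);
    return original_NtOpenProcess(cid);
}

/* Hardened hook: capture the argument once into memory the caller cannot reach (in a real
 * driver, ProbeForRead plus a copy to a kernel-owned buffer), then check and use only the copy. */
static int hook_hardened(CLIENT_ID *cid, race_fn race) {
    CLIENT_ID captured = { cid->pid };
    if (captured.pid == AV_SERVICE_PID) return STATUS_ACCESS_DENIED;
    if (race) race(cid);                      /* attacker may still flip the original ... */
    return original_NtOpenProcess(&captured); /* ... but the kernel acts on the snapshot */
}

/* Deterministic driver: returns the PID the kernel opened, or 0 if the hook denied the call. */
unsigned long run_open(bool hardened, unsigned long initial_pid, bool attacker_races) {
    CLIENT_ID cid = { initial_pid };
    race_fn race = attacker_races ? switch_to_payload : NULL;
    last_pid_opened = 0;
    int rc = hardened ? hook_hardened(&cid, race) : hook_vulnerable(&cid, race);
    return rc == 0 ? last_pid_opened : 0;
}

/* Live version: a second thread (on another core, ideally) flips the argument as fast as it
 * can while the first thread keeps issuing the call. Returns how many calls reached the
 * kernel with the protected PID; the count varies per run, which is the "bit of luck". */
static volatile bool stop_flipping;
static void *flipper(void *arg) {
    CLIENT_ID *cid = arg;
    while (!stop_flipping) { cid->pid = AV_SERVICE_PID; cid->pid = HARMLESS_PID; }
    return NULL;
}
static unsigned long race_for_real(bool hardened, unsigned long attempts) {
    CLIENT_ID cid = { HARMLESS_PID };
    unsigned long wins = 0;
    pthread_t t;
    stop_flipping = false;
    pthread_create(&t, NULL, flipper, &cid);
    for (unsigned long i = 0; i < attempts; i++) {
        last_pid_opened = 0;
        int rc = hardened ? hook_hardened(&cid, NULL) : hook_vulnerable(&cid, NULL);
        if (rc == 0 && last_pid_opened == AV_SERVICE_PID) wins++;
    }
    stop_flipping = true;
    pthread_join(t, NULL);
    return wins;
}

int main(void) {
    printf("direct attempt on the protected PID: %s\n",
           run_open(false, AV_SERVICE_PID, false) ? "opened" : "denied");
    printf("vulnerable hook, live race: %lu of 200000 calls reached the kernel with the protected PID\n",
           race_for_real(false, 200000));
    printf("hardened hook,   live race: %lu of 200000\n", race_for_real(true, 200000));
    return 0;
}
```

Build with `cc -pthread khobe_model.c` (file name assumed). The first line shows the tamper protection working when the attacker plays fair; the second shows the vulnerable hook losing some fraction of the calls to the flipping thread, with a number that changes from run to run and drops to zero on a single core; the third shows that once the hook checks and uses its own snapshot, the attacker's writes no longer matter. That snapshot is exactly the discipline the kernel itself applies to user-mode pointers, and it is the fix regardless of whether the hook lives in the SSDT or elsewhere.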
The attack needs a multiprocessor CPU, a security product which is using SSDT hooks (to the old-timers, these are analogous to directly changing the Interrupt Vector Table under DOS), and a bit of luck. It also requires that you evade detection by the security product in the first place in order to launch your Khobe code.
So the Khobe "attack" boils down to this: if you can write malware which already gets past Sophos's on-access virus blocker, and past Sophos's HIPS, then you may be able to use the Khobe code to bypass Sophos's HIPS - which, of course, you just bypassed anyway. Oh, and only if you are using Windows XP.
In short: Sophos's on-access anti-virus scanner doesn't use SSDT hooks, so it's fair for us to say that this isn't a vulnerability for us at all. But what about other anti-virus software? Though I'm not usually an apologist for our competitors, I feel compelled to speak out in this case.
The fuss about Khobe is in my opinion unwarranted, and the claims that it "bypasses virtually all anti-virus software" are scaremongering.
A fairer assessment would be that Khobe amounts to little more than saying that malware which can already bypass anti-virus software may be able to bypass it again. But that isn't as exciting a headline as "8.0 earthquake for Windows desktop security software" or "New attack bypasses virtually all AV protection."
Sophos, of course, were named in ZDNet's list of 'naughty' vendors.
However, there is far more to this tale.
First of all, Matousec researchers are obviously unaware of previous works and terminology. What we have here is a specific example of TOCTTOU (time-of-check-to-time-of-use) attack - see https://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf or https://www.watson.org/~robert/2007woot/2007usenixwoot-exploitingconcurrency.pdf. But for an even better example, see https://seclists.org/bugtraq/2003/Dec/351, which pretty much describes the same thing as this innovative Matousec research.
This method has not been seen in the wild until today. As we can see, a similar (or pretty much the same) PoC was published over 6 years ago. Over that time, no malware misused this.
As already mentioned, the vulnerability is there, but its magnitude is more of a pin dropping on the floor than an 8.0 earthquake, when it comes to its impact on the overall security of our customers' PCs. However, we are looking into this to see how we can prevent these attacks in case we start to see them being misused.
However, if you don't want to take the word of AV vendors protecting their turf, how about Microsoft's EMEA Chief Security Advisor, Roger Halbheer?
I was reading through the article and I definitely understand that if you are able to publish a table with almost all the AV-vendors being flagged as "vulnerable" you may drive some attention to your website and to your work. If we do not find one single AV-solution which is not vulnerable in the table, it is kind of strange to start with - oh, it just seems that they forgot to mention a few - but still you make a lot of noise which seems to be the goal here! [hint - Microsoft wasn't in the list of 35!]
Now, applying common sense to what they did: My understanding is that you have to own the box in order to run the attack - if I am not completely mistaken, you have to be admin to run the attack. Wow, now I am really scared of this: If somebody owns my box, is admin on my box, the most important thing they will do is to apply an attack, which involves having the right timing in place, to switch off my AV? Come on. You just switch off the AV by using a script or do it manually but for sure not with a complex attack.
This is simple risk management. If your biggest risk in your security model is that an attacker who is already admin on a box applies this attack - I have to congratulate you. If not, well, let's go back to the real problems we have to address.
To ZDNet's credit, following the publication of Ducklin's (and others') comments, some attempt was made to ameliorate the situation, but they still seem to stand by their claims.
But, just between me and you, I'm with Halbheer, Ducklin and Harley. This is a total beat-up. Move along, nothing to see here.