Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Sunday, 16 May 2010 17:42

"It's the worst virus we've ever seen," and other such nonsense

By David Heath

Over the past few days, news outlets have been emulating those bogus virus warnings we regularly receive from well-meaning friends.  Here's the short answer: Khobe isn't a problem.

You know the kind of message: well-meaning (but technically illiterate) friends pass on warnings that include things like (and I paraphrase, with no reflection on any companies named in the emails):

"<Major Computer Company> says it is the worst virus they've ever seen and currently no anti-virus software can detect it.  Please don't open the file called I-am-Not-a-Virus.exe."  Or some such malarkey!

Never mind that the company named in most such emails isn't in the anti-virus business to start with.  In almost all such cases the email itself is the virus - after all, it used up a significant amount of your own resources to deal with it.

With that in mind, I read with some amusement ZDNet's rather strident reporting of the seemingly recently-discovered KHOBE (for Kernel HOok Bypassing Engine) vulnerability, suggesting in their title that this attack "bypasses EVERY Windows security product."  However, ZDNet were far from alone in reporting this theme.

KHOBE is, according to ZDNet, a perfect bait-and-switch attack.  In it, completely harmless code is passed to the scanning engine, then, upon the 'all clear,' the real payload is executed.  Whether a product is vulnerable depends on whether it hooks Windows' System Service Descriptor Table (SSDT) - almost all do.

The ZDNet author goes on to identify a list of 35 anti-virus vendors which it claims are vulnerable to being duped by this technique.  In fact, this is essentially a who's-who of those companies making use of the SSDT, nothing more.

Matousec, the security company who first launched this blight upon the world, described it as an "8.0 earthquake for Windows desktop security software."

It is no such thing.


Sophos' Paul Ducklin, a security researcher well known to this writer, had this to say about the issue.

The sample "attack" describes a way in which the tamper protection implemented by some anti-malware products might potentially be bypassed. Assuming you can get your malicious code past the anti-malware product in the first place, of course.

The attack needs a multiprocessor CPU, a security product which is using SSDT hooks (to the old-timers, these are analogous to directly changing the Interrupt Vector Table under DOS), and a bit of luck. It also requires that you evade detection by the security product in the first place in order to launch your Khobe code.


He continues:

So the Khobe "attack" boils down to this: if you can write malware which already gets past Sophos's on-access virus blocker, and past Sophos's HIPS, then you may be able to use the Khobe code to bypass Sophos's HIPS - which, of course, you just bypassed anyway. Oh, and only if you are using Windows XP.

In short: Sophos's on-access anti-virus scanner doesn't use SSDT hooks, so it's fair for us to say that this isn't a vulnerability for us at all. But what about other anti-virus software? Though I'm not usually an apologist for our competitors, I feel compelled to speak out in this case.

The fuss about Khobe is in my opinion unwarranted, and the claims that it "bypasses virtually all anti-virus software" are scaremongering.

A fairer assessment would be that Khobe amounts to little more than saying that malware which can already bypass anti-virus software may be able to bypass it again. But that isn't as exciting a headline as "8.0 earthquake for Windows desktop security software" or "New attack bypasses virtually all AV protection."


Sophos, of course, were named in ZDNet's list of 'naughty' vendors.

However, there is far more in this tale.


In a post entitled "Khobe-Wan: These Aren't the Droids You're Looking For", David Harley of ESET (another AV company with ruffled feathers) summarises a few more "home truths" about the problem.

First of all, Matousec researchers are obviously unaware of previous works and terminology. What we have here is a specific example of TOCTTOU (time-of-check-to-time-of-use) attack - see https://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf or https://www.watson.org/~robert/2007woot/2007usenixwoot-exploitingconcurrency.pdf. But for an even better example, see https://seclists.org/bugtraq/2003/Dec/351, which pretty much describes the same thing as this innovative Matousec research.

This method has not been seen in the wild until today. As we can see, a similar (or pretty much the same) PoC was published almost over 6 years ago. Over that time, no malware misused this.

As already mentioned, the vulnerability is there, but its magnitude is more of a pin dropping on the floor than an 8.0 earthquake, when it comes to its impact on the overall security of our customers' PCs. However, we are looking into this to see how we can prevent these attacks in case we start to see them being misused.
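The check-then-use race that Harley labels TOCTTOU, and that the column above describes as bait-and-switch, as a constructed C model added here (not code from the article, from Matousec, or from any vendor): a hook that fetches its argument twice can be fooled by a racer that changes the argument between the check and the use, while snapshotting the argument once into private memory before validating it closes the window. The SSDT, the hook, the shared argument and the racer callback are all simplified stand-ins, not real kernel interfaces.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of a check-then-use (TOCTTOU) race against a
 * system-call filter. The hook stands in for an SSDT-style handler that
 * inspects a caller-supplied argument living in shared, caller-writable
 * memory before letting the call proceed. Nothing here touches a real
 * kernel; the "racing thread" is modelled by a callback fired between
 * the check and the use, which is the moment the race must be won. */

#define FORBIDDEN 0xBADu   /* constructed: the argument value the hook must block */
#define BLOCKED   0u       /* returned when the hook refuses the call */

typedef void (*racer_fn)(volatile uint32_t *shared_arg);

/* Vulnerable hook: double fetch. It validates one read of the shared
 * argument, then re-reads it when the call is actually serviced. */
static uint32_t hook_double_fetch(volatile uint32_t *arg, racer_fn racer) {
    if (*arg == FORBIDDEN)          /* time of check */
        return BLOCKED;
    if (racer)
        racer(arg);                 /* the other thread wins the race here */
    return *arg;                    /* time of use: a second, unchecked read */
}

/* Hardened hook: single fetch. Copy the argument into private memory,
 * validate the copy, and service the call from the copy only. */
static uint32_t hook_single_fetch(volatile uint32_t *arg, racer_fn racer) {
    uint32_t snapshot = *arg;       /* the only read of shared memory */
    if (snapshot == FORBIDDEN)
        return BLOCKED;
    if (racer)
        racer(arg);                 /* the swap can no longer affect us */
    return snapshot;
}

/* Constructed racer: flips the shared argument to the forbidden value. */
static void racer_swap(volatile uint32_t *arg) { *arg = FORBIDDEN; }

/* Run one hook against a caller-supplied value, optionally with the racer
 * winning the window. Returns the value the hook actually let through,
 * or BLOCKED. */
uint32_t run_hook(bool hardened, uint32_t caller_value, bool race) {
    volatile uint32_t shared = caller_value;
    racer_fn racer = race ? racer_swap : 0;
    return hardened ? hook_single_fetch(&shared, racer)
                    : hook_double_fetch(&shared, racer);
}
```

With the racer active, the double-fetch hook lets the forbidden value through while the single-fetch hook still services the value it checked; without the racer both hooks behave identically, which is why the bug is only visible under concurrency.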


However, if you don't want to trust the AV vendors protecting their turf, how about Microsoft's EMEA Chief Security Advisor, Roger Halbheer?

I was reading through the article and I definitely understand that if you are able to publish a table with almost all the AV-vendors being flagged as "vulnerable" you may drive some attention to your website and to your work. If we do not find one single AV-solution which is not vulnerable in the table, it is kind of strange to start with - oh, it just seems that they forgot to mention a few - but still you make a lot of noise which seems to be the goal here! [hint - Microsoft wasn't in the list of 35!]

Now, applying common sense to what they did: My understanding is that you have to own the box in order to run the attack - if I am not completely mistaken, you have to be admin to run the attack. Wow, now I am really scared of this: If somebody owns my box, is admin on my box, the most important thing they will do is to apply an attack, which involves having the right timing in place, to switch off my AV? Come on. You just switch off the AV by using a script or do it manually but for sure not with a complex attack.

This is simple risk management. If your biggest risk in your security model is that an attacker, who is already admin on a box applies this attack - I have to congratulate you. If not, well, let's go back to the real problems we have to address.


To ZDNet's credit, following the publication of Ducklin's (and others') comments, some attempt was made to ameliorate the situation, but they still seem to stand by their claims.

But, just between me and you, I'm with Halbheer, Ducklin and Harley.  This is a total beat-up.  Move along, nothing to see here.

David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.
