New attack tactic sidesteps Windows security software
'Very serious' says one antivirus exec, especially for Windows XP users
Computerworld - A just-published attack tactic that bypasses the security protections of most current antivirus software is a "very serious" problem, an executive at one unaffected company said today.
Last Wednesday, researchers at Matousec.com outlined how attackers could exploit the kernel driver hooks that most security software use to reroute Windows system calls through their software to check for potential malicious code before it's able to execute.
Calling the technique an "argument-switch attack," a Matousec-written paper spelled out in relatively specific terms how an attacker could swap out benign code for malicious code between the moments when the security software issues a green light and the code actually executes.
"This is definitely very serious," said Alfred Huger, vice president of engineering at Immunet, a Palo Alto, Calif.-based antivirus company. "Probably any security product running on Windows XP can be exploited this way." Huger added that Immunet's desktop client is not vulnerable to the argument-switch attacks because the company's software uses a different method to hook into the Windows kernel.
According to Matousec, nearly three-dozen Windows desktop security titles, including ones from Symantec, McAfee, Trend Micro, BitDefender, Sophos and others, can be exploited using the argument-switch tactic. Matousec said it had tested the technique on Windows XP SP3 and Vista SP1 on 32-bit machines.
Some security vendors agreed with Huger. "It's a serious issue and Matousec's technical findings are correct," said Mikko Hypponen, chief research officer at Finnish firm F-Secure, in an e-mail.
"Matousec's research is absolutely important and significant in the short term," echoed Rik Ferguson, a senior security advisor at Trend Micro, in a blog post earlier Monday.
Other antivirus companies downplayed the threat, however. "Based on our initial review of the public documentation, we believe this is a complicated attack with several mitigating factors that make it unlikely to be a viable, real world, widespread attack scenario," a McAfee spokesman said in an e-mail reply to a request for comment. "The attack would require some level of existing access to the target computer, as the attack described by Matousec does not on its own bypass security software or allow malware to run."
Kaspersky Lab had a similar reaction. "[We] have analyzed the published material and concluded that the issue is only linked to certain features of [our] products," Kaspersky said in an e-mailed statement. "Kaspersky Lab products implement not only [kernel] hooks, but a wide range of technologies, including secure sandboxing and other methods of restricting suspicious kernel mode activity."
Huger confirmed that attackers would have to drop malware of some sort on the targeted machine in order to utilize the argument-switch strategy, and that there are "lots of easier ways to game antivirus" than Matousec's technique.
"But that doesn't lesson the impact," Huger argued. "Actually, it would be really tricky to stop this, and gives attackers a strong opportunity to get around disk-based security."
Huger's greatest fear is that others take Matousec's findings, weaponize the argument-switch attack, and add it to one of the numerous underground exploit kits. "If someone packages this into an easy-to-use library, I think it'll be in play pretty quickly, with widespread adoption," said Huger. "Why wouldn't it?"
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts