New attack method 'bypasses' security software
TipsMake.com - A new attack method, described as daring, dangerous and sophisticated, can 'bypass' many of today's popular security programs for Windows by loading drivers of its choosing deep into a Windows system that is otherwise thoroughly protected. The attack was discovered and demonstrated by Matousec.com. It exploits the fact that many security programs rely on the System Service Descriptor Table (SSDT) to monitor every program and application running on a Windows system.
When a program calls a particular system function, for example to load a driver, the security software intercepts the call and checks whether the action should be allowed. If nothing suspicious is found, it forwards the call to the real function. According to Matousec, the moment between this check and the hand-off to the real function is the ideal time for malware to slip past both the security program and the system's own defences, load its malicious driver deep into the system, or activate other hidden components.
The trick is that the attacker knows exactly when the security program has finished checking the call, the download or the load. After that point the attacker can still change the name of the driver to be loaded and decide which kernel components carry out the load. This requires considerable skill, precise timing and a number of other difficult steps. Matousec has listed about 34 security programs that are likely to be affected because they use SSDT hooking or similar mechanisms to monitor the activity of the whole system. Matousec runs its tests with a framework it developed, KHOBE (Kernel HOok Bypassing Engine).
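To make the check-then-forward window concrete, here is an added C illustration (not Matousec's KHOBE code or any vendor's hook): a mock hook that validates a driver name and forwards it, shown first in the racy form the article describes and then in a copy-then-check form that closes the window. The driver names, the allow-list and the callback that stands in for a concurrent writer are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (not KHOBE or any vendor's code): an SSDT-style hook
 * that inspects a "load driver" name and forwards the call. A callback
 * stands in for the concurrent writer so the race is deterministic. */
#define DRV_NAME_LEN 64
static char g_last_loaded[DRV_NAME_LEN];  /* what the real service loaded */

/* Stand-in for the real system service sitting behind the hook. */
static void real_load_driver(const char *name) {
    snprintf(g_last_loaded, sizeof g_last_loaded, "%s", name);
}

/* Policy check: a constructed allow-list with one permitted name. */
static bool is_allowed(const char *name) { return strcmp(name, "trusted.sys") == 0; }

typedef void (*racer_fn)(char *buf);

/* Vulnerable pattern: check the caller's buffer, then use that same buffer. */
bool hook_check_then_use(char *user_buf, racer_fn racer) {
    if (!is_allowed(user_buf))
        return false;            /* rejected at check time */
    if (racer) racer(user_buf);  /* window between the check and the use */
    real_load_driver(user_buf);  /* forwards whatever the buffer holds now */
    return true;
}

/* Hardened pattern: snapshot the argument, check the snapshot, use the snapshot. */
bool hook_copy_then_use(char *user_buf, racer_fn racer) {
    char local[DRV_NAME_LEN];
    snprintf(local, sizeof local, "%s", user_buf);
    if (!is_allowed(local))
        return false;
    if (racer) racer(user_buf);  /* same window, but user_buf is never read again */
    real_load_driver(local);
    return true;
}

/* Constructed racer: rewrites the name once the check has passed. */
static void swap_name(char *buf) { snprintf(buf, DRV_NAME_LEN, "unchecked.sys"); }

/* Runs one scenario; returns the name actually loaded, or "" if rejected. */
const char *run_scenario(bool hardened, bool race) {
    char buf[DRV_NAME_LEN] = "trusted.sys";
    racer_fn racer = race ? swap_name : NULL;
    bool ok = hardened ? hook_copy_then_use(buf, racer) : hook_check_then_use(buf, racer);
    return ok ? g_last_loaded : "";
}
```

With the racer active, the check-then-use hook forwards "unchecked.sys" even though only "trusted.sys" passed the check, while the copy-then-use hook forwards the name it actually validated.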
Security vendors received warnings from Matousec a few weeks ago, together with an offer to purchase the full results of its testing and evaluation. Matousec received almost no positive response. Nevertheless, most security software vendors are now working to reproduce the exploitation process from the information that is publicly available.
Security firm F-Secure has given an overview of the issue. The company notes that the problem only arises with malware that is not yet covered by a reliable signature, and that such code can still be caught by a well-equipped, modern system. All security software vendors are taking the problem seriously and several solutions have been proposed, but implementing them is not easy. Microsoft points to a dedicated API for integrating new anti-virus software with operating systems such as Windows 7 and Vista SP1, but no comparable API exists for the Windows XP platform, where the technique still works. Moreover, according to the German security vendor Avira, most of the commonly used API functions cannot meet these requirements, which is why SSDT hooking remains necessary for monitoring system activity and is still used in Antivir 10. The older Antivir 9 does not perform behaviour detection on Windows 7 and Vista SP1.
The attack technique Matousec describes is not entirely new: it has been known for 14 years as the time-of-check-to-time-of-use (TOCTTOU) problem. It was first described by Matt Bishop and Michael Dilger in 1996, and Andrey Kolishak examined its implications and the conditions under which it arises in the Windows environment in 2003.