New attack method 'bypasses' security software

A new attack method, described as daring, dangerous and sophisticated, can easily 'bypass' many of today's Windows security programs.
TipsMake.com - A new attack method, said to be quite daring, dangerous and sophisticated and able to 'bypass' many of today's popular Windows security programs, works by loading a driver of the attacker's choosing deep inside a Windows system that is otherwise thoroughly protected. The technique was discovered and demonstrated by Matousec.com, and it affects the many security programs that rely on the System Service Descriptor Table (SSDT) to monitor every program and application running on a Windows system.

When an application calls a particular system function, for example to load a driver, the security program's hook first inspects the call to decide whether anything suspicious is attached to it. If nothing is found, the program forwards the call to the real function. According to Matousec, the hand-off between that check and the real function is the ideal moment for malware: in that window it slips past both the security program and the system, then loads its malicious driver deep into the system or goes on to activate other hidden components.

The secret of this ingenious step is that the attacker knows exactly when the security program has finished checking the call that loads or launches something. Past that point the attacker can still reach the call's arguments and change the name of the driver to be loaded, and the kernel then carries out the load with the substituted name. This requires considerable skill, precise timing and several other complex stages. Matousec has listed about 34 security programs that are likely to be 'out of order' because they use SSDT hooks or similar mechanisms to monitor the operation of the entire system. Matousec tests them with a framework it developed called KHOBE, the Kernel HOok Bypassing Engine.
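The two paragraphs above describe a check-then-use gap: the hook inspects the caller's argument, then the real service reads that same argument again after the attacker has had a chance to change it. The following C program is an added illustration written for this article; it is not Matousec's KHOBE code nor any vendor's hook, and the driver names, the `\Drivers\trusted_` allow-list and the `race_window_fn` callback are all constructed. The callback stands in for the second thread that runs in the window, so the outcome is deterministic rather than a real race. The hardened variant shows the standard fix: capture a private copy of the argument before checking it, and pass only that copy to the real function.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Toy model of a security product's hook around a "load driver" system
 * service. Constructed example; not KHOBE and not any vendor's code. */

#define PATH_BUF 64

/* Records what the "real" service last loaded so callers can inspect it. */
static char g_last_loaded[PATH_BUF];

/* The genuine system service: loads whatever path it is handed. */
static void real_load_driver(const char *path) {
    strncpy(g_last_loaded, path, PATH_BUF - 1);
    g_last_loaded[PATH_BUF - 1] = '\0';
}

/* The product's policy: a constructed allow-list by path prefix. */
static bool policy_allows(const char *path) {
    return strncmp(path, "\\Drivers\\trusted_", 17) == 0;
}

/* Models the attacker's second thread that runs between the hook's check
 * and the real call. NULL means nothing races the hook. */
typedef void (*race_window_fn)(char *shared_buf);

/* Vulnerable hook: checks the caller's buffer, then hands the SAME buffer
 * to the real service, so a change made in between is used unchecked. */
static bool hooked_load_driver_vulnerable(char *user_buf, race_window_fn window) {
    if (!policy_allows(user_buf)) return false;   /* time of check */
    if (window) window(user_buf);                  /* the window the article describes */
    real_load_driver(user_buf);                    /* time of use */
    return true;
}

/* Hardened hook: copy first, then check and use only the private copy.
 * In a real kernel-mode hook this copy is made from user memory into
 * kernel memory under exception protection; the principle is the same. */
static bool hooked_load_driver_hardened(char *user_buf, race_window_fn window) {
    char captured[PATH_BUF];
    strncpy(captured, user_buf, PATH_BUF - 1);
    captured[PATH_BUF - 1] = '\0';
    if (!policy_allows(captured)) return false;
    if (window) window(user_buf);   /* caller's buffer may change; we no longer read it */
    real_load_driver(captured);
    return true;
}

/* Simulated racing thread: overwrites the vetted name with an unvetted one. */
static void swap_argument(char *shared_buf) {
    strncpy(shared_buf, "\\Drivers\\unvetted.sys", PATH_BUF - 1);
    shared_buf[PATH_BUF - 1] = '\0';
}

/* Accessor used by the demonstration and by tests. */
const char *last_loaded(void) { return g_last_loaded; }

int main(void) {
    char buf[PATH_BUF];

    strcpy(buf, "\\Drivers\\trusted_net.sys");
    hooked_load_driver_vulnerable(buf, swap_argument);
    printf("vulnerable hook loaded: %s\n", last_loaded());   /* unvetted.sys */

    strcpy(buf, "\\Drivers\\trusted_net.sys");
    hooked_load_driver_hardened(buf, swap_argument);
    printf("hardened hook loaded:   %s\n", last_loaded());   /* trusted_net.sys */
    return 0;
}
```

The vulnerable hook ends up loading the unvetted name even though its check passed, while the hardened hook loads exactly what it checked. The copy also has to be taken before any other hook layer reads the argument, which is why the fix is harder to retrofit into products that stack several SSDT hooks.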

Security vendors received warnings from Matousec a few weeks ago, together with an offer to sell them the full results of its testing and evaluation. Matousec received almost no positive response. Nonetheless, most vendors are now struggling to reconstruct the entire exploitation process from the information that has been made public.

Security firm F-Secure has given an overview of the issue. The company notes that the problem only arises with malware that has no reliable signature yet, and that such malware can still be caught easily by a fully equipped, modern system. All security vendors are taking the problem seriously and several solutions have been proposed, but implementing them is not easy. Microsoft points to a dedicated API for integrating antivirus software with operating systems such as Windows 7 and Vista SP1, but no API meets this requirement on Windows XP, which is still in wide use. Moreover, according to German security vendor Avira, most of the commonly used API functions cannot meet these requirements, so monitoring system activity through the SSDT remains necessary and is still used in AntiVir 10. The older version, AntiVir 9, has no behaviour-based detection at all (on both Windows 7 and Vista SP1).

The attack technique described by Matousec is not entirely new: it has been known for 14 years as the time-of-check-to-time-of-use (TOCTTOU) problem. It was first described by Matt Bishop and Michael Dilger in 1996, and Andrey Kolishak discovered its implications and related conditions in the Windows environment in 2003.