New attack method 'bypasses' security software

TipsMake.com - A new attack method, described as daring, dangerous and sophisticated, is able to 'bypass' many of today's popular Windows security programs: it works by loading a malicious driver deep inside a Windows system that is otherwise thoroughly protected. The attack was discovered and developed by Matousec.com, and it exploits the fact that many security programs hook the System Service Descriptor Table (SSDT) in order to monitor every program and application running on the Windows system.

When a program calls a particular system function, for example to load a driver, the security program intercepts the call and checks whether anything suspicious is attached to the request. If nothing is found, it forwards the call to the real function. According to Matousec, this hand-off between the check and the real function is the ideal moment for malware to slip past both the security program and the system: it can then load its malicious driver deep into the system or activate other hidden components.

The secret of this trick is that the attacker knows exactly when the security program has finished checking the call that loads the driver or application. In that window the attacker can still change the name of the driver to be loaded and choose which kernel routine ends up handling it. This requires complex skills, precise timing and several other intricate stages. Matousec listed about 34 security programs that are likely to be affected, because they rely on SSDT hooks or similar mechanisms to monitor the operation of the whole system. Matousec performs its tests with a framework it developed called KHOBE (Kernel HOok Bypassing Engine).

Security vendors received warnings from Matousec a few weeks ago, together with an offer to purchase the complete results of its testing and evaluation. Matousec received almost no positive feedback. Even so, most security vendors are now struggling to reproduce the entire exploitation process from the information that is publicly available.

Security firm F-Secure gave an overview of the issue. The company notes that the problem only arises with malware that has no reliable signature, which a fully equipped and up-to-date system can nevertheless spot easily. All security software vendors are taking the problem seriously and have proposed many solutions, but implementing them is not easy. While Microsoft points to a special API for integrating antivirus software with operating systems such as Windows 7 and Vista SP1, no API meets this requirement on the Windows XP platform, which is still in use. Moreover, according to the German security vendor Avira, most of the widely used API functions cannot meet these requirements either. Avira therefore still has to rely on the SSDT to monitor system activity, and still does so in Antivir 10. The older version, Antivir 9, has no behaviour detection (on both Windows 7 and Vista SP1).

The attack technique Matousec describes is not entirely new: it has been known for 14 years as the time-of-check-to-time-of-use (TOCTTOU) problem. It was first described by Matt Bishop and Michael Dilger in 1996, and Andrey Kolishak examined its implications and the conditions under which it arises on Windows in 2003.
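The check-then-use window described above, and the TOCTTOU problem it belongs to, has the same defensive fix in user mode and in a kernel hook: capture the argument once, validate the captured copy, and pass that same copy on to the real function, so that later changes to memory the caller still controls no longer matter. The C program below is an added educational model, not Matousec's KHOBE code or any vendor's filter. It simulates the window deterministically (a callback stands in for the other thread) rather than racing real threads, and every name in it (struct load_args, monitor_vulnerable, monitor_hardened, real_load, run_scenario, the driver names allowed.sys and blocked.sys) is hypothetical.

```c
/* Added example (not from the article): a user-mode model of the
 * check-then-use window in an SSDT-style argument filter. All names
 * are hypothetical and the driver names are constructed. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 64

/* Argument block living in memory the caller still controls while the
 * monitor runs (models a user-mode pointer passed to a system call). */
struct load_args {
    char name[NAME_MAX];
};

/* Simulated "other thread": between the monitor's check and its call into
 * the real function, the caller rewrites the shared argument. This stands
 * in for the scheduling window the article describes. */
static const char *g_swap_to = NULL;
static void race_window(struct load_args *shared) {
    if (g_swap_to) {
        strncpy(shared->name, g_swap_to, NAME_MAX - 1);
        shared->name[NAME_MAX - 1] = '\0';
    }
}

/* The "real" system function: records what was actually loaded. */
static char g_last_loaded[NAME_MAX];
static int real_load(const char *name) {
    strncpy(g_last_loaded, name, NAME_MAX - 1);
    g_last_loaded[NAME_MAX - 1] = '\0';
    return 0;
}

/* Policy: a single constructed denylist entry. */
static int is_allowed(const char *name) {
    return strcmp(name, "blocked.sys") != 0;
}

/* Vulnerable filter: checks the shared buffer, then re-reads it when
 * forwarding to the real function (time of check != time of use). */
int monitor_vulnerable(struct load_args *shared) {
    if (!is_allowed(shared->name))
        return -1;                      /* denied */
    race_window(shared);                /* caller changes the name here */
    return real_load(shared->name);     /* uses the changed value */
}

/* Hardened filter: captures the argument once, validates the copy and
 * forwards the same copy, so a later change to caller memory is moot. */
int monitor_hardened(struct load_args *shared) {
    char captured[NAME_MAX];
    strncpy(captured, shared->name, NAME_MAX - 1);
    captured[NAME_MAX - 1] = '\0';
    if (!is_allowed(captured))
        return -1;                      /* denied */
    race_window(shared);                /* same window, no effect on copy */
    return real_load(captured);
}

/* Run one scenario and return the name that reached real_load
 * ("" if the request was denied). swap may be NULL for "no race". */
const char *run_scenario(int hardened, const char *initial, const char *swap) {
    struct load_args a;
    strncpy(a.name, initial, NAME_MAX - 1);
    a.name[NAME_MAX - 1] = '\0';
    g_last_loaded[0] = '\0';
    g_swap_to = swap;
    int rc = hardened ? monitor_hardened(&a) : monitor_vulnerable(&a);
    g_swap_to = NULL;
    return rc == 0 ? g_last_loaded : "";
}

int main(void) {
    printf("vulnerable: loaded '%s'\n", run_scenario(0, "allowed.sys", "blocked.sys"));
    printf("hardened:   loaded '%s'\n", run_scenario(1, "allowed.sys", "blocked.sys"));
    return 0;
}
```

In the vulnerable path the checked name and the used name come from the same caller-controlled buffer, so the swap in the window changes what real_load receives; in the hardened path the window still exists but has nothing to act on. This is the same capture-then-validate discipline kernel code applies to user-mode arguments, and it is the property a defender should verify when reviewing any hook that filters system calls.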
