Music, Personal Tech & Human Rights since 2005


New security risk can expose XP and Vista 32 bit


Just when you thought it was safe to go back in the water…KHOBE attack

Multi-core illustration by Ars Technica

A new virus threat has been discovered by Matousec.com that can expose multi-core computers running Windows XP and Vista 32-bit. According to the research, most standard anti-virus programs cannot detect the KHOBE malware.

Essentially, the virus presents a clean file for the anti-virus program to check. Once that file passes, it swaps in, on another CPU core, the malware program with the same name. Very tricky, and so far, according to the researchers, no anti-virus program has detected the infection.

Having personally just come from an Apache Linux infection at a major web hosting company, and having read about Google’s attack by the Chinese, it’s no time to relax.

Not everyone agrees the threat is real. Sophos, for instance, says their anti-virus product is immune to the KHOBE attack.

Personally, I’m neurotic and run two different anti-virus programs simultaneously. It’s a trick I read about and it does seem to work since Avast catches threats that Norton misses and vice versa.

For Mac-heads and Linux geeks, don’t look too smug. Macs are easily hacked since Mac users believe themselves invincible and don’t use anti-virus software. Unix and Linux are the land of hackers, with well-known holes and hacks, as Network Solutions demonstrated.

ComputerWorld – New attack tactic sidesteps Windows security software

‘Very serious’ says one antivirus exec, especially for Windows XP users

By Gregg Keizer

Computerworld – A just-published attack tactic that bypasses the security protections of most current antivirus software is a “very serious” problem, an executive at one unaffected company said today.

Last Wednesday, researchers at Matousec.com outlined how attackers could exploit the kernel driver hooks that most security software uses to reroute Windows system calls through their software to check for potential malicious code before it’s able to execute.

Calling the technique an “argument-switch attack,” a Matousec-written paper spelled out in relatively specific terms how an attacker could swap out benign code for malicious code between the moments when the security software issues a green light and the code actually executes.

“This is definitely very serious,” said Alfred Huger, vice president of engineering at Immunet, a Palo Alto, Calif.-based antivirus company. “Probably any security product running on Windows XP can be exploited this way.” Huger added that Immunet’s desktop client is not vulnerable to the argument-switch attacks because the company’s software uses a different method to hook into the Windows kernel.

According to Matousec, nearly three dozen Windows desktop security titles, including ones from Symantec, McAfee, Trend Micro, BitDefender, Sophos and others, can be exploited using the argument-switch tactic. Matousec said it had tested the technique on Windows XP SP3 and Vista SP1 on 32-bit machines.

Some security vendors agreed with Huger. “It’s a serious issue and Matousec’s technical findings are correct,” said Mikko Hypponen, chief research officer at Finnish firm F-Secure, in an e-mail.

“Matousec’s research is absolutely important and significant in the short term,” echoed Rik Ferguson, a senior security advisor at Trend Micro, in a blog post earlier Monday.

Other antivirus companies downplayed the threat, however. “Based on our initial review of the public documentation, we believe this is a complicated attack with several mitigating factors that make it unlikely to be a viable, real world, widespread attack scenario,” a McAfee spokesman said in an e-mail reply to a request for comment. “The attack would require some level of existing access to the target computer, as the attack described by Matousec does not on its own bypass security software or allow malware to run.”

Kaspersky Lab had a similar reaction. “[We] have analyzed the published material and concluded that the issue is only linked to certain features of [our] products,” Kaspersky said in an e-mailed statement. “Kaspersky Lab products implement not only [kernel] hooks, but a wide range of technologies, including secure sandboxing and other methods of restricting suspicious kernel mode activity.”

Huger confirmed that attackers would have to drop malware of some sort on the targeted machine in order to utilize the argument-switch strategy, and that there are “lots of easier ways to game antivirus” than Matousec’s technique.
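The argument-switch window the Computerworld piece describes is a time-of-check/time-of-use race: the hook validates an argument that still lives in caller-controlled memory, and a second thread on another core changes that memory before the hooked call is forwarded. The C program below is an added example, not code from this post, from Matousec or from any vendor named above. It simulates the window in user space with a deterministic callback standing in for the racing thread (the names `vulnerable_hook`, `hardened_hook`, `policy_allows` and the `/approved/` path prefix are all hypothetical) and shows the standard mitigation a hook author applies: copy the arguments into hook-private storage once, validate the copy, and forward the copy rather than re-reading the caller's buffer.

```c
/* Added example (not from the blog post or the Computerworld article).
 * Simulates the check-to-use window an inline syscall hook opens when it
 * validates arguments that still live in caller-controlled memory, and the
 * mitigation: snapshot the arguments before checking and forward the snapshot.
 * All names are hypothetical; nothing here touches a real kernel. */
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 64

/* Outcome of the guarded operation: whether it ran and with which path. */
typedef struct {
    int allowed;                 /* 1 if the hook let the call through */
    char executed[PATH_MAX_LEN]; /* path handed to the real operation */
} hook_result;

/* The hook's policy check: only paths under the (constructed) /approved/ prefix pass. */
static int policy_allows(const char *path)
{
    return strncmp(path, "/approved/", 10) == 0;
}

/* Runs inside the check-to-use window. In the real attack a second thread on
 * another core does this; a plain callback keeps the outcome deterministic. */
typedef void (*window_cb)(char *caller_arg);

/* Vulnerable hook: checks the caller's buffer, then re-reads the same buffer
 * when forwarding, so any change made in between is what actually runs. */
hook_result vulnerable_hook(char *caller_arg, window_cb during_window)
{
    hook_result r = { 0, "" };
    if (!policy_allows(caller_arg))
        return r;                  /* denied: nothing runs */
    if (during_window)
        during_window(caller_arg); /* the race window */
    r.allowed = 1;
    strncpy(r.executed, caller_arg, PATH_MAX_LEN - 1); /* re-read after the check */
    return r;
}

/* Hardened hook: copies the argument once, validates the copy, forwards the
 * copy. The caller's buffer may change freely; it is never consulted again. */
hook_result hardened_hook(char *caller_arg, window_cb during_window)
{
    hook_result r = { 0, "" };
    char snapshot[PATH_MAX_LEN];
    strncpy(snapshot, caller_arg, PATH_MAX_LEN - 1);
    snapshot[PATH_MAX_LEN - 1] = '\0';
    if (!policy_allows(snapshot))
        return r;
    if (during_window)
        during_window(caller_arg); /* same window, now without effect */
    r.allowed = 1;
    strncpy(r.executed, snapshot, PATH_MAX_LEN - 1);
    return r;
}

/* Constructed stand-in for the racing thread: rewrites the already-checked argument. */
static void swap_argument(char *caller_arg)
{
    strcpy(caller_arg, "/unapproved/payload");
}

/* Demonstration helpers: each returns 1 when the described behaviour holds. */
int demo_vulnerable_runs_swapped_path(void)
{
    char arg[PATH_MAX_LEN] = "/approved/tool";
    hook_result r = vulnerable_hook(arg, swap_argument);
    return r.allowed && strcmp(r.executed, "/unapproved/payload") == 0;
}

int demo_hardened_runs_checked_path(void)
{
    char arg[PATH_MAX_LEN] = "/approved/tool";
    hook_result r = hardened_hook(arg, swap_argument);
    return r.allowed && strcmp(r.executed, "/approved/tool") == 0;
}

int demo_hardened_denies_unapproved(void)
{
    char arg[PATH_MAX_LEN] = "/unapproved/payload";
    hook_result r = hardened_hook(arg, NULL);
    return r.allowed == 0 && r.executed[0] == '\0';
}

int main(void)
{
    printf("vulnerable hook forwards the swapped path: %s\n",
           demo_vulnerable_runs_swapped_path() ? "yes" : "no");
    printf("hardened hook forwards the checked path:   %s\n",
           demo_hardened_runs_checked_path() ? "yes" : "no");
    return 0;
}
```

The vulnerable hook forwards whatever the caller's buffer holds after the check, so the swap decides what runs; the hardened hook never re-reads that buffer, so the swap has nothing to act on. This models only the design flaw in the hook, not the Windows kernel hooking mechanism itself, and it leaves untouched the point McAfee and Huger make above: the attacker must already have code running on the machine to race the hook at all.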
