diggThe technique is unrelated to the actual scanning functions of anti-malware programs. Such programs also attempt to block live attacks by software running on the system. In order to perform this monitoring on Windows security software "hooks" entries in the SSDT (System Service Descriptor Table), a table of handles for operating system calls. Calls to those operating system calls are dispatched to the security software which hooks it; that software examines the caller and parameters, looking for whatever problems it's looking for and dealing with them as need be; then it directly calls the operating system service that the application attempted to call.
By using multiple threads, the matousec technique can modify the parameters to the system call while the hooked process is executing, thus causing it to allow execution of a call with parameters different from those it tested. The nature of the attack is such that it can be executed purely from user-mode code, lowering the bar for getting running the attack on the system.
This sort of bug, not uncommon in multithreaded programming, is called a race condition, in which two threads contend for access to a shared resource and program logic breaks down as a result. Because the attack is sensitive to the execution state of the SSDT hooks, it doesn't work all the time. But the authors say that it often does work the first time and will work after a few tries in any event. They also say it is more reliable on multi-core processors.
The list of products found vulnerable is as follows:
3D EQSecure Professional Edition 4.2
avast! Internet Security 5.0.462
AVG Internet Security 9.0.791
Avira Premium Security Suite 10.0.0.536
BitDefender Total Security 2010 13.0.20.347
Blink Professional 4.6.1
CA Internet Security Suite Plus 2010 6.0.0.272
Comodo Internet Security Free 4.0.138377.779
DefenseWall Personal Firewall 3.00
Dr.Web Security Space Pro 6.0.0.03100
ESET Smart Security 4.2.35.3
F-Secure Internet Security 2010 10.00 build 246
G DATA TotalCare 2010
Kaspersky Internet Security 2010 9.0.0.736
KingSoft Personal Firewall 9 Plus 2009.05.07.70
Malware Defender 2.6.0
McAfee Total Protection 2010 10.0.580
Norman Security Suite PRO 8.0
Norton Internet Security 2010 17.5.0.127
Online Armor Premium 4.0.0.35
Online Solutions Security Suite 1.5.14905.0
Outpost Security Suite Pro 6.7.3.3063.452.0726
Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION
Panda Internet Security 2010 15.01.00
PC Tools Firewall Plus 6.0.0.88
PrivateFirewall 7.0.20.37
Security Shield 2010 13.0.16.313
Sophos Endpoint Security and Control 9.0.5
ThreatFire 4.7.0.17
Trend Micro Internet Security Pro 2010 17.50.1647.0000
Vba32 Personal 3.12.12.4
VIPRE Antivirus Premium 4.0.3272
VirusBuster Internet Security Suite 3.2
Webroot Internet Security Essentials 6.1.0.145
ZoneAlarm Extreme Security 9.1.507.000
Perhaps Microsoft had problems like this in mind when they attempted to ban all kernel patching in 64-bit versions of Windows several years ago. The feature which enforces this rule, called Kernel Patch Protection or PatchGuard, was objected to strongly by security software vendors, so Microsoft developed undocumented APIs to allow ISVs to get past PatchGuard and a policy for releasing the documentation.
pcmag
Posts
No comments:
Post a Comment