Wednesday, May 12, 2010

Thirty-Five Antivirus Programs Share Common Hole

A new attack technique has been described by matousec.com (a project of Different Internet Experience Ltd.) which could allow a program to bypass the host intrusion detection and certain other protections provided by common Windows security software. Their report lists 35 security products on which they tested the technique; it worked on all of them.

The technique is unrelated to the actual scanning functions of anti-malware programs. Such programs also attempt to block live attacks by software running on the system. To perform this monitoring on Windows, security software "hooks" entries in the SSDT (System Service Descriptor Table), the kernel's table of addresses of the routines that implement system calls. A call to a hooked service is dispatched to the security software that hooked it; that software examines the caller and the parameters, looking for whatever problems it is designed to catch and dealing with them as need be; then it directly calls the operating system service that the application attempted to call.

By using multiple threads, the matousec technique modifies the parameters of the system call while the hook is still executing, so that the hook allows a call whose parameters differ from the ones it checked. The attack can be carried out entirely from user-mode code, which lowers the bar for running it on a system.

This sort of bug, not uncommon in multithreaded programming, is called a race condition: two threads contend for access to a shared resource and program logic breaks down as a result. Because the attack depends on the timing of the SSDT hook's execution, it does not work every time. But the authors say that it often works on the first try and will succeed after a few tries in any event. They also say it is more reliable on multi-core processors.
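The check-then-use race described above, as an added C example that is not code from matousec or from any of the products listed below: a constructed model of a hook that validates a system-call argument in the caller's memory and then reads that memory again, beside the hardened form that captures the argument once into memory the caller cannot modify and works only from the copy. The second thread is stood in for by a deterministic callback invoked between the check and the use, so the outcome is reproducible on any machine; the service, the policy, the path names and every function name here are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed policy for the example: the hook must deny access to anything
   under this directory. */
#define PROTECTED_PREFIX "C:\\Protected\\"

enum verdict { VERDICT_ALLOWED, VERDICT_BLOCKED };

/* Memory owned by the caller. A kernel hook reads a user-mode argument
   buffer in exactly this way: through a pointer the caller controls. */
struct call_args {
    char path[64];
};

/* Whatever runs between the hook's check and its use of the argument.
   In the real attack this is a second thread on another core; here it is
   a plain callback so the race window is hit every time. */
typedef void (*interleave_fn)(struct call_args *args);

static bool policy_allows(const char *path) {
    return strncmp(path, PROTECTED_PREFIX, strlen(PROTECTED_PREFIX)) != 0;
}

/* The underlying service: records which path it actually acted on. */
static void real_service(const char *path, char *acted_on, size_t n) {
    snprintf(acted_on, n, "%s", path);
}

/* Vulnerable hook: validates the argument in the caller's memory, then
   hands the same pointer to the service, which re-reads memory that may
   have changed since the check. */
static enum verdict hook_check_in_place(struct call_args *args, interleave_fn between,
                                        char *acted_on, size_t n) {
    if (!policy_allows(args->path))            /* first fetch: the check */
        return VERDICT_BLOCKED;
    if (between) between(args);                /* the race window */
    real_service(args->path, acted_on, n);     /* second fetch: the use */
    return VERDICT_ALLOWED;
}

/* Hardened hook: copy the argument once into storage the caller cannot
   reach, then validate and use only that copy. */
static enum verdict hook_capture_once(struct call_args *args, interleave_fn between,
                                      char *acted_on, size_t n) {
    char captured[sizeof args->path];
    memcpy(captured, args->path, sizeof captured);
    captured[sizeof captured - 1] = '\0';
    if (!policy_allows(captured))
        return VERDICT_BLOCKED;
    if (between) between(args);   /* caller memory may change; we no longer read it */
    real_service(captured, acted_on, n);
    return VERDICT_ALLOWED;
}

/* Interleaving used by the demo: replace the benign path with a protected one. */
static void swap_to_protected(struct call_args *args) {
    snprintf(args->path, sizeof args->path, "%s", PROTECTED_PREFIX "secrets.txt");
}

/* Runs one hook against the swap and reports whether a protected path
   reached the service despite the policy check. */
static bool protected_path_reached(enum verdict (*hook)(struct call_args *, interleave_fn,
                                                        char *, size_t)) {
    struct call_args args;
    char acted_on[64] = {0};
    snprintf(args.path, sizeof args.path, "%s", "C:\\Users\\Public\\notes.txt");
    enum verdict v = hook(&args, swap_to_protected, acted_on, sizeof acted_on);
    return v == VERDICT_ALLOWED && !policy_allows(acted_on);
}

int main(void) {
    printf("check-in-place hook: protected path reached = %s\n",
           protected_path_reached(hook_check_in_place) ? "yes" : "no");
    printf("capture-once hook:   protected path reached = %s\n",
           protected_path_reached(hook_capture_once) ? "yes" : "no");
    return 0;
}
```

The defensive point is the second hook: a check is only as good as the data it is applied to, so any code that consumes a caller-controlled buffer, whether an SSDT hook or an ordinary system call implementation, must copy the argument into its own memory once and validate and use that copy. Validating in place is insufficient however careful the check, because the window between the check and the use is exactly what the multi-threaded technique in the report exploits.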

The list of products found vulnerable is as follows:

3D EQSecure Professional Edition 4.2

avast! Internet Security 5.0.462

AVG Internet Security 9.0.791

Avira Premium Security Suite 10.0.0.536

BitDefender Total Security 2010 13.0.20.347

Blink Professional 4.6.1

CA Internet Security Suite Plus 2010 6.0.0.272

Comodo Internet Security Free 4.0.138377.779

DefenseWall Personal Firewall 3.00

Dr.Web Security Space Pro 6.0.0.03100

ESET Smart Security 4.2.35.3

F-Secure Internet Security 2010 10.00 build 246

G DATA TotalCare 2010

Kaspersky Internet Security 2010 9.0.0.736

KingSoft Personal Firewall 9 Plus 2009.05.07.70

Malware Defender 2.6.0

McAfee Total Protection 2010 10.0.580

Norman Security Suite PRO 8.0

Norton Internet Security 2010 17.5.0.127

Online Armor Premium 4.0.0.35

Online Solutions Security Suite 1.5.14905.0

Outpost Security Suite Pro 6.7.3.3063.452.0726

Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION

Panda Internet Security 2010 15.01.00

PC Tools Firewall Plus 6.0.0.88

PrivateFirewall 7.0.20.37

Security Shield 2010 13.0.16.313

Sophos Endpoint Security and Control 9.0.5

ThreatFire 4.7.0.17

Trend Micro Internet Security Pro 2010 17.50.1647.0000

Vba32 Personal 3.12.12.4

VIPRE Antivirus Premium 4.0.3272

VirusBuster Internet Security Suite 3.2

Webroot Internet Security Essentials 6.1.0.145

ZoneAlarm Extreme Security 9.1.507.000

Perhaps Microsoft had problems like this in mind when it attempted to ban all kernel patching in 64-bit versions of Windows several years ago. Security software vendors objected strongly to the feature that enforces this rule, called Kernel Patch Protection or PatchGuard, so Microsoft developed undocumented APIs that let ISVs get past PatchGuard, along with a policy for releasing the documentation.
pcmag
