New Attack Bypasses Virtually all AV Protection

John_Keck

Researchers have devised a way to bypass anti-virus software using the ol’ bait and switch. It sends a sample of clean code which passes security checks, then swaps it out afterwards with the malicious payload. It is also more effective on multicore systems due to one thread often being incapable of overseeing other simultaneous threads.
"We have performed tests with [most of] today's Windows desktop security products," the researchers wrote. "The results can be summarized in one sentence: If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100% of the tested products were found vulnerable."
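An added illustration of the check-then-use gap the post describes. This is not code from the article or the researchers; it is a constructed user-mode model in C. A "hook" validates an argument buffer that the caller still owns, then the real handler reads that same memory again. The callback passed in stands in for the second thread on another core that rewrites the buffer between the two reads; the byte value, buffer size and function names are arbitrary choices for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the argument-switch race.
 * BAD_BYTE is an arbitrary stand-in for whatever the hook scans for;
 * it is not a real signature. */
#define BAD_BYTE 0xEE
#define ARG_LEN  8

/* Argument buffer in caller-controlled memory: the attacker can rewrite it at any time. */
typedef struct {
    volatile unsigned char data[ARG_LEN];
} user_args;

/* Models "the other core": runs inside the window between the hook's check
 * and the handler's use, and may rewrite the buffer. */
typedef void (*race_fn)(user_args *);

enum { DISPATCH_BLOCKED = -1, DISPATCH_CLEAN = 0, DISPATCH_BREACHED = 1 };

static bool hook_scan(const volatile unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (p[i] == BAD_BYTE) return false;
    return true;
}

/* Vulnerable: check the caller's memory, then let the real handler re-read it. */
int vulnerable_dispatch(user_args *a, race_fn other_core) {
    if (!hook_scan(a->data, ARG_LEN))        /* first fetch: looks clean */
        return DISPATCH_BLOCKED;
    if (other_core) other_core(a);            /* race window */
    for (size_t i = 0; i < ARG_LEN; i++)      /* second fetch by the real handler */
        if (a->data[i] == BAD_BYTE) return DISPATCH_BREACHED;
    return DISPATCH_CLEAN;
}

/* Hardened: fetch the argument once into memory the caller cannot touch,
 * check the copy, and make the real handler operate on that same copy. */
int hardened_dispatch(user_args *a, race_fn other_core) {
    unsigned char local[ARG_LEN];
    for (size_t i = 0; i < ARG_LEN; i++)      /* single fetch */
        local[i] = a->data[i];
    if (!hook_scan(local, ARG_LEN))
        return DISPATCH_BLOCKED;
    if (other_core) other_core(a);            /* same window; the copy is unaffected */
    for (size_t i = 0; i < ARG_LEN; i++)
        if (local[i] == BAD_BYTE) return DISPATCH_BREACHED;
    return DISPATCH_CLEAN;
}

/* The attacker's swap: clean bytes went in, the payload goes in during the window. */
void swap_in_payload(user_args *a) {
    for (size_t i = 0; i < ARG_LEN; i++) a->data[i] = BAD_BYTE;
}

void clean_args(user_args *a) {
    for (size_t i = 0; i < ARG_LEN; i++) a->data[i] = 0x41;
}

int main(void) {
    user_args a;
    clean_args(&a);
    printf("vulnerable, swap in window: %d\n", vulnerable_dispatch(&a, swap_in_payload));
    clean_args(&a);
    printf("hardened, swap in window:   %d\n", hardened_dispatch(&a, swap_in_payload));
    return 0;
}
```

The vulnerable dispatcher returns DISPATCH_BREACHED when the swap lands in the window: the hook saw clean bytes, the handler ran the payload. The hardened one returns DISPATCH_CLEAN in the same scenario, because it executes the bytes it validated and the late swap never reaches it. On real hardware the window is only a few instructions wide, which is why the post notes the attack works better with a second core hammering the buffer in parallel.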
 
I love it, simple and effective! Maybe now someone will finally develop a whitelisting software package instead of persisting with slow and unreliable blacklisting antivirus software.
 
Return of the single-core CPU~~ :p Viruses get by all the time. Update/fix and round and round we go.
 
I still vote for the idea of sandboxing applications and only allowing a specific set of things that an application inside that sandbox can do to the global system.
 

Nice reply and link, sounds like someone needs to be taken to court for trying to profit from plagiarism.

Am I getting this right: This guy David M. just suddenly found information that he can use to cause mass hysteria by re-publishing something that has been published 7 years ago and charge for the full details. Then he claims that he alone can provide the technical details to thwart it for a price...although that information has been available for free the whole time on wiki.

Gotta love the internet.
 
> I love it, simple and effective! Maybe now someone will finally develop a whitelisting software package instead of persisting with slow and unreliable blacklisting antivirus software.

The new Norton Security suite does this.
 
What a load of BS. This bypasses AV products... If you can get on the system and get the user to run it. That is normally not the place where AV software stops viruses. Yes, they do have behavioral detection (the good ones at least) so that when something malicious happens they try and stop it. However, the major protection is scanning files as they come in. If there's nasty shit, they block it. The code never gets the chance to run and do something tricky as it isn't allowed to be accessed.

These research firms really need to STFU with the "Oh we've bypassed all protections with this!" crap. Because they never have. I'm not saying they shouldn't be researching into vulnerabilities, but I get tired of seeing the shit oversold. What they've discovered is a vulnerability with a single layer of security. Ok, great, this is not at all a catastrophe, nor does it make AV scanners useless. Keep your shit up to date and scanning inbound files and it will stop something like this before it gets to try its tricks.
 
> I love it, simple and effective! Maybe now someone will finally develop a whitelisting software package instead of persisting with slow and unreliable blacklisting antivirus software.

You can do that now with some of them. Actually this has been used for years to replace definition-based AV programs for some places. You blacklist everything and then go through and say which programs can and can't run on the system.

It's a pain in the ass for everyone for a few days till you get all normal programs listed to be ok to run. Then after that you just have to watch for new programs being blocked and allow them as needed.

Symantec has had this feature in their endpoint protection since the release of SEP 11.
 
Since when do AV only look at sample code, and not all of the code coming to the PC?

Seems a bit of BS to me unless it's all browser-based...

Even then Microsoft Security Essentials would hopefully catch it since it screens out most web content. I'm not sure about McAfee + antispyware plugin, but this just seems like a silly article.
 
That is what I was thinking.

Code comes in - scans it then ignores any code after that?
 
Nice of the company to put all that effort into finding this out, so are they now going to hold the AV and software people to ransom?
 
All applications should run in sandboxed environments and only have access to pre-defined memory and variables none of which consist of the OS itself.
 
> When have AV scanners ever been useful?

QFT

> All applications should run in sandboxed environments and only have access to pre-defined memory and variables none of which consist of the OS itself.

It would only be good until they figure out how to get around a setup like this.. then we're really fucked.
 
> You can do that now with some of them. Actually this has been used for years to replace definition-based AV programs for some places. You blacklist everything and then go through and say which programs can and can't run on the system.
>
> It's a pain in the ass for everyone for a few days till you get all normal programs listed to be ok to run. Then after that you just have to watch for new programs being blocked and allow them as needed.
>
> Symantec has had this feature in their endpoint protection since the release of SEP 11.

The only problem with whitelisting is low-level trojans such as rootkits...the AV scanner could care less about them because they operate on a lower level than the OS itself.
 