Archive for May, 2010

New attack bypasses anti-virus software

Posted in IT Security on May 18, 2010 by cobra

A (nearly) new attack method is reportedly able to bypass anti-virus software for Windows and, for example, load a malicious driver despite the protection mechanisms. The attack, developed by Matousec.com, makes use of the fact that many anti-virus programs hook the kernel’s System Service Descriptor Table (SSDT) in order to monitor program behaviour.
When a program calls a hooked system function – to load a driver, for example – the anti-virus hook first inspects the call’s arguments for signs of malicious intent. If it finds none, the hook forwards the call to the original function. According to Matousec, “argument switching” lets malware pass these checks anyway: the hook validates the arguments where they sit in the calling process’s memory, and a context switch (the thread running the hook being pre-empted in favour of another thread of the malware) between the hook’s check and the original function’s use of the arguments gives that second thread the chance to overwrite them. The original function then loads the malicious driver or performs the otherwise forbidden operation.

The trick involves using timing to hit the window in which the anti-virus hook has finished checking the call but the original function has not yet consumed its arguments, so the attacker can still change them retrospectively: the name of the driver to be loaded, a pointer, or a kernel handle. The degree of skill required to achieve this and the reliability of the method are a matter of some dispute. Matousec lists 34 products from well-known anti-virus vendors as vulnerable to argument switching because they rely on SSDT or other kernel hooks for their functions. Matousec used an internally developed framework named KHOBE (Kernel HOok Bypassing Engine) for its tests.
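To make the race concrete, here is an added simulation in Python; it is not Matousec’s KHOBE code and not taken from any of the products listed. A bytearray stands in for the caller’s user-mode memory holding the system call’s argument, a preempt callback models the context switch between the hook’s check and the original service’s use of the argument (so the race is deterministic rather than run on real threads), and the hardened variant shows the fix: capture a private copy before validating and forward that copy. All names (hooked_service_vulnerable, real_service, the driver paths, the “evil” policy) are illustrative assumptions.

```python
from typing import Callable, Optional

# The calling process's user-mode buffer that holds the system call argument
# (constructed stand-in for a pointer the hook and the kernel both dereference).
USER_MEMORY = bytearray(64)

FORBIDDEN = b"evil"        # hypothetical policy: block anything mentioning "evil"


def write_user_arg(value: bytes) -> None:
    """The calling thread (or a second thread) writes into the shared buffer."""
    USER_MEMORY[:] = value.ljust(len(USER_MEMORY), b"\0")


def read_user_arg() -> bytes:
    """Dereferencing the argument pointer returns whatever is there right now."""
    return bytes(USER_MEMORY).rstrip(b"\0")


def is_allowed(path: bytes) -> bool:
    """The hook's check: reject anything matching the (hypothetical) policy."""
    return FORBIDDEN not in path


def real_service(path: bytes) -> bytes:
    """Stand-in for the original kernel service (think NtLoadDriver): returns
    the driver path it actually acted on."""
    return path


def hooked_service_vulnerable(preempt: Callable[[], None]) -> Optional[bytes]:
    """SSDT-hook style filter that validates the argument *in user memory* and
    then forwards the call, which re-reads that same memory."""
    if not is_allowed(read_user_arg()):
        return None                          # blocked
    preempt()                                # context switch to the other thread
    return real_service(read_user_arg())     # original service reads it again


def hooked_service_hardened(preempt: Callable[[], None]) -> Optional[bytes]:
    """Same filter, but it captures a private copy before checking and
    forwards the copy, so later changes to user memory cannot matter."""
    captured = read_user_arg()               # copy taken before validation
    if not is_allowed(captured):
        return None
    preempt()                                # the race window still exists...
    return real_service(captured)            # ...but the copy is what runs


def attacker_thread() -> None:
    """The malware's second thread: swap the argument once the check passed."""
    write_user_arg(b"C:\\drivers\\evil.sys")


def run(hook: Callable[[Callable[[], None]], Optional[bytes]]) -> Optional[bytes]:
    """Malware submits a harmless-looking argument, then races the hook."""
    write_user_arg(b"C:\\drivers\\benign.sys")
    return hook(attacker_thread)


if __name__ == "__main__":
    print("vulnerable hook loaded:", run(hooked_service_vulnerable))
    print("hardened hook loaded:  ", run(hooked_service_hardened))
```

In a real SSDT hook the argument is a pointer into the calling process’s memory (for NtLoadDriver a UNICODE_STRING whose Buffer is itself a user pointer), so “capturing” means probing and copying it into kernel memory before the check, which is exactly what the original kernel services do for themselves; a hook that validates in place and then calls the original service, which re-reads user memory, is what argument switching exploits. Copying only helps if the hook can hand the copy to the original service, and where it cannot, the supported route is the kernel’s own callback and filter interfaces rather than SSDT patching.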

Please access the following links for information about:

– Full article on this subject
– Matousec.com’s research on this threat
– F-Secure’s lab news

ciao 😀


Understanding Man-In-The-Middle Attacks – DNS Spoofing

Posted in IT Security on May 3, 2010 by cobra

DNS spoofing is a MITM technique used to supply false DNS information to a host, so that a victim who tries to browse to, for example, http://www.bankofamerica.com at IP address XXX.XX.XX.XX is instead sent to a fake http://www.bankofamerica.com at IP address YYY.YY.YY.YY, which the attacker has set up in order to steal online banking credentials and account information from unsuspecting users.

This is actually done quite easily and here you will see how it works, how it is done, and how to defend against it.
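As an added illustration of the mechanics (constructed for this page, not part of the original post and not a packet capture), the Python below builds the stub resolver’s query for the bank’s name, forges the reply an attacker on the path would answer it with, and applies the checks a plain (non-DNSSEC) stub resolver performs before accepting a reply: QR bit set, matching transaction ID, matching question. The attacker address 203.0.113.10 and the transaction IDs are made up. The only thing that makes the forged reply acceptable is that the attacker knows, or guesses, the 16-bit ID (and the source port, which the OS socket matches and is assumed to match here).

```python
import struct


def encode_name(name: str) -> bytes:
    """Encode a host name as DNS labels: length-prefixed, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_header(pkt: bytes):
    """Return (id, flags, qdcount, ancount, nscount, arcount)."""
    return struct.unpack("!HHHHHH", pkt[:12])


def question_section(pkt: bytes) -> bytes:
    """Raw question (name + QTYPE + QCLASS), which starts at offset 12."""
    i = 12
    while pkt[i] != 0:            # walk the labels to the terminator
        i += 1 + pkt[i]
    i += 1 + 4                    # terminator, then QTYPE and QCLASS
    return pkt[12:i]


def build_query(txid: int, name: str) -> bytes:
    """What the victim's stub resolver sends: RD set, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def forge_response(query: bytes, attacker_ip: str, ttl: int = 3600) -> bytes:
    """What the attacker injects: same ID and question, QR/RD/RA set, NOERROR,
    one A record (name compressed as a pointer to offset 12) with his address."""
    txid = parse_header(query)[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in attacker_ip.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
    return header + question_section(query) + answer


def stub_resolver_accepts(query: bytes, response: bytes) -> bool:
    """The checks a classic stub resolver applies to an incoming reply."""
    qid = parse_header(query)[0]
    rid, flags = parse_header(response)[:2]
    if not flags & 0x8000:        # must be a response (QR bit)
        return False
    if rid != qid:                # must carry the outstanding transaction ID
        return False
    return question_section(response) == question_section(query)


def answered_ip(response: bytes) -> str:
    """Dotted-quad of the first A record in the answer section."""
    q = question_section(response)
    rr = response[12 + len(q):]
    _, rtype, _, _, rdlen = struct.unpack("!HHHIH", rr[:12])
    if rtype != 1 or rdlen != 4:
        raise ValueError("not an A record")
    return ".".join(str(b) for b in rr[12:16])


if __name__ == "__main__":
    q = build_query(0x1234, "www.bankofamerica.com")
    r = forge_response(q, "203.0.113.10")
    print("accepted:", stub_resolver_accepts(q, r), "->", answered_ip(r))
```

An attacker positioned on the LAN (ARP spoofing, a rogue access point, a compromised router) sees the query and therefore the ID and port, so the guess becomes certain; an off-path attacker has to flood guesses, which is why resolvers randomise both the transaction ID and the source port. Neither stops an on-path attacker; only validating the answer cryptographically (DNSSEC) or the destination (the real site’s TLS certificate, which a fake http://www.bankofamerica.com cannot present) does.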

IronKey launches secure online banking USB stick

Posted in IT Security on May 1, 2010 by cobra

IronKey has launched its Trusted Access for Banking USB stick at InfoSec 2010 in London. The IronKey TAB uses an isolated virtual machine launched from the stick and an intermediate server, reached through a VPN-like connection, to create a secure channel from the user to IronKey’s servers and from there to the bank’s web servers.

The solution is aimed at commercial banks and their customers, who have found that key-logging malware on host PCs undermines techniques such as two-factor authentication. IronKey says that in some cases key-logging malware is already watched live while the user logs in: the entry of a security token can be observed and replayed while the token is still valid. The IronKey TAB runs a Linux-based operating system which in turn runs a dedicated Firefox-based browser. It takes a number of steps to prevent key-loggers from intercepting passwords and has an optional virtual keyboard for entering passwords without the physical keyboard. It also uses the IronKey’s integrated RSA SecurID to provide login tokens, but adds an extra, variable obfuscation so that any malware spying on the entry sees an invalid token.

In intent the IronKey TAB resembles booting a Linux Live CD and banking from that read-only environment, but without rebooting the host system: the environment is activated simply by plugging in the stick, and the stick itself is not compromised by malware on the host. IronKey goes further than a dedicated machine or Live CD by taking control of the connection to the bank’s servers, wrapping network traffic in a VPN-like tunnel and resolving DNS through IronKey’s server, in order to avert man-in-the-middle and DNS-manipulation attacks. The bank can configure the device to allow access only to its own websites and those of trusted partners. The server can also block access based on IP address, time of day or location, a capability carried over from IronKey’s secure USB flash drive offerings. The system also offers remote kill or lock-out to disable lost or stolen sticks.

Unlike other IronKey products, the TAB stick gives the user no write access, but it can be updated remotely by the server. It also runs only on Windows-based hosts.