New attack bypasses anti-virus software

A (nearly) new attack method is reportedly able to bypass anti-virus software for Windows in order to, for example, load infected drivers despite the protection mechanisms. The attack, developed by Matousec.com, makes use of the fact that many anti-virus programs hook into the kernel’s System Service Descriptor Table (SSDT) in order to monitor program behaviour.
If a user calls a particular system function (to load a driver, for example), the anti-virus software checks whether the call could conceal nefarious intent. If it doesn’t, the software forwards the call to the actual function. According to Matousec, switching the arguments during a context switch (the switch between two processes) while the anti-virus software is handling the call allows malware to pass the checks carried out by the anti-virus software and then load an infected driver or call a forbidden function.

The trick involves making deft use of timing to find the point at which the anti-virus software has finished checking the call but the attacker is still able to retrospectively change the name of the driver to be loaded, the pointer or the kernel handle. The degree of skill required to achieve this feat and the reliability of the method are a matter of some dispute. Matousec lists 34 products from well-known anti-virus software vendors as being vulnerable to argument switching because they use SSDT or other kernel hooks for their functions. Matousec used an internally developed framework named KHOBE (Kernel HOok Bypassing Engine) for its tests.
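The weakness described above is a time-of-check/time-of-use race: the hook validates an argument that still lives in memory the caller controls, and the real function reads that memory a second time. The following C program is an added example written for this page, not code from Matousec, KHOBE or any anti-virus product; it is a user-mode simulation in which a `between` callback stands in for the race window, so the outcome is deterministic. The allow-list prefix, the two driver paths and the `swap_argument` callback are all constructed sample values. It contrasts a hook that checks the caller's buffer in place (two fetches) with one that copies the argument once before validating and forwarding it (one fetch), which is the standard defensive pattern for this class of bug.

```c
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 64

/* Constructed allow-list used by the simulated hook (assumption). */
static const char ALLOWED_PREFIX[] = "C:\\Windows\\System32\\drivers\\";

static int path_is_allowed(const char *path) {
    return strncmp(path, ALLOWED_PREFIX, strlen(ALLOWED_PREFIX)) == 0;
}

/* Stand-in for the real service routine the hook forwards to. It reads
 * the argument it is handed (as the original would) and records it so the
 * result can be inspected. */
static char last_loaded[PATH_MAX_LEN];

static int real_load_driver(const char *path) {
    strncpy(last_loaded, path, PATH_MAX_LEN - 1);
    last_loaded[PATH_MAX_LEN - 1] = '\0';
    return 1;
}

/* Models code that runs between the hook's check and the real function's
 * use of the argument (the race window). */
typedef void (*window_fn)(char *user_path);

/* Vulnerable hook: validates the caller's buffer in place (first fetch),
 * then forwards the same pointer, so the real function fetches it again. */
static int hook_double_fetch(char *user_path, window_fn between) {
    if (!path_is_allowed(user_path))
        return 0;                      /* rejected */
    if (between) between(user_path);   /* argument may change here */
    return real_load_driver(user_path);
}

/* Hardened hook: copies the argument once into memory the caller cannot
 * reach, validates the copy, and forwards the copy. Whatever happens to
 * the caller's buffer afterwards no longer matters. */
static int hook_single_fetch(char *user_path, window_fn between) {
    char captured[PATH_MAX_LEN];
    strncpy(captured, user_path, PATH_MAX_LEN - 1);
    captured[PATH_MAX_LEN - 1] = '\0';
    if (!path_is_allowed(captured))
        return 0;
    if (between) between(user_path);   /* same window, no effect on copy */
    return real_load_driver(captured);
}

/* Constructed window behaviour: the caller's buffer is overwritten with a
 * path outside the allow-list after the check has passed. */
static void swap_argument(char *user_path) {
    strncpy(user_path, "C:\\Temp\\unvetted.sys", PATH_MAX_LEN - 1);
    user_path[PATH_MAX_LEN - 1] = '\0';
}

/* Runs one scenario and returns the path the real function actually used
 * ("" if the hook rejected the call). */
const char *run_scenario(int hardened) {
    char user_path[PATH_MAX_LEN] = "C:\\Windows\\System32\\drivers\\ok.sys";
    last_loaded[0] = '\0';
    int loaded = hardened ? hook_single_fetch(user_path, swap_argument)
                          : hook_double_fetch(user_path, swap_argument);
    return loaded ? last_loaded : "";
}

int main(void) {
    printf("double-fetch hook loaded: %s\n", run_scenario(0));
    printf("single-fetch hook loaded: %s\n", run_scenario(1));
    return 0;
}
```

The double-fetch hook ends up loading the swapped path even though its check passed on the original one; the single-fetch hook loads the path it validated. In a real kernel hook the copy would be made with the platform's probe-and-copy primitives, but the principle is the same: never validate data in memory the caller can still write to.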

Please access the following links for information about:

– Full article on this subject
– Matousec.com’s research on this threat
– F-Secure’s Lab news

ciao 😀
