Researchers Demonstrate Attack Method Immune to all AV Apps

Paul Lilly

Software security researchers at matousec.com say they've devised a way to bypass protection built into several of the most popular desktop antivirus products, including those offered by Avast, AVG, Avira, BitDefender, Comodo, Kaspersky, McAfee, Norton, Trend Micro,and several others. The way it works is by exploiting the driver hooks AV apps bury inside Windows. By sending a sample of benign code, they're able to bypass security checks, but before code is executed, it's replaced with malicious data.

"We have performed tests with [most of] today's Windows desktop security products," the researchers wrote. "The results can be summarized in one sentence: If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100 percent of the tested products were found vulnerable."

So far the researchers have tested their method on 34 security products, all of which were found vulnerable. Time permitting for more tests, "the list would be endless," the researchers say. If that wasn't frightening enough, the exploit apparently works just as well on accounts with limited privileges.

The question is, should you be concerned? Not yet. The exploit requires a large amount of code to be loaded onto the victim's PC, rendering it all but useless for shellcode-based attacks or those which rely on speed and stealth. In addition, the attacker must already have the ability to run a binary on the target PC for this exploit to work.

Full breakdown here .

Around the web

by CPMStar (Sponsored) Free to play

Comments