Via The Houston Chronicle
A group of computer-security researchers may have just made all of your Windows antivirus software obsolete.
Matousec.com issued an advisory last week that chronicles a process by which malware could circumvent just about every security product out there. We’re talking McAfee, Norton, BitDefender … the works. The researchers devised a mock-up piece of malicious software that morphs itself at exactly the right time. Just after an antivirus program scans an excerpt of code, the malware can swap that benign code for malicious code before it’s executed.
It’s being called an "argument-switch attack." From a good description by The Register:
The exploit has to be timed just right so the benign code isn’t switched too soon or too late. But for systems running on multi-core processors, matousec’s "argument-switch" attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked. …
Still, the exploit has its limitations. It requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC.
The argument-switch attack exploits the System Service Descriptor Table (SSDT) used by antivirus software – well, any software – which provides a "hook" to the Windows kernel. If you’re technical enough to know what that means, there’s plenty of more in-depth information in a report by Matousec.
"The research was done on Windows XP Service Pack 3 and Windows Vista Service Pack 1 on 32-bit hardware," the report states. "However, it is valid for all Windows versions including Windows 7. Even the 64-bit platform is not a limitation for the attack."
Lucian Constantin, of Softpedia, notes on a company blog that the underlying vulnerability has been known for years. And there have been no widespread exploits using the tactic.
"On the other hand, it is also true that multi-core processors, which drastically increase the success rate of this attack, have since become widespread in desktop computers," Constantin wrote. "Nevertheless, from information we received in confidence, some antivirus vendors were already planning to stop using SSDT hooks in the next version of their products, since before this research came out."
So, maybe we’ll all be safe. I guess we’ll see how the security companies play this one.
Once again, being vigilant about what sites you surf, and what emails you open will usually prevent an infection in the first place. It is also important to scan your machine with anti-virus AND anti-malware software at least once a week.
If you have any further questions, please contact the CCS Retail Systems Support Department @ 800-672-4806 or email us. We will be more than happy to answer and resolve your concerns
-Bryan 