This is shocking!!
Security folks at Matousec.com have come up with an ingenious attack that can bypass every Windows security product tested and lets malicious code into your system!
This is incredible as the list of Windows security products tested is huge!!
The attack uses a ‘bait and switch’ tactic: it hands the security software a piece of harmless code to scan and, the moment that code is okayed, swaps in the malicious code before the system acts on it. In other words, it wins the race between the moment the product checks the data and the moment the kernel uses it.
The attack is dubbed KHOBE – Kernel HOok Bypassing Engine (no known relation to Kobe Bryant). It targets the System Service Descriptor Table, or SSDT, the Windows kernel table that security products hook in order to inspect system calls.
This attack doesn’t even require admin rights, so even if you are working as a standard user, you are vulnerable.
KHOBE seems to work more reliably on newer multi-core systems: the different process threads don’t keep track of what the other threads are doing, which makes the switch to malicious code easier.
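To make the ‘bait and switch’ concrete from the defender’s side, here is a small added simulation (my own example, not Matousec’s engine or any vendor’s code). It models an SSDT-style hook that validates a system call argument while that argument still sits in user memory, a second thread that swaps the argument in the window between check and use, and the hardened pattern that defeats the swap: copy the argument into kernel-private memory once, validate the copy, and pass only the copy on. The paths, the toy scanner policy and the second-thread callback are all constructed for the demo.

```python
"""Simulation of the argument-swap race (a time-of-check/time-of-use race) that
KHOBE exploits against SSDT hooks, and the capture-then-check pattern that
closes it. Added example; a pure-Python model, not real kernel code."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed sample arguments: the user-mode buffer the "kernel" will act on.
HARMLESS = b"C:\\Users\\demo\\notes.txt"
MALICIOUS = b"C:\\Windows\\System32\\drivers\\evil.sys"   # constructed placeholder


@dataclass
class SyscallArgs:
    """Arguments live in user-mode memory; another thread can rewrite them at any time."""
    buf: bytearray


@dataclass
class Kernel:
    """Stand-in for the real system service: records what it was asked to do."""
    actions: List[bytes] = field(default_factory=list)
    tamper_log: List[str] = field(default_factory=list)

    def service(self, path: bytes) -> None:
        self.actions.append(bytes(path))


def scanner_allows(path: bytes) -> bool:
    """Toy security-product policy: refuse anything under the system driver directory."""
    return not path.lower().startswith(b"c:\\windows\\system32")


def vulnerable_hook(args: SyscallArgs, kernel: Kernel, other_thread: Callable[[], None]) -> str:
    """Hook that checks user memory in place and then lets the kernel re-read it.
    `other_thread` models the attacker's second core running in the race window."""
    if not scanner_allows(bytes(args.buf)):      # time of check: reads user memory
        return "blocked"
    other_thread()                               # race window: buffer gets swapped
    kernel.service(args.buf)                     # time of use: reads user memory again
    return "allowed"


def hardened_hook(args: SyscallArgs, kernel: Kernel, other_thread: Callable[[], None]) -> str:
    """Capture once into private memory, validate the copy, act only on the copy."""
    captured = bytes(args.buf)                   # the single read of user memory
    if not scanner_allows(captured):
        return "blocked"
    other_thread()                               # swap still happens, but is now irrelevant
    if bytes(args.buf) != captured:              # optional telemetry: argument changed mid-call
        kernel.tamper_log.append("argument modified between check and use")
    kernel.service(captured)                     # kernel acts on what was actually scanned
    return "allowed"


def run(hook) -> Tuple[str, List[bytes], List[str]]:
    """Run one hook against a caller whose other thread swaps the buffer mid-call."""
    args = SyscallArgs(bytearray(HARMLESS))
    kernel = Kernel()

    def swap() -> None:                           # the "switch" half of bait and switch
        args.buf[:] = MALICIOUS

    verdict = hook(args, kernel, swap)
    return verdict, kernel.actions, kernel.tamper_log


if __name__ == "__main__":
    for hook in (vulnerable_hook, hardened_hook):
        print(hook.__name__, run(hook))
```

Both hooks answer "allowed", because both saw the harmless path when they checked. The difference is what the kernel then acts on: the vulnerable hook ends up servicing the swapped-in path, while the hardened hook services the path it actually scanned and additionally notices that the user buffer changed underneath it, which is a useful signal to log.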
Here’s what Sophos’ Head of Technology has to say about it:
So the Khobe "attack" boils down to this: if you can write malware which already gets past Sophos’s on-access virus blocker, and past Sophos’s HIPS, then you may be able to use the Khobe code to bypass Sophos’s HIPS – which, of course, you just bypassed anyway. Oh, and only if you are using Windows XP.
In short: Sophos’s on-access anti-virus scanner doesn’t use SSDT hooks, so it’s fair for us to say that this isn’t a vulnerability for us at all. But what about other anti-virus software? Though I’m not usually an apologist for our competitors, I feel compelled to speak out in this case.
The fuss about Khobe is in my opinion unwarranted, and the claims that it "bypasses virtually all anti-virus software" are scaremongering.
Even though he is underplaying the seriousness of it, a lot of Windows computers in the world are still running XP. This is even more true in the corporate world, where many haven’t switched to Vista or Windows 7.
Windows is looking less and less attractive in terms of security. Even with all the security software out there!
If you use Mac or Linux, it’s time to give yourself a high-five.