11 May 2010, 13:07

New attack bypasses anti-virus software

A (nearly) new attack method is reportedly able to bypass anti-virus software for Windows in order to, for example, load infected drivers, despite protection mechanisms. The attack, developed by Matousec.com, makes use of the fact that many anti-virus programs hook into the kernel's System Service Descriptor Table (SSDT) in order to monitor program behaviour.

If a user calls a particular system function – to load a driver for example – the anti-virus software checks to see if the call could conceal nefarious intent. If it doesn't, the software forwards the call to the actual function. According to Matousec, argument switching during an anti-virus software context switch (switching between two processes) allows malware to pass the checks carried out by the anti-virus software and then load an infected driver or call a forbidden function.

The trick involves making deft use of timing to find the point at which the anti-virus software process has finished checking the call, but the attacker is still able to retrospectively change – the name of the driver to be loaded, the pointer or the kernel handle. The degree of skill required to achieve this feat and the reliability of the method are a matter of some dispute. Matousec lists 34 products from well-known anti-virus software vendors as being vulnerable to argument switching because they use SSDT or other kernel hooks for their functions. Matousec used an internally developed framework named KHOBE (Kernel HOok Bypassing Engine) for its tests.

The anti-virus software vendors in question were informed of the problem by Matousec several weeks ago and were offered the opportunity to purchase test exploits. The response of many of them is unknown. Most, however, appear to be having difficulty reconstructing the vulnerability based on the information available – although they have confirmed the problem in principle.

McAfee has told The H's associates at heise Security that it considers a successful attack to be unlikely in practice. Effectively manipulating an argument during a context switch would require a great many attempts, which would likely result in a blue screen of death. Furthermore, malware has to have already penetrated a system in order to be able to carry out this attack. The argument switching attack would only allow it to escalate its privileges – that's if it doesn't already have administrator privileges due to the unfortunate habit of users working as administrators.

F-Secure consequently takes a relaxed view of the issue. It notes that the problem only arises for malware for which no signature is available, but that this would be made good by other detection systems. All vendors appear to be taking the problem seriously and mulling over solutions, but implementing a solution is by no means straightforward. While Microsoft recommends the use of a special API for integrating anti-virus software in its more recent operating systems such as Windows 7 and Vista SP1, no such API is available for the still widely used Windows XP. Furthermore, according to German anti-virus vendor Avira, the official API does not support all the required functions. It was still forced to use SSDT hooks to implement behavioural detection in its Antivir 10 product. The older Antivir 9, which does not have behavioural detection, was (at least for Windows 7 and Vista SP1) implemented without the use of hooks.

The technique described by Matousec is not entirely new – it's been around for 14 years and is known as the time-of-check-to-time-of-use problem (TOCTTOU). The problem was first described PDF by Matt Bishop and Michael Dilger in 1996 in the context of race conditions in file accesses. Andrey Kolishak explored its implications for Windows hooks in 2003.