Enterprise Application Whitelisting


Khobe: Final Nail in the Antivirus Coffin?

Posted by Kate Munro on Tue, May 18, 2010

Called an "8.0 earthquake for Windows desktop security software" by its creators at Matousec.com, KHOBE (Kernel Hook Bypassing Engine), also known as the argument-switch attack, was recently presented as a technique that can bypass most antivirus software.

Last week, researchers at Matousec.com showed how attackers could exploit the kernel driver hooks that most antivirus software uses to reroute Windows system calls through the security product, so that code can be checked for potentially malicious behaviour before it is allowed to execute. The Matousec paper described how an attacker could swap benign code for malicious code in the window between the moment the security software gives the call a green light and the moment the code actually executes.
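The check-then-use window described above, as an added illustration in Python (not Matousec's KHOBE code and not any vendor's kernel driver): a hypothetical hook validates a system-call argument and an executor then uses it. The vulnerable version reads the caller-owned buffer twice, so whatever is written into it between the verdict and the use is what actually runs; the hardened version copies the argument once into memory the caller cannot reach and validates and executes that copy. The function names, the sample buffers and the approved digest are all constructed for the example.

```python
"""Check-then-use in a security hook: a vulnerable double fetch beside a
hardened single-fetch design. Added illustration; not Matousec's KHOBE code
and not any vendor's kernel driver. `is_approved`, `vulnerable_syscall`,
`hardened_syscall` and the sample buffers are all constructed here."""
import hashlib

# Constructed stand-ins for the code a system call is asked to execute.
BENIGN = bytearray(b"print('hello')")
SWAPPED = bytearray(b"<constructed unapproved payload>")

# Constructed policy: only the benign buffer's digest is approved.
APPROVED_DIGESTS = {hashlib.sha256(bytes(BENIGN)).hexdigest()}


def is_approved(data: bytes) -> bool:
    """The security product's verdict on a concrete byte string."""
    return hashlib.sha256(data).hexdigest() in APPROVED_DIGESTS


def vulnerable_syscall(arg_buffer: bytearray, during_window=None):
    """The hook validates the caller-owned buffer, then the executor reads
    that same buffer again. `during_window` models another thread of the
    calling process changing the buffer after the verdict was issued."""
    # First fetch: the hook inspects caller-controlled memory.
    if not is_approved(bytes(arg_buffer)):
        return ("blocked", None)
    # The race window between "green light" and execution.
    if during_window is not None:
        during_window(arg_buffer)
    # Second fetch: whatever is in the buffer now is what runs.
    return ("executed", bytes(arg_buffer))


def hardened_syscall(arg_buffer: bytearray, during_window=None):
    """Copy the argument once into memory the caller cannot reach, validate
    the copy, and execute the copy. Later changes to the caller's buffer
    cannot influence what was checked or what runs."""
    private_copy = bytes(arg_buffer)  # single fetch
    if not is_approved(private_copy):
        return ("blocked", None)
    if during_window is not None:
        during_window(arg_buffer)  # the caller's buffer may still change ...
    return ("executed", private_copy)  # ... but the validated copy is what runs


def swap_contents(buf: bytearray) -> None:
    """Simulated concurrent modification of the caller-owned buffer."""
    buf[:] = SWAPPED


if __name__ == "__main__":
    print("vulnerable:", vulnerable_syscall(bytearray(BENIGN), swap_contents))
    print("hardened:  ", hardened_syscall(bytearray(BENIGN), swap_contents))
```

The design point is the single fetch: a hook that keys its decision on memory the caller still controls has nothing to enforce its verdict with, whereas validating a private copy makes the verdict and the execution refer to the same bytes.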


This is yet another example of why enterprises cannot put all their eggs in the AV basket. Today's malware writers and hackers are skilled enough to penetrate even the most up-to-date and expensive antivirus/anti-spyware software. This latest finding by Matousec shows that this is an industry-wide problem, not a failing of one particular vendor: 35 of the most popular antivirus products have been identified as vulnerable to this "argument-switch" attack. Perhaps this is the final nail in the coffin, at least in the eyes of its user base.

Right now, the best advice being given to computer users is to avoid opening email from unknown sources and to avoid clicking on suspicious pop-up ads. Why leave it to chance? Controlling applications at the endpoint, with a positive, allow-list approach, makes more sense.

COMMENTS

Not all protection software was reported as being vulnerable to this attack. This "hook" method is not used by Immunet "Cloud" Protect or by Microsoft Security Essentials... Not all hope is lost. Maybe some of these others will adapt and change. The spammers and malware creators sure are...

posted @ Wednesday, May 19, 2010 5:18 AM by SimplyNotSureRU


History has shown that people tolerate being infected even though they have up-to-date Antivirus Software. This vulnerability only shows there is yet another vector for Antivirus software not to work using current approaches to threat response technology. It is time for end users to think about additional and alternative technologies when considering how to deal with today’s Malware threats.

posted @ Wednesday, May 19, 2010 11:33 AM by Securater


so let me see if i have this straight. an attack that requires the malware to already be running supposedly bypasses a bunch of av products (even though what's getting bypassed isn't what most people think of as av technology) and you're going to call it the final nail in av's coffin?

i wonder, how well does application whitelisting fare in the same situation - you know, after the malware is already running.

posted @ Wednesday, May 19, 2010 2:11 PM by kurt wismer


>> after the malware is already running

That's the problem with security solutions that are only reactive: You need to know something is "bad" in advance in order to stop it from running.

Application whitelisting is a proactive approach. It does not depend on such foresight. If the code is not marked as "good", then it is not allowed to run in the first place.

Harry Sverdlove, CTO, Bit9

posted @ Wednesday, May 19, 2010 2:54 PM by Harry Sverdlove


@Harry Sverdlove:
"If the code is not marked as "good", then it is not allowed to run in the first place."

but you need to know not to mark it as good. how does an end user come upon this knowledge? how does bit9? certainly not by reverse engineering billions of programs and verifying each one as safe.

the problem av has in keeping bad things from executing is the same problem whitelisting has in keeping bad things off the whitelist. without knowledge of what is bad you can't make good decisions in either circumstance.

posted @ Wednesday, May 19, 2010 3:16 PM by kurt wismer


Indeed that is the challenge and purpose of an advanced whitelisting solution.

Bit9 Parity offers many techniques for marking programs as "good", including approving by publisher (digital certificates), trusted user, trusted source, approved distribution methods (e.g. SMS, Altiris, ...), trusted updaters and processes, hash values, and more.

In addition, we have one of the largest catalogs of known software (Global Software Registry), providing both trust and threat information to Parity to help make these approval decisions.

It is true that maintaining a whitelist is conceptually a similar challenge as maintaining a blacklist. But in practice, the list of things you don't want on your endpoint is a significantly larger set than the things you do want. With our advanced policies, in almost all deployment scenarios, only a few dozen rules are enough to cover the "whitelist".

For the exception case, where something is not on the list, which is the preferred security posture: let it run and worry about whether it is malicious after, or prevent it from running until you can make that determination? You can choose either posture, even with Parity, but at least you are in control of that decision.

There is no silver bullet in security, nor am I suggesting one. But I do think the traditional approaches could benefit from a fresh perspective.

posted @ Wednesday, May 19, 2010 4:07 PM by Harry Sverdlove
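The approval methods and the choice of posture for the exception case discussed in the thread above, as an added Python example of a minimal allow-list policy evaluator. This is illustration code, not Bit9 Parity and not its rule format; the rule types (hash, ban, publisher, trusted updater, trusted path) and every sample file, publisher name and path are constructed for the example.

```python
"""Minimal application-allowlisting policy evaluator. Added example; not
Bit9 Parity and not its rule format. Rule types and every sample file,
publisher and path below are constructed for illustration."""
import hashlib
from dataclasses import dataclass, field, replace
from typing import Optional, Set, Tuple


@dataclass
class Executable:
    path: str
    content: bytes
    publisher: Optional[str] = None   # subject of a validated code-signing certificate, if any
    written_by: Optional[str] = None  # process that placed the file on disk, if known

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    approved_hashes: Set[str] = field(default_factory=set)
    banned_hashes: Set[str] = field(default_factory=set)
    trusted_publishers: Set[str] = field(default_factory=set)
    trusted_updaters: Set[str] = field(default_factory=set)  # e.g. a deployment agent
    trusted_paths: Tuple[str, ...] = ()                       # prefixes only admins can write to
    default: str = "block"  # posture for the exception case: "block" or "monitor"


def evaluate(exe: Executable, policy: Policy) -> Tuple[str, str]:
    """Return (decision, reason). Bans win over approvals; anything that
    matches no rule falls to the configured default posture."""
    digest = exe.sha256
    if digest in policy.banned_hashes:
        return "block", "banned hash"
    if digest in policy.approved_hashes:
        return "allow", "approved hash"
    if exe.publisher is not None and exe.publisher in policy.trusted_publishers:
        return "allow", "trusted publisher"
    if exe.written_by is not None and exe.written_by in policy.trusted_updaters:
        return "allow", "written by trusted updater"
    if any(exe.path.startswith(prefix) for prefix in policy.trusted_paths):
        return "allow", "trusted path"
    if policy.default == "monitor":
        return "allow", "unknown: allowed and logged (monitor posture)"
    return "block", "unknown: not on the allowlist (default deny)"


# --- constructed sample data ------------------------------------------------
KNOWN_APP = Executable("C:\\Program Files\\ExampleApp\\app.exe", b"constructed app bytes")
SIGNED_TOOL = Executable("C:\\Users\\alice\\Downloads\\tool.exe", b"constructed signed bytes",
                         publisher="Example Corp")
DEPLOYED = Executable("C:\\ProgramData\\pkg\\agent.exe", b"constructed deployed bytes",
                      written_by="deploy_agent.exe")
UNKNOWN = Executable("C:\\Users\\alice\\Downloads\\invoice.exe", b"constructed unknown bytes")
BANNED = Executable("C:\\Windows\\Temp\\x.exe", b"constructed banned bytes")

DEFAULT_DENY = Policy(
    approved_hashes={KNOWN_APP.sha256},
    banned_hashes={BANNED.sha256},
    trusted_publishers={"Example Corp"},
    trusted_updaters={"deploy_agent.exe"},
    trusted_paths=("C:\\Windows\\System32\\",),
)
# Same rules, but the exception case is allowed and logged instead of blocked.
MONITOR_ONLY = replace(DEFAULT_DENY, default="monitor")

if __name__ == "__main__":
    for exe in (KNOWN_APP, SIGNED_TOOL, DEPLOYED, UNKNOWN, BANNED):
        print(exe.path, "->", evaluate(exe, DEFAULT_DENY))
    print(UNKNOWN.path, "->", evaluate(UNKNOWN, MONITOR_ONLY))
```

The point the thread makes shows up in the data, not the code: a handful of publisher, updater and path rules cover the software an organisation actually wants, and the only per-file knowledge the policy needs is for the few things it has decided to ban. The unknown download is the exception case; the `default` field is where the deploying organisation chooses between blocking it until it is assessed and letting it run while logging it.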

