A new attack method: Kernel HOok Bypassing Engine?

Almost all AntiViruses use kernel mode drivers for their operations; more specifically, they modify the SSDTs. SSDT stands for System Service Descriptor Table, which contains the addresses of routines (known as system services) that user mode code can invoke indirectly through the special system call instruction. Controlling the SSDTs means controlling every transition from User Mode to Kernel Mode, which is why AntiViruses prefer them for real-time protection and self-defense operations.

By modifying the addresses stored in the tables to point to their own routines, called “hook functions”, the AntiViruses are able to perform various checks on the calls a program makes, to find out whether it is a threat to the system or to the AntiVirus itself (remember the self-defense feature).

If the call is considered safe, the hook function invokes the system service, passing the original parameters that it got from the user mode application.

The attack method called KHOBE (Kernel HOok Bypassing Engine) is effective against both User Mode and Kernel Mode hooks.

Firstly, an application can use the system call instruction directly, without calling the Windows API (Application Programming Interface, contained in various system DLLs), and in this way entirely bypass the hooks installed by AntiViruses at User Mode level.

Secondly, at Kernel level, harmless code can be passed to the AntiVirus through the hook functions for analysis, and as soon as it passes the security checks, the system switches execution to the malicious code, which is never subject to analysis. This is possible because of the multi-threading technology of processors, and the main role is played by the processor scheduler. That is, if another thread of the application is scheduled onto the processor immediately after the hook function's security checks, it might change the original argument (a string stored in the User Mode portion of the address space and passed to the hook function as “the original”) without the hook handler detecting any modification, because the handler is already too far advanced in its check routine. The pointer itself cannot be modified because it is copied to the kernel stack, but the region of memory the pointer refers to can be modified, since it is accessible from within User Mode. When the processor scheduler switches execution back to the hook function and the original system service is invoked, a portion of code that was never scanned, namely the malicious code, is loaded.

In a word, it’s like buying oranges and receiving apples instead.
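The check-then-use ordering described above, as an added example that is not from the original post or from the published research: a user-mode C simulation in which `other_thread_runs` stands in for the scheduler switch. All names, the `protected` policy and the sample strings are constructed for illustration; the second hook shows the usual remedy for this class of race, which is to copy the argument once into memory the caller cannot reach and to check and use only that copy.

```c
#include <stdio.h>
#include <string.h>
#define ARG_MAX_LEN 64
/* Constructed stand-ins: a user-mode buffer, and what the service acted on. */
static char user_buf[ARG_MAX_LEN], serviced[ARG_MAX_LEN];

/* Models the original system service invoked once the checks pass. */
static void original_service(const char *arg) {
    snprintf(serviced, sizeof serviced, "%s", arg);
}

/* Hypothetical policy: refuse any argument that names "protected". */
static int policy_allows(const char *arg) { return strstr(arg, "protected") == NULL; }

/* Models another thread of the caller running between check and use. */
static void other_thread_runs(void) {
    snprintf(user_buf, sizeof user_buf, "%s", "protected.sys");
}

/* Fragile hook: checks user memory, then hands the same user pointer on. */
static int hook_double_fetch(const char *user_arg) {
    if (!policy_allows(user_arg)) return -1;  /* time of check */
    other_thread_runs();                      /* scheduler switch */
    original_service(user_arg);               /* time of use: memory is read again */
    return 0;
}

/* Hardened hook: one fetch into hook-owned memory; check and use the copy. */
static int hook_capture_once(const char *user_arg) {
    char captured[ARG_MAX_LEN];
    snprintf(captured, sizeof captured, "%s", user_arg);
    if (!policy_allows(captured)) return -1;
    other_thread_runs();                      /* changes user_buf, not the copy */
    original_service(captured);
    return 0;
}

/* Runs one hook on a fresh "harmless.txt" and returns what the service saw. */
static const char *run(int (*hook)(const char *)) {
    snprintf(user_buf, sizeof user_buf, "%s", "harmless.txt");
    serviced[0] = '\0';
    (void)hook(user_buf);
    return serviced;
}

int main(void) {
    printf("double fetch: service saw %s\n", run(hook_double_fetch));
    printf("capture once: service saw %s\n", run(hook_capture_once));
}
```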

This attack scenario was tested by the researchers from TOCTTOU research and made publicly available at Matousec.com. It can be applied to all versions of Windows based systems, including 7, whether 32 or 64 bits. Multi-core processors, found in many modern computers, make the attack more effective, because several threads of the same application can run simultaneously and a processor scheduler switch at the crucial moment is no longer “a must”.

The list of AntiViruses susceptible to this type of attack is very long:

-3D EQSecure Professional Edition 4.2
-avast! Internet Security 5.0.462
-AVG Internet Security 9.0.791
-Avira Premium Security Suite 10.0.0.536
-BitDefender Total Security 2010 13.0.20.347
-Blink Professional 4.6.1
-CA Internet Security Suite Plus 2010 6.0.0.272
-Comodo Internet Security Free 4.0.138377.779
-DefenseWall Personal Firewall 3.00
-Dr.Web Security Space Pro 6.0.0.03100
-ESET Smart Security 4.2.35.3
-F-Secure Internet Security 2010 10.00 build 246
-G DATA TotalCare 2010
-Kaspersky Internet Security 2010 9.0.0.736
-KingSoft Personal Firewall 9 Plus 2009.05.07.70
-Malware Defender 2.6.0
-McAfee Total Protection 2010 10.0.580
-Norman Security Suite PRO 8.0
-Norton Internet Security 2010 17.5.0.127
-Online Armor Premium 4.0.0.35
-Online Solutions Security Suite 1.5.14905.0
-Outpost Security Suite Pro 6.7.3.3063.452.0726
-Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION
-Panda Internet Security 2010 15.01.00
-PC Tools Firewall Plus 6.0.0.88
-PrivateFirewall 7.0.20.37
-Security Shield 2010 13.0.16.313
-Sophos Endpoint Security and Control 9.0.5
-ThreatFire 4.7.0.17
-Trend Micro Internet Security Pro 2010 17.50.1647.0000
-Vba32 Personal 3.12.12.4
-VIPRE Antivirus Premium 4.0.3272
-VirusBuster Internet Security Suite 3.2
-Webroot Internet Security Essentials 6.1.0.145
-ZoneAlarm Extreme Security 9.1.507.000

As I have always said, thinking you are 100% protected by an AntiVirus is the worst conception you can have; you can better prevent computer infections only by knowledge. A lot of developers or researchers, even from the security software companies, recognise that nowadays the traditional methods for defending against new threats simply do not work or have a lot of vulnerabilities.
