
New attack bypasses EVERY Windows security product


Also, it's a storm in a teacup, as the updates to the ZDNet article show.

1. There are many security checks that must be passed on the way before what matousec describes actually occurs.

2. There are already many malicious programs today that can install themselves even though there is an antivirus program on the computer.

There is also a long discussion here: http://www.wilderssecurity.com/showthread.php?t=271968
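The class of problem behind the linked reports (the Register URL below calls it an "argument switch") is a check-then-use race: a hook validates an argument that still lives in the caller's memory, and the real handler reads it again afterwards. The following C program is an added illustration, not code from the thread, from matousec or from any vendor; it is a simulation in which the "other thread" is a callback that runs deterministically in the window between check and use, and the path policy and helper names are constructed for the example. It contrasts the in-place check with the hardened pattern of snapshotting the argument first and checking and using only the snapshot.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simulated "system call" argument. The caller hands over a pointer into its
 * own memory, just as a user-mode program does when a hook inspects it. */
#define PATH_MAX_SIM 64

typedef struct {
    char path[PATH_MAX_SIM];
} request_t;

/* Constructed policy for the example: the hypothetical product blocks
 * anything under "C:\Windows\". The prefix is 11 characters long. */
static bool policy_allows(const char *path)
{
    return strncmp(path, "C:\\Windows\\", 11) != 0;
}

/* The protected operation. Records what it acted on and returns 1 if that
 * was a forbidden path, 0 otherwise. */
static int real_handler(const char *path, char *acted_on, size_t n)
{
    snprintf(acted_on, n, "%s", path);
    return policy_allows(path) ? 0 : 1;
}

/* Stand-in for the race window: the hook calls it after its check and before
 * the real handler runs. On a real system this is simply another thread of
 * the caller getting scheduled at that moment. */
typedef void (*race_window_fn)(request_t *req);

/* Vulnerable hook: validates req->path in place, then passes the caller's
 * pointer on, so the real handler re-reads memory the caller still owns. */
int hook_check_in_place(request_t *req, race_window_fn window,
                        char *acted_on, size_t n)
{
    if (!policy_allows(req->path))
        return -1;                        /* denied at check time */
    if (window)
        window(req);                      /* argument may change here */
    return real_handler(req->path, acted_on, n);
}

/* Hardened hook: copy the argument once into memory the caller cannot reach,
 * then check and use only the copy. A later change to the caller's buffer is
 * irrelevant because nothing reads it again. */
int hook_capture_then_check(request_t *req, race_window_fn window,
                            char *acted_on, size_t n)
{
    request_t copy;
    memcpy(&copy, req, sizeof copy);      /* snapshot */
    if (!policy_allows(copy.path))
        return -1;
    if (window)
        window(req);                      /* hits the caller's copy only */
    return real_handler(copy.path, acted_on, n);
}

/* Constructed race behaviour: replace the benign argument with a forbidden one. */
static void swap_argument(request_t *req)
{
    snprintf(req->path, sizeof req->path, "%s", "C:\\Windows\\system32\\drivers\\x.sys");
}

/* Run one scenario and return the handler's result code:
 * -1 = denied at the check, 0 = acted on an allowed path,
 *  1 = acted on a forbidden path (the check was bypassed). */
int scenario(bool hardened, bool racing, const char *path)
{
    request_t req;
    char acted_on[PATH_MAX_SIM];
    snprintf(req.path, sizeof req.path, "%s", path);
    race_window_fn window = racing ? swap_argument : NULL;
    return hardened ? hook_capture_then_check(&req, window, acted_on, sizeof acted_on)
                    : hook_check_in_place(&req, window, acted_on, sizeof acted_on);
}

int main(void)
{
    const char *benign = "C:\\Users\\me\\notes.txt";
    printf("in-place check, no race : %d\n", scenario(false, false, benign)); /* 0 */
    printf("in-place check, race    : %d\n", scenario(false, true, benign));  /* 1 */
    printf("capture-then-check, race: %d\n", scenario(true, true, benign));   /* 0 */
    return 0;
}
```

The point for a defender is the third line of output: once the hook works from its own snapshot, the timing of the caller's threads no longer matters. That is also why the thread's later posts about the supported Vista SP1 / Windows 7 callback interfaces matter: a callback receives already-captured parameters from the kernel rather than a raw pointer to validate in place.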


Sophos:

Oh, and only if you are using Windows XP.

Matousec:

The research was done on Windows XP Service Pack 3 and Windows Vista Service Pack 1 on 32-bit hardware. However, it is valid for all Windows versions including Windows 7. Even the 64-bit platform is not a limitation for the attack. It will work there against all user mode hooks and it will also work against the kernel mode hooks if they are installed, for example after disabling the PatchGuard.

The article is also covered here:

http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass/

http://blogs.pcmag.com/securitywatch/2010/05/new_attack_bypasses_anti-malwa.php


The reason Sophos wrote that it only applied to Windows XP is that Sophos does not use SSDT hooks on newer Windows versions:

For what it's worth, only the optional Host Intrusion Prevention System component (HIPS) in Sophos's anti-malware software uses SSDT hooks. This is the behavioural part of our software, used for monitoring processes which we have already allowed to run. And HIPS doesn't even use SSDT hooks on Windows versions after XP, because Vista and Windows 7 include Microsoft's Kernel Patch Protection, which precludes the use of SSDT hooking.
http://www.sophos.com/blogs/duck/g/2010/05/11/khobe-vulnerability-earth-shaker/

One wonders what tests matousec has actually run.


And HIPS doesn't even use SSDT hooks on Windows versions after XP, because Vista and Windows 7 include Microsoft's Kernel Patch Protection, which precludes the use of SSDT hooking.

(Strictly speaking, Kernel Patch Protection was introduced in Vista Service Pack 1. If you are running Vista without SP1, you have plenty of security problems ahead of Khobe in the queue!)

http://www.sophos.com/blogs/duck/g/2010/05/11/khobe-vulnerability-earth-shaker/

Kernel Patch Protection (KPP), informally known as PatchGuard, is a feature of x64 editions of Microsoft Windows that prevents patching the kernel. It was first introduced in 2005 with the x64 editions of Windows XP and Windows Server 2003 Service Pack 1.

http://en.wikipedia.org/wiki/Kernel_Patch_Protection

I wonder how Sophos's products for 32-bit Vista and 7 work :rolleyes:


It seems that Wikipedia is not correct:

Microsoft's new APIs support not just 64-bit Windows, but 32-bit as well on Windows Vista SP1+ and Windows 7. Vendors I spoke to say that they prefer to use the new APIs and think Patchguard is a good thing, even if SSDT patching is more powerful from their point of view. Microsoft clearly built a lot of good will when they worked closely with the security industry in building the new interfaces.
http://blogs.pcmag.com/securitywatch/2010/05/new_attack_bypasses_anti-malwa.php

Use a secure web browser, and don't install/run any programs that you don't know are safe. :)

It can be added: use a good antivirus program that has detected the malicious program before it has got down to the SSDT level. That is, there is no difference between any malicious programs that might try to exploit this problem and the mass of malicious programs that already exist.

Today you don't need to protect yourself at all against what this thread is about, since there are no malicious programs that exploit what matousec has tested.


What isn't correct? KPP is only used in Windows x64, and was launched with XP x64.

Vista SP1 included new APIs that are intended to give security software the same capabilities it has by patching the kernel on 32-bit systems.

Service Pack 1 includes supported APIs by which third-party security and malicious software detection applications can work alongside Kernel Patch Protection on 64-bit versions of Windows Vista. These APIs have been designed to help security and non-security ISVs develop software that extends the functionality of the Windows kernel on 64-bit systems, in a documented and supported manner, and without disabling or weakening the protection offered by Kernel Patch Protection.

http://technet.microsoft.com/en-us/library/cc709618(WS.10).aspx
