Khobe-Wan: These Aren’t the Droids You’re Looking for.

While I've been at the iAWACS and EICAR conferences with somewhat erratic connectivity, it seems that Matousec have discovered The End of Antivirus As We Know It. Actually, a lot of people have been doing that this week, but that's a topic for a later blog. Fortunately, while I was trying to get a connection for long enough to comment without making sarcastic remarks about Matousec's web page and the invitation to flirt with nubile young ladies, Juraj Malcho, our Head of Lab in Bratislava, put something together for us.

Sometimes catchy headlines make news even if there’s absolutely no news. I guess they usually call it marketing. Or hype. Like here.

There’s been a great amount of discussion about the recent article from Matousec at http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php. So what’s the 8.0 earthquake problem? What did they really find out? Not much new really.

First of all, Matousec researchers are obviously unaware of previous works and terminology. What we have here is a specific example of TOCTTOU (time-of-check-to-time-of-use) attack – see http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf or http://www.watson.org/~robert/2007woot/2007usenixwoot-exploitingconcurrency.pdf. But for an even better example, see http://seclists.org/bugtraq/2003/Dec/351, which pretty much describes the same thing as this innovative Matousec research.

Anyway, there is a vulnerability. And what is vulnerable is our SelfDefense module, which, speaking non-techie language, under certain circumstances could probably be bypassed, thus allowing software (malware) which would otherwise be blocked to perform some activities. What does that mean to our users? If your machine were to be infected by such hypothetical malware, there's a possibility that the scanner wouldn't see it. This has a number of implications:

  1. Our standard scanner protecting your PC is not affected by this.
  2. Should the Khobe attack be performed on your PC, it has been infected already – so, this vulnerability is trying to compromise a PC that has already been compromised.
  3. The Khobe attack can, effectively, be used (not altogether reliably) to cloak malware already running on the system. This ‘uncertainty cloaking’ is far from what is being seen as a significant trend in current modern professional malware – if you want to stay under the radar, you’re not taking chances. There are other ways to implement self-concealment from antivirus (rootkits, in particular) – irrespective of whether we’re talking about massive attacks, or targeted ones.
  4. This method has not been seen in the wild until today. As we can see, a similar (or pretty much the same) PoC was published over 6 years ago. In all that time, no malware has misused it.

As already mentioned, the vulnerability is there, but its magnitude is more of a pin dropping on the floor than an 8.0 earthquake, when it comes to its impact on the overall security of our customers’ PCs. However, we are looking into this to see how we can prevent these attacks in case we start to see them being misused.

To which I can only add, as I did to the press yesterday, that to suggest that "today's most popular security solutions simply do not work" on the strength of a long-known race condition issue in the operating system is more than a little overstated.
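The TOCTTOU pattern the post refers to, as an added illustration that is not ESET's code or Matousec's PoC: a constructed model of a self-defense filter that inspects a caller-controlled argument, shown in its racy form beside the hardened form that snapshots the argument into private memory before checking it. The "other thread" is simulated by an explicit callback so the window is deterministic; `PROTECTED_TARGET`, `filter_vulnerable` and `filter_hardened` are hypothetical names.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64
#define PROTECTED_TARGET "protected-av-process"   /* constructed sample value */

/* Simulated concurrent writer: rewrites the shared argument between the
 * filter's check and its use. A real race depends on timing; here the
 * window is made explicit so the two behaviours can be compared. */
static void race_window(char *shared_arg, const char *swap_to) {
    if (swap_to) {
        strncpy(shared_arg, swap_to, BUF_LEN - 1);
        shared_arg[BUF_LEN - 1] = '\0';
    }
}

static bool is_allowed(const char *target) {
    return strcmp(target, PROTECTED_TARGET) != 0;
}

/* Racy filter: validates the live, caller-writable argument and then
 * forwards that same memory to the real handler (the TOCTTOU bug). */
bool filter_vulnerable(char *shared_arg, const char *swap_to, char *acted_on) {
    if (!is_allowed(shared_arg)) return false;   /* time of check */
    race_window(shared_arg, swap_to);            /* caller changes the value */
    strncpy(acted_on, shared_arg, BUF_LEN);      /* time of use: swapped value */
    return true;
}

/* Hardened filter: copy the argument once into memory the caller cannot
 * reach, then check and forward only that private copy. */
bool filter_hardened(char *shared_arg, const char *swap_to, char *acted_on) {
    char private_copy[BUF_LEN];
    strncpy(private_copy, shared_arg, BUF_LEN - 1);
    private_copy[BUF_LEN - 1] = '\0';
    if (!is_allowed(private_copy)) return false;
    race_window(shared_arg, swap_to);            /* no effect on the copy */
    strncpy(acted_on, private_copy, BUF_LEN);
    return true;
}

int main(void) {
    char arg[BUF_LEN], out[BUF_LEN];
    strcpy(arg, "harmless-target");
    if (filter_vulnerable(arg, PROTECTED_TARGET, out))
        printf("racy filter passed the check but acted on: %s\n", out);
    strcpy(arg, "harmless-target");
    if (filter_hardened(arg, PROTECTED_TARGET, out))
        printf("hardened filter acted on: %s\n", out);
    return 0;
}
```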

David Harley FBCS CITP CISSP
ESET Research Fellow & Director of Malware Intelligence

Author David Harley, ESET

  • RJ

    If someone were to download software they thought was genuine (freeware of some sort) and it had this code embedded into it, could the system be compromised?
    For Example, I download a free PDF convertor that I think is 100% legit…but the software has the mentioned code embedded into it. What would happen when I start to install the "legit" pdf convertor?

  • Luke O’Connor

    great title, nice rebuttal

  • Jim bob

    You come across as a pompous bunch of (expletive deleted, but I think he meant jerks). I saw that NOD32 wasn't on the list of av products susceptible to KHOBE so came here with a view to swapping over to your av program.
    I'm sorry to say that after reading your arrogant blog I will never buy NOD32 as I don't want to be associated or fund such a bunch of people.
    Time you guys grew up.

  • GNH

    Self Defense – ESET NOD32 Antivirus has built-in technology to prevent malicious software from corrupting or disabling it, so you can rest assured your system is always protected. 
    No problem, here. I will depend upon your written guarantee.

    • David Harley

      I think it would be a rash developer who made an unconditional guarantee of perpetual 100% security. But we do work pretty hard at trying to hit that target.

  • Helgin

    The Force has a strong influence on the weak minds….

  • Leo Davidson

    Why can't NOD32 use the same mechanism which MSE uses?
    MSE seems to be the only thing not vulnerable to this and it appears to be because it is the only anti-virus tool where the vendor (Microsoft) has bothered to use the new filtering APIs.
    Of course, you may need to fall back on the old method on older versions of Windows, but that doesn't mean people on modern versions should have this extra risk when it could be avoided.

    • Randy Abrams

      I think you are assuming that the use of other methods does not build in different vulnerabilities. You are talking about something that has been known of for years and has not been demonstrated to be in use at any time. The fact is that by the time you get to using the khobe attack, there are a number of other much easier ways to compromise the computer.

  • Leo Davidson

    "I think you are assuming that the use of other methods does not build in different vulnerabilities"
    I guess I am. Are you saying there actually are different vulnerabilities with the other method or are you just assuming things the same as me?
    My question was *why* the other method isn't used. "It *might* be worse" isn't a serious answer to that question.
    If the question, and the technologies involved, have been properly considered then it should be possible for someone to provide an explicit list of trade-offs so that we can all understand the decision to use one thing over the other.
    Right now, all we know is that the method most things use has a flaw while the method MSE uses does not have that flaw.
    So I ask again: Why not use the MSE method? Is there something wrong with it? Is it just too much effort? Something else?
    The A/V industry fought hard with their lawyers to force Microsoft to allow them to continue using the old method, instead of the new one which Microsoft chose to use with their own A/V product, so the A/V industry must have strong reasons for preferring the old method. What are those reasons? It should be easy to list them.
    Explaining the pros and cons of each method would go a lot further than saying we should ignore a flaw that allows code to disable A/V. I don't expect 100% security as I know that is impossible (without turning off the computer and setting fire to it :)) but I also don't like being told to ignore additional, avoidable risk (however small) without understanding the trade-offs involved.

  • Randy Abrams

    Hi Leo,
    "It might be worse" was not my answer. I just mentioned that it is possible that the other method could also have vulnerabilities. Sometimes the known evil is less than the unknown. In this case the so-called "vulnerability" is something that security professionals have known about for several years, has not been seen to be exploited because only an idiot would use that method. You see, in order to exploit the vulnerability, the attacker has already compromised the machine and there are far easier attacks to pull off at that point. The criminals behind today's malware are in it for a business. They are not looking to spend more money on esoteric attacks when they can spend less on quicker, more generally successful attacks. In the case of a targeted attack, any anti-virus solution will be beaten when the attacker knows what he/she needs to beat and dedicates the resources.
    I have asked our virus lab if they can provide information about the choice of the method used vs the alternative, but I can't guarantee they will have time to answer as they are working very hard to deal with the real attacks out there.
    You might check out

    Also, at

    Steve Regan so much as notes "If a business were to be targeted by an attack like KHOBE, then they had larger issues in the first place, and it is game over."

    There is little reason to dedicate resources to fixing a problem that is only a problem once it is too late to make a difference.

    I'll follow up if I get some more information from the lab. As a former Microsoft employee I would bet that the reason MSE uses their method is that the developers didn't have a choice… at Microsoft you have to "eat the dogfood". Many of the MS anti-malware experts came from companies that developed using the "vulnerable" methods and I bet they have no problems with it either.

    The Khobe report is not a research project, it is simply a Matousec marketing press release that some believe borders on plagiarism.

    Like I said, I'll see if I can get some comments from the virus lab. Bear in mind, using APIs is a very limiting option as often much information that a researcher requires will not be returned by the API. Going to the system level allows for much richer reporting and allows for the development of far broader heuristic approaches.

    Randy Abrams
    Director of Technical Education

11 May 2010