While I've been at the iAWACS and EICAR conferences with somewhat erratic connectivity, it seems that Matousec have discovered The End of Antivirus As We Know It. Actually, a lot of people have been doing that this week, but that's a topic for a later blog. Fortunately, while I was trying to get a connection
While I've been at the iAWACS and EICAR conferences with somewhat erratic connectivity, it seems that Matousec have discovered The End of Antivirus As We Know It. Actually, a lot of people have been doing that this week, but that's a topic for a later blog. Fortunately, while I was trying to get a connection for long enough to comment without making sarcastic remarks about Matousec's web page and the invitation to flirt with nubile young ladies, Juraj Malcho, our Head of Lab in Bratislava, put something together for us.
Sometimes catchy headlines make news even if there’s absolutely no news. I guess they usually call it marketing. Or hype. Like here.
There’s been a great amount of discussion about the recent article from Matousec at http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php. So what’s the 8.0 earthquake problem? What did they really find out? Not much new really.
First of all, Matousec researchers are obviously unaware of previous works and terminology. What we have here is a specific example of TOCTTOU (time-of-check-to-time-of-use) attack – see http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf or http://www.watson.org/~robert/2007woot/2007usenixwoot-exploitingconcurrency.pdf. But for an even better example, see http://seclists.org/bugtraq/2003/Dec/351, which pretty much describes the same thing as this innovative Matousec research.
Anyway, there is a vulnerability. And what is vulnerable is our SelfDefense module, which, speaking non-techie language, under certain circumstances could probably be bypassed, thus allowing software (malware) which would otherwise be blocked to perform some activities. What does that mean to our users? If your machine were to be infected by such hypothetical malware, there's a possibility that the scanner wouldn't see it. This has a number of implications:
- Our standard scanner protecting your PC is not affected by this.
- Should Khobe attack be performed on your PC, it has been infected already – so, this vulnerability is trying to compromise a PC that has already been compromised.
- The Khobe attack can, effectively, be used (not altogether reliably) to cloak malware already running on the system. This ‘uncertainty cloaking’ is far from what is being seen as a significant trend in current modern professional malware – if you want to stay under the radar, you’re not taking chances. There are other ways to implement self concealment from antivirus (rootkits, in particular) – irrespective of whether we’re talking about massive attacks, or targeted ones.
- This method has not been seen in the wild until today. As we can see, a similar (or pretty much the same) PoC was published almost over 6 years ago. Over the time, no malware misused this.
As already mentioned, the vulnerability is there, but its magnitude is more of a pin dropping on the floor than an 8.0 earthquake, when it comes to its impact on the overall security of our customers’ PCs. However, we are looking into this to see how we can prevent these attacks in case we start to see them being misused.
To which I can only add, as I did to the press yesterday, that to suggest that "today's most popular security solutions simply do not work" on the strength of a long-known race condition issue in the operating is more than a little overstated.
David Harley FBCS CITP CISSP
ESET Research Fellow & Director of Malware Intelligence