Will KHOBE Be The End of Windows?

It was a dark and stormy night, May 5th; it was intense, my dog was hiding in the bathtub, the wind was blowing like a child with a new kazoo, the rain was coming down in sheets (11 x 17), and my PC was left to fend for itself. Suddenly, the ground shook and my home felt epileptic. The phone rang: the same quake was hitting China, the U.K., Japan, Canada… was this a worldwide earthquake? This wasn’t a typical earthquake; this was a digital earthquake, or at least that’s how Matousec.com describes it. They named it KHOBE!

KHOBE (Kernel HOok Bypassing Engine) is a new exploit that the researchers at Matousec.com have discovered/developed. It relies on what they call an argument-switch attack, or KHOBE attack, which allows malicious code to circumvent conventional detection by submitting values that will certainly pass as safe through security software. When the “fake” thread passes the check, a very well-timed parallel thread is executed, thus allowing the malicious code to pass through. If this happens properly, the attack is successful.

  • The process does not need to run as a privileged user for the attack to get through.
  • Works through SSDT (System Service Descriptor Table) hooks and other hooks.
  • Valid for ALL Windows versions, including Windows 7 (64 and 32-bit).
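The check-then-use gap described above, modelled in user-space C as an added example (not code from Matousec.com or from any product listed on this page). The path names, the policy and every function name are constructed, and the parallel thread is replaced by a callback so the result is deterministic.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64
#define BLOCKED_PATH "C:\\protected\\secret.dat"   /* constructed policy target */

static char service_input[BUF_LEN];   /* what the original service acted on */

static void copy_path(char *dst, const char *src) {
    strncpy(dst, src, BUF_LEN - 1);
    dst[BUF_LEN - 1] = '\0';
}
static int policy_allows(const char *path) { return strcmp(path, BLOCKED_PATH) != 0; }
static void original_service(const char *path) { copy_path(service_input, path); }
const char *service_saw(void) { return service_input; }

/* Stand-in for a second thread rewriting the caller's buffer after the check. */
typedef void (*writer_fn)(char *user_buf);
void concurrent_rewrite(char *user_buf) { copy_path(user_buf, BLOCKED_PATH); }

/* Flawed hook: checks the caller's buffer, then hands the same buffer on. */
int hook_double_fetch(char *user_buf, writer_fn other_thread) {
    if (!policy_allows(user_buf)) return -1;
    if (other_thread) other_thread(user_buf);   /* window between check and use */
    original_service(user_buf);                 /* second fetch sees new contents */
    return 0;
}

/* Hardened hook: capture once, then check and use only the private copy. */
int hook_capture_once(char *user_buf, writer_fn other_thread) {
    char captured[BUF_LEN];
    copy_path(captured, user_buf);
    if (!policy_allows(captured)) return -1;
    if (other_thread) other_thread(user_buf);   /* too late to matter */
    original_service(captured);
    return 0;
}

int main(void) {
    char a[BUF_LEN] = "C:\\temp\\notes.txt", b[BUF_LEN] = "C:\\temp\\notes.txt";
    hook_double_fetch(a, concurrent_rewrite);
    printf("double fetch -> service saw %s\n", service_saw());
    hook_capture_once(b, concurrent_rewrite);
    printf("capture once -> service saw %s\n", service_saw());
    return 0;
}
```

In the flawed hook the service ends up acting on a value the policy never saw; in the hardened hook the value that was checked is the value that is used.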

Part of the issue here is that they tested many of the “popular” security software packages against this technique, and ALL of them allowed the process to complete.

  • 3D EQSecure Professional Edition 4.2    VULNERABLE
  • avast! Internet Security 5.0.462    VULNERABLE
  • AVG Internet Security 9.0.791    VULNERABLE
  • Avira Premium Security Suite 10.0.0.536    VULNERABLE
  • BitDefender Total Security 2010 13.0.20.347    VULNERABLE
  • Blink Professional 4.6.1    VULNERABLE
  • CA Internet Security Suite Plus 2010 6.0.0.272    VULNERABLE
  • Comodo Internet Security Free 4.0.138377.779    VULNERABLE
  • DefenseWall Personal Firewall 3.00    VULNERABLE
  • Dr.Web Security Space Pro 6.0.0.03100    VULNERABLE
  • ESET Smart Security 4.2.35.3    VULNERABLE
  • F-Secure Internet Security 2010 10.00 build 246    VULNERABLE
  • G DATA TotalCare 2010    VULNERABLE
  • Kaspersky Internet Security 2010 9.0.0.736    VULNERABLE
  • KingSoft Personal Firewall 9 Plus 2009.05.07.70    VULNERABLE
  • Malware Defender 2.6.0    VULNERABLE
  • McAfee Total Protection 2010 10.0.580    VULNERABLE
  • Norman Security Suite PRO 8.0    VULNERABLE
  • Norton Internet Security 2010 17.5.0.127    VULNERABLE
  • Online Armor Premium 4.0.0.35    VULNERABLE
  • Online Solutions Security Suite 1.5.14905.0    VULNERABLE
  • Outpost Security Suite Pro 6.7.3.3063.452.0726    VULNERABLE
  • Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION    VULNERABLE
  • Panda Internet Security 2010 15.01.00    VULNERABLE
  • PC Tools Firewall Plus 6.0.0.88    VULNERABLE
  • PrivateFirewall 7.0.20.37    VULNERABLE
  • Security Shield 2010 13.0.16.313    VULNERABLE
  • Sophos Endpoint Security and Control 9.0.5    VULNERABLE
  • ThreatFire 4.7.0.17    VULNERABLE
  • Trend Micro Internet Security Pro 2010 17.50.1647.0000    VULNERABLE
  • Vba32 Personal 3.12.12.4    VULNERABLE
  • VIPRE Antivirus Premium 4.0.3272    VULNERABLE
  • VirusBuster Internet Security Suite 3.2    VULNERABLE
  • Webroot Internet Security Essentials 6.1.0.145    VULNERABLE
  • ZoneAlarm Extreme Security 9.1.507.000    VULNERABLE

About Joe D

I have always had a passion for everything computing. In early 2000, I decided to take my passion to the web. Thus, C.O.D. was born. Through the years we have made many great friends at C.O.D. and hope to continue our journey for years to come.
