Will KHOBE Be The End of Windows?

The Matousec.com group summarized their paper as such:

Summary

This paper presents attack pattern called the argument-switch attack which shows that common implementations of kernel mode hooks are not secure. This attack represents serious threat because many security software vendors base their security features on hooking. We tested the most widely used security applications and found out that all of them are vulnerable. Today’s most popular security solutions simply do not work.

A quick search on “a popular” search engine yielded some more information and responses from some Vendors regarding KHOBE.

F-Secure’s Response released yesterday:

Researchers at Matousec  have announced a new vulnerability that affects several Internet security products. This is generating some media coverage: see “New attack bypasses virtually all AV protection” in The Register.

This is a serious issue and Matousec’s technical findings are correct. However, this attack does not “break” all antivirus systems forever. Far from it.

First of all, any malware that we detect by our antivirus will still be blocked, just like it always was.

So the issue only affects new, unknown malware that we do not have signature detection for.

To protect our customers against such unknown malware, we have several layers of sensors and generic detection engines. Matousec’s discovery is able to bypass only a few of these sensors.

We believe our multi-layer approach will provide sufficient protection level even if malicious code were to attempt use of Matousec’s technique.

And if we would see such an attack, we would simply add signature detection for it, stopping it in its tracks. We haven’t seen any attacks using this technique in the wild.

In a nutshell: We believe in defense in depth.

Personally, I prefer the response from Sophos:

So the Khobe “attack” boils down to this: if you can write malware which already gets past Sophos’s on-access virus blocker, and past Sophos’s HIPS, then you may be able to use the Khobe code to bypass Sophos’s HIPS – which, of course, you just bypassed anyway. Oh, and only if you are using Windows XP.

In short: Sophos’s on-access anti-virus scanner doesn’t uses SSDT hooks, so it’s fair for us to say that this isn’t a vulnerabilty for us at all. But what about other anti-virus software? Though I’m not usually an apologist for our competitors, I feel compelled to speak out in this case.

The fuss about Khobe is in my opinion unwarranted, and the claims that it “bypasses virtually all anti-virus software” is scaremongering.

A fairer assessment would be that Khobe amounts to little more that saying that malware which can already bypass anti-virus software may be able to bypass it again. But that isn’t as exciting a headline as “8.0 earthquake for Windows desktop security software” or “New attack bypasses virtually all AV protection.”

My opinion is and always has been that new security threats are constantly discovered or revisited.  This is nothing new and will never change as long as we are using computers, regardless of their OS or hardware.  Taking a layered approach to security and practicing “safe” computing is what will keep you safer.  Nothing is 100% effective nor is 100% safe.  We will rely on those that create security software to digest things like this and regurgitate solutions.  After all, the world as we know it will end in 2012 anyway! 🙂

About Joe D

I have always had a passion for everything computing. In early 2000, I decided to take my passion to the web. Thus, C.O.D. was born. Through the years we have made many great friends at C.O.D. and hope to continue our journey for years to come.

Check Also

How to Install Nextcloud on Ubuntu Server

There are a lot of things Windows Server does well. However, coming off of the NAS environment, there are a lot of things that it doesn't. One of these is a simple method for web access to various files and folders, along with the ability to share them via user login or simple url. Until recently, there had been only one real player in this space, OwnCloud. I had fiddled with the product for some time, but features were slow to show and it just didn't work the way I had been hoping it would.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.