Will KHOBE Be The End of Windows?

It was a dark and stormy night, May 5th; it was intense, my dog was hiding in the bathtub, the wind was blowing like a child with a new kazoo, the rain was coming down in sheets (11 x 17), and my PC was left to fend for itself.  Suddenly, the ground shook and my home felt epileptic.  The phone rings, the same quake is hitting China, the U.K, Japan, Canada… this is a worldwide earthquake? This wasn’t a typical earthquake, this was a digital earthquake; at least that’s how Matousec.com describes it.  They named it KHOBE!

KHOBE (Kernel HOok Bypassing Engine) is a new exploit that the researchers at Matousec.com have discovered/developed.  This method of infection utilizes an argument-switch attack or KHOBE attack and allows malicious code to circumvent conventional detection by submitting values that will certainly pass as safe through security software. When the “fake” thread passes, a very well timed parallel thread is executed, thus allowing the malicious code to pass through.  If this happens properly, the threat is successful.

  • The process does not need to be run as a privileged user in order to be passed.
  • Works through SSDT Hooks (System Service Descriptor Table) and other hooks.
  • Valid for ALL Windows Versions, including Windows 7 (64 and 32-bit)

Part of the issue here is that they have tested many of the “popular” security software packages for the ability to pass this threat and ALL of them allowed this process to complete.

  • 3D EQSecure Professional Edition 4.2    VULNERABLE
  • avast! Internet Security 5.0.462    VULNERABLE
  • AVG Internet Security 9.0.791    VULNERABLE
  • Avira Premium Security Suite    VULNERABLE
  • BitDefender Total Security 2010    VULNERABLE
  • Blink Professional 4.6.1    VULNERABLE
  • CA Internet Security Suite Plus 2010    VULNERABLE
  • Comodo Internet Security Free 4.0.138377.779    VULNERABLE
  • DefenseWall Personal Firewall 3.00    VULNERABLE
  • Dr.Web Security Space Pro    VULNERABLE
  • ESET Smart Security    VULNERABLE
  • F-Secure Internet Security 2010 10.00 build 246    VULNERABLE
  • G DATA TotalCare 2010    VULNERABLE
  • Kaspersky Internet Security 2010    VULNERABLE
  • KingSoft Personal Firewall 9 Plus 2009.05.07.70    VULNERABLE
  • Malware Defender 2.6.0    VULNERABLE
  • McAfee Total Protection 2010 10.0.580    VULNERABLE
  • Norman Security Suite PRO 8.0    VULNERABLE
  • Norton Internet Security 2010    VULNERABLE
  • Online Armor Premium    VULNERABLE
  • Online Solutions Security Suite 1.5.14905.0    VULNERABLE
  • Outpost Security Suite Pro    VULNERABLE
  • Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION    VULNERABLE
  • Panda Internet Security 2010 15.01.00    VULNERABLE
  • PC Tools Firewall Plus    VULNERABLE
  • PrivateFirewall    VULNERABLE
  • Security Shield 2010    VULNERABLE
  • Sophos Endpoint Security and Control 9.0.5    VULNERABLE
  • ThreatFire    VULNERABLE
  • Trend Micro Internet Security Pro 2010 17.50.1647.0000    VULNERABLE
  • Vba32 Personal    VULNERABLE
  • VIPRE Antivirus Premium 4.0.3272    VULNERABLE
  • VirusBuster Internet Security Suite 3.2    VULNERABLE
  • Webroot Internet Security Essentials    VULNERABLE
  • ZoneAlarm Extreme Security 9.1.507.000    VULNERABLE

About Joe D

I have always had a passion for everything computing. In early 2000, I decided to take my passion to the web. Thus, C.O.D. was born. Through the years we have made many great friends at C.O.D. and hope to continue our journey for years to come.

Check Also

How to Install Nextcloud on Ubuntu Server

There are a lot of things Windows Server does well. However, coming off of the NAS environment, there are a lot of things that it doesn't. One of these is a simple method for web access to various files and folders, along with the ability to share them via user login or simple url. Until recently, there had been only one real player in this space, OwnCloud. I had fiddled with the product for some time, but features were slow to show and it just didn't work the way I had been hoping it would.