The Matousec.com group summarized their paper as follows:
This paper presents an attack pattern called the argument-switch attack, which shows that common implementations of kernel mode hooks are not secure. This attack represents a serious threat because many security software vendors base their security features on hooking. We tested the most widely used security applications and found out that all of them are vulnerable. Today’s most popular security solutions simply do not work.
A quick search on “a popular” search engine yielded some more information and responses from some vendors regarding KHOBE.
F-Secure’s Response released yesterday:
Researchers at Matousec have announced a new vulnerability that affects several Internet security products. This is generating some media coverage: see “New attack bypasses virtually all AV protection” in The Register.
This is a serious issue and Matousec’s technical findings are correct. However, this attack does not “break” all antivirus systems forever. Far from it.
First of all, any malware that we detect by our antivirus will still be blocked, just like it always was.
So the issue only affects new, unknown malware that we do not have signature detection for.
To protect our customers against such unknown malware, we have several layers of sensors and generic detection engines. Matousec’s discovery is able to bypass only a few of these sensors.
We believe our multi-layer approach will provide a sufficient protection level even if malicious code were to attempt use of Matousec’s technique.
And if we were to see such an attack, we would simply add signature detection for it, stopping it in its tracks. We haven’t seen any attacks using this technique in the wild.
In a nutshell: We believe in defense in depth.
Personally, I prefer the response from Sophos:
So the Khobe “attack” boils down to this: if you can write malware which already gets past Sophos’s on-access virus blocker, and past Sophos’s HIPS, then you may be able to use the Khobe code to bypass Sophos’s HIPS – which, of course, you just bypassed anyway. Oh, and only if you are using Windows XP.
In short: Sophos’s on-access anti-virus scanner doesn’t use SSDT hooks, so it’s fair for us to say that this isn’t a vulnerability for us at all. But what about other anti-virus software? Though I’m not usually an apologist for our competitors, I feel compelled to speak out in this case.
The fuss about Khobe is in my opinion unwarranted, and the claims that it “bypasses virtually all anti-virus software” are scaremongering.
A fairer assessment would be that Khobe amounts to little more than saying that malware which can already bypass anti-virus software may be able to bypass it again. But that isn’t as exciting a headline as “8.0 earthquake for Windows desktop security software” or “New attack bypasses virtually all AV protection.”
My opinion is and always has been that new security threats are constantly discovered or revisited. This is nothing new and will never change as long as we are using computers, regardless of their OS or hardware. Taking a layered approach to security and practicing “safe” computing is what will keep you safer. Nothing is 100% effective, nor is anything 100% safe. We will rely on those that create security software to digest things like this and regurgitate solutions. After all, the world as we know it will end in 2012 anyway! 🙂