
New attack bypasses virtually all AV protection


7 replies to this topic

#1 quietman7 (Bleepin' Janitor, Global Moderator, 50,969 posts, Virginia, USA)

Posted 10 May 2010 - 08:44 AM

Researchers say they've devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products...The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it's executed, swaps it out with a malicious payload...

Source: theregister.co.uk
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#2 QQQQ (Member, 377 posts)

Posted 11 May 2010 - 08:10 AM

My first thought was: will Malwarebytes (the full, paid-for version) let it through too? Anyone know?

#3 marktreg (Member, 403 posts)

Posted 11 May 2010 - 10:06 AM

MBAM realtime protection is only meant to be used as extra protection in conjunction with an existing antivirus program, not as a standalone solution. But, saying that, MBAM doesn't use SSDT hooks, so it's not one of the applications which is vulnerable to this attack. Also, MBAM's realtime protection module works when an application is attempting to load something into memory. It doesn't scan every file access like antivirus programs do.

So, whilst not being totally confident of my answer, I would say that MBAM has a very good chance of intercepting an attack like this, either by its actual malware definitions database or its heuristic detection capability.

Hopefully though, someone with more knowledge of this kind of stuff than me will be able to give you better information. :thumbsup:

Edited by marktreg, 11 May 2010 - 10:10 AM.
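The mechanism the Register quote in post #1 describes (a benign argument passes the hook's check and is swapped for a malicious one before the original service uses it) and the SSDT-hook point marktreg raises above are a check-then-use race on memory the caller still controls. The following is an added illustration written for this thread; it is not code from any post here and not matousec.com's tool. It models the race deterministically in user mode: the `attacker_runs` callback stands in for the second thread, and the paths, policy and service names are constructed for the demo.

```c
/* Constructed model of an "argument switch" race against a syscall hook.
 * A hook that re-reads a caller-controlled argument after validating it
 * can be beaten by a second thread that changes the argument between the
 * two reads. The race window is modelled by a callback so the result is
 * reproducible; a real attack has to win a genuine timing race instead.
 * Added example, not matousec.com's code. */
#include <stdio.h>
#include <string.h>

#define PATH_ALLOWED  "C:\\benign.exe"   /* constructed sample values */
#define PATH_BLOCKED  "C:\\evil.exe"

/* Stand-in for the original kernel service the hook sits in front of.
 * Returns 1 if the blocked path got through to it, 0 otherwise. */
static int original_service(const char *path)
{
    return strcmp(path, PATH_BLOCKED) == 0;
}

/* Stand-in for the AV policy check: only the known-benign path passes. */
static int hook_policy_allows(const char *path)
{
    return strcmp(path, PATH_ALLOWED) == 0;
}

/* Argument block that lives in the caller's memory; the hook only gets a
 * pointer to it, so another thread of the caller can rewrite it at will. */
struct user_args {
    const char *path;
};

/* Vulnerable hook: validates what args->path points to, then lets the
 * original service fetch args->path a second time. Returns 1 if the
 * blocked path reached the original service (hook bypassed). */
int vulnerable_hook(struct user_args *args,
                    void (*attacker_runs)(struct user_args *))
{
    if (!hook_policy_allows(args->path))
        return 0;                          /* denied before the window */
    if (attacker_runs)
        attacker_runs(args);               /* race window: caller memory */
    return original_service(args->path);   /* second fetch may differ   */
}

/* Hardened hook: capture the argument once into private storage, then
 * check and use that single copy; the caller's buffer can change freely. */
int hardened_hook(struct user_args *args,
                  void (*attacker_runs)(struct user_args *))
{
    char captured[256];
    /* a real driver would also probe the user pointer before copying */
    strncpy(captured, args->path, sizeof captured - 1);
    captured[sizeof captured - 1] = '\0';
    if (!hook_policy_allows(captured))
        return 0;
    if (attacker_runs)
        attacker_runs(args);
    return original_service(captured);     /* uses the checked copy */
}

/* The attacker's second thread: swap benign for malicious in the window. */
void swap_to_malicious(struct user_args *args)
{
    args->path = PATH_BLOCKED;
}

/* Run one scenario: which hook, what the argument starts as, and whether
 * the attacker thread fires inside the window. Returns the hook's result. */
int simulate(int (*hook)(struct user_args *, void (*)(struct user_args *)),
             const char *initial_path, int attacker)
{
    struct user_args args = { initial_path };
    return hook(&args, attacker ? swap_to_malicious : NULL);
}

int main(void)
{
    printf("vulnerable hook, attacker swaps: bypassed=%d\n",
           simulate(vulnerable_hook, PATH_ALLOWED, 1));
    printf("hardened hook, attacker swaps:   bypassed=%d\n",
           simulate(hardened_hook, PATH_ALLOWED, 1));
    printf("vulnerable hook, blocked path, no swap: bypassed=%d\n",
           simulate(vulnerable_hook, PATH_BLOCKED, 0));
    return 0;
}
```

The fix is the one the hardened hook shows: read the argument exactly once into memory the caller cannot touch, and make both the check and the use operate on that copy. Whether a given product's SSDT hook did that is what determined whether it was on the affected list.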


#4 tinyfighters (Member, 29 posts)

Posted 12 May 2010 - 05:27 PM

Hey marktreg, how did you change your group to Malware Study Hall Sophomore?

Edited by tinyfighters, 12 May 2010 - 05:28 PM.


#5 Eyesee (Bleepin Teck Shop, BC Advisor, 3,539 posts, In the middle of Kansas)

Posted 12 May 2010 - 05:56 PM

Tinyfighters - The group signifies someone's status at BC and cannot be changed by a user.
Only a mod can do that, and it is by invitation. We are part of BC staff.

Marktreg is part of the malware team and, above that post, Quietman7 is a global mod, just like I am, and advisor, etc.

You can see a list of the staff categories from the main BC page down at the bottom of the list. They are colour coordinated. The group colour corresponds to the colour of the staff currently logged in, if that makes sense.

In the beginning there was the command line.

#6 sh4rkbyt3 (Member, 394 posts)

Posted 01 June 2010 - 12:55 PM

Didn't they also say later in the same article that on average it was virtually impossible to implement with any consistency? I agree the threat warrants reporting but I also think an accurate account of the whole article is necessary for people to make informed decisions.

#7 chromebuster (Member, 899 posts, the crazy city of Boston, In the North East reaches of New England)

Posted 01 July 2010 - 07:58 PM

But my question is, guys, why on earth did they manage to do that anyway? What in the world was their point? Did they just do it for proof of concept? Was it so that malware authors can get ahold of it (which I know is what will happen) and take as many as possible down? I can see security researchers doing that so that they can learn, but if they want to publish it, then they really need to be careful. Anyone can read that information. You never know who's sitting behind the desk or the capabilities of the laptop sitting on one's lap!

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#8 sh4rkbyt3 (Member, 394 posts)

Posted 20 May 2011 - 08:02 PM

Valid points, chromebuster, but this is what's changed in the last 12-15 years. POC (proof of concept) papers/documents are normally put out to the specific companies first by credible white and grey hat hackers with the intent of improving defense systems. Normally, if a company refuses to respond (which I'm not suggesting happened here), those POC documents are then put out into the public domain in order to shame some companies (like Adobe) to force their personnel or program developers into submission.
It's sad that things even have to be done like this, but in the real world, ever since program development was first implemented, security has always been an afterthought. Bruce Schneier, one of the best security developers in the computer world, has discussed this many times and pointed out the lack of care by these developers to focus on what should have been job number one in every program that's been created since day one. Instead, most companies worry about delivering, as quickly as possible, a program that meets the customer's demand or need and in return reaping the rewards in a fast-changing market. Security is almost of no concern at all to most companies, to be honest. What then happens is we as customers suffer data breaches that we may or may not be able to recover from. Until the mindset is changed, though, all of our information will always remain only one crack away from becoming public knowledge for the world to see or for the highest bidder to buy.

By hiding the information, it simply waits for the next discovery. If the issue doesn't become resolved, then it will always remain a hole in some system that could be catastrophic. Ignoring a problem never fixes it.



