KHOBE 8.0 attack bypasses top Windows security products

11 May 2010

Security researchers at Matousec Labs have discovered a serious problem in Windows desktop security products from all major security software vendors that allows attackers to bypass defences.

Matousec performed tests with today’s most popular Windows desktop security products and found 100pc of the testbed products vulnerable, including top brands like McAfee, CA, AVG, Norton, Sophos, Trend Micro and Kaspersky.

Matousec revealed that the protection implemented by the kernel mode drivers of today’s security products can be bypassed effectively by code running on an unprivileged user account.

Matousec has developed an attack technique called KHOBE (Kernel Hook Bypassing Engine), presented in a paper, that allows malicious code to bypass protection mechanisms in security applications.

Various security apps place their hooks at the beginning of Windows API routines to stop malicious code working.

However, according to Matousec, all dynamic link libraries belonging to the Windows API reside in the user mode portion of the process address space, so application code can avoid calling them, which effectively bypasses the hooks placed by most known security software makers.

If the application needs to communicate with the kernel, it can use the system call instruction directly.

And, Matousec claims, this action cannot be caught or prevented by any type of user mode hooking.

By John Kennedy
