Security software firm rubbishes claims on KHOBE 8.0 attack

18 May 2010

IT software player ESET has downplayed claims by IT researchers Matousec Labs that the packages of all major Windows security software vendors are vulnerable to the KHOBE 8.0 attack, which lets attackers bypass their defences.

Last week, Matousec revealed it had tested today’s most popular Windows desktop security products and found 100pc of the tested products vulnerable, including top brands like McAfee, CA, AVG, Norton, Sophos, Trend Micro and Kaspersky.

Matousec revealed that the protection implemented by the kernel-mode drivers of today’s security products can be bypassed effectively by code running under an unprivileged user account.

Urban Schrott, IT security and cybercrime analyst with ESET in Ireland, accepted the KHOBE 8.0 attack exists but said in the IT security world it is a theory in the same way as the earth is likely to be hit by comets.

“KHOBE 8.0 exists for any anti-virus in existence, but for six years hasn’t been used in any malware concept yet. It also requires a computer to be already infected and an uninfected computer is invulnerable.”

Overstatement of claims

Schrott said that overstating the impact of claims like KHOBE 8.0 on the IT world would suggest that a massive malware infection could hit computer users at any moment, rendering them completely helpless.

“The fact is nothing could be further from the truth! Despite the acknowledgement that this attack scenario has been known about for more than six years (arguably even more than 10), to date it hasn’t materialised in the wild. ESET’s security specialists have been following the threat all along and would like to assure its customers that they don’t need to be worried about their security. But while the overall danger remains low, ESET isn’t careless about this or any other threat.

“Under certain circumstances, the self-defence protection of any antivirus product could be bypassed, thus allowing otherwise blocked malicious software (malware) to perform some activities.

“The vulnerability potentially targets only the self-defence mechanism in the antivirus scanner, with no effect on the standard functionality of the scanner. However, in order for a full-fledged attack to be carried out, the machine needs to have been previously compromised (infected), which it can’t be if the security software and system is set up, updated and patched regularly. So what this threat actually poses is for a computer that is already infected, to get even more infected.

“Well, with or without this attack, that is usually the case anyhow, as statistics show that any infected computer usually runs at least three different families of malware.”

Schrott said that the ESET development team is still keeping a close watch on the KHOBE vulnerability and looking into possible solutions, should malware writers start pursuing these types of attack.

More dangerous threats

“There are currently many much more dangerous threats that are actually infecting people’s computers, that need proper attention by both antivirus vendors and users themselves, than some highly improbable scenario, so far only carried out in laboratory conditions.

“For instance, in spite of freely downloadable Windows patches available to prevent it, the years-old Conficker virus is still the fastest spreading virus on Irish and global computers. In spite of numerous warnings for people to disable the Autorun feature on their computers, which launches CD and USB key contents automatically, the Autorun-exploiting family of malware is second in infecting Irish and global computers.”

Schrott advises users to update their security suites or antivirus solutions regularly and to stay vigilant while online, because of all the other threats out there.

For the full list of the malware that was most active in the previous month, see the Global Threat Report.

By John Kennedy

Photo: IT security and cybercrime analyst with ESET in Ireland Urban Schrott has accepted that the KHOBE 8.0 attack exists but said in the IT security world it’s a theory in the same way as Earth is likely to be hit by comets

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com