The KHOBE attack: Are all AV solutions vulnerable?

Dubbed an “8.0 earthquake for Windows desktop security software” by its creators, the KHOBE (Kernel Hook Bypassing Engine) or the argument-switch attack has been recently presented as a technique that can bypass most – if not all! – security software.

The following software is considered vulnerable:

• 3D EQSecure Professional Edition 4.2
• avast! Internet Security 5.0.462
• AVG Internet Security 9.0.791
• Avira Premium Security Suite 10.0.0.536
• BitDefender Total Security 2010 13.0.20.347
• Blink Professional 4.6.1
• CA Internet Security Suite Plus 2010 6.0.0.272
• Comodo Internet Security Free 4.0.138377.779
• DefenseWall Personal Firewall 3.00
• Dr.Web Security Space Pro 6.0.0.03100
• ESET Smart Security 4.2.35.3
• F-Secure Internet Security 2010 10.00 build 246
• G DATA TotalCare 2010
• Kaspersky Internet Security 2010 9.0.0.736
• KingSoft Personal Firewall 9 Plus 2009.05.07.70
• Malware Defender 2.6.0
• McAfee Total Protection 2010 10.0.580
• Norman Security Suite PRO 8.0
• Norton Internet Security 2010 17.5.0.127
• Online Armor Premium 4.0.0.35
• Online Solutions Security Suite 1.5.14905.0
• Outpost Security Suite Pro 6.7.3.3063.452.0726
• Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION
• Panda Internet Security 2010 15.01.00
• PC Tools Firewall Plus 6.0.0.88
• PrivateFirewall 7.0.20.37
• Security Shield 2010 13.0.16.313
• Sophos Endpoint Security and Control 9.0.5
• ThreatFire 4.7.0.17
• Trend Micro Internet Security Pro 2010 17.50.1647.0000
• Vba32 Personal 3.12.12.4
• VIPRE Antivirus Premium 4.0.3272
• VirusBuster Internet Security Suite 3.2
• Webroot Internet Security Essentials 6.1.0.145
• ZoneAlarm Extreme Security 9.1.507.000
• probably other versions of above mentioned software
• possibly many other software products that use kernel hooks to implement security features.

As the researchers explain in their paper, the attack is so successful because the great majority of these solutions modify the user and kernel code and data structures. These modifications – colloquially dubbed hooks – are often poorly implemented and create holes in the system.

The most common kernel hooks in modern-day security solutions are SSDT hooks, and those are precisely the ones that the researchers took advantage of execute the attacks. Basically, the software is fed with with values that will pass the checks, only to be interchanged with malicious code after they do. Also, the attack is supposedly even more likely to succeed when the system has multiple cores (and a lot of computers do), and can be executed even if the attacker has access only to a restricted user account.

Some security security firms have published their view of the matter already. Not surprisingly, they dispute the effectiveness of the attack. Sophos’ Paul Ducklin says that “Sophos’s on-access anti-virus scanner doesn’t uses SSDT hooks, so it’s fair for us to say that this isn’t a vulnerability for us at all.”

F-Secure researchers admit that Matousec’s technical findings are correct, but that their solution has “several layers of sensors and generic detection engines. Matousec’s discovery is able to bypass only a few of these sensors.”

According to The Register, the attack has its limitations: “It requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC,” so there is no need to panic. Even if the attack is possible, it doesn’t mean it is likely.