12 May 2010 | 8,466 views

New Argument Switch Attack Bypasses Windows Security Software

Prevent Network Security Leaks with Acunetix

There’s been a lot of highly technical and most theoretical attacks lately, academic season really is in full swing. This is a very neat attack which is being labeled somewhere between catastrophic and mildly annoying depending on who you ask.

It effects most of the major Anti-virus vendors, it’s called an argument-switch attack and leverages on the way in which most anti-viral suites interact with the Windows kernel.

It seems to be most critical on Windows XP which is an operating system near the end of life anyway, so it shouldn’t be too widespread – that’s even assuming the bad guys can work it out and spread it in the wild (I would safely assume they can). Although the research does indicate it also works on Vista SP1.

A just-published attack tactic that bypasses the security protections of most current antivirus software is a “very serious” problem, an executive at one unaffected company said today.

Last Wednesday, researchers at Matousec.com outlined how attackers could exploit the kernel driver hooks that most security software use to reroute Windows system calls through their software to check for potential malicious code before it’s able to execute. Calling the technique an “argument-switch attack,” a Matousec-written paper spelled out in relatively specific terms how an attacker could swap out benign code for malicious code between the moments when the security software issues a green light and the code actually executes.

“This is definitely very serious,” said Alfred Huger, vice president of engineering at Immunet, a Palo Alto, Calif.-based antivirus company. “Probably any security product running on Windows XP can be exploited this way.” Huger added that Immunet’s desktop client is not vulnerable to the argument-switch attacks because the company’s software uses a different method to hook into the Windows kernel.

Some of the AV vendors are using different methods to communicate with the Windows kernel, so aren’t vulnerable to this attack – such as Immunet. I hope the collective AV companies pull their fingers out and do some real testing on this attack to see if it can really impact consumers or not.

What we really don’t need is “Oh it’s really complex and unlikely, it’s not a big deal” – then later 200,000 machines get owned using the technique. At least they know about and can perhaps address the sloppy methods they are using to implement kernel hooks.

According to Matousec, nearly three-dozen Windows desktop security titles, including ones from Symantec, McAfee, Trend Micro, BitDefender, Sophos and others, can be exploited using the argument-switch tactic. Matousec said it had tested the technique on Windows XP SP3 and Vista SP1 on 32-bit machines.

Some security vendors agreed with Huger. “It’s a serious issue and Matousec’s technical findings are correct,” said Mikko Hypponen, chief research officer at Finnish firm F-Secure, in an e-mail.

“Matousec’s research is absolutely important and significant in the short term,” echoed Rik Ferguson, a senior security advisor at Trend Micro, in a blog post earlier Monday.

Other antivirus companies downplayed the threat, however. “Based on our initial review of the public documentation, we believe this is a complicated attack with several mitigating factors that make it unlikely to be a viable, real world, widespread attack scenario,” a McAfee spokesman said in an e-mail reply to a request for comment. “The attack would require some level of existing access to the target computer, as the attack described by Matousec does not on its own bypass security software or allow malware to run.”

Kaspersky Lab had a similar reaction. “[We] have analyzed the published material and concluded that the issue is only linked to certain features of [our] products,” Kaspersky said in an e-mailed statement. “Kaspersky Lab products implement not only [kernel] hooks, but a wide range of technologies, including secure sandboxing and other methods of restricting suspicious kernel mode activity.”

I guess most AV companies don’t go that deep into system security, to the point of exploring how they implement kernel addressing and hooks to enable their software to function. Either way the research is now published, is picking up quite a bit of press and that itself is likely to force some action.

The full paper is available with details of the attack from Matousec here:

KHOBE – 8.0 earthquake for Windows desktop security software

Source: Network World



Recent in Exploits/Vulnerabilities:
- XML Quadratic Blowup Attack Blows Up WordPress & Drupal
- Password Manager Security – LastPass, RoboForm Etc Are Not That Safe
- Hacking Your Fridge – Internet of Things Security

Related Posts:
- Pass-The-Hash Toolkit v1.4 Released for Download
- Windows 7 UAC Vulnerable – User Mode Program Can Disable User Access Control
- Microsoft Confirms Windows Zero Day Bug In Shortcut Files

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 227,333 views
- AJAX: Is your application secure enough? - 119,087 views
- eEye Launches 0-Day Exploit Tracker - 85,051 views

Low-cost VPS Hosting

3 Responses to “New Argument Switch Attack Bypasses Windows Security Software”

  1. Keane Matthews 13 May 2010 at 3:21 pm Permalink

    KHOBE (Matousec) article indicates this is attack vector is valid for all versions of Windows, up to and including Windows 7 for both 32- and 64-bit OSs.

    The research was done on Windows XP Service Pack 3 and Windows Vista Service Pack 1 on 32-bit hardware. However, it is valid for all Windows versions including Windows 7. Even the 64-bit platform is not a limitation for the attack. It will work there against all user mode hooks and it will also work against the kernel mode hooks if they are installed, for example after disabling the PatchGuard.

  2. bews 14 May 2010 at 2:23 am Permalink

    Does this not mean that the malware or whatever has to be able to bypass the AV client to disable the AV client??

    To me that means that their job was already done before they disabled the AV client with the kernel hook stuff anyway *shrugs*

  3. Morgan Storey 26 May 2010 at 7:47 am Permalink

    @bews: I take it as they can actually look like legit code and the Av app will let it past. So it may not disable the AV just simply bypass it.