Schneier on Security
A blog covering security and security technology.
« Fifth Annual Movie-Plot Threat Contest Semi-Finalists |
| I Won a CSO Compass Award »
May 14, 2010
New Windows Attack
It's still only in the lab, but nothing detects it right now:
The attack is a clever "bait-and-switch" style move. Harmless code is passed to the security software for scanning, but as soon as it's given the green light, it's swapped for the malicious code. The attack works even more reliably on multi-core systems because one thread doesn't keep an eye on other threads that are running simultaneously, making the switch easier.
The attack, called KHOBE (Kernel HOok Bypassing Engine), leverages a Windows module called the System Service Descriptor Table, or SSDT, which is hooked up to the Windows kernel. Unfortunately, SSDT is utilized by antivirus software.
Posted on May 14, 2010 at 11:50 AM
• 43 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"Nothing detects it right now"--not quite true. Most antivirus software uses kernel hooks, but not all. Those that do not would be able to detect anything using this attack. One example of antivirus software that doesn't use kernel hooks is Microsoft's own Security Essentials.
Nevertheless, this is still a huge deal.
re: "Nothing detects it right now"
The exact same phrase can be applied to "malware" almost every single day.
Which is why "anti-virus" signatures are released almost every single day.
WTF @ KHOBE? What's next? TYGERWOOD? OURKELLY?
I'm surprised, this almost seems like you're giving in to the fearmongering.
The reality of this theoretical attack is a bit more ho-hum. Here's a response from Paul Ducklin at Sophos:
Yes, it is from an AV company. But still, don't believe all the hype being spewed by threat researchers...
@Michael Argast: "I'm surprised, this almost seems like you're giving in to the fearmongering."
I didn't get that from the post. To me it seemed he posted it because it was clever and interesting.
@HJohn: "because it was clever and interesting"
and apparently not particularly new or well informed. see:
it also represents, once again, 'security' researchers advancing the state of the black arts - which is not a particularly positive contribution.
The difference is that security researchers publish their results so people can take those results into account when assessing threats. The "black arts" aren't particularly black when everyone knows about them.
I agree with Michael Argast. I read about this on Ars:
It doesn't apply to security products that don't use the SSDT like Microsoft Security Essentials. It also requires malware to have already skipped past your detection and be running code on your machine.
"it also represents, once again, 'security' researchers advancing the state of the black arts - which is not a particularly positive contribution."
Easily one of the most ignorant statements I've ever read here.
This looks like a small modification of a very old class of attacks. There used to be (and perhaps still is) a similar way to get around CRC checks for programs (have the real one, perform the CRC check on the real program, but execute the other one).
The only surprising thing is that someone figured out a way to make anti-virus even less effective than it already is. That's quite an accomplishment.
The matousec guys had a point, but they grossly oversold it. First, it's only really an issue on Windows XP. On Vista and Win7 there are APIs which make it unnecessary to hook the SSDT, so the attack is irrelevant. Second, it appears that they didn't actually exploit all 35 of those products, they just verified that they hook the SSDT and presumed that they were vulnerable. Some vendors have denied that their own products are actually vulnerable, even on XP.
@larry seltzer: "it's only really an issue on Windows XP"
The matousec article disagrees with you:
"The research was done on Windows XP Service Pack 3 and Windows Vista Service Pack 1 on 32-bit hardware. However, it is valid for all Windows versions including Windows 7."
@John Jenkins: "The difference is that security researchers publish their results so people can take those results into account when assessing threats."
what one intends to happen and what actually happens are often not the same. the anti-malware field is rife with examples of researchers presenting attack-related research that then goes on to be used in actual attacks.
It is not known that any malicious software uses this technique, but it's perfectly possible that some does. Security researchers demonstrating this provide users knowledge of which AV products to avoid, thus enhancing security.
There are enough similar strategies for root kits that this doesn't change anything: a good root kit can only be removed from a different system.
The attacks that escalate the threat potential of root kits in an interesting way are virtualization jailbreaks and BIOS attacks - anything that can infect the "clean" system while it's being used to remove a root kit, if the "clean" system shares the physical hardware of the infected system.
Giving it a new name doesn't make it a new attack.
it is basically a time-of-check-to-time-of-use (TOCTTOU) flaw as described 14 years ago by Matt Bishop and Michael Dilger
Andrey Kolishak showed 7 years ago that Windows hooks are vunerable to TOCTTOU
So not only the method is old, but even using it on Windows hooks is old.
The AV vendors say it's not a problem because you have to have the virus on the computer in order to bypass the virus check.
What if the malware is on a read-only file system (e.g. CD-ROM)?
@Grymoire: "What if the malware is on a read-only file system (e.g. CD-ROM)?"
Well, it obviously can't delete or heal the source file(s) of the malware, but it certainly can prevent it from executing. As long as CDs have been around, I can't imagine any AV worth a nickel that would not be able to handle CDs.
Why would cyber criminals be bothered going to the trouble of using this exploit if the detection rate of new malware in only 20%?
Anti-virus is reactive security that's always playing catchup. But criminals are adapting faster and only need a small window of opportunity. So by the time anti-virus has caught up with the latest malware the credentials and money have already gone and there's new malware in place.
Anti-virus is to computer security what the TSA is to airport security. They are always responding to what just happened.
There is quite a bit of disinformation and hype on this particular "exploit".
As many have stated, the exploit requires malware to get on your machine and execute first. This is not some exploit that you can get by visting some website. In this context, I don't really see how it's theoretically different than the many current methods that malware uses to disable antivirus products.
To Larry Seltzer's point, SSDT hooking is not needed in newer OSs like Vista and Windows 7, but on older OSs like Windows XP. Some antivirus products may still use SSDT, but they don't need to.
Matousec grossly exaggerates:
"We have performed tests with [most of] today's Windows desktop security products...The results can be summarized in one sentence: If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100% of the tested products were found vulnerable."
So basically he installed the products and checked to see if they hooked SSDT and really did not care why the product hooked SSDT, and then called them vulnerable. His own write up he says only some parameters can be swapped out for new stuff (pointers to data, some handles), not all parameters.
Yes the technique is a viable attack but that does not mean all security products that hook SSDT or other kernel objects are vulnerable. It heavily depends on how the hooks are being used by the security software, how the software blocks bad stuff, and which parameters of the hook functions the software cares about.
@AlanS “Anti-virus is to computer security what the TSA is to airport security. They are always responding to what just happened”
Yes, AV software is reactive and everybody’s favorite whipping boy. But it does do the job for the 99.9% of the users who haven’t been infected yet with the new malware before they get the updates.
There seems to be a tendency to slam security processes and systems that don’t work with 100% efficiency, but I think many people, especially those that are not in the trenches struggling to keep a corporate network running on a day-to-day basis, are much too quick to “let the perfect be the enemy of the good”. (I would venture to say the same is true for airport security.)
If 100% of the users on the Internet would have up-to-date AV software, the Internet would be a safer place, despite AV’s shortcomings. If you want to run your network on the Internet without malware protection, be my guest.
Um this is 3 year old research, _and_ the only reason Msft security essentials is absent from the list is because they don't implement tamper resistance.
Last year Trusteer estimated detection rates for Zeus at 23%. Some one at Cisco just did some tests and found the initial detection of new malware samples around 20%. That's a very long way from 100% efficiency.
I am not slamming anti-virus as much as the perception of what anti-virus can accomplish. The seriousness of this 'new exploit' plays on it accomplishing much more than it does. I run antivirus; the free products don't have to accomplish much to have a good cost/benefit.
And as far as doing the "job for the 99.9% of the users who haven’t been infected yet" that ignores targeting. If you have something worth defending (e.g. you work in your company's accounting department) you are much more likely to be in that initial 0.1%.
"The "Earthquake" exploit is largely overblown hype, and has been around for many years.
First, in order for this particular "exploit" to actually work, malware has to already be ON THE PERSON'S MACHINE (in other words, the person's PC is already pwned). In addition, it's a big piece of code that has to be used to make this thing work.
Secondly, it would affect antivirus programs that use SSDT. Sunbelt doesn't use SSDT in VIPRE for Windows Server 2008, Vista and Windows 7. We do use it for older operating systems, like Windows XP.
Third, there are no exploit kits available that we know of that use this exploit.
Finally, actually getting this exploit to really work in the real world is not trivial. Antivirus vendors have understandably been a little peeved by this artificial firestorm. We wrote about it here in our blog:"
Other vendor responses:
@AlanS: "I am not slamming anti-virus as much as the perception of what anti-virus can accomplish. The seriousness of this 'new exploit' plays on it accomplishing much more than it does. I run antivirus; the free products don't have to accomplish much to have a good cost/benefit. "
I totally agree with you. There is no holy grail in security.
I too run anti-virus to protect against what we know is a risk, especially if its a quality free product, there is little reason not to. (especially when I share my home computer with non-tech-savvy users). I also use its heuristics engine to give a bit of protection for what isn't known.
I also take some reasonable steps against unknown threats. My computer is behind two firewalls set as high as they'll work. I have to give a program permission to use the Internet. I don't run web facing apps as Admin (save for security updates), I block new programs from being added to startup, use a decent web browser configured as secureity as I can.
Probably most importantly, i backup frequently. That doesn't prevent malware exploits, but if my system is every compromised I have the option of reformating it without losing everything.
Perfect? No, but I'm probably in good shape.
@ AlanS, Rookie, HJohn,
The big problem with AV is not that it detects less than 20% of even quite old attacks, but the amount of bandwidth it consumes.
It uses a rather broken business model to distribute it's wares and because of this it is stuck in a 1980's mindset.
If we had an outbound internet charge, I think you would find AV software would rather rapidly evolve for the better (likewise several major software vendors code).
It is getting to the point where a substantial % of internet traffic is taken up with AV and security updates "freeloading" at others expense and actually remaininnng stuck in an outmoded thought model.
@ Clive Robinson
Actually, the AV industry uses a very good business model. It's why they are still in business after peddling crap for so long. The real problem is the security model. The mainstream OS's don't enforce POLA well and basically act like an admin/kernel mode interpreter for malicious apps in many ways.
A better security model would use a strong kernel, layered/modular design, and execute-only as the default TCB mode (controlled updates via different, restrictive mode). At the very least, the security-critical functions must be non-bypassable and resist being disabled/overwritten. This defeats malware attacking at the OS level and allows other applications to leverage OS security to achieve application security. This sort of assurance exists in defense platforms like XTS-400/STOP or INTEGRITY Workstation, but not in mainstream OS's.
The short version: instead of closing doors and requiring credentials to get in, mainstream OS's leave them open while relying on hungover, sleep-deprived security guards to identify malice by gut instinct. The results are predictable.
You are quite correct the AV / security model used is crap and that is the visable problem.
However I contend it's the busniess model that stops them evolving a new security model.
Look at it this way, if say MS had to pay outbound data charges for "patch Tuesday" how much would it cost them?
Currently "patch Tuesday" is a less costly business model for MS than supplying a secure OS, so there is no direct financial consideration to make them jump out of the mindset.
It's not just MS but all the big industry players.
If they had to pay for their mistakes via outbound data charges then they would fairly quickly develop a less costly business model. One of which would be to actually fix the problems.
Other models would include making the end user pay a download subscription charge to cover the data charges, however you would fairly rapidly hear a scream of discontent by the end users as this anual charge could be more than the OS costs retail...
The AV business model is likewise broken and mobile broadband is beginning to show this to users as they seen not just their limited bandwidth but limited data alowance get chewed up daily by AV updates and MS and others "mega patches".
We are getting close to a tipping point where the amount of AV and mega patch traffic on the Internet is larger than the traffic from malware etc. to the point it is not sustainable.
And people will fairly soon see the likes of MS & Co as being "good for nothing freeloaders" rather than being a "responsable and profesional organisation".
The evolutionary step that was QA was forced on FMCE manufactures by the asymetric costs of warranty returns obliterating profits.
It is time we saw the same costs being bourn not by the end user but by the manufacturer in an obvious manner not the way it is currently hidden away.
However I'm not sugesting outbound data charges are a good thing, because they would criticaly effect FOSS.
I think you will find that MS do have to pay data charges for Patch Tuesday, as well as run a lot of servers and a large security team.
I agree that AV, being based on enumerating badness, is fundamentally incapable of providing a complete solution.
Unfortunately it is no more possible to enumerate goodness.
Another big issue with anti-virus is that users with unreasonable expectations of the protection it offers have an excuse for being lazy and not doing all the stuff they should be doing: keeping up with OS and application patches, not running as admin unless necessary, turning on DEP for all applications, configuring apps like Adobe Reader to run securely, not doing crazy user things, etc.
'As many have stated, the exploit requires malware to get on your machine and execute first. This is not some exploit that you can get by visting some website'
Just one word: ActiveX.
@ Nostromo on ActiveX
"Listen to me Bobby! You stay away from that technology! That technology is the Devil!!!" (source: possibly Waterboy)
Ref outbound data charges: I'm fairly sure anyone who handles the amount of traffick we're speaking about here is certainly paying for the outbound data in multitude of ways.
1. Staff and equipment
2. If they're big enough they have peering agreements if not they will pay through the proverbial nose for the bandwidth (these are not you 500% oversubscribed "best effort" consumer lines but proper guaranteed bandwidth, priced accordingly...), it's possible to negotiate all kinds of peak and average transfer packages (either "flat rate" for a certain guaranteed bandwidth [which is priced on the assumption that it *will* be run at almost saturation *all the time*], or per GB charge and a guaranteed minimum and available peak bandwidth, or a combination...).
Even my "home" (I run some devel servers here) line, a measly 4/4mbit (but proper, dedicated bandwidth), costs 8-10 times more than "10/1mbit" consumer offerings. If I was running it at full throttle 24/7 both ways I would get a decent price of ~12eurocents/GB (I have no idea what the per GB costs for my ISP are but propably not less than 5eurocents). At the moment I'm not saturating the line 24/7 so my ISP gets better than expected profit out of me. OTOH I like the predictable price, besides I'm not sure they'd be willing to negotiate a good per/GB price for such small volume.
Ref signatures: I'm fairly sure all the major AV producers have used (also) heuristics-based engines for 15 years now (at least F-Secure has...) and in the last 5 years behaviour-based engines are becoming more common (again, at least FSC has one).
Full disclosure: I used to work for F-Secure 10 years ago (hell, it's been a while), before joining a friends startup (still in that company), I try to keep at least somewhat up-to-date on the malware field still.
As mentioned one of the best protection measures is having a back up of your system, and if compromised reinstallation, annoying but effective.
Clive: While the points you raise are valid, I've never seen a study suggesting that update traffic is anything more than a tiny blip on the radar of overall internet traffic.
Heck, my daily AV updates are a few kilobytes in size. The picture of Bruce's book on this page is worth a month's worth of AV updates by itself.
Ugh, how is this any deal at all and how does hooking into SSDT not require admin rights? I guess either me or everybody else is missing the point - it requires the machine to be infected first... hello??? if I manage to have infected your machine already, why bother evading the AV, I'm already in!
The author of the article clear does not understand how security works.
Just a thought,
If this attack is dependent on "malware" being present on the machine...
How about a decapitated botnet.
When you take out the control node by altering the DNS etc (ie a take down) you leave all the infected machines out there...
Now let's assume the Zeus net writer decides to put the next release of the bot net code in a format that allows this attack as a secondary attack vector...
It has been shown that Zeus is capable of infecting millions of machines quite easily most of which have not been cleaned up...
Thus potentialy there are a large number of targets already out there...
As I said just a thought.
Whilst I might agree that you cannot enumerate goodness you can certainly see badness in many cases. Thus the two are not logiical inverses of each other.
For many years AV worked on examining data V code against known signatures, however malware writers worked out how to hide by making what are random signitures for each instance.
There is a solution to this which is putting the code in a restricted environment where calls to I/O etc are checked by a hypervisor etc.
whilst far from perfect is still way better than just pattern matching. However it also has attendant risks in that you have passed control of the CPU to the rouge code and it may have exploit tricks the hypervisor might not detect. This is effectivly the same as code with out a known matching pattern so is not realy any more dangerous than existing AV systems.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.