New Windows Attack
It’s still only in the lab, but nothing detects it right now:
The attack is a clever “bait-and-switch” style move. Harmless code is passed to the security software for scanning, but as soon as it’s given the green light, it’s swapped for the malicious code. The attack works even more reliably on multi-core systems because one thread doesn’t keep an eye on other threads that are running simultaneously, making the switch easier.
The attack, called KHOBE (Kernel HOok Bypassing Engine), leverages a Windows module called the System Service Descriptor Table, or SSDT, which is hooked up to the Windows kernel. Unfortunately, SSDT is utilized by antivirus software.
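The bait-and-switch described above is a time-of-check-to-time-of-use race: a hook validates an argument that still lives in memory the caller controls, and a second thread rewrites that memory after the verdict but before the real service uses it. The added example below is not code from the article, from the KHOBE researchers, or from any antivirus product; it is a user-mode simulation that contrasts the vulnerable check-in-place pattern with the standard mitigation of copying the argument into hook-private memory before checking it. The buffer size ARG_LEN, the "benign" marker, and the use of a callback in place of a real second thread (so the race window is deterministic) are all assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ARG_LEN 16   /* assumed fixed size of the simulated caller-owned argument buffer */

/* Fill a fixed-size argument buffer with a NUL-padded string (constructed sample input). */
void make_arg(char out[ARG_LEN], const char *s) {
    memset(out, 0, ARG_LEN);
    strncpy(out, s, ARG_LEN - 1);
}

/* Simulated scanner verdict: only buffers starting with the constructed marker "benign" pass. */
bool scan_is_benign(const char *arg) {
    return strncmp(arg, "benign", 6) == 0;
}

/* Stand-in for the second thread that rewrites the buffer between check and use.
   A callback keeps the demonstration deterministic; in the real race it is another thread. */
typedef void (*race_fn)(char *user_arg);

/* The rewrite performed by the simulated second thread. */
void swap_to_other(char *user_arg) {
    make_arg(user_arg, "other");
}

/* Vulnerable hook pattern: checks the caller-owned buffer in place, then uses that same buffer.
   Returns -1 if rejected, 1 if the data actually used is the data that was scanned, 0 if not. */
int hook_check_in_place(char *user_arg, race_fn race) {
    if (!scan_is_benign(user_arg))
        return -1;                                 /* verdict: rejected */
    if (race)
        race(user_arg);                            /* window between check and use */
    return scan_is_benign(user_arg) ? 1 : 0;       /* what the real service would now see */
}

/* Hardened hook pattern: copy into hook-private memory first, then check and use only the copy. */
int hook_copy_then_check(char *user_arg, race_fn race) {
    char private_copy[ARG_LEN];
    memcpy(private_copy, user_arg, ARG_LEN);       /* single fetch of caller data */
    private_copy[ARG_LEN - 1] = '\0';
    if (!scan_is_benign(private_copy))
        return -1;
    if (race)
        race(user_arg);                            /* caller's buffer changes; the copy does not */
    return scan_is_benign(private_copy) ? 1 : 0;
}

/* Run one scenario on a fresh buffer holding `initial`; returns the hook's result code. */
int run_scenario(const char *initial, bool copy_first, bool with_race) {
    char arg[ARG_LEN];
    make_arg(arg, initial);
    race_fn race = with_race ? swap_to_other : NULL;
    return copy_first ? hook_copy_then_check(arg, race) : hook_check_in_place(arg, race);
}

int main(void) {
    printf("in-place check, no race:    %d\n", run_scenario("benign", false, false));
    printf("in-place check, with race:  %d\n", run_scenario("benign", false, true));
    printf("copy-then-check, with race: %d\n", run_scenario("benign", true, true));
    printf("copy-then-check, rejected:  %d\n", run_scenario("other", true, false));
    return 0;
}
```

With the race active, the in-place variant returns 0: the service ends up acting on data the scanner never saw. The copy-then-check variant returns 1 because its verdict and its use refer to the same private snapshot, which is why a hook that must inspect caller-supplied data fetches it exactly once. On a real multi-core system the rewrite comes from a genuinely concurrent thread, which is what makes the window practical rather than theoretical, as the article notes.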
ac • May 14, 2010 12:03 PM
“Nothing detects it right now”–not quite true. Most antivirus software uses kernel hooks, but not all. Those that do not would be able to detect anything using this attack. One example of antivirus software that doesn’t use kernel hooks is Microsoft’s own Security Essentials.
Nevertheless, this is still a huge deal.