Printed from http://www.electronista.com

New Windows malware bypasses most current antivirus apps

updated 10:15 am EDT, Tue May 11, 2010

KHOBE could infect any Windows XP system

Researchers at Matousec have found malware that could potentially compromise nearly every Windows XP system using current antivirus software. KHOBE (Kernel Hook Bypassing Engine) takes advantage of the vulnerable System Service Descriptor Table to trick Microsoft's OS into accepting rogue code. It allows a safe code thread to be scanned by antivirus apps but immediately swaps in a thread containing a virus or other attack, giving the malware free rein.

Few antivirus programs today can protect against such an attempt, since they can't stop the switch once they've examined what they believed to be the original code. Tools can screen content before it reaches the system and can block known malware, but any unknown viruses will automatically get access. Administrator rights aren't necessary either, which exposes even limited Windows accounts to the threat.
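The check-then-swap race described above, reduced to a single-process model in C, next to the capture-before-check pattern that closes it. This is an added example, not code from Matousec or from this article; `policy_allows`, `service`, both hook functions and the file names are constructed for illustration, and a callback stands in for the second thread so the result is deterministic.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: 'shared' stands for caller-owned memory that another
   thread of the same process can rewrite at any time. */
typedef void (*racer_fn)(char *shared);

/* Hypothetical policy check standing in for an antivirus scan. */
static int policy_allows(const char *path) {
    return strstr(path, "blocked") == NULL;
}

/* Stand-in for the real system service: records what it acted on. */
static void service(const char *path, char *acted_on, size_t n) {
    snprintf(acted_on, n, "%s", path);
}

/* Weak pattern: validate the caller's buffer, then let the service read
   the same buffer again. Returns 1 if the call was allowed. */
int hook_check_then_use(char *shared, racer_fn racer, char *acted_on, size_t n) {
    if (!policy_allows(shared)) return 0;
    if (racer) racer(shared);          /* window between check and use */
    service(shared, acted_on, n);
    return 1;
}

/* Hardened pattern: capture once into private memory, validate the copy,
   and hand only the copy to the service. */
int hook_capture_then_check(char *shared, racer_fn racer, char *acted_on, size_t n) {
    char captured[64];
    snprintf(captured, sizeof captured, "%s", shared);
    if (!policy_allows(captured)) return 0;
    if (racer) racer(shared);          /* a rewrite here no longer matters */
    service(captured, acted_on, n);
    return 1;
}

/* Models the concurrent thread that rewrites the argument after the check. */
void swap_argument(char *shared) { strcpy(shared, "blocked.bin"); }

int main(void) {
    char buf[64], seen[64];
    strcpy(buf, "benign.txt");
    hook_check_then_use(buf, swap_argument, seen, sizeof seen);
    printf("check-then-use acted on:     %s\n", seen);
    strcpy(buf, "benign.txt");
    hook_capture_then_check(buf, swap_argument, seen, sizeof seen);
    printf("capture-then-check acted on: %s\n", seen);
    return 0;
}
```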

The attacks won't work properly on Windows Vista or 7 systems, but as these are still in the minority, most computers worldwide are susceptible to a KHOBE virus. Modern, multi-core processors are actually more vulnerable since the hostile thread can be more readily kept separate from any inspection by antivirus tools.

Software developers like F-Secure and Sophos have pledged themselves to identifying the attacks and minimizing the risk, but the new vulnerability is currently a blow to the Windows environment, especially in developing countries where Windows 7 is still rare or unfeasible for the systems users can afford. Linux and Mac OS X systems aren't known to be vulnerable to this kind of attempt. [via ZDNet]





By Electronista Staff

Comments

  1. BelugaShark

    Fresh-Faced Recruit

    Joined: Aug 2007

    0

    Windows 7 is vulnerable

    The link to the article you posted stated the following:
    "The research was done on Windows XP Service Pack 3 and Windows Vista Service Pack 1 on 32-bit hardware. However, it is valid for all Windows versions including Windows 7. Even the 64-bit platform is not a limitation for the attack. It will work there against all user mode hooks and it will also work against the kernel mode hooks if they are installed, for example after disabling the PatchGuard."

    PatchGuard prevents patching the kernel and it's only for the 64-bit version of Windows.

    Am I missing something? Why does your article imply that Vista and Windows 7 are safe?

  1. DeezNutts

    Fresh-Faced Recruit

    Joined: Apr 2008

    +5

    not the only one


    This thing is no bigger threat than the other root kits rolling around right now that are immune to antivirus software.

    I'm not even sure what the news is, that another one showed up on the scene?

  1. testudo

    Forum Regular

    Joined: Aug 2001

    0

    and...

    It assumes these people aren't just making another one of those "mountain out of a mole hill" sky is falling type of things.

    But, no, can't imagine that. I'm sure the title of their paper "8.0 earthquake for Windows desktop security software" is perfectly objective and staid.
