What's with the "Earthquake" Exploit, KHOBE?



05/20/2010




Kevin R. Smith
Co-Editor


Earlier this month, security researchers at Matousec released details of research they've done that, they claim, bypasses 100% of antivirus software.

As you might imagine, there's quite a bit of concern about this, particularly among business users, because the mainstream media has started discussing the so-called KHOBE attack.

Let's dig into this a bit and see what's behind the hype.

What is KHOBE?

It's an acronym for:

Kernel
HOOK
Bypassing
Engine

Put another way, it's a way for attackers to trick antivirus software. ZDNet's writer, Adrian Kingsley-Hughes, does a great job describing how this works here,

"The attack is a clever 'bait-and-switch' style move.

"Harmless code is passed to the security software for scanning, but as soon as it's given the green light, it's swapped for the malicious code.

"The attack works even more reliably on multi-core systems because one thread doesn't keep an eye on other threads that are running simultaneously, making the switch easier."

Kingsley-Hughes goes on to say, "Oh, and don't think that just because you are running as a standard user that you're safe, you're not. This attack doesn't need admin rights."

OK, now this is starting to sound like a pretty big deal.
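The "bait-and-switch" Kingsley-Hughes describes is a classic check-then-use race: the scanner inspects a buffer the caller still owns, and a second thread rewrites that buffer between the verdict and the moment the data is acted on. The model below is an added illustration written for this post, not code from Matousec or from any antivirus vendor; it runs entirely in user space with ordinary Python threads and uses two Events to force the losing interleaving so the result is repeatable. The "BAD!" marker and all function names are constructed for the example. It also shows the standard defence: copy the caller's data into private memory first, check the copy, and act only on that same copy, so the thing checked and the thing used can never differ.

```python
"""Deterministic model of the check-then-use race described above.

A scanner hook checks a caller-owned buffer; a second thread overwrites that
buffer before the checked data is acted on. The hardened scanner copies the
buffer into memory the caller cannot reach before checking it, so the verdict
and the dispatched bytes always refer to the same data.
All names and the 'BAD!' marker are constructed for this illustration.
"""
import threading

# Constructed stand-in for a detection signature: any buffer containing this
# marker is treated as malicious.
SIGNATURE = b"BAD!"


def looks_malicious(data: bytes) -> bool:
    """Toy signature check."""
    return SIGNATURE in data


def check_then_use(buffer: bytearray, checked: threading.Event,
                   swapped: threading.Event):
    """Vulnerable: scans caller memory, then re-reads that same memory later.

    Between the check and the dispatch, the owner of `buffer` can change it.
    The two Events force that interleaving so the outcome is repeatable.
    """
    verdict = looks_malicious(bytes(buffer))  # time of check
    checked.set()                # the caller's other thread now gets to run
    swapped.wait()               # ... and rewrites the buffer meanwhile
    if verdict:
        return ("blocked", None)
    return ("dispatched", bytes(buffer))  # time of use: re-reads caller memory


def snapshot_then_check(buffer: bytearray, checked: threading.Event,
                        swapped: threading.Event):
    """Hardened: copy first, check the copy, dispatch the same copy."""
    snapshot = bytes(buffer)     # private copy the caller cannot modify
    checked.set()
    swapped.wait()               # the swap still happens, but too late
    if looks_malicious(snapshot):
        return ("blocked", None)
    return ("dispatched", snapshot)


def run_race(scanner):
    """Run `scanner` against a swapper thread and return the scanner's result."""
    buffer = bytearray(b"harmless data   ")   # benign bait (constructed)
    checked, swapped = threading.Event(), threading.Event()

    def swapper():
        checked.wait()                           # wait until the scan is done
        buffer[:] = b"harmless " + SIGNATURE + b"   "  # same length, now malicious
        swapped.set()

    t = threading.Thread(target=swapper)
    t.start()
    result = scanner(buffer, checked, swapped)
    t.join()
    return result


if __name__ == "__main__":
    # Vulnerable path acts on the swapped, malicious bytes.
    print("check-then-use     :", run_race(check_then_use))
    # Hardened path acts on the benign snapshot it actually checked.
    print("snapshot-then-check:", run_race(snapshot_then_check))
```

The second factor on the page (the switch is easier on multi-core systems) is exactly why the swapper runs as a separate thread here: the scanner cannot see what another thread does to memory it does not own. The fix is not a faster check but a change of ownership, which is the same reason a kernel copies user-mode arguments before validating them.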

Mitigating Factors with KHOBE

Here's where things *do* start to become more positive though:

  1. Requires a lot of code.

     Makes it less-than-ideal for most attacks to work. Since this code has to somehow be transferred to your machine, its current size makes it more difficult to use as a mechanism to bypass security software.

  2. The software has to already be on your computer.

     Wha? Yes, that's right. From what the antivirus software vendors can tell thus far, the software doesn't actually bypass their software (at least the ones we've heard from) unless it's already there to begin with.

     This could be because you're installing their software after you've been infected with this code or because you disabled your antivirus program.

  3. There aren't any known exploits--or exploit kits--that rely on this technique.

     (At least not yet.) The chances of encountering this in the real world are still very, very minimal.

  4. It only affects antivirus software that uses the System Service Descriptor Table (SSDT), which is used less and less frequently than it once was.

     Antivirus companies are moving (or have already moved) away from the use of the SSDT since Windows Vista. Windows XP seems to be the last Microsoft Windows OS where the security vendors commonly relied on the SSDT for their antivirus software.

     This means if you're running Windows Vista or 7, chances are your antivirus or Internet security software is already immune to this exploit.

     Antivirus maker Sophos says, "Sophos's on-access anti-virus scanner doesn't use SSDT hooks, so it's fair for us to say that this isn't a vulnerability for us at all."

     VIPRE Antivirus' maker, Sunbelt Software, says, "...it would affect antivirus programs that use SSDT. We don't use SSDT in VIPRE for Windows Server 2008, Vista and Windows 7. We do use it for older operating systems, like Windows XP."

  5. It's difficult to make work.

     The code works, yes, but given the many things that are required for it to work, even if you were to encounter it "in the wild," there's still no guarantee your computer will be infected.

Antivirus Vendor Responses

Sophos and Sunbelt aren't the only antivirus companies refuting the claims. Security company F-Secure says,

"We believe our multi-layer approach will provide sufficient protection level even if malicious code were to attempt use of Matousec's technique.

"And if we would see such an attack, we would simply add signature detection for it, stopping it in its tracks. We haven't seen any attacks using this technique in the wild."

Our Take on KHOBE

What F-Secure says about adding signature detection is true not just for F-Secure, but for all Internet security software vendors.

If there were real-world exploits using this attack that they'd encountered, adding signatures for those attacks should be able to defeat the attack pretty easily.

Regardless of the outcome of the debate about this particular exploit, there are still a couple of take-away points as far as we're concerned:

  1. Run the best antivirus software you can afford.
  2. Keep it updated--frequently.
  3. Even if you're updated and protected against known threats, it's critical to regularly back up your system so that if something does get by your defenses, at least you can restore your system to a point before the infection.
