Matousec report says your antivirus app is way too easy to exploit

It's generally regarded as a bad idea to run a computer without antivirus and malware protection. But according to a report from Matousec, there's a very good chance your software isn't all that hard to exploit and cripple.
In the report, Matousec outlines a bait-and-switch style attack that works through the kernel-mode drivers used by almost all Windows antivirus programs. The report lists 34 of them, including favorites like Avast 5, AVG 9, Avira 10 and Eset Smart Security, and just about every other big name you can think of.
The post states that the list could easily have included pretty much every Windows antivirus app, but the researchers only had time to test so many. Interestingly enough, two very popular apps -- Microsoft Security Essentials and Live OneCare -- were not on the list. The post seems to indicate that every app they tested failed, but those are certainly big omissions. I'm much more interested in how Microsoft's products would have fared than in relatively obscure apps like Online Armor, PC Tools, Threatfire, and Security Shield.
Immunet's Alfred Huger informed me that their product does not use SSDT and operates outside the kernel -- so it's not vulnerable in this way.
Matousec's test systems were running Windows XP SP3 and Vista SP1, though they claim that the technique should work on all versions of Windows (including 7) and that x64 software is no safer than x86. However, Huger also told me "This attack [...] will not work (or should not work) under non-XP systems." BSODhook -- the tool Matousec developed to automatically find vulnerabilities -- failed to run on my Windows 7 x64 system, even with administrator permissions.
Comments (7)
Grammar Nazi, May 9th 2010 11:56AM
"..there's a very good your software.."
"..included pretty well Windows antivirus apps.."
Grammar fix please
delete2end, May 9th 2010 12:02PM
Hey Download Squad... I would love to see reviews of Online Armor, PC Tools, Threatfire, and Security Shield.
hmm, May 9th 2010 3:49PM
They are in general HIPS (also called firewalls, since they are usually bundled with firewalls), not antiviruses, so it's expected that they would work better. They usually work by intercepting (figuratively speaking) every system action and asking whether you want to allow it or not (much worse than UAC, even though they can remember the action). Of course, near-perfect security can be ensured that way, because you'd have to approve every action, bad or worse, but I don't want that kind of security. I'd much prefer Linux, because even Linux is less demanding and more secure, because there is less malware.
mah, May 9th 2010 3:10PM
Right... and what is Matousec selling to fix this "problem"?
It's also funny that suddenly operating outside the kernel at a much higher level is supposedly a better idea than being at a lower level than the viruses. Nice try, Immunet. I'm sticking with Comodo.
jfjb, May 10th 2010 8:58PM
If anyone understood the source code at Matousec, that person may have a valid opinion here and now.
So far, I've heard only thoughts, not opinions.
Anyone?
if (NT_SUCCESS(status))
    status = OldNtTerminateProcess(ProcessHandle, ExitStatus); // forward to the original, unhooked service
return status;
This is simple.
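The bait-and-switch the article describes, and the check-then-forward pattern in the snippet above, as an added example that is not from the article, the commenter or Matousec's tools: a user-mode C model in which a hook validates an argument that still lives in caller memory and then forwards the pointer, so the original service re-reads a value a concurrent thread has swapped, next to a hardened hook that captures the argument once. The struct, the file paths, the policy and the race_window_fn callback standing in for the concurrent thread are all constructed.

```c
/* Added example (not from the article or Matousec's tools): a user-mode
 * model of the argument-switch race. All names and paths are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed: the argument block lives in caller ("user") memory and can
 * be rewritten by another thread while the hook is still running. */
typedef struct { char path[64]; } UserArgs;
typedef void (*race_window_fn)(UserArgs *args);
typedef int (*hook_fn)(UserArgs *, race_window_fn, char *, size_t);
/* Stand-in for the original, unhooked service: like the real one, it reads
 * its argument from caller memory itself when it finally runs. */
static int original_service(const UserArgs *args, char *acted_on, size_t n) {
    snprintf(acted_on, n, "%s", args->path);
    return 0;
}
/* Policy under test: the protected file must never be acted on. */
bool policy_allows(const char *path) {
    return strcmp(path, "C:\\protected\\av.sys") != 0;
}
/* Vulnerable hook: checks args->path, then hands the *pointer* on, so the
 * service fetches the argument a second time after the check. */
int hooked_vulnerable(UserArgs *args, race_window_fn window, char *out, size_t n) {
    if (!policy_allows(args->path)) return -1;   /* first fetch: the check */
    if (window) window(args);                    /* concurrent thread runs */
    return original_service(args, out, n);       /* second fetch: the use */
}
/* Hardened hook: copy the argument once into memory the caller cannot
 * touch, validate the copy, and forward only the copy (no double fetch). */
int hooked_hardened(UserArgs *args, race_window_fn window, char *out, size_t n) {
    UserArgs captured = *args;                   /* single fetch */
    if (!policy_allows(captured.path)) return -1;
    if (window) window(args);                    /* switch is now harmless */
    return original_service(&captured, out, n);
}
/* Constructed switcher: the caller baited with a benign path, then swaps it
 * for the protected one inside the race window. */
void switch_to_protected(UserArgs *args) {
    snprintf(args->path, sizeof args->path, "C:\\protected\\av.sys");
}
/* Runs one hook with the switcher active; true if the protected file was
 * acted on even though the check only ever saw a benign path. */
bool protected_file_touched(hook_fn hook) {
    UserArgs args; char acted_on[64] = "";
    snprintf(args.path, sizeof args.path, "C:\\temp\\benign.txt");
    hook(&args, switch_to_protected, acted_on, sizeof acted_on);
    return strcmp(acted_on, "C:\\protected\\av.sys") == 0;
}
```

The same single-fetch rule is what a kernel hook needs when an argument is a pointer into user memory: probe and copy it once, then validate and use only the copy.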
jfjb, May 10th 2010 9:00PM
P.S. My two cents, of course, after years between ASM and C##.
Surfs up, dudes and dudettes.
jfjb, May 10th 2010 9:03PM
@ Lee Mathews,
I agree: most problems occur between the chair and the keyboard, of the user.