AV front-and-center...
FYI...
- http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass/
7th May 2010 - "... the technique might be combined with an exploit of another piece of software, say, a vulnerable version of Adobe Reader or Oracle's Java Virtual Machine to install malware without arousing the suspicion of the any AV software the victim was using. "Realistic scenario: someone uses McAfee or another affected product to secure their desktops," H D Moore, CSO and Chief Architect of the Metasploit project, told The Register in an instant message. "A malware developer abuses this race condition to bypass the system call hooks, allowing the malware to install itself and remove McAfee. In that case, all of the 'protection' offered by the product is basically moot." A user without administrative rights could also use the attack to kill an installed and running AV..."
- http://www.matousec.com/info/articl...ity-software.php#table-of-vulnerable-software
Published: 2010/05/05
Last update: 2010/05/07 - paragraph about which platforms are affected added to Final observations and notes...
- http://www.f-secure.com/weblog/archives/00001949.html
May 10, 2010 - "... this attack does not "break" all antivirus systems forever. Far from it. First of all, any malware that we detect by our antivirus will still be blocked, just like it always was. So the issue only affects new, unknown malware that we do not have signature detection for... We believe our multi-layer approach will provide sufficient protection level even if malicious code were to attempt use of Matousec's technique. And if we would see such an attack, we would simply add signature detection for it, stopping it in its tracks. We haven't seen any attacks using this technique in the wild. In a nutshell: We believe in defense in depth."
- http://www.darkreading.com/blog/archives/2010/05/is_khobe_an_ear.html
May 11, 2010 Graham Cluley, Sophos - "... describes a way in which the tamper protection implemented by some anti-malware products might be potentially bypassed. That's assuming, of course, you can get your malicious code past the anti-malware product in the first place. Hang on a minute. That means KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec is describing is a way of "doing something extra" if the malicious code manages to get past your antivirus software in the first place. In other words, KHOBE is only an issue if antivirus products miss the malware. And that's one of the reasons, of course, why vendors offer a layered approach using a variety of protection technologies..."
:fear:
FYI...
- http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass/
7th May 2010 - "... the technique might be combined with an exploit of another piece of software, say, a vulnerable version of Adobe Reader or Oracle's Java Virtual Machine to install malware without arousing the suspicion of the any AV software the victim was using. "Realistic scenario: someone uses McAfee or another affected product to secure their desktops," H D Moore, CSO and Chief Architect of the Metasploit project, told The Register in an instant message. "A malware developer abuses this race condition to bypass the system call hooks, allowing the malware to install itself and remove McAfee. In that case, all of the 'protection' offered by the product is basically moot." A user without administrative rights could also use the attack to kill an installed and running AV..."
- http://www.matousec.com/info/articl...ity-software.php#table-of-vulnerable-software
Published: 2010/05/05
Last update: 2010/05/07 - paragraph about which platforms are affected added to Final observations and notes...
- http://www.f-secure.com/weblog/archives/00001949.html
May 10, 2010 - "... this attack does not "break" all antivirus systems forever. Far from it. First of all, any malware that we detect by our antivirus will still be blocked, just like it always was. So the issue only affects new, unknown malware that we do not have signature detection for... We believe our multi-layer approach will provide sufficient protection level even if malicious code were to attempt use of Matousec's technique. And if we would see such an attack, we would simply add signature detection for it, stopping it in its tracks. We haven't seen any attacks using this technique in the wild. In a nutshell: We believe in defense in depth."
- http://www.darkreading.com/blog/archives/2010/05/is_khobe_an_ear.html
May 11, 2010 Graham Cluley, Sophos - "... describes a way in which the tamper protection implemented by some anti-malware products might be potentially bypassed. That's assuming, of course, you can get your malicious code past the anti-malware product in the first place. Hang on a minute. That means KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec is describing is a way of "doing something extra" if the malicious code manages to get past your antivirus software in the first place. In other words, KHOBE is only an issue if antivirus products miss the malware. And that's one of the reasons, of course, why vendors offer a layered approach using a variety of protection technologies..."
:fear:
Last edited:
:scratch: