How do you get a malware exploit to bypass antivirus protection? By making it work the same way the antivirus software does.
A new exploit outlined this week is so effective, say researchers, that it can slip by “virtually all” antivirus protection undetected.
It targets the very mechanism an antivirus product relies on. The antivirus hooks Windows system calls so that it can inspect each call's arguments before the kernel acts on them. The attack hands the hook a call whose arguments look completely benign and lets the check pass; then, in the microseconds between the hook's inspection and the kernel's actual use of those arguments, a second thread swaps them for malicious ones, and that is what the kernel executes. The hook never sees the swap, because it checked the arguments only once, in memory the attacker still controls.
If an antivirus product interposes on Windows in the traditional way, by hooking the SSDT (the kernel's System Service Descriptor Table, the table of system call handlers), it is vulnerable to this attack, and every product tested does exactly that. As the researchers at matousec.com noted during their investigation, "100 percent of the tested products were found vulnerable." Administrator rights made no difference: the exploit slipped through from an unprivileged account as well.
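The race described above, reduced to a deterministic model, as an added example that is not matousec's code and not any antivirus product's logic. The attacker's second thread is replaced by a callback that the dispatcher invokes in the window between the hook's check and the kernel's use of the argument; the "open file" call, the System32 policy, the paths and every function name are hypothetical. The vulnerable dispatcher checks and then re-reads the argument from user memory, exactly the pattern an SSDT hook falls into; the hardened one captures the argument into memory the caller cannot reach before checking it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample arguments for a hypothetical "open file" system call.
 * The policy below is a stand-in for an antivirus hook's check, not any
 * product's real logic. */
#define BENIGN_PATH    "C:\\Users\\demo\\notes.txt"
#define MALICIOUS_PATH "C:\\Windows\\System32\\drivers\\evil.sys"
#define ARG_LEN 260

/* Runs inside the window between the hook's check and the kernel's use of the
 * argument; stands in for the attacker's second thread winning the race. */
typedef void (*race_cb)(char *user_arg);

/* The hook's (hypothetical) policy: refuse anything that touches System32. */
static bool hook_allows(const char *path) {
    return strstr(path, "\\Windows\\System32\\") == NULL;
}

/* Vulnerable dispatcher, modelled on an SSDT hook that inspects the argument
 * where it sits in user memory and then lets the original service read that
 * same user memory again. Returns the path the "kernel" acted on, or NULL if
 * the hook blocked the call. */
static const char *dispatch_vulnerable(char *user_arg, race_cb in_window,
                                       char *used, size_t used_len) {
    if (!hook_allows(user_arg))                 /* check: reads user memory */
        return NULL;
    if (in_window)
        in_window(user_arg);                    /* attacker swaps the argument */
    snprintf(used, used_len, "%s", user_arg);   /* use: reads user memory again */
    return used;
}

/* Hardened dispatcher: capture the argument into memory the caller cannot
 * reach, then check and use only the captured copy. The swap still happens,
 * but nothing downstream looks at user memory after the check. */
static const char *dispatch_hardened(char *user_arg, race_cb in_window,
                                     char *used, size_t used_len) {
    char captured[ARG_LEN];
    snprintf(captured, sizeof captured, "%s", user_arg);
    if (!hook_allows(captured))
        return NULL;
    if (in_window)
        in_window(user_arg);                    /* too late: the copy is what counts */
    snprintf(used, used_len, "%s", captured);
    return used;
}

typedef const char *(*dispatcher_fn)(char *, race_cb, char *, size_t);

/* The attacker's race thread, reduced to its effect: overwrite the argument. */
static void attacker_swap(char *user_arg) {
    snprintf(user_arg, ARG_LEN, "%s", MALICIOUS_PATH);
}

/* Returns true if a malicious path reached the kernel through `dispatch`
 * even though the hook approved a benign one. */
static bool bait_and_switch_succeeds(dispatcher_fn dispatch) {
    char user_arg[ARG_LEN];
    char used[ARG_LEN];
    snprintf(user_arg, sizeof user_arg, "%s", BENIGN_PATH);
    const char *acted_on = dispatch(user_arg, attacker_swap, used, sizeof used);
    return acted_on != NULL && !hook_allows(acted_on);
}

/* Returns true if `dispatch` lets `path` through when presented honestly,
 * with no swap in the window. */
static bool direct_call_allowed(dispatcher_fn dispatch, const char *path) {
    char user_arg[ARG_LEN];
    char used[ARG_LEN];
    snprintf(user_arg, sizeof user_arg, "%s", path);
    return dispatch(user_arg, NULL, used, sizeof used) != NULL;
}

int main(void) {
    printf("vulnerable hook bypassed: %s\n",
           bait_and_switch_succeeds(dispatch_vulnerable) ? "yes" : "no");
    printf("hardened hook bypassed:   %s\n",
           bait_and_switch_succeeds(dispatch_hardened) ? "yes" : "no");
    return 0;
}
```

Both dispatchers refuse the malicious path when it is presented directly; only the vulnerable one can be talked into acting on it. In the real attack the "window" is a genuine thread race, so the swap lands on only a fraction of attempts, but the attacker can simply retry until it does.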
The good news is that the attack is not entirely practical on its own: the code needed to carry it out is sizeable, so it cannot be slipped in as a tiny drive-by download and would have to reach a target machine by other means. That is also what worries the researchers. Commonly downloaded software could be deliberately bundled with the malware, and during installation the antivirus software would not bat an eyelash. The malware could even uninstall the antivirus product in its opening move, leaving the machine wide open to attack.
Antivirus vendors have yet to respond to the threat, and a fix may take some time, since closing the hole means reworking how antimalware software interposes on the operating system rather than patching a single product.
Source: news.yahoo.com
Tuesday, May 11, 2010
1 comment:
So far, I really like the dedicated hosting services of serverwala. Thank you so much, serverwala.org team, for giving me the info I needed before getting my hosting plan. :)