New malware can bypass any anti-virus protection

Posted: May 12, 2010 in Anti-virus, Computer

A new piece of malware is so effective that it can bypass the protections provided by anti-virus products such as those offered by McAfee, Trend Micro, AVG, and BitDefender, according to researchers.

A method developed by software security researchers works the same way an antivirus app does: by hooking directly into Windows and masquerading as harmless software. It tricks Windows by sending harmless-looking sample code to the OS, just as any antivirus app would, and then at the last microsecond it swaps in malicious code, which is then executed.

If an anti-virus application uses the traditional method of interacting with Windows (a system called SSDT), then it is vulnerable to attack via this method, and most anti-virus products use SSDT. The researchers noted during their investigation that “100 percent of the tested products were found vulnerable.” It did not matter whether the user had administrator rights or not; the exploit was able to sneak through. The researchers claim to have performed tests with most of today’s Windows desktop security products.

The exploit has to be timed just right so the benign code isn’t switched too soon or too late. But on systems running multicore processors, matousec’s “argument-switch” attack is fairly reliable, because the thread doing the check has no way to track what other simultaneously running threads are doing. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that would be blocked under normal conditions.
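As an added illustration, not code from the article or from matousec, the C program below models the race in user space: a hook validates a path argument that lives in memory a second thread keeps rewriting; the vulnerable variant re-reads that memory after the check, while the hardened variant validates a captured copy and passes only the copy on. Every name here, the `C:\safe\` policy, and the path strings are constructed for the demo.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define BUF 64
/* Constructed stand-in for a syscall argument living in user memory: a second
 * thread (another core) can rewrite it at any moment. */
static char user_arg[BUF];
static atomic_bool stop_flipping;
/* The "security product" policy: only paths under C:\safe\ may be opened. */
static bool is_allowed(const char *p) { return strncmp(p, "C:\\safe\\", 8) == 0; }
/* Stand-in for the original kernel service: records the path it was given. */
static bool kernel_open(const char *p, char *opened) {
    strncpy(opened, p, BUF - 1); opened[BUF - 1] = '\0'; return true;
}
/* Vulnerable hook: checks the user buffer, then hands the SAME pointer on, so
 * the kernel re-reads memory the attacker may have swapped in the meantime. */
static bool hook_vulnerable(char *opened) {
    return is_allowed(user_arg) && kernel_open(user_arg, opened);
}
/* Hardened hook: capture into private memory first, validate the copy, pass
 * the copy on; the user buffer is never read a second time. */
static bool hook_hardened(char *opened) {
    char captured[BUF]; memcpy(captured, user_arg, BUF); captured[BUF - 1] = '\0';
    return is_allowed(captured) && kernel_open(captured, opened);
}
/* Models the attacker's second thread, flipping the argument back and forth. */
static void *flipper(void *a) { (void)a;
    while (!atomic_load(&stop_flipping)) {
        strcpy(user_arg, "C:\\evil\\payload.exe"); strcpy(user_arg, "C:\\safe\\file.txt");
    }
    return NULL;
}
/* Runs `hook` iters times beside the flipper; returns how often a path outside
 * C:\safe\ reached kernel_open. The hardened hook must always return 0. */
static long count_bypasses(bool (*hook)(char *), long iters) {
    pthread_t t; char opened[BUF]; long bypasses = 0;
    strcpy(user_arg, "C:\\safe\\file.txt"); atomic_store(&stop_flipping, false);
    pthread_create(&t, NULL, flipper, NULL);
    for (long i = 0; i < iters; i++)
        if (hook(opened) && !is_allowed(opened)) bypasses++;
    atomic_store(&stop_flipping, true); pthread_join(t, NULL);
    return bypasses;
}
int main(void) {
    printf("vulnerable: %ld bypasses\n", count_bypasses(hook_vulnerable, 200000));
    printf("hardened:   %ld bypasses\n", count_bypasses(hook_hardened, 200000));
}
```

The vulnerable count varies with scheduling and core count, which is exactly the "fairly reliable on multicore" property the article describes; the hardened count is zero regardless.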

The researchers listed 34 products that they said were susceptible to the attack, but the list was limited by the amount of time they had for testing. “Otherwise, the list would be endless,” they said.
The technique works even when Windows is running under an account with limited privileges.

The exploit has some limitations. It requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC.

H D Moore, CSO and Chief Architect of the Metasploit project, told The Register, “A malware developer abuses this race condition to bypass the system call hooks, allowing the malware to install itself and remove McAfee. In that case, all of the ‘protection’ offered by the product is basically moot.”

The good news is that the attack is not completely realistic, since the code required to make it work would have to be large. A quickie download wouldn’t be possible, so the attack would likely have to find its way onto a target computer by other means. But that also worries researchers, since commonly downloaded software could be intentionally infected with the malware.

Right now the attack is primarily theoretical and hasn’t sprung up in the real world, so there’s no need to panic. Antivirus software companies have yet to respond to the threat, and it may take some time for them to do so.
