Poor Hook Implementations Leave Most Antivirus Products Vulnerable

Researchers claim low-level protection mechanisms can easily be bypassed

By Lucian Constantin on May 8th, 2010 08:20 GMT
According to a new research paper published by the matousec project, critical protection mechanisms are poorly implemented and can be easily bypassed for the majority of desktop antivirus programs. The problem stems from an unreliable and insecure use of kernel and user mode hooks to get the job done.

The research starts from the premise that malware writers are able at any time to write malicious code that evades traditional methods of detection, a theory that has been proven true over and over again. In order to compensate for this, antivirus products employ additional protection layers like Host-based Intrusion Detection Systems (HIPS), which monitor applications' behavior and block any actions deemed suspicious.

However, according to matousec, when creating these complex systems, most antivirus developers choose to rely on a programming technique called hooking for intercepting system calls from other applications. The research touches on both user mode hooks, which researchers claim are inherently insecure, as well as kernel mode ones.

The so-called "argument-switch attack" developed by matousec targets kernel mode hooks that alter the System Service Descriptor Table (SSDT) in particular. These SSDT hooks are currently the most common method of implementing low-level protection in security software. However, it is noted that other types of hooks can also be vulnerable if certain conditions are met.

"We have performed tests with today's most Windows desktop security products. [...] The results can be summarized in one sentence: If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100% of the tested products [see the list in the image to the left] were found vulnerable," matousec researchers write.

One interesting aspect of this attack is that it does not require special privileges on a system and can function even from a limited account. The only obstacle for attackers is that they need to bypass the primary levels of protection and execute malicious code on the system, something that, as we previously mentioned, is well within their capabilities.

"Realistic scenario: someone uses McAfee or another affected product to secure their desktops. A malware developer abuses this race condition to bypass the system call hooks, allowing the malware to install itself and remove McAfee. In that case, all of the 'protection' offered by the product is basically moot,"  H D Moore, chief architect of the world's number one penetration testing framework, Metasploit, commented for The Register, after reviewing matousec's research.

There is still a debate about the impact of this vulnerability, especially since the underlying problem has been known for years, yet no practical attack has been detected in the wild. On the other hand, it is also true that multi-core processors, which drastically increase the success rate of this attack, have since become widespread in desktop computers. Nevertheless, from information we received in confidence, some antivirus vendors were already planning to stop using SSDT hooks in the next version of their products, since before this research came out.
Researchers claim AV protection implemented through SSDT hooking is unreliable
2 photos
   Researchers claim AV protection implemented through SSDT hooking is unreliable

Photo Gallery (2 Images)

Gallery Image
01
Gallery Image
02
MORE ON THIS TOPIC
LATEST NEWS
HOT RIGHT NOW

4 Comments