Khobe "vulnerability" – no earth shaker

Filed Under: Malware, Vulnerability

The security panic of the week is the widely-reported story of a "vulnerability" called Khobe. One news headline goes so far as to announce that this "new attack bypasses virtually all AV protection".

I disagree.

The sample "attack", which claims to be an 8.0 earthquake for desktop security software, describes a way in which the tamper protection implemented by some anti-malware products might potentially be bypassed. Assuming you can get your malicious code past the anti-malware product in the first place, of course.

The attack needs a multiprocessor CPU, a security product which is using SSDT hooks (to the old-timers, these are analagous to directly changing the Interrupt Vector Table under DOS), and a bit of luck. It also requires that you evade detection by the security product in the first place in order to launch your Khobe code.

For what it's worth, only the optional Host Intrusion Prevention System component (HIPS) in Sophos's anti-malware software uses SSDT hooks. This is the behavioural part of our software, used for monitoring processes which we have already allowed to run. And HIPS doesn't even use SSDT hooks on Windows versions after XP, because Vista and Windows 7 include Microsoft's Kernel Patch Protection, which precludes the use of SSDT hooking.

(Strictly speaking, Kernel Patch Protection was introduced in Vista Service Pack 1. If you are running Vista without SP1, you have plenty of security problems ahead of Khobe in the queue!)

Sophos's HIPS is designed to provide an additional level of proactive protection against unknown malicious code. It can help to identify malware which wasn't detected early enough to block it altogether.

So the Khobe "attack" boils down to this: if you can write malware which already gets past Sophos's on-access virus blocker, and past Sophos's HIPS, then you may be able to use the Khobe code to bypass Sophos's HIPS – which, of course, you just bypassed anyway. Oh, and only if you are using Windows XP.

In short: Sophos's on-access anti-virus scanner doesn't use SSDT hooks, so it's fair for us to say that this isn't a vulnerabilty for us at all. But what about other anti-virus software? Though I'm not usually an apologist for our competitors, I feel compelled to speak out in this case.

The fuss about Khobe is in my opinion unwarranted, and the claims that it "bypasses virtually all anti-virus software" is scaremongering.

A fairer assessment would be that Khobe amounts to little more that saying that malware which can already bypass anti-virus software may be able to bypass it again. But that isn't as exciting a headline as "8.0 earthquake for Windows desktop security software" or "New attack bypasses virtually all AV protection."

Don't Panic image from wallpaper by ~juggernautical.

, , , , , ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog