New attack bypasses virtually all AV protection

Bait, switch, exploit!

By Dan Goodin in San Francisco

Posted in Security, 7th May 2010 18:17 GMT

Researchers say they've devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.

The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it's executed, swaps it out with a malicious payload.

The exploit has to be timed just right so the benign code isn't switched too soon or too late. But for systems running on multicore processors, matousec's "argument-switch" attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked.

...


Monty Solomon
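The check-then-swap window the quoted article describes, as an added example that is not part of the original post or the researchers' code: a single-threaded C model of a hook that validates a caller-owned argument in place, beside one that copies the argument once and then checks and forwards only the copy. The capture-first remedy is the standard fix for this class of race and is not taken from the article; all function names and the `benign.dll` / `blocked.dll` values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ARG_LEN 64
static char acted_on[ARG_LEN];            /* what the service really received */

/* Constructed policy: only this one argument value is approved. */
static int policy_allows(const char *arg) { return strcmp(arg, "benign.dll") == 0; }

/* Stand-in for the original system service the hook forwards to. */
static void real_service(const char *arg) { snprintf(acted_on, ARG_LEN, "%s", arg); }

/* Models another thread rewriting the caller-owned buffer mid-call. */
static void concurrent_writer(char *caller_buf) { strcpy(caller_buf, "blocked.dll"); }

/* Weak: checks the caller's buffer, then forwards that same buffer (two fetches). */
static int hook_check_in_place(char *caller_buf) {
    if (!policy_allows(caller_buf)) return 0;
    concurrent_writer(caller_buf);        /* race window: after check, before use */
    real_service(caller_buf);
    return 1;
}

/* Hardened: one fetch into hook-owned memory; check and forward only the copy. */
static int hook_capture_then_check(char *caller_buf) {
    char captured[ARG_LEN];
    snprintf(captured, sizeof captured, "%s", caller_buf);
    if (!policy_allows(captured)) return 0;
    concurrent_writer(caller_buf);        /* same write, but the copy is unaffected */
    real_service(captured);
    return 1;
}

/* Returns 1 if the service acted on a value the policy never approved. */
static int unapproved_reached_service(int hardened) {
    char caller_buf[ARG_LEN] = "benign.dll";
    acted_on[0] = '\0';
    if (hardened) hook_capture_then_check(caller_buf);
    else hook_check_in_place(caller_buf);
    return !policy_allows(acted_on);
}

int main(void) {
    printf("check in place: %d\n", unapproved_reached_service(0));
    printf("capture first:  %d\n", unapproved_reached_service(1));
    return 0;
}
```

The model makes the interleaving deterministic; on real hardware the same write comes from a second thread, which is why the article notes the timing is more reliable on multicore systems.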

So does this mean the older single core machines will be all the rage again?

T

or run as a non admin account?

or turn off all but 1 core + hyperthreading in the BIOS?

or can you "lock" a virtual machine to a single processor and avoid the risk that way?

Stephen
