I was very interested to read an article on The Register yesterday and then try to wrap my brain around the associated research paper from matousec.com.
The research paper details a method by which the researchers claim to be able to bypass every anti-malware product they tested against, and the list of 34 products they tested is impressive, covering every major vendor.
The method described in the paper is an “argument switch” attack, which the researchers have dubbed KHOBE, an acronym for Kernel Hook Bypassing Engine. The paper details how, because of the way security software hooks into the Windows kernel, an anti-malware driver can be asked to check the arguments of a system call while they still sit in memory the calling process controls. The driver inspects an “innocent” argument and approves the call; a second thread then rewrites that memory, so the original kernel routine acts on malicious input the scanner never saw. This is the “argument switch”. The attack relies on the switch happening at exactly the right moment, after the “innocent” argument has been checked and before responsibility is handed to the operating system, which is what is known as a race condition (a time-of-check-to-time-of-use, or TOCTOU, race).
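To make the window concrete, here is a small user-mode model of the argument switch and of the generic defence against it. This is an added example for this post; it is not code from the matousec.com paper, and it does not describe how any product was patched. The path names, the scanner policy and the outcome codes are constructed for the illustration, and the attacker's second thread is modelled as a callback fired inside the check-to-use window so that the result is deterministic rather than depending on scheduler timing. The hardened hook captures one private copy of the argument, checks the copy and hands the copy on, so nothing the caller does after the capture changes what runs.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ARG_MAX 64

/* What the modelled system call ends up doing. */
enum outcome {
    OUTCOME_BLOCKED = 0,        /* the hook refused the call */
    OUTCOME_RAN_INNOCENT = 1,   /* the kernel ran the program the scanner saw */
    OUTCOME_RAN_MALICIOUS = 2   /* the kernel ran something the scanner never saw */
};

/* Constructed sample paths standing in for the two programs. */
static const char *const INNOCENT = "C:\\innocent.exe";
static const char *const MALICIOUS = "C:\\evil.exe";

/* The scanner's (constructed) policy: only the innocent program is approved. */
static bool scanner_allows(const char *path)
{
    return strcmp(path, INNOCENT) == 0;
}

/* The original kernel routine: runs whatever path it is finally handed. */
static enum outcome kernel_execute(const char *path)
{
    return strcmp(path, MALICIOUS) == 0 ? OUTCOME_RAN_MALICIOUS
                                        : OUTCOME_RAN_INNOCENT;
}

/* The attacker's second thread, modelled as a callback that fires inside the
 * check-to-use window. NULL means the attacker never wins the race. */
typedef void (*racer_fn)(char *user_arg);

static void switch_argument(char *user_arg)
{
    /* Overwrite the already-scanned argument in place, in the caller's memory. */
    snprintf(user_arg, ARG_MAX, "%s", MALICIOUS);
}

/* Vulnerable hook: validates the argument where it lives (caller-controlled
 * memory) and then forwards that same pointer to the kernel routine. */
enum outcome hook_vulnerable(char *user_arg, racer_fn racer)
{
    if (!scanner_allows(user_arg))      /* time of check */
        return OUTCOME_BLOCKED;
    if (racer)
        racer(user_arg);                /* the window the race exploits */
    return kernel_execute(user_arg);    /* time of use: re-reads caller memory */
}

/* Hardened hook: captures one private copy first, then checks and forwards
 * the copy. The caller's memory is read exactly once. */
enum outcome hook_hardened(char *user_arg, racer_fn racer)
{
    char captured[ARG_MAX];
    snprintf(captured, sizeof captured, "%s", user_arg);
    if (!scanner_allows(captured))
        return OUTCOME_BLOCKED;
    if (racer)
        racer(user_arg);                /* same window, now harmless */
    return kernel_execute(captured);
}

/* Each scenario starts from a fresh caller-controlled argument buffer. */
static enum outcome run(enum outcome (*hook)(char *, racer_fn),
                        const char *initial, racer_fn racer)
{
    char user_arg[ARG_MAX];
    snprintf(user_arg, sizeof user_arg, "%s", initial);
    return hook(user_arg, racer);
}

enum outcome demo_vulnerable_raced(void)   { return run(hook_vulnerable, INNOCENT, switch_argument); }
enum outcome demo_vulnerable_unraced(void) { return run(hook_vulnerable, INNOCENT, NULL); }
enum outcome demo_hardened_raced(void)     { return run(hook_hardened, INNOCENT, switch_argument); }
enum outcome demo_direct_attempt(void)     { return run(hook_hardened, MALICIOUS, NULL); }

int main(void)
{
    printf("vulnerable hook, race won : %d (2 = malicious ran)\n", demo_vulnerable_raced());
    printf("vulnerable hook, no race  : %d (1 = innocent ran)\n", demo_vulnerable_unraced());
    printf("hardened hook, race won   : %d (1 = innocent ran)\n", demo_hardened_raced());
    printf("hardened hook, direct     : %d (0 = blocked)\n", demo_direct_attempt());
    return 0;
}
```

The point the model makes is that the scan itself is never wrong: the scanner correctly approves the innocent path every time. What breaks is the assumption that the thing checked and the thing executed are the same object, and that assumption only holds when the check and the use read from memory the attacker cannot touch in between. In a real kernel hook the copy has to be the one that is actually passed down to the original routine, which is why the fix is more involved than the model suggests; the model shows the shape of the defence, not a vendor's implementation.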
The research is certainly interesting, and I am sure it will be very widely referenced in the anti-malware industry as vendors re-engineer to overcome the issue. For me, however, it sheds more light on a wider and perhaps more concerning issue: in the standard endpoint security architecture, protection engines run in the same context as the malware they are trying to protect against, and so are exposed to whatever that malware can do to the machine they share.
If the title and content of the matousec.com research article “Earthquake for Windows desktop security software” have you worried, then it is worth noting that this problem of context is not something Trend Micro has been ignoring. In fact, we have been developing different technologies to overcome just this issue.
One important outcome of this is the work Trend Micro has been doing with VMware, which will allow us to offer agentless anti-malware to virtual machines: protection that operates in an entirely different context from the malware itself, and which an in-guest attack such as the one described by matousec.com has no way to reach. Another response to the same issue, this time in the non-virtualised world, is Threat Management Services, in which all detection operates out-of-band and pattern-free cleanup happens at the endpoint.
So while matousec.com’s research is absolutely important and significant in the short term, longer-term solutions need to move effective protection off the box wherever that is possible. After all, the drunk guy is always going to tell you he’s OK.