Science & Technology
Proof of Concept Exploit Bypasses AV Programs
2010-05-09
This "virus" has not yet been released into the wild and it appears it is based on a very old general vulnerability.

The difference is that this new exploit uses a multiprocessor scheduler to switch good software with malware between running threads. IIUC, virus programs do not check for these kinds of swaps in pageable memory before allowing code to execute. The kernel does, but then it does it to regulate which memory space gets written to and it does not distinguish between the two types of software.

So what are we end-users to do about it?
Researchers say they've devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.

The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it's executed, swaps it out with a malicious payload.
Posted by: badanov
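The "pass a benign sample to the check, then swap it before use" sequence in the quoted article is a check-then-act race. The model below is an added illustration, not code from the article, from matousec.com, or from any of the anti-virus products named; every name in it (Request, scan, vulnerable_hook, hardened_hook, run_race) is invented for the example, and the "scheduler" is just a callback invoked in the window between the check and the use so that the interleaving is deterministic. The hardened variant shows the usual mitigation: copy the argument somewhere the caller cannot reach, validate the copy, and act only on the copy.

```python
"""Model of a hook that validates a caller-owned buffer and then acts on it.

Added example, not from the article.  The 'dispatch' step only returns the
bytes it would have acted on; nothing is executed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed sample inputs.  The scanner's only rule is "no EVIL-MARKER".
BENIGN = b"benign-request"
MALICIOUS = b"EVIL-MARKER payload"


def scan(data: bytes) -> bool:
    """Return True when the scanner considers the data safe (toy rule)."""
    return b"EVIL-MARKER" not in data


@dataclass
class Request:
    """The hook's argument: a buffer the caller still owns and can rewrite
    from another thread while the hook is running."""
    buf: bytearray


@dataclass
class Trace:
    events: List[str] = field(default_factory=list)


Interleave = Optional[Callable[[], None]]


def vulnerable_hook(req: Request, other_thread: Interleave, trace: Trace) -> Optional[bytes]:
    """Check the shared buffer, then re-read that same buffer to act on it.
    `other_thread` stands in for the scheduler giving the caller a turn
    between the two steps."""
    if not scan(bytes(req.buf)):
        trace.events.append("blocked")
        return None
    trace.events.append("check passed")
    if other_thread:
        other_thread()  # the caller's second thread runs here
    executed = bytes(req.buf)  # whatever the buffer holds *now* is used
    trace.events.append(f"dispatched {executed!r}")
    return executed


def hardened_hook(req: Request, other_thread: Interleave, trace: Trace) -> Optional[bytes]:
    """Capture-then-validate: snapshot the argument into memory the caller
    cannot modify, validate the snapshot, and act only on the snapshot."""
    private_copy = bytes(req.buf)  # taken before the check, never re-read
    if not scan(private_copy):
        trace.events.append("blocked")
        return None
    trace.events.append("check passed")
    if other_thread:
        other_thread()  # the swap still happens, but it no longer matters
    trace.events.append(f"dispatched {private_copy!r}")
    return private_copy


def run_direct(hook, data: bytes):
    """No race: a single caller submits `data` and nothing interleaves."""
    trace = Trace()
    return hook(Request(bytearray(data)), None, trace), trace.events


def run_race(hook):
    """Caller submits a benign buffer and overwrites it in the window."""
    req = Request(bytearray(BENIGN))
    trace = Trace()

    def swap():
        req.buf[:] = MALICIOUS
        trace.events.append("caller swapped buffer")

    return hook(req, swap, trace), trace.events


if __name__ == "__main__":
    for name, hook in (("vulnerable", vulnerable_hook), ("hardened", hardened_hook)):
        print(name, "direct malicious ->", run_direct(hook, MALICIOUS))
        print(name, "raced          ->", run_race(hook))
```

Both hooks block a malicious buffer that is submitted directly; only the hardened one still dispatches the benign bytes when the caller rewrites the buffer after the check. In a real hook the copy is only a fix if it is also what gets passed onward to the original handler, since re-reading the caller's memory at any later point reopens the window.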

#6  All that stuff is easy for y'all who know stuff about computers.

For the rest of us.... :-(
Posted by: Barbara Skolaut   2010-05-09 17:41  

#5  I use a Mac :-)

Though I'm thinking of firing up Ubuntu inside VirtualBox inside the Mac, and then using Firefox from inside that. Kill it when I'm done, as you say.
Posted by: Steve White   2010-05-09 15:26  

#4  eYep.
A VM allowed no physical resources.
Start it up, start the browser.
Shut down the browser, destroy the VM.
Posted by: Skidmark   2010-05-09 13:30  

#3  Vista on a 64 bit VM, running on my Linux workstation. I have no worries at all, I simply restore the last saved VM session and any damage is gone. Even then, I use Firefox with NoScript & Ghostery (2 must-haves for security) and MSLive for AV+malware blocking.

If you want to be safe, simple: run Firefox with the 2 addons I mentioned (plus AdBlockPlus), keep the OS up to date with patches from MS, and use MSLive AV+firewall (free and works well enough - scan & update the AV daily, deep scan weekly via automated scheduler), and don't run binaries or click on links given by someone you don't personally know, and scan EVERYTHING.

IF you aren't stupid, it's not easy to be compromised.
Posted by: OldSpook   2010-05-09 11:36  

#2  So what are we end-users to do about it?

Short answer: Nothing.

Long answer:

It's just a concept right now, and as it was demonstrated, the malware is a one-two punch. The concept as it is now requires the machine to already be vulnerable to malware in order to use this method.
Posted by: badanov   2010-05-09 11:08  

#1  Just tie the AV software to a single processor.

BTW. I don't run ANY AV software.

1/ I use Firefox.
2/ I use a hardware firewall.
3/ I use adblock.

Nasties count = 0.
Posted by: Bright Pebbles   2010-05-09 07:40  
