
New attack bypasses virtually all AV protection

"A user without administrative rights could also use the attack to kill an installed and running AV, even though only admin accounts should be able to do this," Charlie Miller, principal security analyst at Independent Security Evaluators, said.

Sounds like a load of BS to me. Non-admin accounts, being able to modify SSDTs and take down installed AVs? If that's possible, it's a serious flaw in the OS kernel, etc.
 
Windows, right?

Not strictly a Windows problem, but an anti-virus software one.

The attack is fairly simple:

Under normal conditions it works like this:
1. Anti-virus software intercepts OS system functions from application software (e.g. start program 'Virus.exe')
2. AV software scans the request (e.g. scans the file)
3. If request is malicious, the AV software fakes an OS error (e.g. Access denied)
4. If the request is legit, the request is passed onto the OS for normal processing.

The attack works like this:
1. Malicious software sends a benign request (e.g. start program 'hello world.exe')
2. AV software scans the request
2b. Simultaneously, a 2nd thread in the malicious program (running on another CPU core) changes the reference to 'hello world.exe' to 'virus.exe'
3. AV software finishes scanning 'hello world.exe' and it passes. It then takes the request (which now contains 'virus.exe') and sends it to the OS for normal processing.
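The two sequences above are a check-then-use race on an argument the hook reads from memory the caller still controls. The following Python simulation is an added illustration, not code from this thread or from any AV product: a fake "hook" and "scanner" run in one thread while a second thread swaps the path, with `threading.Event` forcing the exact interleaving the post describes so the outcome is repeatable. `Request`, `MALICIOUS`, `hook_double_fetch`, `hook_snapshot` and `race` are all constructed names; the hardened variant shows the standard fix, which is to copy the argument once into storage the caller cannot reach and use that same copy for both the scan and the forwarded call.

```python
import threading
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed stand-in for the user-mode argument block a hooked system
# call reads (the "request" in the post). It is shared with the caller and
# mutable, which is the root of the problem.
@dataclass
class Request:
    path: str

MALICIOUS = {"virus.exe"}  # constructed blocklist for the fake scanner

Scanner = Callable[[str], bool]


def hook_double_fetch(req: Request, scan: Scanner) -> Optional[str]:
    """Vulnerable hook: fetches req.path for the check, then fetches it
    again when forwarding. Anything that changes req.path in between
    is forwarded without having been scanned."""
    if not scan(req.path):            # fetch #1: what gets scanned
        return None                   # fake "access denied"
    return req.path                   # fetch #2: what the OS receives


def hook_snapshot(req: Request, scan: Scanner) -> Optional[str]:
    """Hardened hook: copy the argument once into hook-private storage and
    use that same copy for both the check and the forwarded call."""
    path = req.path                   # single fetch
    if not scan(path):
        return None
    return path


def race(hook, benign: str = "hello world.exe", evil: str = "virus.exe") -> dict:
    """Drive one hook through the two-thread scenario from the post.
    Events make the interleaving deterministic: the second thread swaps the
    path only after the scanner has read its input, and the scanner does not
    finish until the swap has happened."""
    req = Request(path=benign)
    scan_started = threading.Event()
    path_swapped = threading.Event()
    scanned: List[str] = []

    def scan(path: str) -> bool:
        scanned.append(path)          # record what the scanner actually saw
        scan_started.set()            # scanner has taken its input
        path_swapped.wait(timeout=2)  # stand-in for scan latency (the window)
        return path not in MALICIOUS

    def swapper() -> None:
        scan_started.wait(timeout=2)
        req.path = evil               # thread 2: change the reference mid-scan
        path_swapped.set()

    t = threading.Thread(target=swapper)
    t.start()
    forwarded = hook(req, scan)
    t.join()
    return {"scanned": scanned[0], "forwarded": forwarded}


if __name__ == "__main__":
    print("double fetch:", race(hook_double_fetch))
    # -> {'scanned': 'hello world.exe', 'forwarded': 'virus.exe'}
    print("snapshot:    ", race(hook_snapshot))
    # -> {'scanned': 'hello world.exe', 'forwarded': 'hello world.exe'}
```

Run it and the double-fetch hook reports that it scanned 'hello world.exe' but forwarded 'virus.exe', which is exactly step 3 of the attack; the snapshot hook scans and forwards the same string, so the swap in the other thread has no effect. The design point is that the check and the use must operate on one private copy; rescanning or re-validating the shared buffer does not help, because the caller can change it again at any time.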
 