New attack bypasses EVERY Windows security product, KHOBE and SSDT
QUOTE (Adrian Kingsley-Hughes)
The attack is a clever “bait-and-switch” style move. Harmless code is passed to the security software for scanning, but as soon as it’s given the green light, it’s swapped for the malicious code. The attack works even more reliably on multi-core systems because one thread doesn’t keep an eye on other threads that are running simultaneously, making the switch easier.
The attack, called KHOBE (Kernel HOok Bypassing Engine), leverages a Windows module called the System Service Descriptor Table, or SSDT, which is hooked up to the Windows kernel. Unfortunately, SSDT is utilized by antivirus software.
Oh, and don’t think that just because you are running as a standard user that you’re safe, you’re not. This attack doesn’t need admin rights.
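The "bait-and-switch" described in the quote is a check-then-use race on memory the caller still controls. The following is an added example, not code from the quoted article or from any security product: a deterministic user-space model in which the second thread is simulated by rewriting the buffer after its first read. All names (user_arg, fetch, the two hooks) and both path strings are constructed for illustration, and capturing the argument once into private memory is the standard defense against this class of race, not something the quoted text states.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: a caller-owned argument buffer that another thread may
   rewrite. swap_after simulates that thread firing after the Nth read (0 = never). */
struct user_arg { char path[32]; int reads; int swap_after; const char *swap_to; };

/* Every read of caller memory goes through here, like a kernel-side fetch. */
static void fetch(struct user_arg *u, char *dst, size_t n) {
    snprintf(dst, n, "%s", u->path);
    if (++u->reads == u->swap_after)        /* the "other thread" runs now */
        snprintf(u->path, sizeof u->path, "%s", u->swap_to);
}

static int policy_allows(const char *p) { return strncmp(p, "C:\\Temp\\", 8) == 0; }

/* The original system service: fetches its own argument and acts on it. */
static void service(struct user_arg *u, char *acted, size_t n) { fetch(u, acted, n); }

/* Hook A: validates the caller's buffer, then forwards the same buffer.
   The service fetches again, so the value checked is not the value used. */
static int hook_check_in_place(struct user_arg *u, char *acted, size_t n) {
    char seen[32];
    fetch(u, seen, sizeof seen);
    if (!policy_allows(seen)) return -1;
    service(u, acted, n);
    return 0;
}

/* Hook B: captures once into private memory, validates the copy, and hands
   the service that private copy, which the caller cannot reach. */
static int hook_capture_once(struct user_arg *u, char *acted, size_t n) {
    struct user_arg priv = {0};
    fetch(u, priv.path, sizeof priv.path);
    if (!policy_allows(priv.path)) return -1;
    service(&priv, acted, n);
    return 0;
}

/* Returns 1 if the path the service acted on still satisfies the policy. */
static int acted_on_allowed_path(int (*hook)(struct user_arg *, char *, size_t)) {
    struct user_arg u = { "C:\\Temp\\report.txt", 0, 1, "C:\\Protected\\config.dat" };
    char acted[32] = "";
    if (hook(&u, acted, sizeof acted) != 0) return 1;   /* blocked call is safe */
    return policy_allows(acted);
}

int main(void) {
    printf("check in place: %d\n", acted_on_allowed_path(hook_check_in_place));
    printf("capture once:   %d\n", acted_on_allowed_path(hook_capture_once));
    return 0;
}
```

Hook A approves the first value and the service then acts on the rewritten one; hook B's decision and the service's input are the same bytes, so the rewrite has no effect.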