Software security researchers at matousec.com have developed a method that bypasses protections built into many of the most popular anti-virus products, including McAfee, Trend Micro, AVG, and BitDefender.

The attack, called KHOBE (Kernel HOok Bypassing Engine), works in a “bait-and-switch” style: a file containing harmless code is submitted and passes the security product’s check, and as soon as the check has passed the code is swapped for malicious code. The attack works more reliably on multi-core systems, because there one thread does not monitor the other threads running at the same time, which makes the swap easier. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that would normally be blocked.
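To make the race concrete, here is an added illustration in C (not matousec.com’s code, and all names are made up for the illustration) of the double-fetch pattern such a hook bypass relies on, next to the capture-then-check form that closes the window; the racing thread is modelled by a callback fired between the hook’s check and the real service routine’s use of the argument.

```c
/* Double-fetch model of the hook-bypass race and its fix.
 * The "second thread" is modelled by a callback fired in the window
 * between the hook's check and the real service routine's use. */
#include <stdbool.h>
#include <stdio.h>

enum op { OP_HARMLESS = 0, OP_BLOCKED = 1 };

/* Stand-in for the security product's policy decision. */
static bool policy_allows(int op) { return op == OP_HARMLESS; }

/* Stand-in for the original kernel service routine: it re-reads the
 * caller-supplied parameter through the same pointer the hook saw. */
static int real_service(const int *user_arg) { return *user_arg; }

typedef void (*window_fn)(int *user_arg);

/* Vulnerable hook: validates through the caller's pointer, then lets the
 * real service fetch the argument a second time. Returns the op actually
 * executed, or -1 if the hook rejected the call. */
static int hooked_call_vulnerable(int *user_arg, window_fn other_thread) {
    if (!policy_allows(*user_arg))            /* fetch #1: bait passes */
        return -1;
    if (other_thread) other_thread(user_arg); /* race window */
    return real_service(user_arg);            /* fetch #2: whatever is there now */
}

/* Hardened hook: capture the argument once into hook-owned storage, validate
 * the copy, and hand only the copy to the service routine. */
static int hooked_call_hardened(int *user_arg, window_fn other_thread) {
    int captured = *user_arg;                 /* single fetch */
    if (!policy_allows(captured))
        return -1;
    if (other_thread) other_thread(user_arg); /* swap no longer matters */
    return real_service(&captured);
}

/* What the racing thread does in the window: swap bait for the real request. */
static void swap_to_blocked(int *user_arg) { *user_arg = OP_BLOCKED; }

/* Run one hook with the swap racing it, starting from a harmless argument. */
static int run_with_race(int (*hook)(int *, window_fn)) {
    int arg = OP_HARMLESS;
    return hook(&arg, swap_to_blocked);
}

int main(void) {
    printf("vulnerable hook executed op %d\n", run_with_race(hooked_call_vulnerable));
    printf("hardened hook executed op %d\n", run_with_race(hooked_call_hardened));
    return 0;
}
```

The vulnerable hook ends up executing OP_BLOCKED even though it approved OP_HARMLESS; the hardened hook executes exactly what it checked.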

“We have performed tests with [most of] today’s Windows desktop security products,” the researchers wrote. “The results can be summarized in one sentence: If a product uses SSDT hooks or other kinds of kernel-mode hooks on a similar level to implement security features, it is vulnerable. In other words, 100% of the tested products were found vulnerable.”

List of antivirus solutions tested by matousec.com and found vulnerable:

  • 3D EQSecure Professional Edition 4.2
  • avast! Internet Security 5.0.462
  • AVG Internet Security 9.0.791
  • Avira Premium Security Suite 10.0.0.536
  • BitDefender Total Security 2010 13.0.20.347
  • Blink Professional 4.6.1
  • CA Internet Security Suite Plus 2010 6.0.0.272
  • Comodo Internet Security Free 4.0.138377.779
  • DefenseWall Personal Firewall 3.00
  • Dr.Web Security Space Pro 6.0.0.03100
  • ESET Smart Security 4.2.35.3
  • F-Secure Internet Security 2010 10.00 build 246
  • G DATA TotalCare 2010
  • Kaspersky Internet Security 2010 9.0.0.736
  • KingSoft Personal Firewall 9 Plus 2009.05.07.70
  • Malware Defender 2.6.0
  • McAfee Total Protection 2010 10.0.580
  • Norman Security Suite PRO 8.0
  • Norton Internet Security 2010 17.5.0.127
  • Online Armor Premium 4.0.0.35
  • Online Solutions Security Suite 1.5.14905.0
  • Outpost Security Suite Pro 6.7.3.3063.452.0726
  • Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION
  • Panda Internet Security 2010 15.01.00
  • PC Tools Firewall Plus 6.0.0.88
  • PrivateFirewall 7.0.20.37
  • Security Shield 2010 13.0.16.313
  • Sophos Endpoint Security and Control 9.0.5
  • ThreatFire 4.7.0.17
  • Trend Micro Internet Security Pro 2010 17.50.1647.0000
  • Vba32 Personal 3.12.12.4
  • VIPRE Antivirus Premium 4.0.3272
  • VirusBuster Internet Security Suite 3.2
  • Webroot Internet Security Essentials 6.1.0.145
  • ZoneAlarm Extreme Security 9.1.507.000
  • probably other versions of above mentioned software
  • possibly many other software products that use kernel hooks to implement security features

KHOBE can be run from a standard user account or another account with limited access, since the attack does not require administrator access to the system. However, it requires a large amount of code to be loaded onto the targeted system, which makes it impractical for shellcode-based attacks that rely on speed and stealth. It can also only be used once an attacker already has the ability to run a binary on the system. The technique might be combined with an exploit of another piece of software, such as a vulnerable version of Adobe Reader or Oracle’s Java Virtual Machine, to install malware without raising the suspicion of whatever anti-virus software the victim is using.