KHOBE: Say hello to my little friend(*)

Guess what? Your personal firewall/IDS/anti-virus/(insert next month’s buzzword here) isn’t going to save you from an attacker successfully executing code remotely on your machine:

So no, it’s not the doomsday weapon, but definitely worthy of the Scarface quote in the title.
This isn’t surprising: researchers find ways to bypass security defenses almost as soon as those defenses are implemented (remember the non-executable stack?). Eliminating vulnerabilities in the first place is the way to go, guys, not trying to block attacks and hoping your ‘shields’ hold up.

(*) If you’re reading this out loud, you need to do so in a thick Cuban accent.

  • alex eckelberry

    The exploit requires malware to get on your machine and execute first. This is not some exploit that you can get by visiting some website. In this context, how is it theoretically different from the many current methods that malware uses to disable antivirus products?

    Also, SSDT hooking is not needed in newer OSs like Vista and Windows 7, only on older OSs like Windows XP. Some antivirus products may still use SSDT, but they don’t need to.

    Matousec grossly exaggerates: “We have performed tests with [most of] today’s Windows desktop security products…The results can be summarized in one sentence: If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100% of the tested products were found vulnerable.”

    So basically he installed the products and checked to see if they hooked SSDT, really did not care why the product hooked SSDT, and then called them vulnerable. In his own write-up he says only some parameters can be swapped out for new stuff (pointers to data, some handles), not all parameters.

    Yes the technique is a viable attack but that does not mean all security products that hook SSDT or other kernel objects are vulnerable. It heavily depends on how the hooks are being used by the security software, how the software blocks bad stuff, and which parameters of the hook functions the software cares about.
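    The parameter-swapping race alex describes, and the defensive pattern that closes it, as an added illustration (constructed example, not code from the post, its comments, or any of the tested products). It simulates a hook that inspects a path argument living in caller-controlled memory before the real operation runs; the race window is modeled by an explicit callback so the result is deterministic, and the blocked-directory policy and paths are made up.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_SIM 64
/* Constructed policy: refuse anything under this directory. */
static const char BLOCKED_PREFIX[] = "C:\\protected\\";

static bool policy_allows(const char *path) {
    return strncmp(path, BLOCKED_PREFIX, sizeof BLOCKED_PREFIX - 1) != 0;
}

/* The "real" operation. Returns true if it acted on a protected path,
 * i.e. if a path the policy forbids got past the hook. */
static bool real_call_touched_protected(const char *path) {
    return !policy_allows(path);
}

/* Vulnerable hook: checks the argument, then passes the ORIGINAL pointer
 * through. Whatever *arg_slot holds after the window (e.g. after another
 * thread rewrote it) is used by the real call without ever being checked. */
bool hooked_call_vulnerable(const char **arg_slot, void (*window)(const char **)) {
    if (!policy_allows(*arg_slot))
        return false;              /* blocked at check time */
    if (window) window(arg_slot);  /* time passes between check and use */
    return real_call_touched_protected(*arg_slot);
}

/* Hardened hook: capture the argument into memory the caller cannot reach,
 * then both the check and the use operate on the captured copy. */
bool hooked_call_hardened(const char **arg_slot, void (*window)(const char **)) {
    char captured[PATH_MAX_SIM];
    strncpy(captured, *arg_slot, sizeof captured - 1);
    captured[sizeof captured - 1] = '\0';
    if (!policy_allows(captured))
        return false;
    if (window) window(arg_slot);  /* rewriting *arg_slot no longer matters */
    return real_call_touched_protected(captured);
}

/* Models a second thread rewriting the argument during the window. */
void swap_argument(const char **arg_slot) { *arg_slot = "C:\\protected\\cfg.dat"; }

int main(void) {
    const char *arg = "C:\\temp\\harmless.txt";
    printf("vulnerable hook bypassed: %d\n", hooked_call_vulnerable(&arg, swap_argument));
    arg = "C:\\temp\\harmless.txt";
    printf("hardened hook bypassed:   %d\n", hooked_call_hardened(&arg, swap_argument));
    return 0;
}
```

    The same check-then-use split exists for any argument a hook reads through a pointer, which is why the comment above distinguishes hooks by which parameters they actually inspect.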

  • sidereal

    isn’t going to save you from an attacker successfully executing code remotely on your machine if you’re running XP

    Sheesh with the chicken littling.

  • Aviram
    You’re right in all your points, but I don’t think you should be dismissing it that easily.
    This is a way to execute malicious code in a way that many (most?) security products have missed. That’s a big deal. It’s an attack vector we haven’t considered before.

    Sure, it won’t always work, but that’s what they said about heap overflow. And especially when it comes to attacking desktops, you just need it to work often enough, and the huge number of potential targets makes the attack worthwhile.