A forum for reverse engineering, OS internals and malware analysis 

 #1064  by EP_X0FF
 Wed May 12, 2010 4:06 am
I like this one from Sophos
For what it's worth, only the optional Host Intrusion Prevention System component (HIPS) in Sophos's anti-malware software uses SSDT hooks. This is the behavioural part of our software, used for monitoring processes which we have already allowed to run. And HIPS doesn't even use SSDT hooks on Windows versions after XP, because Vista and Windows 7 include Microsoft's Kernel Patch Protection, which precludes the use of SSDT hooking.
Brilliant statement. They forgot to say "on x64 Windows versions after XP". Without this correction the statement is dramatically laughable.
 #1073  by Evilcry
 Thu May 13, 2010 5:31 am
Funny they edited the article and increased the density of stupid things written :D
Our research is also quite innovative. For the first time the attack on Windows systems is presented not only for the pointer-typed arguments but also for input HANDLE-typed arguments, which has not been seen in previous works.
Wrong! HANDLE-typed arguments were already demonstrated at CCC 2007:

http://events.ccc.de/congress/2007/Fahr ... o-UID-Zero

Regards,
Evilcry
 #1076  by EP_X0FF
 Thu May 13, 2010 7:39 am
Note: the URL in the previous post is a PDF file without an extension :)

Matousec should stop lying and spawning BS. Obviously KHOBE is a typical bucks-sucking attempt, which has FAILED.
 #1089  by Alex
 Thu May 13, 2010 7:49 pm
I think that both Matousec and the media made something more of this vulnerability than it really is. In all honesty, it is impossible to protect users working on an Administrator account against all malware, especially new and unsignatured ones. This specific attack is only one of many ways to bypass security software if they are working on a privileged account. The gross fact is that security companies don't care about the quality and security of their code. They stress that the issue is nothing new, but if so, why didn't they fix it a few years ago? In all these statements they should explain how it is possible that they don't know how to write such code correctly, instead of assuring us that their products have more layers and only this one layer can be defeated if certain conditions are met.

- KHOBE - no problem (G Data)
- Ignore the nonsense: Anti-virus software is as good as ever

Alex