“Researchers say they’ve devised a way to bypass protections built into dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.
The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it’s executed, swaps it out with a malicious payload.”
Here is some more Tech News from around the web:
- Microsoft’s Free, Online Version of Office To Premiere This Week @ Slashdot
- 7Gbps Wi-Fi Networking Kit Could Launch In 2010 @ Slashdot
- Sony Bloggie MHS-CM5 Review @ TechReviewSource
- Mac OS X 10.6.3 vs. Windows 7 vs. Ubuntu 10.04 Benchmarks @ Phoronix
- TRENDnet TEW-648UB and TEW-649UB USB Wireless LAN Adapters @ Madshrimps
- NextBase 3-in-1: TV in the Car @ InsideHW
- Levelone N_Max 300mbps Wireless Router and USB Dongle Review @ OverclockersHQ
- The TR Podcast 64: Pots and kettles, Moorestown, and AMD strikes back
- Win an ASUS Maximus III Extreme with OC3D
- Win a 5870XT, a 5770, a 5750 and a plethora of games on KitGuru.net
Happy Monday, your anti-virus program just got p0wned
Source: The Register
The good news is that to use this exploit your PC already has to be compromised pretty badly. The attacker must already have the ability to run binaries on your system, since a significant amount of code needs to be loaded to run this particular exploit. Unfortunately, once they do have that control, they can slip past your anti-virus entirely, even if you are running without administrative privileges. Consider it the second part of a two-step attack, with the first step coming through an ActiveX, Acrobat, or similar drive-by exploit. The attack goes straight for the hooks the anti-virus products install in the System Service Descriptor Table, a tried-and-true target for rooting PCs running Windows: the hook inspects the arguments a program hands to a system call and approves them, but the program can still change those arguments in the window between that check and the call actually executing, so the anti-virus signs off on one thing and the kernel does another. You can get some more technical info by following the link from The Register.
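The race described in the quoted summary and in the commentary above, as an added illustration that is not code from The Register, matousec.com, or any of the anti-virus vendors named. It is a user-space model: the "hook", the "real service", the "policy", and the file names are all hypothetical, and the scheduler preemption the real attack wins from a second thread is replaced by an explicit callback so the outcome is repeatable. The vulnerable hook validates the caller's pointer and then passes that same pointer on; the hardened variant copies the argument into memory the caller cannot reach before checking it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not matousec's or any vendor's code. Every name here
 * is hypothetical; the callback below stands in for real preemption. */

#define ARG_MAX_LEN 64

/* What the hooked service actually did: the last target it was given. */
static char last_executed[ARG_MAX_LEN];

/* Stand-in for the real system service behind the hook (think of the
 * routine that loads a driver or creates a file). It only records its
 * argument so we can see what slipped through. */
static void real_service(const char *target)
{
    strncpy(last_executed, target, ARG_MAX_LEN - 1);
    last_executed[ARG_MAX_LEN - 1] = '\0';
}

/* The anti-virus policy: anything whose name contains "evil" is refused. */
static bool policy_allows(const char *target)
{
    return strstr(target, "evil") == NULL;
}

/* Models the moment the CPU leaves the hook between its check and the call
 * into the real service. In the real attack this is ordinary preemption,
 * raced by a second thread that keeps retrying; here it is an explicit
 * callback so the result is deterministic. */
typedef void (*preempt_fn)(void *ctx);

/* Vulnerable hook: validates the caller's pointer, then passes the SAME
 * pointer on, so whatever the caller writes in the window is what runs. */
static int vulnerable_hook(const char *user_arg, preempt_fn preempt, void *ctx)
{
    if (!policy_allows(user_arg))      /* time of check */
        return -1;
    if (preempt)
        preempt(ctx);                  /* the window */
    real_service(user_arg);            /* time of use */
    return 0;
}

/* Hardened hook: capture the argument into memory the caller cannot reach,
 * validate the copy, and hand the copy (not the original) to the service. */
static int hardened_hook(const char *user_arg, preempt_fn preempt, void *ctx)
{
    char captured[ARG_MAX_LEN];
    strncpy(captured, user_arg, ARG_MAX_LEN - 1);
    captured[ARG_MAX_LEN - 1] = '\0';
    if (!policy_allows(captured))
        return -1;
    if (preempt)
        preempt(ctx);                  /* swapping the original no longer matters */
    real_service(captured);
    return 0;
}

/* The attacker's second thread: overwrite the shared argument buffer. */
static void attacker_swap(void *ctx)
{
    strcpy((char *)ctx, "evil.sys");
}

typedef int (*hook_fn)(const char *, preempt_fn, void *);

/* Submit a benign argument through the given hook while the attacker swaps
 * it mid-call. Returns what the service executed, or NULL if the hook
 * refused the call outright. */
const char *run_attack(hook_fn hook)
{
    static char shared_arg[ARG_MAX_LEN];   /* constructed input */
    strcpy(shared_arg, "benign.sys");
    last_executed[0] = '\0';
    if (hook(shared_arg, attacker_swap, shared_arg) != 0)
        return NULL;
    return last_executed;
}

int main(void)
{
    const char *r;
    r = run_attack(vulnerable_hook);
    printf("vulnerable hook: service ran %s\n", r ? r : "(blocked)");
    r = run_attack(hardened_hook);
    printf("hardened hook:   service ran %s\n", r ? r : "(blocked)");
    printf("direct evil.sys: vulnerable=%d hardened=%d\n",
           vulnerable_hook("evil.sys", NULL, NULL),
           hardened_hook("evil.sys", NULL, NULL));
    return 0;
}
```

With the vulnerable hook the service ends up running "evil.sys" even though the check only ever saw "benign.sys"; with the hardened hook the swap is harmless because the copy that was checked is the copy that is used. Both hooks still refuse "evil.sys" when it is passed directly, which is why the check looks fine in any test that does not race it.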