Khobe. Is the sky falling?
The sky isn’t falling, but the big antivirus firms aren’t being honest either.
I have already written about the Khobe 8.0 research, whose headlines have hit almost every security-related website and blog: “New malware can bypass all AVs”.
I just came across Graham Cluley‘s post on Dark Reading and Paul Ducklin’s post on the Sophos blog. Both posts are about Khobe, which, according to them, is just hype.
Graham works for Sophos and so cannot be an independent voice; however, Paul makes it clear that Sophos is barely exposed to this threat. Kudos to Sophos.
According to Paul:
The attack needs a multiprocessor CPU, a security product which is using SSDT hooks (to the old-timers, these are analogous to directly changing the Interrupt Vector Table under DOS), and a bit of luck
Honestly, that doesn’t seem much of a justification for dismissing Khobe as unjustified hype:
- Laptop and desktop PCs have shipped with two or more cores for at least three years
- Security products that hook the SSDT are very common (Sophos HIPS does not hook the SSDT, the approach Microsoft’s Kernel Patch Protection enforces on 64-bit Windows anyway, so it is not affected)
- Have you ever written a risk assessment report that lists “luck” as a mitigating factor?
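The “luck” in that list deserves to be made concrete. What Matousec published is a race: a hook installed in the SSDT reads a system call’s arguments from the calling process’s memory and validates them, then the original handler reads them from that same memory again, and a second thread in the calling process rewrites the argument in between. The attacker only has to win once and can retry as often as it likes, which is why a second core turns “luck” into a loop. The user-mode C simulation below is an added example written for this post, not code from Matousec, Sophos or any security product; the two Windows paths, the “drivers” policy and the function names are constructed for the illustration, and a real hook runs in kernel mode rather than as a function call. It contrasts a hook that re-reads the argument with one that captures it once before validating, and reports on which attempt the first bypass happened.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for two paths a program might hand to a hooked
 * file-open syscall: one the security product allows, one it blocks. */
static const char *const BENIGN = "C:\\Users\\demo\\notes.txt";
static const char *const EVIL   = "C:\\Windows\\System32\\drivers\\evil.sys";

/* The "user-mode" argument block. In the real attack it lives in the calling
 * process's memory, where a second thread of that process can rewrite it. */
static _Atomic(const char *) g_path;
static atomic_int g_stop;

/* Attacker thread: flip the argument back and forth as fast as possible. */
static void *flipper(void *unused)
{
    (void)unused;
    int i = 0;
    while (!atomic_load(&g_stop))
        atomic_store(&g_path, (i++ & 1) ? EVIL : BENIGN);
    return NULL;
}

/* The product's (constructed) policy: block anything under System32\drivers. */
static int hook_allows(const char *path)
{
    return strstr(path, "\\drivers\\") == NULL;
}

/* Returns the path the "kernel" actually acted on, or NULL if the hook denied. */
static const char *hooked_syscall_vulnerable(void)
{
    /* Hook reads the argument from user memory and validates it ... */
    if (!hook_allows(atomic_load(&g_path)))
        return NULL;
    /* ... then the original handler re-reads it from user memory: the window. */
    return atomic_load(&g_path);
}

static const char *hooked_syscall_hardened(void)
{
    /* Capture once, validate the capture, act on the capture. A real kernel
     * hook copies the whole buffer, since the string contents are attacker
     * controlled too, not only the pointer. */
    const char *captured = atomic_load(&g_path);
    if (!hook_allows(captured))
        return NULL;
    return captured;
}

/* Run the victim loop while the flipper runs. Returns the 1-based attempt on
 * which a blocked path got past the hook, 0 if it never did, -1 on error. */
long race_until_bypass(int hardened, long max_iters)
{
    pthread_t t;
    long won = 0;

    atomic_store(&g_path, BENIGN);
    atomic_store(&g_stop, 0);
    if (pthread_create(&t, NULL, flipper, NULL) != 0)
        return -1;

    for (long i = 1; i <= max_iters; i++) {
        const char *used = hardened ? hooked_syscall_hardened()
                                    : hooked_syscall_vulnerable();
        if (used != NULL && !hook_allows(used)) {
            won = i;   /* the kernel acted on a path the hook had "blocked" */
            break;
        }
    }

    atomic_store(&g_stop, 1);
    pthread_join(t, NULL);
    return won;
}

int main(void)
{
    long v = race_until_bypass(0, 50000000L);
    long h = race_until_bypass(1, 50000000L);
    printf("re-reading hook: %s\n", v > 0 ? "bypassed" : "held");
    if (v > 0)
        printf("  first bypass on attempt %ld\n", v);
    printf("capture-once hook: %s\n", h > 0 ? "bypassed" : "held");
    return 0;
}
```

On a multi-core machine the re-reading hook usually falls within the first few thousand attempts; on a single core it still falls whenever the scheduler preempts the victim inside the window, it just takes more attempts. The capture-once hook never fails, because both the check and the use see the same value, which is the mitigation a hook should have had all along. Note that the attacker here is an ordinary thread in the calling process: no privilege is needed to retry.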
Both Graham and Paul conclude their posts by saying that:
What Matousec is describing is a way of “doing something extra” if the malicious code manages to get past your antivirus software in the first place.
In other words, KHOBE is only an issue if antivirus products miss the malware. And that’s one of the reasons, of course, why vendors offer a layered approach using a variety of protection technologies.
Granted that this interpretation of the research is dubious and I would like to actually read what the researchers have to say about it, I find it quite interesting to read “if the malicious code manages to get past your antivirus software in the first place”. We know that malicious code IS capable of bypassing AVs, whether through encoding or through custom code. And if you read the latest DBIR from Verizon (and I know the guys at Sophos did), you know this is the path criminals are taking:
P.S. Here is ESET’s response