Malware can bypass all Windows-based AVs
Now we are in trouble. Research from Matousec has revealed a means by which an attacker could disable dozens of modern AVs, including McAfee, Symantec and friends.
The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it’s executed, swaps it out with a malicious payload.
In the words of the researchers:
“If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100% of the tested products were found vulnerable.”
SSDT hooking is one of the techniques covered in the System Security section of our Penetration testing training course. AV software uses this technique to take control of important aspects of the system and, above all, to control the switch from user mode to kernel mode. The research paper gives a clear explanation of why this technique, as used by AV products, can be bypassed by exploiting preemption after the AV's security checks have already passed.
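The check-then-use window described above, as an added illustration that is not code from the matousec paper or from any AV product: a user-mode C model of an SSDT-style hook that validates a caller-owned argument in place, beside a hardened version that captures a private copy before validating. The argument struct, the path policy, the sample paths and the preemption callback are all constructed stand-ins.

```c
#include <stdbool.h>
#include <string.h>
#define PATH_LEN 64

/* Caller-owned argument block (hypothetical): memory the calling process
 * controls and may rewrite after the hook has already looked at it. */
struct user_args { char path[PATH_LEN]; };
/* Callback run between check and use, standing in for thread preemption. */
typedef void (*preempt_fn)(struct user_args *);

/* Constructed policy: block anything under C:\Temp\ . */
static bool path_is_allowed(const char *p) {
    return strncmp(p, "C:\\Temp\\", 8) != 0;
}
/* Stand-in for the original system service: returns 1 when it was reached
 * with a path the policy should have blocked, 0 otherwise. */
static int original_service(const char *p) {
    return path_is_allowed(p) ? 0 : 1;
}

/* Vulnerable hook: validates the caller's buffer in place, then forwards the
 * same buffer. The gap between the two is the window the paper describes. */
int hook_check_then_use(struct user_args *a, preempt_fn preempt) {
    if (!path_is_allowed(a->path)) return -1;  /* blocked at check time */
    if (preempt) preempt(a);                   /* caller gets to run here */
    return original_service(a->path);          /* may use a rewritten value */
}

/* Hardened hook: copy the argument into hook-private memory first, then
 * validate and forward only the copy; later caller edits are invisible. */
int hook_copy_then_check(struct user_args *a, preempt_fn preempt) {
    char local[PATH_LEN];
    memcpy(local, a->path, PATH_LEN);
    local[PATH_LEN - 1] = '\0';
    if (!path_is_allowed(local)) return -1;
    if (preempt) preempt(a);
    return original_service(local);
}

/* Constructed scenario: the caller rewrites its argument after the check. */
static void rewrite_after_check(struct user_args *a) {
    strncpy(a->path, "C:\\Temp\\payload.exe", PATH_LEN);
}
/* Runs one hook on a benign path with the post-check rewrite.
 * Returns 1 if the policy was bypassed, 0 if enforced, -1 if denied up front. */
int run_scenario(bool hardened) {
    struct user_args a = { "C:\\Users\\alice\\notes.txt" };
    return hardened ? hook_copy_then_check(&a, rewrite_after_check)
                    : hook_check_then_use(&a, rewrite_after_check);
}
```

The model deliberately ignores how a real driver maps and probes user memory; the point it isolates is that validating data the caller can still modify is a time-of-check/time-of-use bug, and capturing the argument first removes the window.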
The hack draws on a great deal of system security and x86 engineering knowledge, and the result looks both ingenious and incredibly simple at the same time; we advise you to allocate 5 minutes to read it.