May 11, 2010, 12:25 PM — Anti-virus software is not the be-all and end-all of Windows PC security by a long shot. But, to claim, as David Matousec does in his paper, KHOBE-8.0 earthquake for Windows desktop security software is utter nonsense.
The gist of Matousec's is that Windows' SSDT (System Service Descriptor Table) can be attacked by a technique, he calls "the argument-switch attack or KHOBE (Kernel Hook Bypassing Engine) attack, which allows malicious code to bypass protection mechanisms of security applications." The short English version of this is that, in the time between when an anti-virus program checks a file for a malicious payload and when the file actually runs, it can transform into malware and wreak havoc on your PC.
There is some truth here. Rootkits have been successfully attacking Windows via the SSDT for years now. There's nothing new about that.
In fact, as Russian hacker Andrey Sporaw pointed out, the problem, better known as TOCTTOU (time-of-check to time-of-use), was first described in theory, back in 1996 and was described in detail almost seven-years ago. Or, as one Slashdotter succinctly put it, "TFA has discovered 'the rootkit.'" And, as another wrote, "Okay, so basically your PC has some type of rootkit on it already. Then your AV is ineffective due to some obscure attack. Rent a clue, editors! If you have a rootkit, you are f***ed anyway. There is no magical piece of software that will protect you from your machine being owned... . that is the definition of owned."
Exactly.
For this to do anything, the Windows machine must already be busted. As Graham Cluley, a senior technology consultant at the anti-virus company Sophos observed, "KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec describes is a way of 'doing something extra' if the bad guys' malicious code manages to get past your anti-virus software in the first place. In other words, KHOBE is only an issue if anti-virus products such as Sophos (and many others) miss the malware. And that's one of the reasons, of course, why we -- and to their credit other vendors -- offer a layered approach using a variety of protection technologies."
Now, of course, Windows was, is now, and always will be easy to break into. But, thinking that you shouldn't bother to use anti-virus software because you think KHOBE has somehow made even trying to protect your Windows PC useless is just dumb.
If you're going to keep using Windows, get a good anti-virus program. If you're seriously concerned about security, switch to a Mac or a Linux PC. And, as for KHOBE itself? The only thing that's 'new' about it is how seriously many news publications are taking this tired old rootkit attack.
