New Attack Tactic Sidesteps Windows Security Software

Thought I would share this.

http://www.pcworld.com/article/196107/Security_Attack.html?tk=rss_news

"According to Matousec, nearly three-dozen Windows desktop security titles, including ones from Symantec, McAfee, Trend Micro, BitDefender, Sophos and others, can be exploited using the argument-switch tactic. Matousec said it had tested the technique on Windows XP SP3 and Vista SP1 on 32-bit machines."

Any comments from Symantec?

Mitka

I already posted this days ago.

http://community.norton.com/t5/Tech-Outpost/New-Attack-Bypassses-Anti-Malware/td-p/229215

Garret_Polk wrote:

The current official statement (not mine, subject to change, batteries not included):

Symantec is aware of the research. This is a narrowly focused test that examines potential bypass techniques for any security solution that implements kernel mode hooking. This is precisely why Symantec adds multiple layers of security to our products in order to prevent malware, and in this case, even the code that would facilitate the substituting of benign code for malicious code, from getting onto users’ computers in the first place. In particular, Symantec’s Intrusion Prevention (IPS) and Reputation-Based Security play a large role in blocking these types of threats. These additional layers of defenses were not examined as part of the matousec.com investigation.

Hi Garrett

Although not to do with the tests, which are what this thread is about:

With NIS 2011 installed and testing a Rogue which used Windows settings to block Security Software from running, Norton was able to keep running even after the rogue forced a restart of the PC in the attempt. It blocked MBAM, and someone else could not start Avast.

So I was happy to see that Norton this time couldn't be stopped; the only thing that happened to do with Windows and Norton was that Windows could not see an AV was installed until I removed the registry entries and restarted the PC.

It was an MSE UI look-alike but with Russian (I think) type.

Quads

Rogue MSE asks for an activation key, SMS button I see

It couldn't stop Norton 2011

Quads

The test result is here:

http://www.matousec.com/projects/proactive-security-challenge/results.php

Their testing suite download:

http://www.matousec.com/downloads/

Plz test these samples...