AOA Forums > Software > Data Security
#1 Daniel ~ (Chief BBS Administrator), 11th May, 2010, 07:22 PM

New attack tactic sidesteps Windows security software

'Very serious' says one antivirus exec, especially for Windows XP users

A just-published attack tactic that bypasses the security protections of most current antivirus software is a "very serious" problem, an executive at one unaffected company said today.

[Front page...]
#2 Chief Systems Administrator, 12th May, 2010, 06:11 PM

From what I understand, this affects all current versions of Windows (and probably back as far as Windows NT4). It is basically a good old race condition, exacerbated by multicore processors.

High-level view of how the attack works:
  • Security software "hooks" (or intercepts) certain OS calls, such as the "Terminate Process" call, so that it can check that the requests made are not targeting things like AV.
  • Malicious software creates a dummy process, and makes a request to kill it.
  • Security software examines the request, sees that it is safe, and passes the request on to the OS.
  • In the meantime, the malicious software changes an aspect of the memory that contains the request, pointing the request at the security software instead.
  • The OS reads the modified request, and uses the data stored there, hence killing the security software.

When there are multiple cores on a machine, it's easier for the malicious software to modify the request. If there's only one core, it's much harder for the malicious software to make the modification before the OS acts on the kill request. If the malicious software gets the timing wrong, it will either be denied access to killing the security software, or it will kill the dummy process. That's not a big deal, as the malicious software could make hundreds of attempts a second to do this. Eventually it'll succeed, probably within the first few attempts.
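The race described in the post above is a classic time-of-check-to-time-of-use (TOCTOU) bug: the hook validates an argument that still lives in memory the caller controls, and the OS later reads that same memory. The following is an added simulation, not code from this thread or from any security product, that models the five bullets with constructed stand-ins (a request is a one-element list holding a PID; the moments at which the caller could overwrite it are exposed as explicit "entry", "window" and "exit" callbacks instead of real multicore timing). It contrasts the naive hook with the standard mitigation, which is to copy the argument into private memory first and then validate and act on that copy, so nothing the caller does afterwards changes what the OS is told to do.

```python
"""Deterministic model of a check-then-use race on a hooked "terminate" call.

Constructed example: Kernel, the hooks, the PIDs and the phase callbacks are
stand-ins, not a real OS or a real product's interception code.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

PROTECTED_PID = 1000   # constructed: the security product's own process
DUMMY_PID = 2000       # constructed: a throwaway process the caller owns


@dataclass
class Kernel:
    """Records which PIDs the 'OS' was actually asked to kill."""
    killed: List[int] = field(default_factory=list)

    def terminate(self, request: List[int]) -> None:
        # The OS reads the PID from the request memory at the moment it acts,
        # not at the moment the hook looked at it.
        self.killed.append(request[0])


Phase = Callable[[str], None]


def naive_hook(kernel: Kernel, request: List[int], on_phase: Phase) -> str:
    """Validates the caller's memory in place, then hands that same memory on."""
    on_phase("entry")
    if request[0] == PROTECTED_PID:
        return "denied"
    on_phase("window")            # TOCTOU window: caller can still write request[0]
    kernel.terminate(request)     # OS uses whatever is there now
    on_phase("exit")
    return "allowed"


def snapshot_hook(kernel: Kernel, request: List[int], on_phase: Phase) -> str:
    """Copy-in first: validate the private copy and pass the copy to the OS."""
    on_phase("entry")
    private = [request[0]]        # after this line the caller's memory is irrelevant
    if private[0] == PROTECTED_PID:
        return "denied"
    on_phase("window")            # caller may still write request[0]; we no longer read it
    kernel.terminate(private)
    on_phase("exit")
    return "allowed"


def run(hook, swap_at: Optional[str]) -> Tuple[str, List[int]]:
    """Run one attempt in which the caller retargets the request at phase `swap_at`.

    Returns (hook verdict, list of PIDs the kernel actually terminated).
    """
    kernel = Kernel()
    request = [DUMMY_PID]         # the request as originally submitted

    def modifier(phase: str) -> None:
        if phase == swap_at:      # the "other core" overwrites the argument
            request[0] = PROTECTED_PID

    verdict = hook(kernel, request, modifier)
    return verdict, kernel.killed


def outcome(hook, swap_at: Optional[str]) -> str:
    """Human-readable classification of one attempt, for the table below."""
    verdict, killed = run(hook, swap_at)
    if verdict == "denied":
        return "denied (swap came too early)"
    if PROTECTED_PID in killed:
        return "PROTECTED PROCESS KILLED"
    return "dummy killed (swap missed or never happened)"


if __name__ == "__main__":
    for hook in (naive_hook, snapshot_hook):
        for swap_at in (None, "entry", "window", "exit"):
            print(f"{hook.__name__:14} swap_at={str(swap_at):7} -> {outcome(hook, swap_at)}")
```

Only the "window" row differs between the two hooks: the naive hook reports "allowed" yet the kernel kills the protected PID, exactly the mis-timed-but-harmless and well-timed outcomes the post describes, while the snapshot hook always acts on what it validated. The same discipline applies to any interception layer: never validate a buffer the untrusted caller can still write to, and never pass the validated buffer's original address onward.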