A new hacking technique that could potentially bypass dozens of security protections is significant, but it shouldn't warrant major concern at enterprises. Called the kernel hook bypassing engine (KHOBE), the attack technique exploits a vulnerability within a component of the backbone of Windows XP, giving attackers the ability to shut down security software and so help the malware remain undetectable.
The KHOBE technique was published by researchers at Matousec.com, who warned that their proof-of-concept demonstrates the inadequacy of antivirus and other security protections at detecting and eradicating malware. The technique involves exploiting kernel driver hooks in Microsoft Windows XP. The attack intercepts and alters communication between components and the underlying antivirus applications, making them utterly useless.
"This attack represents a serious threat because many security software vendors base their security features on hooking," the research team wrote. "We tested the most widely used security applications and found out that all of them are vulnerable. Today's most popular security solutions simply do not work."
Security experts say the attack technique poses little serious threat, since the malware already needs to bypass security software before attempting the attack. It's analogous to a thief attempting to break into a house from the inside, said Mikko Hyppönen, chief research officer at Helsinki-based antivirus vendor F-Secure Corp.
The ability to alter hooks within the kernel has been known since the mid-1990s and hasn't grown into a serious problem, Hyppönen said. But he stopped short of dismissing KHOBE altogether, admitting that the potential for any piece of malware to be coded to bypass security software from so many vendors represents a genuine threat, but not a very likely one.
"Ever since the research was made public, we've been monitoring for real-world attacks using this mechanism and we haven't seen a single one," Hyppönen said. "The scenario is interesting; the malware is already on the system and yes, it can now bypass the heart of the security product. It can uninstall the antivirus or do a million other nasty things."
In all likelihood, attackers will choose easier ways to defeat antivirus and other security defenses, said a Michigan-based IT security consultant who is currently working on a project that aims to maintain security defenses while downsizing the firm's data center. The security professional said enterprises should focus on implementing a standard defense-in-depth approach while remaining alert to potential data leakage caused by employee mistakes.
"If I worried about every potential threat out there I wouldn't get any sleep at night," he said. "We've got to ensure the basics are getting done right and then move on to other attack vectors."
The threats that pose a bigger risk to enterprises are fake antivirus programs, lack of control over mobile devices at the endpoint, drive-by attacks and data leakage via social networking sites, said Graham Cluley, a senior technology consultant at U.K.-based security vendor Sophos. Cluley said businesses need to focus on getting endpoint software up to date, ensuring security software has the latest signature updates and enforcing security policies.
"Businesses require much more than pure antivirus and most enterprises know by now that one layer of defense just isn't going to cut it," Cluley said. "The sky isn't falling over this, but that doesn't mean we need to let our guard down."