From the Now-It's-Time-To-Panic department: The Register just published an article claiming that Matousec, a software security testing service, has uncovered a relatively simple way to bypass nearly all antivirus software (McAfee, Trend Micro, AVG, BitDefender, and others). The trick is based on sending non-malicious code to the antivirus driver hooks, and then swapping it out at the last moment for the malicious code. By doing this, the antivirus engine and detection systems can be completely bypassed.
The article notes, "As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked." But wait, there's more!
The Register goes on to say, "The technique works even when Windows is running under an account with limited privileges," but "it can be carried out only when an attacker already has the ability to run a binary on the targeted PC."
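The check-then-swap trick summarised above is a time-of-check/time-of-use race on the arguments a hook inspects. As an added example (not code from Matousec, The Register or any listed product), this user-space C model puts a hook that reads the caller's buffer twice beside one that validates and forwards a single private copy. Every name in it is hypothetical, and the concurrent writer is simulated with a callback so the outcome is deterministic.

```c
#include <stdio.h>
#include <string.h>

#define ARG_LEN 64
/* Constructed model: a caller-owned argument another thread can rewrite. */
typedef struct { char path[ARG_LEN]; } user_arg;
typedef void (*race_fn)(user_arg *);          /* runs between check and use */
typedef int (*hook_fn)(user_arg *, race_fn);
static char acted_on[ARG_LEN];                /* what the service really used */

/* Stand-in for the scanner verdict; "blocked.bin" is a made-up name. */
static int policy_allows(const char *p) { return strcmp(p, "blocked.bin") != 0; }
/* Stand-in for the original system service behind the hook. */
static void real_service(const char *p) { snprintf(acted_on, ARG_LEN, "%s", p); }
/* Models the concurrent writer that replaces the argument after the check. */
static void swap_arg(user_arg *a) { snprintf(a->path, ARG_LEN, "%s", "blocked.bin"); }

/* Weak hook: validates the caller's buffer, then hands the same buffer on. */
static int hook_double_fetch(user_arg *a, race_fn race) {
    if (!policy_allows(a->path)) return 0;    /* first read: the check */
    if (race) race(a);                        /* window between check and use */
    real_service(a->path);                    /* second read: the use */
    return 1;
}

/* Hardened hook: copies once, then checks and acts on that private copy. */
static int hook_snapshot(user_arg *a, race_fn race) {
    char copy[ARG_LEN];
    snprintf(copy, ARG_LEN, "%s", a->path);   /* single fetch */
    if (!policy_allows(copy)) return 0;
    if (race) race(a);                        /* caller's buffer changes... */
    real_service(copy);                       /* ...but the checked copy is used */
    return 1;
}

/* Returns 1 if the service ended up acting on the path the policy blocks. */
static int service_saw_blocked(hook_fn hook) {
    user_arg a;
    snprintf(a.path, ARG_LEN, "%s", "benign.txt");
    acted_on[0] = '\0';
    hook(&a, swap_arg);
    return strcmp(acted_on, "blocked.bin") == 0;
}

int main(void) {
    printf("double fetch: %d\n", service_saw_blocked(hook_double_fetch));
    printf("snapshot:     %d\n", service_saw_blocked(hook_snapshot));
    return 0;
}
```

The snapshot only helps if the service behind the hook consumes the validated copy; a hook that copies for its check but forwards the original pointer has the same window.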
In other words, it doesn't require doing anything that can't already be done by your run-of-the-mill browser exploits and malware payloads. And almost all antivirus packages are vulnerable. Wonderful. It's not even Monday, and it's already looking like it's going to be a long week. Oh, and in case you want to know if your antivirus software is on the list, the answer is probably, "yes":
| Product and version | Status |
| --- | --- |
| 3D EQSecure Professional Edition 4.2 | VULNERABLE |
| avast! Internet Security 5.0.462 | VULNERABLE |
| AVG Internet Security 9.0.791 | VULNERABLE |
| Avira Premium Security Suite 10.0.0.536 | VULNERABLE |
| BitDefender Total Security 2010 13.0.20.347 | VULNERABLE |
| Blink Professional 4.6.1 | VULNERABLE |
| CA Internet Security Suite Plus 2010 6.0.0.272 | VULNERABLE |
| Comodo Internet Security Free 4.0.138377.779 | VULNERABLE |
| DefenseWall Personal Firewall 3.00 | VULNERABLE |
| Dr.Web Security Space Pro 6.0.0.03100 | VULNERABLE |
| ESET Smart Security 4.2.35.3 | VULNERABLE |
| F-Secure Internet Security 2010 10.00 build 246 | VULNERABLE |
| G DATA TotalCare 2010 | VULNERABLE |
| Kaspersky Internet Security 2010 9.0.0.736 | VULNERABLE |
| KingSoft Personal Firewall 9 Plus 2009.05.07.70 | VULNERABLE |
| Malware Defender 2.6.0 | VULNERABLE |
| McAfee Total Protection 2010 10.0.580 | VULNERABLE |
| Norman Security Suite PRO 8.0 | VULNERABLE |
| Norton Internet Security 2010 17.5.0.127 | VULNERABLE |
| Online Armor Premium 4.0.0.35 | VULNERABLE |
| Online Solutions Security Suite 1.5.14905.0 | VULNERABLE |
| Outpost Security Suite Pro 6.7.3.3063.452.0726 | VULNERABLE |
| Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION | VULNERABLE |
| Panda Internet Security 2010 15.01.00 | VULNERABLE |
| PC Tools Firewall Plus 6.0.0.88 | VULNERABLE |
| PrivateFirewall 7.0.20.37 | VULNERABLE |
| Security Shield 2010 13.0.16.313 | VULNERABLE |
| Sophos Endpoint Security and Control 9.0.5 | VULNERABLE |
| ThreatFire 4.7.0.17 | VULNERABLE |
| Trend Micro Internet Security Pro 2010 17.50.1647.0000 | VULNERABLE |
| Vba32 Personal 3.12.12.4 | VULNERABLE |
| VIPRE Antivirus Premium 4.0.3272 | VULNERABLE |
| VirusBuster Internet Security Suite 3.2 | VULNERABLE |
| Webroot Internet Security Essentials 6.1.0.145 | VULNERABLE |
| ZoneAlarm Extreme Security 9.1.507.000 | VULNERABLE |
In a word, "Uh-oh".