New malware attack laughs at your antivirus software

How do you get a malware exploit to bypass antivirus protection? By making it work the same way the antivirus software does.

A new exploit outlined this week is so effective, say researchers, that it can slip by “virtually all” antivirus protection undetected.

It works the same way an antivirus app does, by hooking directly into Windows and masquerading as harmless software. It tricks Windows by handing the OS sample code that looks (and really is) completely benign, just as any antivirus app would, then at the last microsecond it swaps in malicious code, which is what actually gets executed.

If an antivirus application uses the traditional method of interacting with Windows — a system called SSDT — then it will be vulnerable to attack via this method. And they all use SSDT. As the researchers at matousec.com noted during their investigation, “100 percent of the tested products were found vulnerable.” It didn’t matter whether the user had administrator rights or not; the exploit was able to sneak through.
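The check-then-use race the article describes, as an added simulation (not code from the page or from matousec.com): a hook that inspects the caller's buffer in place versus one that copies the argument before checking it. The function names, the buffer layout and the injected race callback are constructed for illustration; the real attack works on system call arguments, not a string.

```c
#include <stdio.h>
#include <string.h>

#define BENIGN  "benign"
#define HOSTILE "hostile"

/* Hypothetical caller behaviour: rewrite its own shared buffer in the
 * window between the hook's check and the real call's use of the data. */
static void swap_after_check(char *shared_buf, size_t len)
{
    snprintf(shared_buf, len, "%s", HOSTILE);
}

/* Stand-in for the real system call. Returns 1 if it acted on hostile input. */
static int real_syscall(const char *buf)
{
    return strcmp(buf, HOSTILE) == 0;
}

/* Vulnerable hook: inspects the caller's buffer in place and then forwards
 * the same pointer, so whatever happens in between is invisible to it.
 * Returns -1 when the check blocks the call, else the real call's result. */
int vulnerable_hook(char *user_buf, size_t len, void (*race)(char *, size_t))
{
    if (strcmp(user_buf, BENIGN) != 0)   /* check */
        return -1;
    race(user_buf, len);                 /* caller wins the race here */
    return real_syscall(user_buf);       /* use: now sees HOSTILE */
}

/* Hardened hook: copy the argument into memory the caller cannot reach,
 * check the copy, and forward the copy rather than the caller's pointer. */
int hardened_hook(char *user_buf, size_t len, void (*race)(char *, size_t))
{
    char kernel_copy[32];
    snprintf(kernel_copy, sizeof kernel_copy, "%s", user_buf);
    if (strcmp(kernel_copy, BENIGN) != 0)
        return -1;
    race(user_buf, len);                 /* same race, but the copy is unaffected */
    return real_syscall(kernel_copy);
}

/* Runs one benign-looking call through either hook with the race injected. */
int run_scenario(int hardened)
{
    char user_buf[32] = BENIGN;
    return hardened ? hardened_hook(user_buf, sizeof user_buf, swap_after_check)
                    : vulnerable_hook(user_buf, sizeof user_buf, swap_after_check);
}
```

`run_scenario(0)` returns 1 (the in-place check let hostile data through) while `run_scenario(1)` returns 0, which is the whole difference between the two hooking styles.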

The good news is that the attack isn’t completely realistic, since the code required to pull it off is too large to work as a quick download, so the attack would likely have to find its way onto a target computer by other means. But that also worries researchers, since commonly downloaded software could be intentionally infected with the malware (the story above uses Adobe Reader as an example), and during installation your antivirus software wouldn’t bat an eyelash. The malware could actually uninstall your antivirus application in its initial volley, leaving you wide open to attack.

Right now the attack is primarily theoretical and hasn’t sprung up in the real world, so there’s no need to panic — yet.
Antivirus software companies have yet to respond to the threat, and it may take some time for them to do so, eventually requiring a full reworking of everything we know about the way antimalware software works.
