David Heath
Sunday, 16 May 2010 17:42
Opinion and Analysis
Page 1 of 3
Over the past few days, news outlets have been emulating those bogus virus warnings we regularly receive from well-meaning friends. Here's the short answer: Khobe isn't a problem.
You know the kind of message: well-meaning (but technically illiterate) friends pass on warnings that include things like (and I paraphrase, with no reflection on any companies named in the emails):
"<Major Computer Company> says it is the worst virus they've ever seen and currently no anti-virus software can detect it. Please don't open the file called I-am-Not-a-Virus.exe." Or some such malarkey!
Never mind that the company named in most such emails isn't in the anti-virus business to start with. In almost all such cases the email itself is the virus - after all, it used up a significant amount of your own resources to deal with it.
With that in mind, I read with some amusement ZDNet's rather strident reporting of the seemingly recently-discovered KHOBE (for Kernel HOok Bypassing Engine) vulnerability, suggesting in their title that this attack "bypasses EVERY Windows security product." However, ZDNet were far from alone in reporting this theme.
KHOBE is, according to ZDNet, a perfect bait-and-switch attack: completely harmless code is passed to the scanning engine, and once it returns the 'all clear' the real payload is executed instead. The vulnerability depends on the AV software making use of Windows' System Service Descriptor Table (SSDT) to hook system calls - almost all do.
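The bait-and-switch described above is a check-then-use race: the hook validates an argument that still sits in memory the caller controls, and the real system call reads that memory again later. The following C model is added here and is not taken from the article, ZDNet or Matousec; its names (request_t, is_allowed, racy_dispatch, snapshot_dispatch, run_scenario) and its policy are constructed, and it uses no Windows internals. It shows why validating in place fails and why copying the argument once before checking it closes the window:

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a kernel-hook "scan then dispatch" path. Nothing here is
 * Windows code: the request struct, the policy and the names are invented to
 * show the check-then-use window and how a single copy-in closes it. */

#define PATH_MAX_LEN 64

typedef struct {
    char path[PATH_MAX_LEN];
} request_t;

/* Caller-owned request memory that the hook inspects in place. */
static request_t shared_request;

/* Constructed policy: anything under "\blocked\" must not run. */
static int is_allowed(const char *path) {
    return strncmp(path, "\\blocked\\", 9) != 0;
}

static void set_path(const char *path) {
    snprintf(shared_request.path, sizeof shared_request.path, "%s", path);
}

/* Models whatever else runs between the hook's check and the kernel's use of
 * the argument. Here it rewrites the caller's buffer; in a live system this
 * would be another thread touching the same memory. */
static void rewrite_request(void) {
    set_path("\\blocked\\payload.exe");
}

/* Result codes shared by both dispatchers. */
enum { DENIED = -1, RAN_ALLOWED = 0, RAN_BLOCKED = 1 };

/* Racy design: the hook validates the caller's buffer, then the kernel reads
 * the same buffer again. Anything that changes between the two reads is never
 * checked. */
static int racy_dispatch(request_t *req, void (*between)(void)) {
    if (!is_allowed(req->path))          /* first fetch: the check */
        return DENIED;
    if (between) between();              /* the race window */
    /* second fetch: what actually runs */
    return is_allowed(req->path) ? RAN_ALLOWED : RAN_BLOCKED;
}

/* Hardened design: copy the argument once, then check and use only the copy.
 * Later changes to the caller's buffer cannot affect what was validated. */
static int snapshot_dispatch(request_t *req, void (*between)(void)) {
    request_t snapshot = *req;           /* single fetch */
    if (!is_allowed(snapshot.path))
        return DENIED;
    if (between) between();              /* same window, now harmless */
    return is_allowed(snapshot.path) ? RAN_ALLOWED : RAN_BLOCKED;
}

/* Drives one scenario: hardened selects the dispatcher, swap says whether the
 * buffer is rewritten inside the window. Returns the dispatcher's result. */
int run_scenario(int hardened, int swap) {
    set_path("\\safe\\document.txt");
    void (*between)(void) = swap ? rewrite_request : NULL;
    return hardened ? snapshot_dispatch(&shared_request, between)
                    : racy_dispatch(&shared_request, between);
}

/* A request that is blocked up front is refused by both designs. */
int run_blocked_request(int hardened) {
    set_path("\\blocked\\payload.exe");
    return hardened ? snapshot_dispatch(&shared_request, NULL)
                    : racy_dispatch(&shared_request, NULL);
}

int main(void) {
    printf("racy, no swap:    %d\n", run_scenario(0, 0));     /* 0 */
    printf("racy, swap:       %d\n", run_scenario(0, 1));     /* 1: policy bypassed */
    printf("snapshot, swap:   %d\n", run_scenario(1, 1));     /* 0 */
    printf("blocked up front: %d\n", run_blocked_request(0)); /* -1 */
    return 0;
}
```

The point of the model is that the fix has nothing to do with the SSDT itself: any code that validates data another party can still modify must validate its own copy, not the shared original. Auditing a hook for this pattern means looking for every place the user-supplied argument is dereferenced after the policy decision.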
The ZDNet author goes on to list 35 anti-virus vendors which it claims are vulnerable to being duped by this technique. In fact, the list is essentially a who's-who of companies making use of the SSDT, nothing more.
Matousec, the security company who first launched this blight upon the world, described it as an "8.0 earthquake for Windows desktop security software."
It is no such thing.