
What can the Khobe technique do to Windows antivirus software?

Khobe is an evasion technique, not malware. Learn how to stop a compromise and make sure that antivirus isn't your only line of defense.

A reader writes to our resident security expert Tom Chmielarski, "What is Khobe, what can it do to antivirus software on Windows machines, and how can you stop it?"

Tom Chmielarski:

The Khobe technique, discovered by researchers at the network device testing group, is a method for malware to bypass scanning hooks implemented by a Windows user's antivirus software.

The System Service Descriptor Table (SSDT), a Windows module, is a facility at the boundary between user mode and kernel mode of the operating system, which provides access to various system services. Software can register its own components ("hooking") as a means to modify system behavior. Antivirus products may use this facility as a means to implement their security features where tighter kernel integration is not available -- malware has also long used this method.

The Khobe (kernel hook bypassing engine) attack technique uses multiple threads to modify the SSDT, injecting the malware after antivirus has performed its check and before the specific system call is executed. This is a timing attack or a race condition. Taken at face value, the Khobe technique is a means for malware to sneak past Windows desktop security software and wreak undetected havoc upon a machine.

This is not malware like, say, Conficker; it is an evasion technique. It facilitates undetected compromise by malware, but doesn't actually do anything itself. Keep in mind: The technique could be an utterly valid identification of lurking vulnerabilities in Windows antivirus products, but the fear factor is also marketing for the research group.

To stop a compromise that uses this technique, implement other controls so you're not completely dependent upon antivirus. You should also select an antivirus product that has more than one protective method. Many antivirus suites, for example, feature multiple detection engines, process-based firewalls and other features.

There's nothing you can do directly to address the vulnerability since the flaw pertains to the implementation of antivirus products' scan engines. Khobe is now a known, publicized attack; if your antivirus product was vulnerable to Khobe, it probably isn't anymore. Most antivirus vendors claim to have never been truly vulnerable because multiple detection engines within the product provide a failsafe method that prevents exploitation. Sophos has been particularly clear in their opinion that this vulnerability is not very significant. Other vendors have not publicly responded. This provides an excellent opportunity for you to evaluate your vendor's responsiveness to new security concerns; after all, the response to this specific tactic is less important than how they respond to all such threats that are reported to them, even when those issues are not as well publicized.

I hate to be the bearer of bad news, but there is almost certainly malware in the wild right this very minute that will not be detected by whatever antivirus product you have in place. Even if your antivirus product can detect the malware, it may fail to actually stop that malware.

Antivirus may quarantine an executable after the process is launched. That prevents re-execution, but not interference caused by the now-operational malware. The malware may then connect to the Internet and download secondary malicious code. Look at your antivirus logs: Do you see the same malware repeatedly? The same malware repeatedly on the exact same computer? This is a common situation and means your antivirus product may not be completely effective (and it almost certainly isn't).
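As an added example (not part of the original column), the following Python script applies the log check described above to a constructed antivirus log in a hypothetical single-line format: it reports threats that recur on the same host, which is the sign that the product is not actually stopping the malware, and threats that have been seen on more than one host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a hypothetical AV log format (not a real vendor's):
# <ISO timestamp> host=<name> threat=<name> action=<quarantined|blocked|cleaned>
SAMPLE_LOG = """\
2010-05-10T08:01:12 host=ws-014 threat=Trojan.Downloader.X action=quarantined
2010-05-10T08:07:45 host=ws-014 threat=Trojan.Downloader.X action=quarantined
2010-05-10T09:15:02 host=ws-022 threat=Trojan.Downloader.X action=blocked
2010-05-11T08:02:30 host=ws-014 threat=Trojan.Downloader.X action=quarantined
2010-05-11T10:40:00 host=ws-031 threat=Worm.Generic.Y action=cleaned
2010-05-11T10:41:10 host=ws-031 threat=Worm.Generic.Y action=cleaned
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) threat=(?P<threat>\S+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def recurring_detections(events, min_count=2):
    """(host, threat) pairs detected at least min_count times -> (count, span in hours).
    The same threat coming back on the same machine means it was never removed."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["host"], e["threat"])].append(e["ts"])
    result = {}
    for pair, stamps in by_pair.items():
        if len(stamps) >= min_count:
            stamps.sort()
            span_hours = (stamps[-1] - stamps[0]).total_seconds() / 3600
            result[pair] = (len(stamps), round(span_hours, 2))
    return result


def hosts_per_threat(events):
    """Number of distinct hosts each threat was seen on; >1 suggests it is spreading."""
    seen = defaultdict(set)
    for e in events:
        seen[e["threat"]].add(e["host"])
    return {threat: len(hosts) for threat, hosts in seen.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("recurring on one host:", recurring_detections(evs))
    print("hosts per threat:", hosts_per_threat(evs))
```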

To restrict network and file activity, you also want to have better network controls around the servers, along with host-based firewalls or intrusion detection systems. As mentioned above, many antivirus products will control network traffic on a per-process basis, verifying the originating executable matches with a known-allowed hash value.

Some products have behavior-based detection of malware, detecting applications that exhibit suspicious behavior. This is an excellent control assuming you have users capable of making that decision. Whitelisting and blacklisting executables, another topic I recently discussed, is another compensating control. No solution is foolproof; you must decide what controls are feasible given cost, complexity, resource time and your ability to accept risk.

Antivirus is an important layer of your security defenses, but it is only a layer. Stay aware of vulnerabilities affecting antivirus products and discuss those with your vendor.

Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.
