New attack bypasses virtually all AV protection

http://forums.theregister.co.uk/forum/1/2010/05/07/argument_switch_av_bypass/
What does everyone think about this?

Hi texastig,

The attack code vector has to be run to exploit. If the browser is being protected by NoScript the attack cannot be performed or you must get the attack vector in another fashion and click that willingly, a further reason for Adobe Flash and its friends (Java) to turn off the lights after they have left! Re: http://www.apple.com/hotnews/thoughts-on-flash/

polonus

Thanks for the info.

You’ll find more info here

The short answer is to always use layered protection, and the new avast! 5 IS product falls into that category. :)

What bothers me is that more and more sites are writing articles where they take this matousec demonstration seriously (I’m not being sarcastic) >>> so there must be something true about it. I think I read something about attacking the drivers directly…

At driver level, with admin rights, you can do almost everything.
The point is to prevent any malware from getting to that stage.
So the antivirus only fails IF the malware could run before.

Yeah, gotta find the article where I read that… IIRC it was said that the attack would bypass any Windows or AV defenses to target the driver, while the bypassing phase wouldn’t be detected as malware, and would work on both accounts, with or without admin rights… sorry I don’t have the details, I read this very quickly yesterday on a French site mentioned in the news… really can’t tell which one that was… but there seems to be all the info here actually, the source or the “rumor”:
http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php

Any malware that bypasses the resident protection will bypass the antivirus.
The problem, again, is the first detection, not the final state of the computer, i.e., once installed the malware could bypass the antivirus; it needs to be detected before that.

Yeah, and the whole point of the new type of attack is to first disable the AV silently, making the system vulnerable to anything after this. Of course it needs to be detected before, and that’s precisely what AVs don’t seem to be doing in the matousec demo.
I’m not going any further ;) >>> I guess we should really read the whole matousec page before arguing… + there aren’t many here (on the Avast forums) who are really technically able to discuss that; well, I don’t see anyone apart from the devs, because they deal with driver implementation, access rights etc. on a daily basis, it’s their job, and I wouldn’t mind Vlk, for instance, coming here and commenting on the matousec article.
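For readers who want to see what the "argument switch" in the Register headline actually means, here is an added, constructed user-mode model of the race the matousec article describes. It is not matousec's, avast's or Windows code: the `create_args` struct, the `PROTECTED_PREFIX` policy, the `hooked_create_file_*` names and the `race_window` callback are all assumptions made for the demonstration. The callback stands in for the attacker's second thread so that the outcome is reproducible; in the real attack that thread races the hook and wins only some of the time.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed model of the check-then-use race behind the "argument switch".
 * Nothing here is taken from any vendor's driver; names and policy are
 * assumptions for illustration. */

#define PATH_MAX_LEN 260
#define PROTECTED_PREFIX "C:\\Windows\\System32\\drivers\\"

/* Argument block the caller passes by pointer. In the real attack this lives
 * in user-mode memory that a second attacker thread can rewrite at any time. */
typedef struct {
    char *path;   /* pointer to a user-owned, writable buffer */
} create_args;

/* Called after the hook has validated the arguments and before the real call
 * uses them. This is the race window: a deterministic stand-in for the
 * attacker's second thread. NULL means "no attacker present". */
typedef void (*race_window_fn)(create_args *args);
static race_window_fn race_window = NULL;

/* The "real" operation. Returns true if it ended up touching the protected
 * directory, which is exactly what the hook exists to prevent. */
static bool real_create_file(const char *path) {
    return strncmp(path, PROTECTED_PREFIX, strlen(PROTECTED_PREFIX)) == 0;
}

/* Policy check shared by both hooks. */
static bool path_allowed(const char *path) {
    return strncmp(path, PROTECTED_PREFIX, strlen(PROTECTED_PREFIX)) != 0;
}

/* Vulnerable hook: validates the user-owned buffer, then forwards the same
 * pointer. Check and use both read memory the attacker still controls. */
static bool hooked_create_file_vulnerable(create_args *args) {
    if (!path_allowed(args->path))
        return false;                    /* blocked at check time */
    if (race_window) race_window(args);  /* attacker's thread runs here */
    return real_create_file(args->path); /* uses whatever is there *now* */
}

/* Hardened hook: captures the argument into memory the attacker cannot
 * reach, validates the copy, and forwards the copy. (A real driver would
 * also have to probe and lock the user pages; a bounded copy stands in.) */
static bool hooked_create_file_hardened(create_args *args) {
    char captured[PATH_MAX_LEN];
    snprintf(captured, sizeof captured, "%s", args->path);
    if (!path_allowed(captured))
        return false;
    if (race_window) race_window(args);  /* user buffer gets rewritten... */
    return real_create_file(captured);   /* ...but the copy is what is used */
}

/* The attacker's switch: once the check has passed, overwrite the user
 * buffer with the forbidden target. */
static void attacker_switch(create_args *args) {
    snprintf(args->path, PATH_MAX_LEN, "%s%s", PROTECTED_PREFIX, "evil.sys");
}

/* Run one scenario. Returns true if the protected path was written, i.e. the
 * hook was bypassed. The request always starts out looking harmless. */
static bool run_scenario(bool hardened, bool attacker_present) {
    char user_buf[PATH_MAX_LEN];
    snprintf(user_buf, sizeof user_buf, "C:\\Users\\Public\\harmless.txt");
    create_args args = { user_buf };
    race_window = attacker_present ? attacker_switch : NULL;
    return hardened ? hooked_create_file_hardened(&args)
                    : hooked_create_file_vulnerable(&args);
}

int main(void) {
    printf("vulnerable hook, no attacker  : bypassed = %d\n", run_scenario(false, false));
    printf("vulnerable hook, with switch  : bypassed = %d\n", run_scenario(false, true));
    printf("hardened hook,   with switch  : bypassed = %d\n", run_scenario(true, true));
    return 0;
}
```

The vulnerable hook passes the first run and is bypassed in the second, even though the policy check itself is correct: the flaw is that the checked value and the used value are two reads of attacker-writable memory. Copying before checking closes that particular window; whether a given product's driver does so, and what else the article claims, is what the matousec page linked above should be read for.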