
5/17/10

Khobe 8.0 vulnerability: The reality

Most people believe that after installing a popular security suite their system is safe from viruses. Well, the fact is that you are NEVER protected from viruses. According to the tests conducted by Matousec, most or all of the leading security suites that we use today are vulnerable. The article describes how the argument-switch attack can be used to get around security products that use SSDT (System Service Descriptor Table) hooking or kernel patching. Software that does not use this technique can't be attacked using this method. I know what is going through your mind: "I'm using a reputed security suite, so they shouldn't be using such stupid techniques, so I shouldn't worry about it." In a way you are right (I will explain why later).
Here is the list of programs they published:

| Product name and version | Result |
|---|---|
| 3D EQSecure Professional Edition 4.2 | VULNERABLE |
| avast! Internet Security 5.0.462 | VULNERABLE |
| AVG Internet Security 9.0.791 | VULNERABLE |
| Avira Premium Security Suite 10.0.0.536 | VULNERABLE |
| BitDefender Total Security 2010 13.0.20.347 | VULNERABLE |
| Blink Professional 4.6.1 | VULNERABLE |
| CA Internet Security Suite Plus 2010 6.0.0.272 | VULNERABLE |
| Comodo Internet Security Free 4.0.138377.779 | VULNERABLE |
| DefenseWall Personal Firewall 3.00 | VULNERABLE |
| Dr.Web Security Space Pro 6.0.0.03100 | VULNERABLE |
| ESET Smart Security 4.2.35.3 | VULNERABLE |
| F-Secure Internet Security 2010 10.00 build 246 | VULNERABLE |
| G DATA TotalCare 2010 | VULNERABLE |
| Kaspersky Internet Security 2010 9.0.0.736 | VULNERABLE |
| KingSoft Personal Firewall 9 Plus 2009.05.07.70 | VULNERABLE |
| Malware Defender 2.6.0 | VULNERABLE |
| McAfee Total Protection 2010 10.0.580 | VULNERABLE |
| Norman Security Suite PRO 8.0 | VULNERABLE |
| Norton Internet Security 2010 17.5.0.127 | VULNERABLE |
| Online Armor Premium 4.0.0.35 | VULNERABLE |
| Online Solutions Security Suite 1.5.14905.0 | VULNERABLE |
| Outpost Security Suite Pro 6.7.3.3063.452.0726 | VULNERABLE |
| Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION | VULNERABLE |
| Panda Internet Security 2010 15.01.00 | VULNERABLE |
| PC Tools Firewall Plus 6.0.0.88 | VULNERABLE |
| Prevx 3.0.5.143 | VULNERABLE |
| PrivateFirewall 7.0.20.37 | VULNERABLE |
| Security Shield 2010 13.0.16.313 | VULNERABLE |
| Sophos Endpoint Security and Control 9.0.5 | VULNERABLE |
| ThreatFire 4.7.0.17 | VULNERABLE |
| Trend Micro Internet Security Pro 2010 17.50.1647.0000 | VULNERABLE |
| Vba32 Personal 3.12.12.4 | VULNERABLE |
| VIPRE Antivirus Premium 4.0.3272 | VULNERABLE |
| VirusBuster Internet Security Suite 3.2 | VULNERABLE |
| Webroot Internet Security Essentials 6.1.0.145 | VULNERABLE |
| ZoneAlarm Extreme Security 9.1.507.000 | VULNERABLE |


I bet 9/10 people must be using one of these products. It definitely is a shocking discovery! Read the complete article here.

Well, that is not the end of the story! After reading that article, you might think that your PC will be flooded with viruses when you wake up tomorrow. Naaaay, never :D... Sophos have already given a strong reply to this article, and Paul Ducklin explains things in detail on his blog. He says the Khobe code is never a headache for them because Sophos's on-access anti-virus scanner doesn't use SSDT hooks. He also said that the claim that it "bypasses virtually all anti-virus software" is scaremongering.

Graham Cluley is another Sophos expert who said in his blog: "What Matousec describes is a way of "doing something extra" if the bad guys' malicious code manages to get past your anti-virus software in the first place."

I think you are really confused right now.
As far as I'm concerned, this is not an emergency situation but definitely a wake-up call. These revelations show that viruses still have a chance of getting into our machines, and we HAVE TO BE CAREFUL with everything that we do on the net.

Edit: Here's the response from ESET, my favourite.

9 comments:

Adrian said...

Thanks a ton for providing opinions from both sides. I was worried about the vulnerability because many leading websites only provided horrifying facts about the vulnerability. Now I am happy.

Hansika said...

The new domain is much better and this post deserves something special. It is absolutely fantastic. U r doing a g8 job dude.

PrinceOfHeartz said...

@Hansika
Comment posted at 2:49 AM!

Thanks for the comments guys

Dr.Jishnu Chandran said...

informative.......

hansika said...

Ya, I was in a good mood yesterday.
Can u specify some method to lock my Windows PC quickly? I mean by pressing a key or by clicking some shortcuts.

PrinceOfHeartz said...

Protect your user account using a password. U can lock it whenever u want by pressing the Windows key + L key. This is definitely the simplest and fastest way to do it. Will post other tricks if required.

PrinceOfHeartz said...

@ Jishnu
Thanks bro...

Cosmia said...

Good

Hansika said...

Thanks, it is very useful.
