Maintaining a State of Zen in the Face of the Matousec KHOBE Attack

I have reached a nirvana of sorts during my tenure with Triumfant.  First, we have a product that is truly and completely differentiated from any other endpoint protection product in the security market.   If you know how noisy, undifferentiated and confusing the security market is, you know that is a strong statement.  Second, I have the comfort of knowing that our product’s differentiation puts us in a position where the market moves toward us daily.

Which brings me to the Matousec dust-up of last week.  For those of you who missed the fun, Matousec.com published a paper that defined an attack that bypassed a list of over 30 broadly used endpoint security program.  The paper (found here) describes an attack Matousec calls KHOBE (Kernel HOok Bypassing Engine) but goes by the more generic description of an argument-switch attack.

I won’t restate the particulars (good article with more details in the Register here), but the general gist of the attack is to send a benign piece of code to the A/V software on the targeted machine and then swap out the benign code for malicious code just before execution begins.  The attack seems particularly useful on multi-core machines where it can use multiple threads to facilitate the code switch.  It should be noted that this attack is strictly a lab-based manifestation, and has not been reported in the wild.  Matousec did test a broad spectrum of AV products and reports the following (emphasis by Matousec): “If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100 % of the tested products were found vulnerable.”  Included in that list were Symantec, McAfee, Trend Micro, Kaspersky, Sophos and the other usual suspects.

Several of the AV companies gone on the defensive and responded by noting that the attack is complex and would be difficult to execute in the wild.  Others have noted that it is plausible that known exploits in commonly used programs such as Adobe Reader could turn that software into a delivery vehicle for the malicious code payload needed to execute the KHOBE attack.

As for me, I sit in a zen like state, calmly observing the fuss.  Because Matousec is just the latest, albeit technically progressive, technique for evading defensive shields and getting a malicious payload to the machine.  My zen comes from knowing that Triumfant would be there after KHOBE did all of its complex machinations.  In spite of the technical sophistication of the argument-switch attack, the end result is the same basic trigger – the endpoint will be changed, and we will detect the change, and then we will step in to protect the machine.  Triumfant waits in an equally blissful state of zen, completely unaffected by the sophistication (or lack of sophistication) that got the attack to the machine.

My zen state is only deepened by the knowledge that even if this attack never makes it into the wild, it is a harbinger of new attacks being developed as we speak.  We just passed the ten-year anniversary of the “I love you” virus that rocked the world in May 2000.  Looking back now it seems rather quaint in the context of the malware we face today.  I am quite sure KHOBE is an example of the same phenomenon – except it will look quaint in 2 to 3 years instead of 10.

The bottom line is what I have said in numerous posts (here and here) – attacks will get through your shields.  Write it in stone, because that fact will never change.  Ever.  It is the one absolute you can bank on.  That absolute is the source of my zen state because we provide a really unique and interesting solution that will detect what gets through the shields and restore attacked machines to pre-attack condition in less than five minutes.  This capability is that unique differentiation I spoke about earlier.

The term Nirvana is often defined as “a state of total bliss or happiness”.  I am not happy that organizations are being attacked and I find no bliss in seeing new attacks such as the argument-switch attack being created.  Quite the opposite, my bliss comes from knowing I have the right solution at the right time, and that we can help organizations protect their intellectual property and sensitive data as the complexity and volume of attacks continues to grow. We do not promise a sense of zen, but Triumfant sure can help protect you against whatever new attacks created to evade your defenses.  And just maybe you will find just a little more peace along the way.