A new attack tactic has been discovered that bypasses the protection of many antivirus applications running on Windows.
Researchers at Matousec.com have identified how hackers could exploit most Windows security software through its kernel driver hooks. Security software such as antivirus applications uses kernel driver hooks to reroute Windows system calls through its own code, so that anything potentially malicious can be checked before it executes. The attack targets the gap between that check and the actual execution: it swaps out the safe code (already given the go-ahead by the security software) for malicious code, which then runs with the check already passed.
The fine details of this switch attack are outlined in a paper written by Matousec and posted on their website. Reportedly, several Windows desktop security applications, including those from McAfee, BitDefender, Sophos and even Symantec, could be exploited using this argument-switch tactic. You can think of it as the security software being the FBI on the lookout for a male terrorist wearing a baseball cap at a baseball game. The FBI can be looking the terrorist in the face and not even know it, because he has disguised himself as an ordinary spectator and so escapes their suspicion.
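The check-then-use window the article describes, as an added illustration that is not code from Matousec's paper or from any of the named products: a modelled security hook validates a caller-supplied argument and then hands the same buffer on, while the attacker's concurrent rewrite is replaced by a deterministic `between` callback so the outcome does not depend on thread timing. The "EVIL" marker, the buffer size and all function names are constructed for the example; the hardened form shows the usual fix of copying the argument into private memory before checking it.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed model of an argument-switch race: the attacker's second thread,
 * which rewrites the argument after the hook's check, is played by `between`.
 * Return codes: -1 blocked at the check, 0 safe content used, 1 unsafe used. */
#define ARG_MAX 32

/* Policy of the modelled hook: any argument containing "EVIL" is blocked. */
static bool content_is_safe(const char *arg) {
    return strstr(arg, "EVIL") == NULL;
}

/* The "switch": rewrite the shared buffer inside the check-to-use window. */
static void switch_argument(char *shared_arg) {
    strncpy(shared_arg, "EVIL-PAYLOAD", ARG_MAX - 1);
    shared_arg[ARG_MAX - 1] = '\0';
}

/* Vulnerable hook: checks the caller's buffer, then uses that same buffer. */
int hook_check_then_use(char *shared_arg, void (*between)(char *)) {
    if (!content_is_safe(shared_arg))
        return -1;
    if (between) between(shared_arg);          /* window the attacker races into */
    /* the real handler now consumes whatever shared_arg holds at this moment */
    return content_is_safe(shared_arg) ? 0 : 1;
}

/* Hardened hook: snapshot the argument into private memory, validate the
 * snapshot, and pass only the snapshot on. A later rewrite of the caller's
 * buffer can no longer change what was checked or what gets executed. */
int hook_copy_then_check(char *shared_arg, void (*between)(char *)) {
    char private_copy[ARG_MAX];
    strncpy(private_copy, shared_arg, ARG_MAX - 1);
    private_copy[ARG_MAX - 1] = '\0';
    if (!content_is_safe(private_copy))
        return -1;
    if (between) between(shared_arg);          /* same race, wrong buffer */
    return content_is_safe(private_copy) ? 0 : 1;
}

int main(void) {
    char arg[ARG_MAX] = "benign-request";
    printf("check-then-use: %d\n", hook_check_then_use(arg, switch_argument));
    strcpy(arg, "benign-request");
    printf("copy-then-check: %d\n", hook_copy_then_check(arg, switch_argument));
    return 0;
}
```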
Some experts and even security software vendors have downplayed the threat of an "argument-switch" attack. They are reluctant to treat it as a severe threat because they consider the attack very complicated and unlikely in the real world or in a widespread attack. Simply put, they believe this attack does not bypass security software or allow malware to run completely on its own. Supposedly, the conditions would have to be ideal, and the issue is linked only to certain features of security products.
On the flip side, an attack using the argument-switch tactic would be very difficult to stop. It would give hackers the upper hand in getting around the disk-based security provided by many AV applications. Alfred Huger, vice president of engineering at Immunet (a Palo Alto, California antivirus company), states, "If someone packages this into an easy-to-use library, I think it'll be in play pretty quickly, with widespread adoption."
Although researchers have concluded that antivirus software is not entirely defenseless against this type of attack, could this be the start of a new wave of attacks from hackers? Surely antivirus vendors will remedy such a vulnerability, or will the damage be done before some of them release a fix?