How I fool the antivirus

So how does malware evade detection when starting new rogue processes? Easy—it directly attacks the operating system’s kernel […] The Windows OS internally maintains an array of callback objects with the starting address of PspCreateProcessNotifyRoutine. […] Unsurprisingly, we have discovered malware that uses this implementation by accessing the PspCreateProcessNotifyRoutine (internal pointer) in order to remove all registered callbacks. Once the malware has removed the AV security suite callbacks, it is free to create and terminate processes at will without any pesky security software interference […] And that’s it. The rest of this exploit is trivial. Just walk the PspCreateProcessNotifyRoutine pointer and NULL out all callback objects… Any enterprise or consumer security suite that uses this technique for monitoring process activity can be easily circumvented—a big win for the malware authors.

– from How Advanced Malware Bypasses Process Monitoring, Fireeye.com.
