How I get past your antivirus

So how does malware evade detection when starting new rogue processes? Easy—it directly attacks the operating system’s kernel […] The Windows OS internally maintains an array of callback objects with the starting address of PspCreateProcessNotifyRoutine. […] Unsurprisingly, we have discovered malware that uses this implementation by accessing the PspCreateProcessNotifyRoutine (internal pointer) in order to remove all registered callbacks. Once the malware has removed the AV security suite callbacks, it is free to create and terminate processes at will without any pesky security software interference […] And that’s it. The rest of this exploit is trivial. Just walk the PspCreateProcessNotifyRoutine pointer and NULL out all callback objects… Any enterprise or consumer security suite that uses this technique for monitoring process activity can be easily circumvented—a big win for the malware authors.

– from How Advanced Malware Bypasses Process Monitoring, Fireeye.com.
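To make the excerpt concrete, here is an added example (written for this page, not FireEye's code and not Windows kernel code) that models the mechanism in user-mode C: a fixed-size array of process-creation callbacks, a monitor that registers into it, the "walk the array and NULL every slot" step the quote describes, and a snapshot comparison that a defender could use to notice the tampering. All names are hypothetical; the real PspCreateProcessNotifyRoutine array holds encoded callback references rather than raw function pointers, and removing them in a real kernel requires code already running in ring 0, which this model does not address.

```c
/* Added example: user-mode model of the kernel's process-notify callback
 * array. Illustrative only; it is not Windows kernel code and the names
 * below are hypothetical. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define MAX_CALLBACKS 8   /* assumed table size for the model */

typedef void (*process_notify_fn)(unsigned long parent_pid,
                                  unsigned long pid, int create);

/* Model of the PspCreateProcessNotifyRoutine array: one slot per callback. */
static process_notify_fn notify_routines[MAX_CALLBACKS];

/* Incremented by the "AV" callback so we can observe whether it ran. */
static int av_events_seen = 0;

/* The security product's callback: in a real driver this is where the
 * new process would be inspected and possibly blocked. */
static void av_process_notify(unsigned long parent_pid, unsigned long pid, int create)
{
    (void)parent_pid; (void)pid; (void)create;
    av_events_seen++;
}

/* Model of PsSetCreateProcessNotifyRoutine(fn, FALSE): take a free slot.
 * Returns the slot index, or -1 when the table is full. */
int register_notify(process_notify_fn fn)
{
    for (size_t i = 0; i < MAX_CALLBACKS; i++) {
        if (notify_routines[i] == NULL) {
            notify_routines[i] = fn;
            return (int)i;
        }
    }
    return -1;
}

/* Model of the kernel calling every registered callback on process creation. */
void notify_process_created(unsigned long parent_pid, unsigned long pid)
{
    for (size_t i = 0; i < MAX_CALLBACKS; i++)
        if (notify_routines[i] != NULL)
            notify_routines[i](parent_pid, pid, 1);
}

/* The step the FireEye excerpt describes: walk the array and NULL every slot.
 * Returns the number of callbacks removed. */
int null_out_all_callbacks(void)
{
    int removed = 0;
    for (size_t i = 0; i < MAX_CALLBACKS; i++) {
        if (notify_routines[i] != NULL) {
            notify_routines[i] = NULL;
            removed++;
        }
    }
    return removed;
}

/* Defensive check (this example's own idea): compare the live table with a
 * snapshot taken right after registration. Returns the number of slots that
 * differ; 0 means the table is intact. */
int count_tampered_slots(const process_notify_fn *snapshot)
{
    int tampered = 0;
    for (size_t i = 0; i < MAX_CALLBACKS; i++)
        if (notify_routines[i] != snapshot[i])
            tampered++;
    return tampered;
}

/* Runs the whole scenario. Returns how many process events the AV saw
 * AFTER the table was nulled out (expected: 0). */
int run_scenario(int *removed_out, int *tampered_out)
{
    memset(notify_routines, 0, sizeof notify_routines);
    av_events_seen = 0;
    register_notify(av_process_notify);

    process_notify_fn snapshot[MAX_CALLBACKS];
    memcpy(snapshot, notify_routines, sizeof snapshot);

    notify_process_created(4, 1234);          /* the AV sees this one */
    int before = av_events_seen;

    *removed_out = null_out_all_callbacks();  /* "malware" blinds the AV */
    notify_process_created(4, 5678);          /* the AV does not see this one */
    *tampered_out = count_tampered_slots(snapshot);

    return av_events_seen - before;
}

int main(void)
{
    int removed = 0, tampered = 0;
    int seen_after = run_scenario(&removed, &tampered);
    printf("callbacks removed: %d, events seen after tampering: %d, "
           "slots changed vs snapshot: %d\n", removed, seen_after, tampered);
    return 0;
}
```

The point of the snapshot check is that a product relying solely on a callback it registered once has no way to learn that the callback is gone; something has to re-verify the registration, or the OS has to protect the table, for the "big win" in the excerpt to be denied.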


Fake antivirus for mobile devices

They are the next, or rather the current, frontier of malware: pop-up ads that appear on tablets and smartphones while browsing the web and pass themselves off as infection warnings, inviting you to tap them and buy the antivirus that will magically fix the problem (which does not actually exist).

Brian Krebs: Beware Scare Tactics for Mobile Security Apps