Layered defense is not enough
By Dean Wilson
Security firm Bromium Labs has discovered a way to use an old Windows kernel exploit to bypass popular anti-malware and other security software.
The method, known as Layer on Layer (LOL) attacks, allow hackers to bypass multiple layers of security in one fell swoop, without anyone being the wiser.
The technique affects application sandboxes, anti-virus software, rootkit detectors, host-based intrusion prevention systems (HIPS), Enhanced Mitigation Experience Toolkit (EMET), and Supervisor Mode Execution Prevention (SMEP), even if they are stacked upon one another. The exploit will either disable them or bypass them completely.
The attack takes advantage of the EPATHOBJ Windows kernel vulnerability, which was discovered last year and largely ignored.
Exploiting the vulnerability gives a hacker system privileges, allowing them to turn off or otherwise disrupt security. Malware can then be run freely. Worse yet, the hacker goes unnoticed.
Kernel integrity
Bromium will showcase its findings at Infosecurity Europe and BSides London, with a demonstration of how the exploit works.
The firm states that even layered approaches to security, advocated by many top security professionals, have weaknesses. It says that virtually all endpoint technologies are reliant on the integrity of the kernel.
“While many were aware of the discovery of the TDL4 rootkit rumoured to be using kernel exploit code at the end of last year, few paid it any serious attention. And that was a huge error of judgement,” said Rahul Kashyap, Head of Security Research at Bromium.
“We discuss that such vulnerabilities can prove lethal to enterprise security and likely go unnoticed for a long periods of time. By simply ‘tweaking’ the exploit, we found we could bypass all the different layers of security software that an enterprise might deploy on an end user machine.”
Bromium believes many more zero-day vulnerabilities exist in the millions of lines of code in the Windows kernel.