Death of antivirus software imminent

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Jan 4 08:57:27 EST 2008


dan at geer.org writes:

>Second, as soon as one of these guys figures out how to hook the memory
>manager (which may already have happened),

It's been done for a while by various rootkits.  The first AFAIK was
ShadowWalker, which marked pages to be hidden as non-present and used a custom
page fault handler to allow it to slip in whatever it wanted the victim to
see.

>then the ability to find the otherwise in-core-only malware goes away as your
>act of scanning memory will be seen by the now-corrupted memory manager and
>the malware will be thus relocated as you search such that you are playing
>blindman's bluff without knowing that you are.

There's a large number of variants of this sort of thing.  Some of the most
deviously elegant rootkits use anti-anti-virus scanners to detect antivirus
software from underneath before the AV software detects it.  They then either
de-fang the AV software in some way, or unhook themselves until the AV scan
has passed.  One neat trick used by... ah, forgotten the particular malware,
but it swaps the handle of the process the AV software is trying to terminate
and the AV software itself, so the AV program ends up terminating itself.

There's lots more like this.  You name it, they've done it.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com