KHOBE, which stands for kernel hook bypassing engine, was discovered by the security research group Matousec on May 5th, 2010. The discovery led to a firestorm of media attention, with various experts either proclaiming how serious and dire the threat was or denouncing it entirely. Both sides raise legitimate points, but context is critical to understanding how the research affects enterprises.
The reality is that while similar attack techniques have been reported before, the KHOBE attack technique is an improvement on the prior attacks (mentioned by ESET in a recent blog post). In this tip, we'll explain what you as an enterprise security pro should learn from KHOBE, and how to make sure attackers can't use the KHOBE technique to exploit your organization.
KHOBE Attack explained
The KHOBE attack is essentially a classic time-of-check-to-time-of-use (TOCTOU) race condition: the security software running on the host scans the code or data and finds it safe, but before that data is used or the code is executed, malicious code is swapped in and runs without ever having been checked. In the KHOBE attack, malware already running on the system passes innocuous code to the host security software to be scanned, and after that check completes, the initial malware executes the KHOBE technique to run malicious code in place of the innocuous code, for example installing any variety of malware or a rootkit to take over the system.
</gml_replace>
<gr_replace lines="7-7" cat="clarify" orig="The KHOBE technique enables">
The KHOBE technique performs this code swap using a kernel hook to directly manipulate the kernel data (or user data) used to execute software. A kernel hook is a way to take control over code execution on a Windows operating system (unsupported by Microsoft since the introduction of PatchGuard in Windows Vista), and it is used by the software Matousec lists as vulnerable. A kernel hook bypass inserts itself into the code-execution path and takes that control away from the hook. The underlying race condition is that the security software assumes the code it checked for malicious behavior is the code that will run, unchanged, once execution proceeds; with the KHOBE technique that assumption no longer holds. Matousec reports that Windows XP and Windows 7 are vulnerable and that a long list of security software is affected, primarily host intrusion prevention systems (HIPS) and some antimalware software.
The KHOBE technique enables this code swap using a kernel hook to directly manipulate kernel data (or user data) used for execution of software. A kernel hook is a way (unsupported by Microsoft since the introduction of Patchguard in Windows Vista) to get control over the execution of code on a Windows operating system, and is used by the software Matousec lists as vulnerable. A kernel hook bypass inserts itself into the code-execution process to change the control over the code execution. The issue with the race condition is the security software assumes that once it checks the potentially malicious code to see if it is indeed malicious, the code it checked will be the code that runs, and it won't be changed before it is executed; with the KHOBE technique that's not the case. Matousec reports Windows XP and Windows 7 are considered vulnerable, and a long list of security software are affected, primarily host intrusion prevention systems (HIPS) and some antimalware software.
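A user-mode model of the race just described, written as an added example and not taken from the Matousec research or any vendor's code. The "hook" checks a buffer the caller owns, a writer changes that buffer between the check and the use (a callback stands in for the concurrent thread so the outcome is deterministic), and the hardened version snapshots the argument before checking it and dispatches only the snapshot, which is the general fix for this class of check-then-use bug. The policy, the marker and the buffer contents are constructed for the example.

```python
from collections.abc import Callable
from typing import Optional

# Constructed stand-in for the HIPS policy: anything carrying this marker is
# treated as the malicious code the hook is supposed to block.
BLOCKED_MARKER = b"DROP_ROOTKIT"


def policy_allows(payload: bytes) -> bool:
    """The security software's check (constructed for the example)."""
    return BLOCKED_MARKER not in payload


def swap_in_marker(caller_buffer: bytearray) -> None:
    """Writer that changes the caller-owned buffer inside the race window.
    A callback replaces a real thread so the result is reproducible."""
    caller_buffer[:] = BLOCKED_MARKER


def leave_alone(caller_buffer: bytearray) -> None:
    """Benign caller: nothing changes between check and use."""


def vulnerable_dispatch(caller_buffer: bytearray,
                        during_window: Callable[[bytearray], None]) -> Optional[bytes]:
    """Check-then-use on the *same* caller-owned memory. The check passes on
    one content and the kernel (the returned bytes) sees whatever is there later."""
    if not policy_allows(bytes(caller_buffer)):
        return None                      # blocked at check time
    during_window(caller_buffer)         # time between check and use
    return bytes(caller_buffer)          # what actually gets executed


def hardened_dispatch(caller_buffer: bytearray,
                      during_window: Callable[[bytearray], None]) -> Optional[bytes]:
    """Snapshot first, check the snapshot, use the snapshot. The caller can
    still rewrite its own buffer, but that memory is never what is dispatched."""
    snapshot = bytes(caller_buffer)      # immutable private copy
    if not policy_allows(snapshot):
        return None
    during_window(caller_buffer)         # same window, now harmless
    return snapshot


if __name__ == "__main__":
    original = b"benign program"
    print("vulnerable:", vulnerable_dispatch(bytearray(original), swap_in_marker))
    print("hardened:  ", hardened_dispatch(bytearray(original), swap_in_marker))
```

The same principle applies to any hook that validates caller-supplied arguments: validate a private copy and act on that copy, never on memory the caller can still write to.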
However, it's important to note that malware must already be running on the target system for the KHOBE technique to execute an effective kernel hook bypass. The KHOBE attack method also requires a sizable piece of code to work; it most likely could not fit in the shellcode delivered by an exploit, but it could be bundled with other malware. As we'll cover in a moment, this is why KHOBE's detractors say its relevance is limited: it depends on other exploits and by itself is of little use to an attacker.
Security threats from the KHOBE attack technique
While some may argue otherwise, the KHOBE attack technique poses a significant security risk; the key qualifier is that code already needs to be running on the system before the kernel hook bypass can be used. One of the biggest threats is that a KHOBE-style attack could be paired with a zero-day exploit that bypasses host antimalware or other security software, after which KHOBE could be used to do further damage. This general pattern is fairly common: an initial exploit loads additional malware to fully take over the system. The KHOBE technique is not the only way to carry out this type of attack, though; KHOBE just happens to be the newest way.
The real-world implications of the KHOBE attack technique are minimal at this time, but it is certainly conceivable that an attacker could pair KHOBE with a zero-day attack to exploit any vulnerable software applications. Since the KHOBE attack is now much better known, it could even be included in more general attack toolkits or scripted attacks, which would elevate the priority of deploying patches to mitigate a potential attack.
KHOBE attack technique: Enterprise defense strategy
The enterprise defense strategy for the KHOBE attack technique is fairly straightforward at this point, since KHOBE is still a proof-of-concept and hasn't been observed in the wild yet. You should follow your standard antimalware protection strategy and update your antimalware software as soon as an update is released.
For other security software, you may want to investigate the vulnerability of your software in more depth, especially if you don't have other antimalware software protecting your system. For example, if you use a HIPS that is vulnerable and also run other antimalware software, the HIPS could be disabled while your system remains protected by the antimalware software. So, given that the antimalware software is still protecting your system, you may not need to immediately deploy the update for your HIPS software. Antimalware companies are also releasing updated signatures to detect attacks using this technique, so that the KHOBE attack code cannot run on a host even if an initial exploit succeeds, and some software vendors are updating their products to stop using kernel hooks, which removes the vulnerability.
Despite what its detractors have said, the KHOBE attack technique is an important one that Windows-centric enterprises should be aware of, and one that vendors of vulnerable security software should quickly patch. Enterprises and vendors alike should ensure their security software is not vulnerable and still provides protection, but the KHOBE attack technique in and of itself poses minimal threat of widespread attacks.
About the author:
Nick Lewis (CISSP, GCWN) is an information security analyst for a large public Midwest university, responsible for its risk management program; he also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and his degree in Telecommunications from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.
This was first published in July 2010