
KHOBE: Are you at risk? May 15, 2010

Posted by ibradsiblog in Uncategorized.

Just so you know before you start reading: this post is about computer security. If you find computer security boring, you may want to skip this post.

KHOBE, also known as Kernel Hooking Bypassing Engine, has been in the news many times recently. Although many of the headlines say this is a bypass of all AVs and that you are highly at risk, it's not as bad as you think. KHOBE is the result of a bug that was found in 1996, and to this day not one virus has tried to attack it, so basically KHOBE has been known for a while and no one cared that it was out there. Yes, a virus could possibly attack this vulnerability, but it does not instantly bypass all AV products. Like all malware, this attack follows the “it must execute to infect” pattern. So your AV is not worthless against this attack; it can still block it like all other malware.

So now just to recap what I already said:

  • Your Antivirus can still protect you as long as you keep it updated
  • This bug has been known for a while and nothing has attacked it; no one worried then, so no one should worry now
  • Programs that do not use SSDT hooks are not affected. Some vendors that have been using SSDT hooks are planning on removing them from future versions.
  • Most vendors that have this issue are already working on a fix.

For those of you who would like more info on this, here are some links that explain it in more detail:

matousec: http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php

ESET: http://www.eset.com/blog/2010/05/11/khobe-wan-these-arent-the-droids-youre-looking-for

GData Software: http://blog.gdatasoftware.com/overview/article/1654-khobe-no-problem.html

F-Secure: http://www.f-secure.com/weblog/archives/00001949.html


