Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bug In Windows Kernel Could Prevent Security Software From Identifying Malware (bleepingcomputer.com)

Posted by BeauHD on from the security-issues dept.

An anonymous reader writes: "Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime," reports Bleeping Computer. "The bug affects PsSetLoadImageNotifyRoutine, one of the low-level mechanisms some security solutions use to identify when code has been loaded into the kernel or user space. The problem is that an attacker can exploit this bug in a way that PsSetLoadImageNotifyRoutine returns an invalid module name, allowing an attacker to disguise malware as a legitimate operation. The issue came to light earlier this year when enSilo researchers were analyzing the Windows kernel code. Omri Misgav, Security Researcher at enSilo and the one who discovered the issue, says the bug affects all Windows versions released since Windows 2000. Misgav's tests showed that the programming error has survived up to the most recent Windows 10 releases." In an interview, the researcher said Microsoft did not consider this a security issue. Bug technical details are available here.

8 of 75 comments (clear)

  1. That's Because by Anonymous Coward · · Score: 2, Funny

    It is the malware.

  2. Windows is full of old bugs by Anonymous Coward · · Score: 5, Interesting

    Microsoft has never bothered to fix anything to do with Unicode search, either. Try this out at home, kids:

    • paste "Español" into a Notepad window and save it into Unicode, Unicode big-endian, UTF-8 and ANSI text files.
    • Try using Windows Explorer to search for Español in that folder - no matches.
    • Open a Command Prompt and run: findstr "Español" *.txt - no matches.
    • Open a Command Prompt and run: find "Español" *.txt - at least it finds the Unicode little-endian file.

    It's been this way since Microsoft introduced UCS-2 in Windows NT4 and UTF-16 in Windows 2000. They don't consider it a bug so they won't acknowledge it requires a fix.

    1. Re: Windows is full of old bugs by cyber-vandal · · Score: 2

      Por favor, suba un incidente de Jira?

    2. Re: Windows is full of old bugs by Entrope · · Score: 2, Insightful

      It takes Microsoft-class, Apple-style courage to rename "grep" to "select-string-path" and call the result a PowerShell.

  3. Just dreaming. by Gravis+Zero · · Score: 2, Interesting

    If only there was some way that programs from around the globe could review the kernel of an operating system. No wait, we could expand it to all software and make it some sort of hub for getting software. Oh well, I guess it's one of those impossible things that will never happen. ;)

    --
    Anons need not reply. Questions end with a question mark.
  4. This is not a bug by mea2214 · · Score: 3, Insightful

    Someting that doesn't allow third party anti virus software to detect malware is a feature.

  5. Duh by Kuruk · · Score: 2

    Isnt that 101 malware. Hide for virus protection software.

  6. It's "fixed" with Powershell by The+MAZZTer · · Score: 3, Insightful

    Command Prompt has always been about legacy support. For modern terminal support Microsoft offers Command Prompt... which passes your test find using Select-String. The only variant it fails on is ANSI but I suspect that file did not save properly... I opened it in a few apps and the ñ had been lost.

    PS C:\Users\mzzt\Desktop> Select-String

    cmdlet Select-String at command pipeline position 1
    Supply values for the following parameters:
    Pattern[0]: Español
    Pattern[1]:
    Path[0]: *.txt
    Path[1]:

    Unicode big endian.txt:1:Español
    Unicode.txt:1:Español
    UTF-8.txt:1:Español