A bug in the Windows kernel made the news last week: it can reportedly feed anti-virus (AV) and other security software an incorrect file name for a newly loaded executable, which may let malware escape detection by products that trust that name. All versions of Windows since Windows 2000 are reportedly affected.
The programming error lies behind the kernel Application Programming Interface (API) PsSetLoadImageNotifyRoutine. A driver calls it to register a callback, and the kernel then invokes that callback, handing it the image's file name, each time an executable image is loaded or mapped into memory: a driver being loaded, a process's main executable being mapped, or a DLL being mapped into a process. Executable images on Windows are Portable Executable (PE) files (.exe, .dll, .sys), the same format most Windows malware ships in, so a load-image callback sees every PE that enters memory. That made it one of the mechanisms security solutions integrate to check for malicious code.
Omri Misgav, the security researcher who uncovered the bug, said that an attacker can trigger the error so that the callback registered through PsSetLoadImageNotifyRoutine receives an invalid image name. Malware can in turn bypass AV solutions or similar security mechanisms that rely on that name: the module actually loaded is disguised under a legitimate-looking path.
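The practical consequence for anyone who writes a load-image callback is that the reported name should not be the only input to a verdict. The following is an added example, not code from the article, from enSilo or from Microsoft: a minimal kernel-mode driver whose callback, when the kernel supplies an IMAGE_INFO_EX (Vista and later), queries the path of the file object actually being mapped and bases its decision on that path, logging any disagreement with the reported name. It builds with the Windows Driver Kit and links fltmgr.lib for FltGetFileNameInformationUnsafe; it cannot run in user mode. The allowlist directory and the helper names (QueryMappedFileName, LoadImageNotify) are assumptions chosen for the example, not product policy, and the cross-check is a general hardening step rather than a fix the article describes.

```c
/*
 * Added example (not from the article, enSilo or Microsoft): a load-image
 * callback that verifies the reported image name against the file the
 * kernel is really mapping. Build with the WDK, link fltmgr.lib.
 * g_TrustedDir and the helper names are assumptions for this example.
 */
#include <ntddk.h>
#include <fltKernel.h>

/* Constructed allowlist: treat only images mapped from this directory as
 * "trusted" for the purpose of the demonstration. */
static const UNICODE_STRING g_TrustedDir =
    RTL_CONSTANT_STRING(L"\\Device\\HarddiskVolume1\\Windows\\System32\\");

/* Resolve the normalized path of the file the kernel is actually mapping.
 * Image-load callbacks run at PASSIVE_LEVEL, so the filter-manager query is
 * allowed here. The caller releases *NameInfo with FltReleaseFileNameInformation. */
static NTSTATUS
QueryMappedFileName(_In_ PFILE_OBJECT FileObject,
                    _Outptr_ PFLT_FILE_NAME_INFORMATION *NameInfo)
{
    PAGED_CODE();
    return FltGetFileNameInformationUnsafe(
        FileObject,
        NULL,
        FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
        NameInfo);
}

static VOID
LoadImageNotify(_In_opt_ PUNICODE_STRING FullImageName,
                _In_ HANDLE ProcessId,
                _In_ PIMAGE_INFO ImageInfo)
{
    PIMAGE_INFO_EX infoEx;
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    NTSTATUS status;
    BOOLEAN namesAgree;
    BOOLEAN trusted;
    UNICODE_STRING none = RTL_CONSTANT_STRING(L"<null>");
    /* FullImageName is documented as optional; never dereference it blindly. */
    PUNICODE_STRING reported = (FullImageName != NULL) ? FullImageName : &none;

    PAGED_CODE();

    /* Kernel-mode images (drivers) are left to a separate policy. */
    if (ImageInfo->SystemModeImage) {
        return;
    }

    /* Without the extended record there is no FILE_OBJECT to check against,
     * so the reported name cannot be verified: do not trust it. */
    if (!ImageInfo->ExtendedInfoPresent) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
                   "pid %p: %wZ loaded, name unverified (no IMAGE_INFO_EX)\n",
                   ProcessId, reported);
        return;
    }

    infoEx = CONTAINING_RECORD(ImageInfo, IMAGE_INFO_EX, ImageInfo);
    status = QueryMappedFileName(infoEx->FileObject, &nameInfo);
    if (!NT_SUCCESS(status)) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_WARNING_LEVEL,
                   "pid %p: %wZ loaded, backing file query failed 0x%08X\n",
                   ProcessId, reported, status);
        return;
    }

    /* Paths legitimately arrive in several spellings (\Device\..., \??\C:\...,
     * \SystemRoot\...), so a plain compare can disagree for benign reasons;
     * a product would normalize both first. The decision below therefore
     * uses the queried path and only logs the disagreement. */
    namesAgree = (FullImageName != NULL) &&
                 RtlEqualUnicodeString(FullImageName, &nameInfo->Name, TRUE);
    trusted = RtlPrefixUnicodeString(&g_TrustedDir, &nameInfo->Name, TRUE);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
               "pid %p: reported %wZ, mapped %wZ, agree=%u, trusted=%u\n",
               ProcessId, reported, &nameInfo->Name, namesAgree, trusted);

    FltReleaseFileNameInformation(nameInfo);
}

static VOID
DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsRemoveLoadImageNotifyRoutine(LoadImageNotify);
}

NTSTATUS
DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    return PsSetLoadImageNotifyRoutine(LoadImageNotify);
}
```

The point of the design is that the FILE_OBJECT in IMAGE_INFO_EX is the section the kernel is mapping, so a path derived from it reflects what is really entering memory, whereas FullImageName is a string the kernel reports about that event. A verdict keyed on the queried path, with the reported name kept only for logging and correlation, is what removes the dependency this bug exposes. Where the extended record is absent, the example deliberately records the load as unverified rather than treating the name as good.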
While the error in the API could be abused to bypass AV solutions and host-based intrusion detection, Misgav told Bleeping Computer that they haven’t tested any specific security software against the bug. “We are aware that some vendors do use this mechanism, however at this point in time we cannot say if and how the use of the faulty [PsSetLoadImageNotifyRoutine] information affects them.”
“We [also] contacted MSRC [Microsoft Security Response Center] about this issue at the beginning of this year,” Misgav added, “They did not deem it as a security issue.”
Trend Micro is aware of the Windows kernel error reported to Microsoft by enSilo. The kernel bug does not affect any of Trend Micro’s proactive and defensive security solutions; supported Trend Micro products do not rely on the API involved. Trend Micro has its own implementation for monitoring behavior and logging events. Our behavior-monitoring technology helps in reporting system events of interest to other modules, and is used to augment Trend Micro’s solutions. More information about the issue can be found in this technical advisory.