Q&A - From The Labs

Malware Trivia: Episode 10

More device drivers, collective intelligence and wireless security

Hello and welcome to the “anniversary” issue of the Malware Trivia. Now that we have reached 10 sessions of questions and answers with the Malware City fans, it’s time we dug deeper into the ins and outs of operating system security.

Will you please explain what kernel patch protection is? – Question asked by Jeet.

Kernel patch protection is a security feature that has been implemented across the 64-bit family of Windows® operating systems starting with Windows XP. Because the kernel is the most important part of an operating system and has the power to control all other software running on top of it, the OS vendor added kernel patch protection (also known as PatchGuard) to ensure its integrity.

In order to understand what kernel patch protection is, I should first explain what kernel patching is. As mentioned above, the kernel is a special area of the OS that runs with the highest privileges. However, the kernel is not alone: it is accompanied by device drivers that run with roughly the same privileges as the kernel itself, which means that a system driver can modify (patch, or “hook into”) the kernel. Antivirus vendors have frequently used this approach to intercept system calls in order to block the execution of malicious applications. Malware (rootkits, for instance) uses the same technique to conceal other malicious applications from the user or from the operating system itself. Incorrect patching of the Windows kernel not only involves serious security risks, but also affects the reliability and stability of the operating system, often resulting in system crashes and the appearance of the Blue Screen of Death (BSoD).

Kernel Patch Protection is a safety mechanism that only works on 64-bit architectures and ensures that the kernel and the subsystems it uses remain unmodified. The modifications it watches for include, but are not limited to, changes to the system service tables, changes to the descriptor tables and changes to the hardware abstraction layer subsystem. Once Kernel Patch Protection detects that the kernel has been subverted, it simply triggers a shutdown procedure.
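As an added illustration, not code from the article and not anything resembling the real PatchGuard implementation: a user-mode Python model in which a list of handlers stands in for the system service table, a driver-style hook replaces one entry (the same interposition an antivirus filter or a rootkit performs), and an integrity check compares a fingerprint of the table against the known-good baseline and halts when they differ. All function names and behaviours are made up for the model.

```python
"""Added example: a user-mode model of kernel patch protection.

A Python list of handlers stands in for the system service table,
hook_open_file() plays the role of a driver interposing on a service, and
patch_guard_check() is the integrity check: it fingerprints the table and
halts (raises BugCheck) when the fingerprint no longer matches the baseline.
"""
import hashlib


class BugCheck(Exception):
    """Stands in for the fatal stop the real mechanism raises on tampering."""


# Two stand-in system services (names and behaviour invented for the model).
def open_file(path):
    return f"open:{path}"

def read_file(handle, count):
    return f"read:{handle}:{count}"

SERVICE_TABLE = [open_file, read_file]


def table_fingerprint(table):
    """Hash the identity of every handler, so a swapped entry changes the digest."""
    digest = hashlib.sha256()
    for handler in table:
        digest.update(f"{handler.__module__}.{handler.__qualname__}\n".encode())
    return digest.hexdigest()

BASELINE = table_fingerprint(SERVICE_TABLE)  # snapshot taken while the table is pristine


def hook_open_file(table):
    """What an antivirus filter or a rootkit does: interpose on a service entry."""
    original = table[0]

    def interposed(path):
        if path.endswith(".exe"):
            return "blocked"      # the AV use case: deny a suspicious execution
        return original(path)

    table[0] = interposed


def integrity_ok(table, baseline=BASELINE):
    return table_fingerprint(table) == baseline


def patch_guard_check(table, baseline=BASELINE):
    """Periodic check: any deviation from the baseline is treated as subversion."""
    if not integrity_ok(table, baseline):
        raise BugCheck("kernel structure modified; halting system")
    return "ok"
```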

Can you please tell me how collective intelligence systems work and what their advantages are? – Question asked by Indranil.

Collective intelligence systems rely on the opinion of a pool of users (or on historic data coming from those users) to cast a verdict on a specific situation. At the moment, a variety of services rely on collective intelligence and historical data to catalogue data as positive or negative. This kind of community-driven information simply relies on the opinion of the pool of users. For instance, in the anti-malware industry, collective intelligence allows the users of a solution to label a file as clean or infected; the antivirus solution then weighs the users’ opinions on that file when issuing a verdict. If the majority says that the file is infected, the antivirus will take the appropriate measures and block the file, even if there is no specific signature or heuristic detection to address it.

The upside of using the community as a source of information is the detection of dangerous files even when they haven’t been analyzed in the labs, the ease of issuing signatures and the addition of an extra layer of protection to complement the signature base. The downside is the potential manipulation of the results, where the “bad guys” get to vouch for their own creations, thus preventing the antivirus solution from reliably identifying an e-threat.
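The weighting and the manipulation risk described above, as an added example that is not Bitdefender’s code: votes are weighted by the voter’s reputation, a verdict is issued only when the weighted majority is clear, and a “clean” verdict carried mostly by brand-new accounts is held back as suspected vote stuffing. The thresholds, the reputation model and the sample votes are all constructed for the example.

```python
"""Added example: a community-verdict model with a manipulation check.

Each vote is weighted by the voter's reputation; a verdict is issued only when
the weighted majority is clear, and a "clean" verdict carried mostly by brand-new
accounts is held back as suspected vote stuffing. Thresholds and vote data are
constructed for the example.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Vote:
    user: str
    label: str             # "clean" or "infected"
    reputation: float      # 0.0..1.0, earned by past agreement with lab verdicts
    account_age_days: int


MIN_TOTAL_WEIGHT = 2.0     # too little reputation behind the votes: no verdict
DECISION_MARGIN = 0.7      # weighted share one label must reach
NEW_ACCOUNT_DAYS = 7
SUSPECT_NEW_SHARE = 0.5    # a "clean" side dominated by new accounts is suspect


def new_account_share(votes: list[Vote], label: str) -> float:
    side = [v for v in votes if v.label == label]
    if not side:
        return 0.0
    return sum(v.account_age_days < NEW_ACCOUNT_DAYS for v in side) / len(side)


def verdict(votes: list[Vote]) -> str:
    """Return "clean", "infected", "suspicious" or "unknown" for one file."""
    weights = Counter()
    for v in votes:
        weights[v.label] += v.reputation
    total = sum(weights.values())
    if total < MIN_TOTAL_WEIGHT:
        return "unknown"          # fall back to signatures and heuristics
    label, weight = weights.most_common(1)[0]
    if weight / total < DECISION_MARGIN:
        return "unknown"
    if label == "clean" and new_account_share(votes, "clean") > SUSPECT_NEW_SHARE:
        return "suspicious"       # likely the "bad guys" vouching; send to the lab
    return label


# Constructed sample votes: an honest pool, and the same pool plus sock puppets.
HONEST = [Vote("alice", "infected", 0.9, 400), Vote("bob", "infected", 0.8, 250),
          Vote("carol", "clean", 0.3, 30)]
STUFFED = HONEST + [Vote(f"sock{i}", "clean", 0.5, 1) for i in range(8)]
```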

How can I use access points without giving away all my credentials to some hacker with packet sniffing tools? Is it safe to check mail, banking sites etc.? – Question asked by Jeet.

Wireless security is a growing concern among tech-savvy users, since access points are present nearly everywhere in urban areas. Sometimes web surfing goes on without incident, but at other times one may find that personal information has been eavesdropped on over an unencrypted connection. That is why we strongly recommend that users avoid sending account information over unencrypted (“open”) hotspots such as those in coffee shops, airports, malls etc. Always use the cabled alternative if available (e.g. in hotel rooms and lounges) and keep the amount of sensitive information sent to a minimum: do not connect to instant messaging services, as they usually send login information and conversations in plain text, and – most importantly – do not perform any task related to e-banking. Always remember that your e-banking credentials can fall into the wrong hands or, worse, your banking session can be exposed to a real-time man-in-the-middle attack.

Also, if you frequently tap into open Wi-Fi networks, you should consider getting an antivirus solution with a firewall, since attackers aren’t exclusively focused on sniffing traffic, but might also try to access the resources you have shared with your desktop PC or workplace network.

About the author
Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.