New Windows Code Injection Attack

Wednesday, November 2, 2016 @ 11:11 AM gHale


There is a code injection technique attackers can use against all Windows versions without triggering current security solutions, researchers said.

The technique, called AtomBombing, exploits the operating system’s atom tables, said researchers at enSilo.

“The underlying Windows mechanism which AtomBombing exploits is called atom tables,” Liberman said. “These tables are provided by the operating system to allow applications to store and access data. These atom tables can also be used to share data between applications.”

“What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table,” he said. “We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.”

Depending on the process into which it is injected, the malicious code could allow attackers to take screenshots, access encrypted passwords, or perform Man in the Browser (MitB) attacks.

“Being a new code injection technique, AtomBombing bypasses AV, NGAV and other endpoint infiltration prevention solutions,” Liberman said.

“Once a code injection technique is well-known, security products focused on preventing attackers from compromising the endpoints typically update their signatures accordingly,” he said.

There is no effective way to patch this hole, as AtomBombing relies on legitimate operating-system functionality rather than a vulnerability. The only remedy is for security products to monitor API calls for malicious activity.
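The three-step pattern Liberman describes (one process writes into the atom table, a different process reads the entry back, then that process runs the retrieved bytes) is what API-call monitoring would have to correlate. The following detection sketch is an added example, not enSilo's code or any product's logic: it runs over constructed telemetry whose format (pid, Win32 API name, argument string) is an assumption, and it only alerts when a cross-process atom read is followed by the reader making memory executable, because atom tables are also shared legitimately (window classes, DDE) and a cross-process read on its own would be noisy.

```python
from collections import namedtuple

Event = namedtuple("Event", "pid api arg")

# Constructed sample telemetry (assumed sensor format). Atom strings are
# shown as the resolved name; a real sensor would see the numeric ATOM id.
EVENTS = [
    Event(1001, "GlobalAddAtom", "atom:payload-1"),          # writer
    Event(2002, "GlobalGetAtomName", "atom:payload-1"),      # different pid reads it
    Event(2002, "VirtualProtect", "PAGE_EXECUTE_READWRITE"),  # reader makes memory executable
    Event(3003, "GlobalAddAtom", "atom:window-class"),
    Event(3003, "GlobalGetAtomName", "atom:window-class"),   # same pid: benign use
    Event(4004, "GlobalGetAtomName", "atom:payload-1"),      # cross read, never executes
]

# APIs that can turn a region executable; the argument is checked for an
# EXECUTE protection constant.
EXEC_APIS = {"VirtualProtect", "VirtualAlloc", "VirtualProtectEx"}


def find_atom_injection(events):
    """Return (writer_pid, reader_pid, atom) triples matching the pattern.

    Correlation is per atom name: remember who added it, note any read by a
    different process, and alert when that reader next requests executable
    memory. Same-process add/read pairs and reads with no execute step are
    left alone.
    """
    writers = {}       # atom name -> pid that added it
    pending = {}       # reader pid -> (writer pid, atom name)
    alerts = []
    for ev in events:
        if ev.api == "GlobalAddAtom":
            writers[ev.arg] = ev.pid
        elif ev.api == "GlobalGetAtomName":
            writer = writers.get(ev.arg)
            if writer is not None and writer != ev.pid:
                pending[ev.pid] = (writer, ev.arg)
        elif ev.api in EXEC_APIS and "EXECUTE" in ev.arg and ev.pid in pending:
            writer, atom = pending.pop(ev.pid)
            alerts.append((writer, ev.pid, atom))
    return alerts


if __name__ == "__main__":
    for writer, reader, atom in find_atom_injection(EVENTS):
        print(f"ALERT: pid {writer} staged {atom!r}; pid {reader} read it and mapped executable memory")
```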

The success of AtomBombing depends on attackers being able to trick users into running a malicious executable.