Thursday, December 7, 2017

New code injection method avoids malware detection on all versions of Windows

Presented at Black Hat Europe, a new fileless code injection technique has been detailed by security researchers Eugene Kogan and Tal Liberman. Dubbed Process Doppelgänging, commonly available antivirus software is unable to detect processes that have been modified to include malicious code.
The process is very similar to a technique called Process Hollowing, but software companies can already detect and mitigate risks from the older attack method. Process Hollowing occurs when memory of a legitimate program is modified and replaced with user-injected data causing the original process to appear to run normally while executing potentially harmful code.
Unlike the outdated hollowing technique, Process Doppelgänging takes advantage of how Windows loads processes into memory. The mechanism that loads programs was originally designed for Windows XP and has changed little since then.
To attempt the exploit, a normal executable is handed to the NTFS transaction and then overwritten by a malicious file. The NTFS transaction is a sandboxed location that returns only a success or failure result preventing partial operations. A piece of memory in the target file is modified. After modification, the NTFS transaction is intentionally failed so that the original file appears to be unmodified. Finally, the Windows process loader is used to invoke the modified section of memory that was never removed.
The following table shows the antivirus software tested by the researchers that is unable to block the exploit discovered.
ProductOperating SystemResult
Windows DefenderWindows 10Success
AVG Internet SecurityWindows 10Success
BitdefenderWindows 10Success
ESET NOD 32Windows 7 SP1Success
Symantec Endpoint ProtectionWindows 7 SP1Success
McAfee VSE 8.8 Patch 6Windows 7 SP1Success
Kaspersky Endpoint Security 10Windows 7 SP1Success
Kasperksy Antivirus 18Windows 7 SP1Success
Symantec Endpoint Protection 14Windows 7 SP1Success
PandaWindows 8.1Success
AvastWindows 8.1Success
It should be noted that Windows 10 Fall Creators Update originally appeared to fix the issue since the duo presenting were unable to perform the exploit on the latest version. When attempting the exploit, a stop error otherwise known as the blue screen of death occurs. Not a desirable effect, but better than ending up with an infected machine.
However, later updates apparently allowed for the exploit to work again even on the latest patches of Windows 10. Due to the nature of the exploit, Microsoft will have its work cut out to update a core feature that helps preserve software compatibility. Antivirus vendors should be able to push out updates to detect and prevent Process Doppelgänging within the coming weeks.


via Techspot

 
Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes