AtomBombing code injection technique affecting Windows

AtomBombing is the latest and apparently the greatest code injection technique.

Antivirus software applications are supposed to protect users from all sorts of malware and malware injections.

And while they do their job sufficiently well 99 percent of the time, that “one time” can really hurt the user.

How?

Well, let’s answer that question with two words (or maybe three):

New types of malware

Cyber security researchers have now exposed a recently discovered malware technique that differs from previous ones.

In other words, hackers have found a new way which allows nasty things like malware to inject more malware code right into the heart of other processes.

The worst part is that antivirus applications can't detect this type of malware.

In fact, most of the endpoint security systems can’t do so either.

So what is this new technique?

Ensilo, which is an endpoint security platform, put some of its researchers to work on this new malware.

They call the new technique AtomBombing.

Why is it called AtomBombing?

Because this new technique relies on mechanisms such as the Windows atom tables.

These atom tables aren't ordinary tables.

They are special.

And usually, all major operating systems provide such tables.

Applications use these atom tables to share data with other applications.

Hackers know this and abuse the mechanism to inject their code.

Moreover, this mechanism is present in almost all versions of Windows.

This malware injection method exploits what the experts call atom tables.

And because of the exploitation, the malware is able to bypass all security sandbox environments.

Hackers can then inscribe some really nasty malicious code right into a given atom table.

Then they force the targeted program to retrieve that malicious code.

For clarity’s sake, this exploit is not really based on any flaw.

But it does exist because of bad operating system design.

Tai, a researcher at Ensilo, says that what the firm found was that a threat actor could easily write malicious code into a given atom table.

Then he would force a given legitimate program to go and retrieve the injected malicious code from the same atom table.

Tai said his team also found that the legitimate program, which still had malicious code injected into it, is prone to more manipulation.

And hackers can take advantage of that to execute more malicious code.

What Is This Technique AtomBombing?

There are a total of three principal ways in which the technique AtomBombing works.

Readers can understand these three principles as three main stages.

  1. Write-What-Where: this is the stage where the AtomBombing technique writes arbitrary data to an arbitrary location in the target process's address space.
  2. Execute: this is the stage that hijacks a thread of the targeted process in order to execute the malicious code written in stage one.
  3. Restore: after the AtomBombing technique hijacks the thread, it cleans up after itself and restores the execution of the thread it hijacked in the previous stage.

As mentioned before, this is a new code injection technique.

And hence antivirus software applications don't really know how to handle it.

They can’t detect it and can’t identify it either.

This holds true for endpoint security systems as well.

Primarily though, we’re talking about security systems which are present in the wild.

Why can’t these security systems detect AtomBombing?

(Image caption: Hackers continue to improve. Consequently, security vendors have to do the same.)

Because it has a different base.

It works off a legitimate program.

And hence exploits totally harmless functionalities of the given operating system.

As mentioned before, the atom tables mechanism is present on all versions of Windows.

So it isn’t something that researchers can patch quickly.

More importantly, researchers can't come up with a fix because AtomBombing is not actually a full-blown vulnerability.

One of the security researchers at Ensilo told the media that the AtomBombing code injection technique was new.

And it had no trouble bypassing antivirus and other endpoint infiltration prevention solutions.

If you want to read more about the AtomBombing technique then you can go here and read the whole analysis.

What Are The Researchers Doing?

The Ensilo security research team has come up with a new method to leverage certain mechanisms that underlie the Windows operating system.

They can use this new method to inject malicious code that is considered valuable.

Readers should know that this AtomBombing technique is dangerous and affects some crucial areas of the operating system.

Hackers can use this new technique that is ingrained in the original design of the operating system and bypass all security solutions.

As of now, there aren’t any security solutions that can prevent such a malicious code infection.

Researchers have tested AtomBombing on the Windows operating system as well.

And they have found that it is quite difficult if not impossible to code a patch for this exploit.

Why Can’t Researchers Come Up With A Patch?

Because AtomBombing does not make use of any flawed or broken code.

It exploits the design on which the Windows operating system operates.

What Is Malicious Code Injection?

(Image caption: Security researchers can't come up with a patch for every code injection technique. AtomBombing is one of them.)

Hackers love code injection techniques, and that's why they have become so prevalent.

Cyber criminals use the technique in an attempt to inject malicious code and/or malware into legitimate programs.

This makes it very easy for them to bypass any and all security programs.

Moreover, they can operate undetected.

And the targeted user doesn’t even know that hackers are injecting the user’s machine with malware.

Using this technique, hackers can then steal sensitive information from the user’s system.

After that, hackers can also access information that is otherwise inaccessible to them.

Identifying Malicious Code Injections

Some Ensilo security researchers give an example: let's assume a hacker convinced a user to install some malware on the user's machine.

Let’s also assume, the user executed and ran the malicious code called evil.exe.

According to the researcher, any given reasonable security application or application level firewall would take care of such a threat.

In other words, if the user’s computer has a firewall installed on it, the firewall will block the evil.exe executable and any related communication.

Needless to say, if evil.exe wants to do any meaningful work it will have to find a way to overcome this blocking program.

In other words, it would have to find a new way in order to manipulate a legitimate program.

One of the legitimate programs that it could manipulate is the internet web browser.

If this malware gets hold of the internet browser, then it can communicate on behalf of the aforementioned evil.exe.

This is the reason why hackers value code injections.

Code injections provide these hackers with the new ability to bypass all the different security protocols.

This bypassing technique also allows hackers to get past process-level restrictions.

Using this technique, hackers can take screenshots and also send those screenshots back to their HQ.

This technique also allows hackers to carry out Man in the Browser cyber attacks.

Man in the Browser attacks require the hackers to modify the content that is displayed to the targeted user.

Hackers can then, potentially, also access passwords even when they are stored encrypted.

More Uses Of Code Injection Techniques

Cyber criminals along with malicious programs can also use techniques such as code injection to carry out other types of attacks.

Examples include:

  • Trojans that target banking institutions
  • More Trojans that attack other financial services and insurance companies

These Trojans are able to inject nasty malicious code right into the browser processes.

This allows hackers to not only monitor processes but also modify websites which are locally displayed.

Usually, these websites include banking websites.

Hackers can then steal sensitive login credentials along with payment card information.

They can also secretly trick the systems and redirect the transaction to their own accounts.

Hackers also use code injection techniques to bypass certain types of data restrictions.

Some data types are not available for everyone to see and access.

Hackers can use these new techniques to access that type of data as well.

As mentioned before, examples include hackers accessing encrypted passwords from other given applications.

And of course, screenshots.

Hackers can take screenshots just by using this new code injection technique.

These screenshots can include any type of content.

Nothing is off limits.

Hackers can take screenshots of the user's screen too, even if the malware process doesn't have the required privileges.

But endpoint security system products aren’t helpless.

Some have come up with mechanisms to protect their clients against several well-known malicious code injection techniques.

Different Injection Techniques And The Details

By now, we should all accept that code injection techniques are very helpful for hackers.

Hackers can use these new code injection techniques to do lots of interesting things.

Let’s take a look at some of them.

Hackers can bypass process level restrictions

Any process that is able to take screenshots of the user's desktop has to run within the context of the user's desktop.

Malware usually gets loaded into the service's desktop, not the user's.

This prevents the malware from carrying out its primary duty, which is to take screenshots.

However, code injection can solve this problem.

Malware code that is injected into a process is in great shape.

Why? Because the process is already running on the targeted user's desktop.

Hence taking screenshots and sending them back to the malware HQ within the service's desktop becomes an easy task.

Hackers can carry out Man in the Browser Cyber Attacks

Hackers can inject malicious code into an internet browser and then modify the content that is shown to the user.

If a user is going through a banking transaction, the banking website will always show the user the exact payment information entered before.

The banking site will also make use of confirmation screens to assist the user.

But when hackers modify the banking site's data, things change.

The banking site receives the wrong transaction information, and this information brings the hackers into the equation.

The hacker can then make the banking website send money to a different destination account, providing his/her own account number and possibly also specifying the amount.

The worst part about Man in the Browser attacks is that the customer is unaware of the proceedings while the money funnels out of the user's account.

In the end, the user can do very little to stop a Man in the Browser attack.

Hackers can access encrypted passwords

How does Google Chrome encrypt all of the user's stored passwords?

It uses the Windows Data Protection API. This API encrypts and decrypts data using key material derived only from the current user, and this is how it allows access to the user's passwords.

Under such a scenario, any malware that isn't running in the context of the current user can't access those encrypted passwords.

But with malware code injection, hackers can infect a process that already has the proper context.

And then they can see the current user's passwords in plain text and steal that sensitive information.


Some Past Examples Of Code Injection

We've mentioned several times that hackers love code injection techniques.

And in some sense, they have proliferated in the hacking world.

But, in terms of types, there are only a handful of code injection techniques.

If you want to read up on a list of code injection techniques, then go here.

Security researchers at Ensilo also found out that attackers had made use of another code injection technique:

PowerLoaderEx.

This powerful code injection technique allows hackers to inject code into a target process without writing any code or data into it to begin the injection.

But here is the problem for hackers:

Whenever a certain code injection technique rises to fame, security researchers get on it.

And then they focus all their energy on stopping hackers from making use of that technique.

In the process, security researchers have to protect endpoints from compromising situations.

This is how they improve the performance of security products such as Antivirus software and tools such as host intrusion prevention systems.

Consequently, good antivirus software applications update their virus signature database regularly.

Once hackers make a code injection technique known, security software can detect it.

And then they can mitigate it via updated code.

AtomBombing is a technique that can still bypass antivirus, NGAV and other endpoint infiltration prevention solutions.

But that doesn’t mean it will continue to do so indefinitely.

Let’s Talk About Mitigation

As mentioned before, hackers use the AtomBombing technique by exploiting some crucial underlying Windows operating system mechanisms.

They don’t really need to exploit the operating system itself.

In fact, they don’t make use of bugs or any other type of vulnerabilities.

As we have mentioned, security researchers can't fix the issue, because there is no patch for it.

So the only way to protect against AtomBombing is via direct mitigation.

That will come in the form of a deep dive into the relevant API calls.

Then one will need to monitor those APIs for any malicious activity.
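As an added example, not code from the article or from Ensilo, here is what monitoring those API calls for the three-stage pattern described above could look like over a constructed per-process API trace. The API names (GlobalAddAtom to stage data in the global atom table, NtQueueApcThread to make a thread in another process call GlobalGetAtomName, NtSetContextThread to redirect that thread) follow the public description of the technique and the trace format is invented for this example.

```python
# Added example (not from the article or Ensilo): flag the AtomBombing call
# pattern in a constructed API trace of the kind an endpoint sensor could emit.
# API names follow the public description of the technique and are assumptions;
# the line format "<pid> <tid> <api> key=value ..." is invented here.
STAGE_APIS = {"GlobalAddAtomW", "GlobalAddAtomA"}        # stage 1: write data
APC_APIS = {"NtQueueApcThread", "QueueUserAPC"}           # stage 2: force a call
HIJACK_APIS = {"NtSetContextThread", "SetThreadContext"}  # stage 2: redirect thread

# Constructed trace lines, not real telemetry.
SAMPLE_TRACE = [
    # pid 1200: legitimate use of the global atom table for IPC, no alert
    "1200 1204 GlobalAddAtomW string=DDEServerTopic",
    "1200 1204 GlobalGetAtomNameW atom=0xC123",
    # pid 3300: stages opaque data in the atom table, then reaches into pid 2048
    "3300 3304 GlobalAddAtomW string=<opaque-bytes>",
    "3300 3304 GlobalAddAtomW string=<opaque-bytes>",
    "3300 3304 NtQueueApcThread target_pid=2048 target_tid=2052 routine=GlobalGetAtomNameW",
    "3300 3304 NtSetContextThread target_pid=2048 target_tid=2052",
    # pid 2048: APC queued to one of its own threads, benign
    "2048 2052 QueueUserAPC target_pid=2048 target_tid=2060",
]


def parse_line(line):
    """Split one trace line into (pid, tid, api, {arg: value})."""
    pid, tid, api, *kv = line.split()
    args = dict(item.split("=", 1) for item in kv)
    return int(pid), int(tid), api, args


def detect_atombombing(trace):
    """Return {(source_pid, target_pid): severity}.

    'medium': a process wrote to the global atom table and then queued an APC
    into a different process (stages 1 and 2 of the technique).
    'high': the same source then also set the context of a thread in that
    target, a combination ordinary atom-table users have no reason to produce.
    """
    staged = set()  # pids that have written to the global atom table
    alerts = {}
    for line in trace:
        pid, _tid, api, args = parse_line(line)
        target = int(args.get("target_pid", pid))
        if api in STAGE_APIS:
            staged.add(pid)
        elif api in APC_APIS and pid in staged and target != pid:
            alerts.setdefault((pid, target), "medium")
        elif api in HIJACK_APIS and (pid, target) in alerts:
            alerts[(pid, target)] = "high"
    return alerts
```

Run `detect_atombombing(SAMPLE_TRACE)` to get `{(3300, 2048): "high"}`; the benign atom-table user and the in-process APC produce no alert.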

Security researchers would do well if they just take a step back for a moment.

And think about AtomBombing, which is now just another one of hundreds of tools in any hacker’s arsenal.

Hackers will continue to do what they do best:

Infiltrate and bypass security technologies such as antivirus, NGAV and of course HIPS.

They will use new tools as well as old tools.

Basically, hackers will do anything that lets them bypass these security software applications.

Some security analysts believe that there is a possible solution.

They say that the fact that a hacker doesn’t exploit any known software vulnerability is irrelevant.

And that, security vendors can still detect and then potentially block malicious payloads.

How Can Antivirus And Anti-Malware Software Help?


(Image caption: Users can improve their defenses by adopting better online computing habits.)

According to one security analyst, hackers can do two things in this scenario:

They can either forcefully execute the payload, or execute the payload via an illegal resource.

Then the payload moves forward to insert the malicious code into a genuine and legitimate application.

Security vendors might think this bodes trouble for their products, but this security analyst says otherwise.

He says that security solutions can still detect and block such malicious code.

How?

According to this security analyst, no new solution is needed.

Why?

Because security solutions usually monitor processes along with services through the entire duration of their execution life.

Conclusion

Of course, users still need antivirus and antimalware applications to deal with such code injection techniques.

Hackers will always make use of unknown as well as known code injection techniques.

Security products have to come up with better defenses.

And they will need to do so in newer situations.

Newer situations like this one: even if hackers have compromised a given environment, security products still need to block them from taking further advantage.

But there is no question that the first line of defense is good online computing habits on part of users.

That is what Microsoft says.

This is the best way to avoid malware infection.

Users should exercise extreme caution while clicking on random links that are present on most web pages.

They shouldn't open unknown files without scanning them first.

And more discretion is advised while accepting random file transfers.

One Microsoft representative said in an interview via email that code injection techniques can't do their job if malware doesn't compromise a system first.

For users, that is a good start.
