Code Injection Technique ‘Process Doppelgänging’ Bypasses Security Software


Security experts found a code injection technique, Process Doppelgänging, which inserts an undetectable malware on all versions of the Windows OS.

Just when everyone had heaved a sigh of relief that the security issues of 2017 were over, a team of security experts found a new code injection technique named “Process Doppelgänging,” which allows hackers to bypass all security measures in any version of the Windows operating system.

The security experts are from a company named Ensilo. Tal Liberman and Eugene Kogan are the two researchers who have found this loophole, and they presented their findings at the recent Black Hat Europe 2017 Conference.

They explained that the loophole could allow any third party to gain access into the system, and any antivirus or antimalware program would never recognize the presence of the issue as it will look like a legitimate program.

Instead of allowing hackers to take control of computers and create chaos, the white hat hackers are taking operations into their own hands to bring it to the attention of software developers.

Compared to the previously identified concept named “Process Hollowing,” which exploits a vulnerability found in NTFS transactions to gain access into Windows, the newly discovered Process Doppelgänging is more serious in nature, because at the moment there isn’t any security measure to stop it.

Code Injection Technique Works on All OS Versions



The process makes use of a code injection technique to insert a file-less code into applications such that any antivirus software or security program would never recognize it.

The shocking find is that it works on operating systems and versions ranging from the old Vista to the newly launched Windows 10, which could affect millions of users worldwide.

The newfound way to bypass security software and forensic methods is part of Process Hollowing, which first emerged years ago.

It used NTFS partition processing to gain access into a computer it targeted.

Hackers could make use of this vulnerability to replace any existing process memory with their own file, and it would continue to run under the guise of a legitimate software program.

Even the most secure antivirus programs would not be able to find it, but a fix was finally released by Microsoft and security software developers to fight against this technique.

However, the Doppelgänging code injection technique works in a slightly different and more efficient way to gain access into your computer.

How Does Process Doppelgänging Code Injection Infect a PC?

NTFS transactions are the core of this technique. The feature, built into Windows, lets users create, modify or delete files atomically in an NTFS environment without affecting the system.

It was originally created for developers to make it easy to test files in an isolated environment without affecting the operating system’s setup.

Here are the elements that make it work:

  1. A transaction is started, and a legitimate executable file in the NTFS volume is opened inside it; within the transaction, that file's content is replaced with a malicious program.
  2. A memory section is then created from the malicious file.
  3. Once the section exists, the transaction is rolled back, so the file system retains no trace of the code that was written during it.
  4. At this point, the hacker brings Process Doppelgänging to life: the memory section left over from the transaction is used to start a process that runs the malicious code.

It will be part of the Windows OS but will never be identified as it was once approved to be legitimate and safe to work with at the beginning of the process.
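As an added example, not from the article or the eNSilo researchers, the following Python check correlates constructed telemetry lines that mirror the four steps above; the event names are hypothetical stand-ins, not real Windows event IDs. What a defender can key on is the sequence itself: an executable written inside a transaction, a section created from it, the transaction rolled back, and a process started anyway.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (hypothetical event names). Transaction 7 follows
# the four steps described above; transaction 9 is a benign committed edit.
SAMPLE_EVENTS = """\
pid=4321 event=TransactionCreate tx=7
pid=4321 event=TransactedWrite tx=7 path=C:\\Windows\\System32\\notepad.exe
pid=4321 event=SectionCreate tx=7 path=C:\\Windows\\System32\\notepad.exe
pid=4321 event=TransactionRollback tx=7
pid=4321 event=ProcessCreate tx=7 image=C:\\Windows\\System32\\notepad.exe
pid=5555 event=TransactionCreate tx=9
pid=5555 event=TransactedWrite tx=9 path=C:\\Temp\\config.ini
pid=5555 event=TransactionCommit tx=9
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Turn each 'key=value ...' line into a dict."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]

def find_doppelganging_candidates(events):
    """Return (pid, tx, path) for every transaction in which an executable was
    written, a section was created from it, the transaction was rolled back,
    and a process was still created afterwards, in that order."""
    by_tx = defaultdict(list)
    for ev in events:
        if "tx" in ev:
            by_tx[(ev["pid"], ev["tx"])].append(ev)

    needed = ("TransactedWrite", "SectionCreate", "TransactionRollback", "ProcessCreate")
    hits = []
    for (pid, tx), evs in by_tx.items():
        kinds = [e["event"] for e in evs]
        if not all(k in kinds for k in needed):
            continue
        # The tell-tale ordering: write, section, rollback, then process creation.
        positions = [kinds.index(k) for k in needed]
        if positions != sorted(positions):
            continue
        written = {e["path"] for e in evs if e["event"] == "TransactedWrite"}
        sections = {e["path"] for e in evs if e["event"] == "SectionCreate"}
        for path in sorted(written & sections):
            hits.append((pid, tx, path))
    return hits

if __name__ == "__main__":
    for pid, tx, path in find_doppelganging_candidates(parse_events(SAMPLE_EVENTS)):
        print(f"suspicious: pid={pid} tx={tx} path={path}")
```

A real deployment would feed this from whatever transactional-NTFS and process-creation telemetry the endpoint sensor exposes; the committed transaction (tx 9) is correctly ignored.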

Code Injection Technique Evades All Major Antivirus Programs

In their conference presentation, the security researchers who found the vulnerability also released a list of top antivirus programs that were unable to detect the malware. Because the technique is unique and penetrates the core of the system, it is tough to find.

Some of the popular names in the industry like Bitdefender, Kaspersky, AVG, Avast, Symantec and many others were unable to find it.

The code injection issue persisted in all versions of the Windows operating system including 7 SP1, 8.1 and the newly launched Windows 10 platform.

The only version of the operating system that is safe from this issue is the version 10 Fall Creators Update which was released recently.

The developers seem to have fixed the code injection issue with their latest launch, but users who are still running previous versions are not safe.

The security experts commented that they don’t expect Microsoft to instantly release a patch but antivirus companies could do it to detect and stop this code injection technique from being used further.
