Technology Magazine - Revista Informatike

28 Oct

Code Injection Technique to Attack All Versions of Windows

 

Guess what? If you own a fully patched Windows PC, attackers can still hack your computer. Isn't that scary? Well, definitely for most of you. Security researchers have discovered a new technique that could allow attackers to inject malicious code on every version of Microsoft's Windows operating system, even Windows 10, in a manner that no existing anti-malware tools can detect, threatening millions of PCs worldwide.

Dubbed "AtomBombing," the technique does not exploit any vulnerability but abuses a design weakness in Windows.

New Code Injection Attack helps Malware Bypass Security Measures

The AtomBombing attack abuses the system-level atom tables, a Windows feature that allows applications to store information on strings, objects, and other types of data that they access on a regular basis.

And since atom tables are shared, all sorts of applications can access or modify data inside those tables. You can read a more detailed explanation of atom tables on Microsoft's blog.

A team of researchers from cyber security company enSilo, who came up with the AtomBombing technique, say this design flaw in Windows can allow malicious code to modify atom tables and trick legitimate apps into executing malicious actions on its behalf.

Once injected into legitimate processes, the malware makes it easier for attackers to bypass security mechanisms that protect such systems from malware infections, the researchers said.

AtomBombing can Perform MITM Browser attack, Decrypt Passwords, and More

Besides bypassing process-level restrictions, the AtomBombing code injection technique also allows attackers to perform man-in-the-middle (MITM) browser attacks, remotely take screenshots of targeted user desktops, and access encrypted passwords stored in a browser.

Google Chrome encrypts your saved passwords using Windows Data Protection API (DPAPI), which uses data derived from the current user to encrypt or decrypt the data and access the passwords.

So, if malware is injected into a process which is already running in the context of the current user, it is easy to access those passwords in plain text.
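The DPAPI behaviour described above, shown from the defender's side as an added example that is not part of the original article: data protected with the `CurrentUser` scope is bound to the user account, not to the process that encrypted it. It assumes Windows PowerShell 5.1; the secret and the file name are constructed for the demonstration.

```powershell
# Added example. Assumes Windows PowerShell 5.1; all values are constructed samples.
Add-Type -AssemblyName System.Security

$scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$secret = [Text.Encoding]::UTF8.GetBytes('constructed-sample-password')

# Encrypt with DPAPI. No key is supplied by the caller:
# Windows derives it from the logged-on user's credentials.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)

$path = Join-Path $env:TEMP 'dpapi-demo.bin'   # hypothetical file name
[IO.File]::WriteAllBytes($path, $blob)
"Stored $($blob.Length) encrypted bytes in $path"

# Decrypt in a *separate* process started under the same user account.
# The child process is handed only the file path, never a key.
$recovered = powershell.exe -NoProfile -Command {
    param($p)
    Add-Type -AssemblyName System.Security
    $scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
    $bytes = [IO.File]::ReadAllBytes($p)
    [Text.Encoding]::UTF8.GetString(
        [System.Security.Cryptography.ProtectedData]::Unprotect($bytes, $null, $scope))
} -args $path

"Recovered in another process of the same user: $recovered"

# Running the same Unprotect call under a different user account throws a
# CryptographicException: the protection boundary is the account, not the process.
Remove-Item $path
```

For threat modeling, this means DPAPI protects stored secrets against other accounts and offline copies of the file, but not against code that already runs as the user who stored them.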

Moreover, by injecting code into a web browser, attackers can modify the content shown to the user.

"For example, in a banking transaction process, the customer will always be shown the exact payment information as the customer intended via confirmation screens," said Tal Liberman, Security Research Team Leader of enSilo. 
"However, the attacker modifies the data so that the bank receives false transaction information in favor of the attacker, i.e. a different destination account number and possibly amount."

No Patch for AtomBombing Attack

What's worse? The company said all versions of the Windows operating system, including Microsoft's newest Windows 10, were affected. And what's even worse? There is no fix at this moment.

"Unfortunately, this issue cannot be patched since it does not rely on broken or flawed code – rather on how these operating system mechanisms are designed," said Liberman.

Since the AtomBombing technique exploits legitimate operating system functions to carry out the attack, Microsoft cannot patch the issue without changing how the entire operating system works. This is not a feasible solution, so there is no notion of a patch.
Kostaq Cipo

Programmer analyst, Web developer, Technology Evangelist and Enthusiast, Tech Author, Blogger, C C++ Java .NET VB, Mobile developer, Security analyst, Project Manager.
