New method of code injection prevents detection of malware in all versions of Windows

Friday, 8 December 2017

The new code injection method prevents detection of malware on all versions of Windows. The malicious twin runs under the identity of a legitimate program.

Presented at Black Hat Europe, security researchers Eugene Kogan and Tal Liberman have detailed a new fileless code injection technique. Dubbed Process Doppelgänging, it produces processes that commonly available antivirus software cannot detect, even though they have been modified to run malicious code.
The technique resembles Process Hollowing, but security vendors already detect and mitigate that older method. In process hollowing, a legitimate program is started, its memory is unmapped and replaced with code injected by the attacker, and the process then appears to function normally while executing potentially harmful code.

New method of code injection

Unlike the older hollowing technique, Process Doppelgänging abuses the way Windows loads an executable image into a process. The loading mechanism it relies on was originally designed in the Windows XP era and has changed little since. To carry out the attack, a legitimate executable is opened inside an NTFS transaction and overwritten, within that transaction, with the malicious file. An NTFS transaction is an all-or-nothing scope: its changes are either committed in full or rolled back, so no partially written state is ever visible. A memory section is then created from the transacted, now malicious, file. Next the transaction is deliberately rolled back, which leaves the original file on disk unmodified and means the malicious file never exists on disk. Finally, the Windows process loader is invoked on the section, which survived the rollback, to create and start the process: its image on disk is the legitimate file, while the code it runs is the attacker's.
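The property the technique relies on, a process whose main module points at a clean file on disk while the PE actually mapped at its image base came from the rolled-back transaction, is also something a defender can look for. The script below is an added example, not code from the researchers or from the article, and `Get-PeHeaderFields` and `Test-ProcessImageMatchesDisk` are names chosen here. It reads the first page of each process's main module from memory, parses a handful of PE header fields (section count, link timestamp, entry point RVA, SizeOfImage, CheckSum), parses the same fields from the file the process claims as its image, and reports any process where the two disagree. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run as Administrator so most processes can be opened for reading.

```powershell
# Added example (not from the enSilo research or the article): a heuristic check
# for the property Process Doppelgänging relies on. The file named as a process's
# main module is legitimate, but the PE mapped at the image base came from the
# rolled-back transaction. Comparing PE header fields read from process memory
# with the same fields parsed from the on-disk file flags the mismatch.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows, run as Administrator.
# Protected processes (PPL) still refuse PROCESS_VM_READ and are skipped.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NativeMem {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
        byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesRead);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@

$PROCESS_VM_READ           = 0x0010
$PROCESS_QUERY_INFORMATION = 0x0400

# Parse PE fields that a different PE payload is very unlikely to share with the
# legitimate file. These offsets are identical for PE32 and PE32+ images.
function Get-PeHeaderFields {
    param([byte[]] $Bytes)
    if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) { return $null }  # "MZ"
    $peOff = [BitConverter]::ToInt32($Bytes, 0x3C)                                          # e_lfanew
    if ($peOff -le 0 -or ($peOff + 0x5C) -gt $Bytes.Length) { return $null }
    if ([BitConverter]::ToUInt32($Bytes, $peOff) -ne 0x00004550) { return $null }             # "PE\0\0"
    [pscustomobject]@{
        NumberOfSections    = [BitConverter]::ToUInt16($Bytes, $peOff + 0x06)   # IMAGE_FILE_HEADER
        TimeDateStamp       = [BitConverter]::ToUInt32($Bytes, $peOff + 0x08)
        AddressOfEntryPoint = [BitConverter]::ToUInt32($Bytes, $peOff + 0x28)   # IMAGE_OPTIONAL_HEADER
        SizeOfImage         = [BitConverter]::ToUInt32($Bytes, $peOff + 0x50)
        CheckSum            = [BitConverter]::ToUInt32($Bytes, $peOff + 0x58)
    }
}

# Returns $null when the process cannot be inspected, otherwise an object whose
# Mismatch array lists the header fields that differ between memory and disk.
function Test-ProcessImageMatchesDisk {
    param([System.Diagnostics.Process] $Process)
    try { $module = $Process.MainModule } catch { return $null }   # System, Idle, cross-bitness, etc.

    $hProc = [NativeMem]::OpenProcess($PROCESS_VM_READ -bor $PROCESS_QUERY_INFORMATION, $false, $Process.Id)
    if ($hProc -eq [IntPtr]::Zero) { return $null }
    try {
        $memBuf = New-Object byte[] 0x1000
        $read   = [IntPtr]::Zero
        if (-not [NativeMem]::ReadProcessMemory($hProc, $module.BaseAddress, $memBuf, $memBuf.Length, [ref] $read)) {
            return $null
        }
    } finally { [void][NativeMem]::CloseHandle($hProc) }

    try {
        $fs = [System.IO.File]::OpenRead($module.FileName)
        try {
            $diskBuf = New-Object byte[] 0x1000
            [void]$fs.Read($diskBuf, 0, $diskBuf.Length)
        } finally { $fs.Dispose() }
    } catch { return $null }

    $mem  = Get-PeHeaderFields $memBuf
    $disk = Get-PeHeaderFields $diskBuf
    if ($null -eq $mem -or $null -eq $disk) { return $null }

    $mismatch = @()
    foreach ($f in 'NumberOfSections', 'TimeDateStamp', 'AddressOfEntryPoint', 'SizeOfImage', 'CheckSum') {
        if ($mem.$f -ne $disk.$f) { $mismatch += $f }
    }
    [pscustomobject]@{ Pid = $Process.Id; Name = $Process.ProcessName; Path = $module.FileName; Mismatch = $mismatch }
}

# Sweep every process and print only those whose in-memory image disagrees with disk.
Get-Process | ForEach-Object { Test-ProcessImageMatchesDisk $_ } |
    Where-Object { $_ -and $_.Mismatch.Count -gt 0 } |
    Format-Table Pid, Name, Path, @{ n = 'MismatchedFields'; e = { $_.Mismatch -join ',' } } -AutoSize
```

Treat a hit as a lead, not a verdict. A binary that was replaced on disk by an update while the old version kept running will show the same disagreement, and a payload that copies the legitimate file's header fields, or that keeps the real file and only patches its sections, evades a header-only comparison; extending the check to hash the read-only sections against the file is the natural next step.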

The researchers presented a table of the antivirus products they tested; none of them could block the technique.

It should be noted that Windows 10 Fall Creators Update originally appeared to fix the problem, since the researchers could not perform the attack on that version. Attempting it produced a stop error, better known as the blue screen of death. That is not a desirable outcome, but it is better than ending up with an infected machine.

However, subsequent updates apparently allowed the technique to work again, even on the latest Windows 10 patches. Because the technique abuses a core feature that helps preserve software compatibility, Microsoft will have its work cut out for it to close the hole. Antivirus vendors should be able to publish updates that detect and prevent Process Doppelgänging in the coming weeks.

Hopefully this method of code injection will be stopped in time.
