1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

New code injection method avoids malware detection on all versions of Windows

By Greg S ¬∑ 8 replies
Dec 7, 2017
Post New Reply
  1. Presented at Black Hat Europe, a new fileless code injection technique has been detailed by security researchers Eugene Kogan and Tal Liberman. Dubbed Process Doppelgänging, commonly available antivirus software is unable to detect processes that have been modified to include malicious code.

    The process is very similar to a technique called Process Hollowing, but software companies can already detect and mitigate risks from the older attack method. Process Hollowing occurs when memory of a legitimate program is modified and replaced with user-injected data causing the original process to appear to run normally while executing potentially harmful code.

    Unlike the outdated hollowing technique, Process Doppelgänging takes advantage of how Windows loads processes into memory. The mechanism that loads programs was originally designed for Windows XP and has changed little since then.

    To attempt the exploit, a normal executable is handed to the NTFS transaction and then overwritten by a malicious file. The NTFS transaction is a sandboxed location that returns only a success or failure result preventing partial operations. A piece of memory in the target file is modified. After modification, the NTFS transaction is intentionally failed so that the original file appears to be unmodified. Finally, the Windows process loader is used to invoke the modified section of memory that was never removed.

    The following table shows the antivirus software tested by the researchers that is unable to block the exploit discovered.

    Product Operating System Result
    Windows Defender Windows 10 Success
    AVG Internet Security Windows 10 Success
    Bitdefender Windows 10 Success
    ESET NOD 32 Windows 7 SP1 Success
    Symantec Endpoint Protection Windows 7 SP1 Success
    McAfee VSE 8.8 Patch 6 Windows 7 SP1 Success
    Kaspersky Endpoint Security 10 Windows 7 SP1 Success
    Kasperksy Antivirus 18 Windows 7 SP1 Success
    Symantec Endpoint Protection 14 Windows 7 SP1 Success
    Panda Windows 8.1 Success
    Avast Windows 8.1 Success

    It should be noted that Windows 10 Fall Creators Update originally appeared to fix the issue since the duo presenting were unable to perform the exploit on the latest version. When attempting the exploit, a stop error otherwise known as the blue screen of death occurs. Not a desirable effect, but better than ending up with an infected machine.

    However, later updates apparently allowed for the exploit to work again even on the latest patches of Windows 10. Due to the nature of the exploit, Microsoft will have its work cut out to update a core feature that helps preserve software compatibility. Antivirus vendors should be able to push out updates to detect and prevent Process Doppelgänging within the coming weeks.

    Permalink to story.

    Last edited by a moderator: Dec 7, 2017
  2. amstech

    amstech IT Overlord Posts: 1,964   +1,138

    That's good work everybody, keep it up.
    Reehahs and senketsu like this.
  3. Uncle Al

    Uncle Al TS Evangelist Posts: 4,201   +2,662

    I'll give that one a big thumbs up!
  4. UmbraEmsisoft

    UmbraEmsisoft TS Member Posts: 25   +9

    But at the moment the process to use it as an effective weapon is quite laborious.
    Reehahs and wiyosaya like this.
  5. wiyosaya

    wiyosaya TS Evangelist Posts: 2,919   +1,429

    My thoughts too. It sounds like physical access to an unlocked machine where the logged on account has administrative rights is necessary. My bet is that the probability of infection from this particular exploit is exceptionally low.
    UmbraEmsisoft likes this.
  6. OortCloud

    OortCloud TS Addict Posts: 197   +81

    And Windows 10 (since updates are mandatory) is unaffected. Other than that great clickbait.
  7. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 10,568   +4,410

    That is not what I read.
    UmbraEmsisoft and senketsu like this.
  8. Dustyn

    Dustyn TS Booster Posts: 77   +28

  9. UmbraEmsisoft

    UmbraEmsisoft TS Member Posts: 25   +9

    If so the attacker just have to uninstall the security solutions manually ^^ (joking)

    It is a variation of process hollowing, so remote deployment is more than probable.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...