
posted by janrinok on Sunday October 30 2016, @04:58PM
from the don't-run-unknown-code! dept.

AtomBomb: The New Zero-Day Windows Exploit Microsoft Can't Fix?

There's a new zero-day Microsoft Windows exploit in the wild by the name of AtomBomb, and Microsoft may not be able to fix it.

enSilo security researchers have discovered a new zero-day exploit in Windows that attackers can make use of to inject and execute malicious code. The researchers call the exploit AtomBombing because of its use of a Windows function called Atom Tables.

What's particularly interesting about the exploit is that it does not rely on security vulnerabilities in Windows components but on native Windows functions. This means, according to the researchers, that Microsoft won't be able to patch the issue.

It is particularly worrying that the issue affects all versions of Windows, and that security programs that run on the system -- firewall or antivirus for instance -- won't stop the execution of the exploit.

The technique works in the following way on an abstract level:

  1. Malicious code needs to be executed on a Windows machine. A user might run malicious code, for instance.
  2. This code is usually blocked by antivirus software or other security software or policies.
  3. In the case of AtomBombing, the malicious program writes the malicious code into an atom table (which is a legitimate function of Windows and therefore won't be stopped).
  4. It then uses legitimate processes via APC (Async Procedure Calls), a web browser for instance, to retrieve the code from the table undetected by security software and execute it.

You can find an extremely detailed explanation of AtomBombing here. Time to run Windows only in VMs?

New code injection attack works on all Windows versions - Help Net Security

Source: https://www.helpnetsecurity.com/2016/10/28/code-injection-windows-atombombing/

  • (Score: 4, Informative) by len_harms (1904) on Sunday October 30 2016, @07:41PM (#420613)

    https://msdn.microsoft.com/en-us/library/windows/desktop/ms649053(v=vs.85).aspx [microsoft.com]
    https://msdn.microsoft.com/en-us/library/windows/desktop/ff468795(v=vs.85).aspx [microsoft.com]

    Been a while since I had messed with them, so I had to go refresh myself on what they were. It is a leftover from DDE and Windows 3.x. Not sure how much people use it anymore. There are much better interprocess calls to use.

    Basically ATOMs are a storage of either strings (binary data) or integers for IPC. He is using the ATOM table to basically hold the exploit code, much like using a file system. He is just using a little-known feature of Windows to store data.

    The supposition that MS and virus scanners cannot scan the ATOM tables is silly. They control the API, and the kernel has total control of the system. MS could easily add a 'get atom table' function with a callback into the virus scanner when someone calls add, or just add a hook like all the other functions virus scanners keep an eye on. https://msdn.microsoft.com/en-us/library/windows/desktop/ms644990(v=vs.85).aspx [microsoft.com]

    It is an interesting place to store data, that is for sure. I can think of 2 or 3 other places like that in Windows where you could squirrel away data. Even Apple had a similar exploit recently, which they just fixed, where data could be manipulated through a global structure.

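An added example, not from the thread or from enSilo, illustrating the commenter's point that the atom table is just another readable data store: a PowerShell sweep of the global atom table visible to the current process, flagging entries that look unlike ordinary class, clipboard or DDE names. It assumes Windows with PowerShell 5 or later; the length and control-character thresholds are constructed heuristics, not values from the thread.

```powershell
# Added example (not part of the thread). Enumerates the global atom table
# through kernel32!GlobalGetAtomName and flags entries that do not look like
# ordinary text. Assumes Windows, PowerShell 5+, and that the caller may
# call kernel32 via P/Invoke.
Add-Type -Namespace Win32 -Name Atom -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint GlobalGetAtomName(ushort nAtom,
    System.Text.StringBuilder lpBuffer, int nSize);
'@

function Get-GlobalAtomTable {
    # String atoms live in the range 0xC000-0xFFFF; values below 0xC000 are
    # integer atoms and have no table entry, so they are skipped.
    $sb = New-Object System.Text.StringBuilder 256
    for ($atom = 0xC000; $atom -le 0xFFFF; $atom++) {
        [void]$sb.Clear()
        $len = [Win32.Atom]::GlobalGetAtomName([uint16]$atom, $sb, $sb.Capacity)
        if ($len -gt 0) {
            [pscustomobject]@{
                Atom = ('0x{0:X4}' -f $atom)
                Name = $sb.ToString(0, $len)
            }
        }
    }
}

function Test-SuspiciousAtom {
    param([string]$Name)
    # Constructed heuristic: legitimate global atoms are short, printable
    # names. Entries carrying control characters or unusually long strings
    # are worth a closer look; tune the thresholds against a clean baseline.
    return ($Name.Length -gt 128) -or ($Name -match '[\x00-\x1F\x7F]')
}

Get-GlobalAtomTable |
    Where-Object { Test-SuspiciousAtom $_.Name } |
    Format-Table -AutoSize
```

This is a point-in-time snapshot of one table, so it will miss data that is added and removed between sweeps; the hooking approach the commenters describe is what catches the write itself.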
  • (Score: 0) by Anonymous Coward on Sunday October 30 2016, @07:54PM (#420618)

    HIPS kernel drivers can just hook the API globally, Microsoft doesn't even need to offer this functionality because it's already present.

    • (Score: 0) by Anonymous Coward on Monday October 31 2016, @12:10AM (#420718)

      True. However, I think MS tends to discourage that approach, as it is easy to create a BSOD with it. As you are running at the kernel level, if you bug out you can take out the whole thing. It would be better to get MS to add to their existing API to hook it. https://msdn.microsoft.com/en-us/library/windows/hardware/dn613955(v=vs.85).aspx [microsoft.com]