
posted by janrinok on Sunday October 30 2016, @04:58PM
from the don't-run-unknown-code! dept.

AtomBomb: The New Zero-Day Windows Exploit Microsoft Can't Fix?

There's a new zero-day Microsoft Windows exploit in the wild by the name of AtomBomb, and Microsoft may not be able to fix it.

Ensilo security researchers have discovered a new zero-day exploit in Windows that attackers can use to inject and execute malicious code. The researchers call the exploit AtomBombing because it makes use of a Windows facility called atom tables.

What's particularly interesting about the exploit is that it does not rely on a security vulnerability in any Windows component, but on legitimate native Windows functions. This means, according to the researchers, that Microsoft won't be able to patch the issue.

It is particularly worrying that the issue affects all versions of Windows, and that security programs that run on the system -- firewall or antivirus for instance -- won't stop the execution of the exploit.

The technique works in the following way on an abstract level:

  1. Malicious code needs to be executed on a Windows machine; a user might run a malicious program, for instance.
  2. Such code is usually blocked by antivirus software, other security software, or policy.
  3. In the case of AtomBombing, the malicious program instead writes the malicious code into an atom table (a legitimate Windows facility, so the write itself is not stopped).
  4. It then uses a legitimate process, a web browser for instance, to retrieve the code from the table via APC (Asynchronous Procedure Calls) and execute it, undetected by security software.

You can find an extremely detailed explanation of AtomBombing here. Time to run Windows only in VMs?
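The four steps above hinge on a property of string atoms that is easy to overlook: an atom is just an interned string (up to 255 characters) stored behind a 16-bit handle, and any process on the same window station can read it back with GlobalGetAtomName. There is no enumeration API, but the handle space for string atoms is only 0xC000 to 0xFFFF, so a defender can dump the entire global atom table by walking that range. The following PowerShell is an added example, not code from the article, from Ensilo, or from Microsoft; the function names Get-GlobalAtomTable and Find-SuspiciousAtoms, the constructed atom name, and the "long or non-printable" heuristic thresholds are this example's own assumptions. The kernel32 exports it calls (GlobalAddAtomW, GlobalGetAtomNameW, GlobalDeleteAtom) are documented Win32 APIs.

```powershell
# Added example (not the article's, Ensilo's or Microsoft's code): inspect the global
# atom table of the calling process's window station. String atoms occupy the documented
# handle range 0xC000-0xFFFF; values below 0xC000 are integer atoms and hold no string.
Add-Type -Namespace Win32 -Name AtomApi -MemberDefinition @"
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern ushort GlobalAddAtomW(string lpString);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GlobalGetAtomNameW(ushort nAtom, System.Text.StringBuilder lpBuffer, int nSize);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern ushort GlobalDeleteAtom(ushort nAtom);
"@

function Get-GlobalAtomTable {
    # There is no enumeration API, so try every possible string-atom handle.
    # GlobalGetAtomNameW returns the string length (without the terminating NUL),
    # or 0 when the handle is not in use. Atom strings are at most 255 characters.
    $buf = New-Object System.Text.StringBuilder 256
    for ($a = 0xC000; $a -le 0xFFFF; $a++) {
        [void]$buf.Clear()
        $len = [Win32.AtomApi]::GlobalGetAtomNameW([uint16]$a, $buf, $buf.Capacity)
        if ($len -gt 0) {
            [pscustomobject]@{
                Atom   = ('0x{0:X4}' -f $a)
                Length = [int]$len
                Name   = $buf.ToString(0, [int]$len)
            }
        }
    }
}

function Find-SuspiciousAtoms {
    # Heuristic (an assumption of this example, not a Microsoft rule): legitimate atoms
    # are short, readable identifiers such as window-class or clipboard-format names.
    # An entry near the 255-character maximum, or one containing control characters,
    # looks more like a data chunk than a flag and deserves a closer look.
    param([Parameter(ValueFromPipeline = $true)] $Atom)
    process {
        $control = @($Atom.Name.ToCharArray() | Where-Object { [char]::IsControl($_) }).Count
        if ($Atom.Length -ge 200 -or $control -gt 0) { $Atom }
    }
}

# Round trip: adding a string yields a 16-bit handle, and the same string comes back
# from GlobalGetAtomNameW. The atom name below is constructed for this example.
$handle = [Win32.AtomApi]::GlobalAddAtomW('SoylentExample_RoundTrip')
'Added atom 0x{0:X4}' -f $handle
Get-GlobalAtomTable | Where-Object { $_.Atom -eq ('0x{0:X4}' -f $handle) }
[void][Win32.AtomApi]::GlobalDeleteAtom($handle)

# Full dump plus heuristic scan of everything visible from this window station.
$table = @(Get-GlobalAtomTable)
'{0} string atoms present in the global atom table' -f $table.Count
$table | Find-SuspiciousAtoms | Format-Table Atom, Length, Name -AutoSize
```

Two caveats for anyone using this as a check: each window station has its own global atom table, so the scan only sees the table of the session the script runs in, and the round-trip section shows why the page's step 3 is not blocked by security software, since the call that stores the string is the same documented API that ordinary programs use for window-class and clipboard-format names.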

New code injection attack works on all Windows versions - Help Net Security

Source: https://www.helpnetsecurity.com/2016/10/28/code-injection-windows-atombombing/


  • (Score: 3, Informative) by frojack (1554) on Sunday October 30 2016, @08:33PM (#420630)

    So as I read, 'the malicious program writes malicious code'... Where does the end user get the malicious program from? Is it compromised when coming from the publisher, or does someone have to download something stupid from a compromised site?

    True, even having a fistful of malicious code that you can't instantiate any other way, you still can't stuff it in an atom without some pre-existing atom stuffing code already on the target machine. And if you can sneak THAT onto the target, you could sneak an exploit far easier than using this routine. To that extent this story is hype.

    The risk here is that someone will write an atom stuffer and plant it in some useful program (or Java jar) and then sit back and exploit it weeks or months later.

    Atoms are usually used by software to record that some other condition exists, so it can be tested later, by other processes.

    One of the most common is for one instance of a program to set a flag to let another instance know that it has already been started, thereby preventing duplicate processes, or limiting concurrent connections, etc.

    The problem is that Microsoft lets you store quite a bit of stuff in an atom and has no rules about cleanup, or usage. They were meant to be simple flags or a word or a few bytes of data.

    Atom Basics [microsoft.com]
    These (exist in one form or another) in EVERY Operating system, because they are a very useful tool. When you run into the need for one of these you quickly find out that nothing else will quite do the job you need done.

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 1, Informative) by Anonymous Coward on Sunday October 30 2016, @11:54PM (#420711)

    You can't plant the atom in a different program or anything of the sort, as atoms are run-time structures (essentially, an interned string). It basically makes string comparisons (possibly across multiple processes) fast by converting it to a number.

    In the described case, you can use it to pass data across processes by passing the number around instead of the actual data. But that means you already have code on the retrieving side, so it's only useful for covert data transfer (but you still need to be able to transfer an integer instead of the whole original string).

    The "already started" case I've seen would instead hold a mutex [microsoft.com] with an explicit name [microsoft.com]. Also a global runtime-only object, but one that goes away when your process exits (which means starting a new instance after your last instance quits will do the correct thing).