'Process Doppelganging' Attack Bypasses Most Security Products, Works On All Windows Versions (bleepingcomputer.com) 126
An anonymous reader quotes a report from Bleeping Computer: Yesterday, at the Black Hat Europe 2017 security conference in London, two security researchers from cyber-security firm enSilo have described a new code injection technique called "Process Doppelganging." This new attack works on all Windows versions and researchers say it bypasses most of today's major security products. Process Doppelganging is somewhat similar to another technique called "Process Hollowing," but with a twist, as it utilizes the Windows mechanism of NTFS Transactions.
"The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine," Tal Liberman & Eugene Kogan, the two enSilo researchers who discovered the attack told Bleeping Computer. "Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection. In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it's in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind." The good news is that "there are a lot of technical challenges" in making Process Doppelganging work, and attackers need to know "a lot of undocumented details on process creation." The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows." More research on the attack will be published on the Black Hat website in the following days.
"The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine," Tal Liberman & Eugene Kogan, the two enSilo researchers who discovered the attack told Bleeping Computer. "Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection. In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it's in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind." The good news is that "there are a lot of technical challenges" in making Process Doppelganging work, and attackers need to know "a lot of undocumented details on process creation." The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows." More research on the attack will be published on the Black Hat website in the following days.
Multi-process... (Score:2, Funny)
If it's done with multiple processes, is it a Process Doppelgangbang?
Re: (Score:3, Funny)
Re: (Score:2)
You don't even have to go that far back. It work on Windows 98 or ME either.
Re: Multi-process... (Score:2)
Re: (Score:1)
Windows is better because Linux breaks backward compatibility whenever a penguin takes a shit.
captcha bugged
Re: (Score:2)
Re: (Score:1)
Well the Mac is re-polished Linux (yes, I know, MachBSD, not Linux, but whatever) that even Apple doesn't care about any more. It bugged me when I worked there how they'd end up making really good software and then not give a damn about it. The mentality was always that the software was to sell the hardware. The software itself had no value.
Re: (Score:1)
That's because Macs are designed so anyone can get root with a couple of clicks...
Re:Windows Versus Linux (Score:5, Insightful)
Intelligent people use the operating system that lets them get the tasks they want to get done done, rather than engaging in pointless O/S debates.
Re: (Score:3)
Fortunately intelligent people don't post on slashdot.
Re: (Score:2)
:-(
Re: Windows Versus Linux (Score:2)
Mac is company-approved Unix (Score:1)
> Windows is used by people who either don't have a choice, BECAUSE THEY WORK FOR A BIG COMPANY, or are lazy. *nix is used by computer skilled people. Mac is the Unix used by by skilled people who work for big companies.
Re: (Score:2)
Intelligent people that need to use commercial software.
So... (Score:2, Insightful)
Re: (Score:1)
What is it with people modding ordinary posts as Troll lately? Either snowflakes or actual trolls must be getting mod points now.
Re: (Score:1)
The mod point allocation has seemed to be off the last few months. Not sure why.
Re: So... (Score:3)
Re: (Score:1)
Re: (Score:2)
OK, if that's the bar we're going set, then I get to mod you "-1 Snowflake".
Re:So... MAC (Score:1)
The main problem is that Windows doesn't have a proper implementation of Mandatory Access Control that really works. Linux has multiple ones e.g. SELinux and AppArmor.
MAC can prevent this attack since it could prevent the modification of a file by a different process that isn't allowed to do that.
Re: (Score:1)
Why would there be a "sales dive"?
99.9% of buyers don't know, and don't care.
Re: (Score:2)
No. This just another virus. As someone else pointed out, there's no inherent reason you can't detect it the way other viruses are detected. And it doesn't let you gain more privilege. All it does is bypass current virus detection, which presumably will get fixed.
Re: (Score:3)
How about:
Crook: Let's see, here we have a file I want to run and for some reason I have the right to run -> let's go transactional!
NTFS: Ah, a transactional lock! Don't see those too often!
Crook: Modify the file that I for some reason have the right to modify _wïthïn_thá_transáctïon_ HOHOHO!!
NTFS: Okay... Got that.
Scanner: Ah ho a hum, don't see shit... Boring.
Crook: Now let's do the cool thing and run this modified shït!
System: Let's see... Loading a file within a transac
Re: (Score:2)
Unless the A/V runs its own rootkit. Then it could probably still track what's going on.
Re: So, Basically (Score:3)
Read the summary, the attack canâ(TM)t be detected because the OS doesnâ(TM)t let itself or any other process into a running transaction.
This made senses in the 80s/90s in that you donâ(TM)t want a program unnecessarily holding up or interrupting a disk operation because that would cause corruption, hence why we invented file systems that have a journal.
Re: (Score:2)
Re: (Score:2)
Maybe you should RTFA and THINK.
At the moment, yes, it isn't detected. The user runs a program, the program loads and modifies and runs a different program. The actions of the program in loading and modifying another program CAN BE DETECTED.
Got it?
Re: (Score:3)
One still have to have the rights to open and modify the file, one still have to have the rights to execute the file. It's "just" that one can replace a section of a file one already could modify and execute in a way that malware scanners can't detect.
To me this isn't a huge problem - if security requires malware scanning one have no security. And it is using functionality not commonly used together so a hack that detects the combination and handles it should be relatively easy. But why care?
This is why we need alternative File systems (Score:2, Interesting)
This is why we need alternative file systems on windows. If this were Linux we'd either fix it or change to another file system. Not 'live with inscruity for the remaining days of your life.
Re: This is why we need alternative File systems (Score:2)
Re: (Score:3)
First, pretend that you have a job.
Now, pretend that you have to persuade IT at your job to let you install a filesystem different to the one everyone else in the company is using.
Let us know how it goes.
Re: (Score:2)
No, I *could* have mod-bombed you, but you were providing us some fine entertainment by trolling yourself, so why bother.
Re: Ok - Design one yourself then! apk (Score:2)
We're boned (Score:3)
Now does this mean we can finally move on to the "post security" era? Please, can we? So much security fatigue...
Anybody can bust into my house with a solid kick, but I don't lose any sleep over it.
Re: (Score:2)
Yes, but it takes a lot of resources to bash in your door, and there's a lot of risk involved. You might be home at the time, you might have a gun. They either have to be near you or travel hours to get to your house to do it. On the internet, someone can write a script to bash in millions of "doors" in the space of a few hours with minimal resources and very little risk of getting shot and do it from the comfort of their home halfway around the world.
Re: (Score:2)
Foot, momentum. Not deal-killing resources. Probability of shock attack encountering properly trained people able to respond quite low. Add cell jammer and some gimmicks and you have a high probability of getting stuff to buy more ...whatever.
GP’s point remains. We have constant risk, but losing sleep over it is stupid. Why?
Re: (Score:2)
If you want to break into a million houses all over the world, that's some major deal killing resources. If you want to break into one person's house that lives within an hour of you, that's not too big of a deal. Because of that, the odds of someone picking your house to break into are very slim, and not much to worry about. The odds of some script kiddie from Russia doing a scan and looking for vulnerabilities is quite high. If you're vulnerable to a remote attack, you will most assuredly get hit with
Re: (Score:2)
Basic security steps like you mention are totally analogous to locking your door and not driving through bad neighborhoods. That's the easy stuff. Extra locks, alarms systems, reading every day to keep up on criminal techniques and following police blotters is stuff that goes beyond and most people won't do it. But strangely enough we have to hear about every worm, bug, bot, and breach in the news headlines. And every one of those stories has some "security expert" telling us what new thing we need to do
Re: (Score:1)
I'm pretty sure the only thing that particular moron knows how to secure is another vial
Re: (Score:2)
Even my hosts with no published domains get attackers kicking at the server's door multiple times a minute!
Nobody has ever kicked at my front door of my house. One person tried the doorhandle one time, and ran away when I opened the door.
Works On All Windows Versions? (Score:2)
Not really. But at long last we have a single data point where Window 95 is better than Windows NT.
Re: (Score:2)
What is really of note is the alleged compatibility. I never seen anything compatible with all windows versions. ANYTHING.. In fact, I doubt anyone really checked it because I'm pretty sure it will hang or crash on some versions.
One right off hand. Forte Agent 1.92, just move a short-cut to the newest install and have an E-mailer/Newsreader all set-up and ready to go.
Older versions work as well, but needed yEnc the newer 1.92 offered. Used this version from W2K/Win98 to Win10 and in between.
Re: parade of idiots (Score:2)
Re: (Score:2)
Microsoft strongly recommends developers utilize alternative means to achieve your application’s needs. Many scenarios that TxF was developed for can be achieved through simpler and more readily available techniques. Furthermore, TxF may not be available in future versions of Microsoft Windows.
Looks like the future needs to be now.
Not patchable, really? (Score:4, Insightful)
Creating a process from a file that is part of an in-progress transaction is probably not a documented feature of Windows at all. Making such files non-executable until the transaction is completed sounds like it would be a sufficient fix.
Much as I like to brag that Linux folks can fix this sort of thing overnight, it is not really the case that everyone at Microsoft is a knuckle-walking Neanderthal who could not fix this in a week or a month.
Watch some Neanderthal get offended...
Re: (Score:2)
Yeah, like filesystem transactions and executing files. The whole exploit is explained in the summary. Create a file in a transaction. Virus checker can't get at it because it's not visible outside of the transaction. Execute the file. Abort the transaction. No file left for the virus checker. Process still running.
Re: (Score:2)
Why are you bigoted against Neandertals?
Re:Not patchable, really? (Score:4, Funny)
I believe I can say in complete truthfulness that I have never met a Neanderthal that I didn't like.
Re: (Score:2)
Re: (Score:1)
I just read another post here that says the thing being exploited first appeared in Vista. So it's not quite as bad as I was thinking. XP is the 800-pound post-EOL gorilla, and nobody in their right mind should want to run Vista at all, especially EOL.
And apparently it requires a particular service to be running, which should be easy for the 99.999% of people who don't use NTFS Transactions to simply turn it off. On my Windows 7 gaming computer it was set to Manual. Yeah, let's just completely disable this
You still need the admin password, right? (Score:5, Interesting)
Trying to understand this. Basically NTFS Transactions are a deprecated feature, but this amounts to little more than monkeying with the in-RAM read cache of an executable file.
Well great. In order to do that I have to have access to the system at some level in the first place. So this exploit technique is only really viable if you have either an inside job or a leaked password. And it isn't clear to me that you don't need an admin-level access to use that API as well.
Unless I missed something this doesn't seem like that hot an issue.
Re: (Score:2)
Re: (Score:2)
Also, since the attack writes nothing to disk, how does it survive a reboot or power cycle?
I think that was the whole point of why this new exploit sounds so scary. Nothing gets written to disk so it isn't "traceable."
The thing is if you are able to inject your own code to run in a system in the first place, you can do it again and again as long as the owner of the system isn't aware of it and doesn't change anything. I can see the appeal of that; it would allow an attacker to set up a temporary base that would be devilishly hard to trace back to the system that injected it. At least if all
Re: (Score:2)
In order to do that I have to have access to the system at some level in the first place.
This is Microsoft Windows, the Swiss Cheese of operating system security. Attackers most likely already have this for any given machine.
So this exploit technique is only really viable if you have either an inside job or a leaked password.
See answer to quote #1 above.
And it isn't clear to me that you don't need an admin-level access to use that API as well.
See answer to quote #1 above.
All Windows Versions (Score:2)
All Windows Versions (Score:2)
spot the shill (Score:2)
Well it is Friday evening here, another Windows vulnerability found, it is time for a Drinking Game.
"Spot the shill", you should be able to guess the rules now
All versions of windows (Score:1)
This is amazing. It's the first thing I ever heard of that can work on all versions of windows. They should patent that and make bank.
Can't be patched? (Rubbish) (Score:1)
I'm sure that not instantiating a process from an uncommitted NTfs transaction wouldn't break many legitamate programs.
Only create processes from files that are also not being written to would also work equally as will within the kernel.
Both paths sound like they would ensure that virus software can pick up the dodgy behavior.
A creative attack though.
Ungood! (Score:2)
The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."
Yes, I'd say that qualifies as "bad news". This is ungood, and yet another reason to switch to another OS.
Seriously, after all this time the fucknutz at Microsoft have managed to create a vulnerability that's baked in to every version of Windows, their flagship product?
Re: Curry eater English (Score:2)
Re: And THIS is why Kevin uses Linux now (Score:2)
Re: (Score:2)
But NASA and in the aircraft industry still have less problems with bugs
How many external attacks are their on the systems? All NASA has to do is not include legacy MacOS binary compatibility [engadget.com] to keep spacecraft relatively virus-proof.
Re: Amazing (Score:2)
Re: (Score:2)
Its even stupider than that. The critical embedded system in deep space has about zero malicious hackers analyzing it and attacking it.
And this particular windows flaw would not be a much of a risk on a computer floating in deep space.