
'Process Doppelganging' Attack Bypasses Most Security Products, Works On All Windows Versions (bleepingcomputer.com) 126

An anonymous reader quotes a report from Bleeping Computer: Yesterday, at the Black Hat Europe 2017 security conference in London, two security researchers from cyber-security firm enSilo have described a new code injection technique called "Process Doppelganging." This new attack works on all Windows versions and researchers say it bypasses most of today's major security products. Process Doppelganging is somewhat similar to another technique called "Process Hollowing," but with a twist, as it utilizes the Windows mechanism of NTFS Transactions.

"The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine," Tal Liberman & Eugene Kogan, the two enSilo researchers who discovered the attack told Bleeping Computer. "Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection. In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it's in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind." The good news is that "there are a lot of technical challenges" in making Process Doppelganging work, and attackers need to know "a lot of undocumented details on process creation." The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."
More research on the attack will be published on the Black Hat website in the following days.
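The sequence the researchers describe (a transacted overwrite, a section created from the modified file, a process created from that section, and a rollback) can be written as a correlation rule over endpoint telemetry. The following is an added example, not part of the Bleeping Computer report or enSilo's research; the event schema, field names, paths and sample events are constructed for illustration and do not match any real product's telemetry.

```python
from collections import defaultdict

# Constructed sample telemetry (hypothetical schema): txn 1 is an installer that
# commits before anything runs; txn 2 writes, maps a section, then rolls back.
SAMPLE_EVENTS = [
    {"t": 1, "pid": 100, "op": "txn_begin", "txn": 1},
    {"t": 2, "pid": 100, "op": "txn_write", "txn": 1, "path": r"C:\App\app.exe"},
    {"t": 3, "pid": 100, "op": "txn_commit", "txn": 1},
    {"t": 4, "pid": 100, "op": "section_create", "txn": None,
     "path": r"C:\App\app.exe", "section": 0x10},
    {"t": 5, "pid": 200, "op": "process_create", "section": 0x10},
    {"t": 6, "pid": 300, "op": "txn_begin", "txn": 2},
    {"t": 7, "pid": 300, "op": "txn_write", "txn": 2, "path": r"C:\Example\legit.exe"},
    {"t": 8, "pid": 300, "op": "section_create", "txn": 2,
     "path": r"C:\Example\legit.exe", "section": 0x20},
    {"t": 9, "pid": 300, "op": "txn_rollback", "txn": 2},
    {"t": 10, "pid": 4242, "op": "process_create", "section": 0x20},
]

def find_transacted_image_loads(events):
    """Alert on processes built from a section whose backing file had
    uncommitted transacted writes when the section was created."""
    open_txn, rolled_back = set(), set()
    dirty = defaultdict(set)   # txn id -> paths written inside that transaction
    tainted = {}               # section id -> (txn id, path)
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        op, txn = ev["op"], ev.get("txn")
        if op == "txn_begin":
            open_txn.add(txn)
        elif op == "txn_write" and txn in open_txn:
            dirty[txn].add(ev["path"].lower())
        elif op == "section_create" and txn in open_txn:
            if ev["path"].lower() in dirty[txn]:
                tainted[ev["section"]] = (txn, ev["path"])
        elif op == "process_create" and ev.get("section") in tainted:
            src, path = tainted[ev["section"]]
            alerts.append({"pid": ev["pid"], "txn": src, "image": path,
                           "rolled_back": src in rolled_back})
        elif op in ("txn_commit", "txn_rollback"):
            open_txn.discard(txn)
            dirty.pop(txn, None)
            if op == "txn_commit":   # committed content is on disk and scannable
                tainted = {s: v for s, v in tainted.items() if v[0] != txn}
            else:                    # on-disk file no longer matches the mapped image
                rolled_back.add(txn)
                for a in alerts:
                    a["rolled_back"] = a["rolled_back"] or a["txn"] == txn
    return alerts
```

The rule fires whether the rollback is observed before or after process creation; the `rolled_back` flag marks the case where the on-disk file can no longer be compared with what was mapped.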
  • by Anonymous Coward

    If it's done with multiple processes, is it a Process Doppelgangbang?

  • So... (Score:2, Insightful)

    ...so you run a program on the target machine that uses some API to run some malware undetected. Clever. Computers that run arbitrary software need to be banned. Only approved computers running a small set of governmental approved programs should be permitted.
    • What is it with people modding ordinary posts as Troll lately? Either snowflakes or actual trolls must be getting mod points now.

    • by Anonymous Coward

      The main problem is that Windows doesn't have a proper implementation of Mandatory Access Control that really works. Linux has multiple ones e.g. SELinux and AppArmor.

      MAC can prevent this attack since it could prevent the modification of a file by a different process that isn't allowed to do that.

  • by Anonymous Coward

    This is why we need alternative file systems on Windows. If this were Linux we'd either fix it or change to another file system. Not 'live with insecurity for the remaining days of your life'.

  • by Lije Baley ( 88936 ) on Friday December 08, 2017 @08:12PM (#55704619)

    Now does this mean we can finally move on to the "post security" era? Please, can we? So much security fatigue...

    Anybody can bust into my house with a solid kick, but I don't lose any sleep over it.

    • Yes, but it takes a lot of resources to bash in your door, and there's a lot of risk involved. You might be home at the time, you might have a gun. They either have to be near you or travel hours to get to your house to do it. On the internet, someone can write a script to bash in millions of "doors" in the space of a few hours with minimal resources and very little risk of getting shot and do it from the comfort of their home halfway around the world.

      • Foot, momentum. Not deal-killing resources. Probability of shock attack encountering properly trained people able to respond quite low. Add cell jammer and some gimmicks and you have a high probability of getting stuff to buy more ...whatever.

        GP’s point remains. We have constant risk, but losing sleep over it is stupid. Why?

        • If you want to break into a million houses all over the world, that's some major deal killing resources. If you want to break into one person's house that lives within an hour of you, that's not too big of a deal. Because of that, the odds of someone picking your house to break into are very slim, and not much to worry about. The odds of some script kiddie from Russia doing a scan and looking for vulnerabilities is quite high. If you're vulnerable to a remote attack, you will most assuredly get hit with

          • Basic security steps like you mention are totally analogous to locking your door and not driving through bad neighborhoods. That's the easy stuff. Extra locks, alarms systems, reading every day to keep up on criminal techniques and following police blotters is stuff that goes beyond and most people won't do it. But strangely enough we have to hear about every worm, bug, bot, and breach in the news headlines. And every one of those stories has some "security expert" telling us what new thing we need to do

            • The worst of it is that the self-proclaimed security guys have no clue what the fuck they're talking about in the first place, most of the time. For instance, the moron here on Slashdot who kept calling me Junior while insinuating that I'm an old-timer (insisting that I was relying on techniques 3 decades out of date), right after insisting that my Mac must have a virus, then going on about how Macs don't get viruses.

              I'm pretty sure the only thing that particular moron knows how to secure is another vial
          • Even my hosts with no published domains get attackers kicking at the server's door multiple times a minute!

            Nobody has ever kicked at my front door of my house. One person tried the doorhandle one time, and ran away when I opened the door.

  • Not really. But at long last we have a single data point where Windows 95 is better than Windows NT.

  • by Bruce Perens ( 3872 ) <bruce@perens.com> on Friday December 08, 2017 @08:46PM (#55704721) Homepage Journal

    Creating a process from a file that is part of an in-progress transaction is probably not a documented feature of Windows at all. Making such files non-executable until the transaction is completed sounds like it would be a sufficient fix.

    Much as I like to brag that Linux folks can fix this sort of thing overnight, it is not really the case that everyone at Microsoft is a knuckle-walking Neanderthal who could not fix this in a week or a month.

    Watch some Neanderthal get offended...

    • Why are you bigoted against Neandertals?

  • by AlanObject ( 3603453 ) on Friday December 08, 2017 @08:53PM (#55704741)

    Trying to understand this. Basically NTFS Transactions are a deprecated feature, but this amounts to little more than monkeying with the in-RAM read cache of an executable file.

    Well great. In order to do that I have to have access to the system at some level in the first place. So this exploit technique is only really viable if you have either an inside job or a leaked password. And it isn't clear to me that you don't need an admin-level access to use that API as well.

    Unless I missed something this doesn't seem like that hot an issue.

    • It also appears this attack needs the Distributed Transaction Coordinator service to be running, which is rarely used. The linked Microsoft article on NTFS transactions says it uses DTC. I always turn that service off to Manual or Disabled, otherwise it just wastes resources and slows boot time. Also, since the attack writes nothing to disk, how does it survive a reboot or power cycle?
      • Also, since the attack writes nothing to disk, how does it survive a reboot or power cycle?

        I think that was the whole point of why this new exploit sounds so scary. Nothing gets written to disk so it isn't "traceable."

        The thing is if you are able to inject your own code to run in a system in the first place, you can do it again and again as long as the owner of the system isn't aware of it and doesn't change anything. I can see the appeal of that; it would allow an attacker to set up a temporary base that would be devilishly hard to trace back to the system that injected it. At least if all

    • In order to do that I have to have access to the system at some level in the first place.

      This is Microsoft Windows, the Swiss Cheese of operating system security. Attackers most likely already have this for any given machine.

      So this exploit technique is only really viable if you have either an inside job or a leaked password.

      See answer to quote #1 above.

      And it isn't clear to me that you don't need an admin-level access to use that API as well.

      See answer to quote #1 above.

  • So it works on Windows 3.0?
  • Well it is Friday evening here, another Windows vulnerability found, it is time for a Drinking Game.

    "Spot the shill", you should be able to guess the rules now

  • This is amazing. It's the first thing I ever heard of that can work on all versions of windows. They should patent that and make bank.

  • by Anonymous Coward

    I'm sure that not instantiating a process from an uncommitted NTFS transaction wouldn't break many legitimate programs.

    Only create processes from files that are also not being written to would also work equally as well within the kernel.

    Both paths sound like they would ensure that virus software can pick up the dodgy behavior.

    A creative attack though.

  • The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."

    Yes, I'd say that qualifies as "bad news". This is ungood, and yet another reason to switch to another OS.

    Seriously, after all this time the fucknutz at Microsoft have managed to create a vulnerability that's baked in to every version of Windows, their flagship product?
