Security News GhostHook Attack Targets Windows 10 Vulnerability

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Last week, CyberArk Labs demonstrated an attack that can enable the installation of rootkit malware under Windows 10 64-bit. The proof-of-concept attack overrides the operating system's PatchGuard feature.

Microsoft's PatchGuard was designed to prevent malicious code from patching the kernel of 64-bit Windows operating systems. The feature's official name is Kernel Patch Protection, and it was introduced with 64-bit Windows XP in 2005. One type of attack that PatchGuard was designed to mitigate is malware that poses as Windows security updates.

CyberArk Labs researchers' GhostHook attack method targets a vulnerability in how Windows 10 implements Intel Processor Trace. Intel PT can be used in debugging, malware analysis, and exploit detection. The researchers discovered that if they allocate a very small memory buffer for processing Intel PT packets, a buffer overflow can trigger which opens a PMI handler. Unfortunately, PatchGuard isn't designed to monitor PMI handlers.

When CyberArk Labs informed Microsoft of the vulnerability, they decided not to include a patch in a security update. Microsoft claims that an attacker would need to have kernel-level access on a targeted machine. They said they might patch the Intel PT vulnerability in a future bug fix, but they don't consider it to be a security flaw. According to a Microsoft engineer, “As such, this doesn’t meet the bar for servicing in a security update; however it may be addressed in a future version of Windows. As such I’ve closed this case.”

CyberArk researcher Kasif Dekel disagreed with Microsoft's claim that an attacker would require kernel-level access for an attack to be successful. “Gaining this level of access is table stakes for attackers, typically accomplished through simple phishing emails. This technique is about moving beyond admin rights and exploiting the machine at the kernel level. Attackers would be able to gain full control over the network and gain the ability to intercept anything on a system", he said.

GhostHook is the first known attack method for using hooking to acquire kernel-level control of 64-bit Windows operating systems.
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
A nasty one it looks like, and whats with the "Ghost" in the title, getting a little too close for comfort. Next thing ya know there is a CyberGhosT Ransomware, then I have to change my name to "The RealExterminator 5.0" rofl j/k :p
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top