Security News GhostHook Attack Targets Windows 10 Vulnerability

Exterminator

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Last week, CyberArk Labs demonstrated an attack that can enable the installation of rootkit malware under Windows 10 64-bit. The proof-of-concept attack overrides the operating system's PatchGuard feature.

Microsoft's PatchGuard was designed to prevent malicious code from patching the kernel of 64-bit Windows operating systems. The feature's official name is Kernel Patch Protection, and it was introduced with 64-bit Windows XP in 2005. One type of attack that PatchGuard was designed to mitigate is malware that poses as Windows security updates.

CyberArk Labs researchers' GhostHook attack method targets a vulnerability in how Windows 10 implements Intel Processor Trace. Intel PT can be used in debugging, malware analysis, and exploit detection. The researchers discovered that if they allocate a very small memory buffer for processing Intel PT packets, a buffer overflow can trigger which opens a PMI handler. Unfortunately, PatchGuard isn't designed to monitor PMI handlers.

When CyberArk Labs informed Microsoft of the vulnerability, they decided not to include a patch in a security update. Microsoft claims that an attacker would need to have kernel-level access on a targeted machine. They said they might patch the Intel PT vulnerability in a future bug fix, but they don't consider it to be a security flaw. According to a Microsoft engineer, “As such, this doesn’t meet the bar for servicing in a security update; however it may be addressed in a future version of Windows. As such I’ve closed this case.”

CyberArk researcher Kasif Dekel disagreed with Microsoft's claim that an attacker would require kernel-level access for an attack to be successful. “Gaining this level of access is table stakes for attackers, typically accomplished through simple phishing emails. This technique is about moving beyond admin rights and exploiting the machine at the kernel level. Attackers would be able to gain full control over the network and gain the ability to intercept anything on a system", he said.

GhostHook is the first known attack method for using hooking to acquire kernel-level control of 64-bit Windows operating systems.
Click to expand...
 
  • Like
Reactions: Drexciya, _CyberGhosT_, harlan4096 and 1 other person
_CyberGhosT_

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
A nasty one it looks like, and whats with the "Ghost" in the title, getting a little too close for comfort. Next thing ya know there is a CyberGhosT Ransomware, then I have to change my name to "The RealExterminator 5.0" rofl j/k :p
 
You must log in or register to reply here.

Similar threads

silversurfer
    • Like
Arm Issues Patch for Mali GPU Kernel Driver Vulnerability Amidst Ongoing Exploitation
Replies
0
Views
992
News Archive
silversurfer
silversurfer
nicolaasjan
    • Like
    • +Reputation
Government-backed actors exploiting WinRAR vulnerability
Replies
1
Views
916
News Archive
rooney49
rooney49
CyberTech
    • Like
Security News Intel Sued Over ‘Downfall’ CPU Vulnerability
Replies
0
Views
1,298
Security News
CyberTech
CyberTech

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top