- Oct 23, 2012
Security researchers from enSilo have discovered a new way to inject malicious code into legitimate processes, which helps malware bypass security solutions.
The technique, named AtomBombing, revolves around atom tables, a feature of the Windows operating system. Microsoft describes atom tables as follows:
“An atom table is a system-defined table that stores strings and corresponding identifiers. An application places a string in an atom table and receives a 16-bit integer, called an atom, that can be used to access the string. A string that has been placed in an atom table is called an atom name.”
Basically, these are shared tables where apps store strings, objects, and other types of data that they need to access on a regular basis. Because the tables are shared, all sorts of apps can read, or alter, the data inside them.
AtomBombing technique helps malware bypass security solutions
enSilo researchers, who came up with the technique, say that malware can alter atom tables in order to trick legitimate apps into executing malicious actions on its behalf.
"Many security products employ a white list of trusted processes," enSilo's Tal Liberman explained. "If the attacker is able to inject malicious code into one of those trusted processes, the security product can easily be bypassed."
Furthermore, Liberman says that AtomBombing also helps malware perform Man-in-the-Browser (MitB) attacks, an attack vector often used by banking trojans.
By leveraging AtomBombing, Liberman says that malware can also take screenshots of the user's screen, access encrypted passwords or take any other action a whitelisted application can perform.
AtomBombing can't be patched
The enSilo researcher says that AtomBombing affects all Windows versions. The bad news is that this is a design flaw rather than a vulnerability, which means that Microsoft can't patch it without changing how the entire OS works, an infeasible solution.
AtomBombing joins the list of various code injection techniques discovered in the past, such as SQL injection, XSS, hotpatching, code hooking, and more.
Earlier in the month, Trend Micro researchers uncovered a PoS malware variant named FastPOS that abuses the Windows Mailslots mechanism to store data before exfiltration from infected systems.