Microsoft has worked on adding security protections against two forms of code injection techniques known as process hollowing and atom bombing.
These new protections will debut with the Windows 10 Fall Creators Update, set to be released somewhere in October or November 2017.
These improved anti-exploitation techniques will be part of the Windows Defender Advanced Threat Protection (Windows Defender ATP), meaning they won't be available for regular users unless they buy the commercial version of Windows Defender.
Both protections are gravely needed as process hollowing has been a problem on Windows for years, while the newer atom bombing technique has seen limited usage only in the Dridex banking trojan, mainly because the technique was first detailed only nine months ago, in October 2016.
Microsoft addresses process hollowing
The biggest issue addressed is process hollowing, used by Kovter and various other malware families.
In a very simplified explanation, process hollowing happens when malware starts a legitimate process (such as explorer.exe, regsvr32.exe, svchost.exe, etc.), suspends the process, empties the memory space allocated for the legitimate process, and copies malicious code inside. When the legitimate process is resumed, the legitimate app executes the malicious code found inside its allocated memory space, bypassing security protections.
This technique has been used by malware families in fileless attacks, where the malware leaves minimal footprints on disk and stores and executes code only from the computer's memory.
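The sequence described above (create suspended, empty the image, write new code, resume) is what a defender can look for in an API trace. The following is an added example, not code from the article or from Microsoft: a small per-process state machine run over constructed sandbox-style trace lines whose format (`<caller_pid> <api> target=<pid> [details]`) is an assumption, flagging a pair only when every stage occurs in order and leaving a debugger-like process that merely creates and resumes a suspended child unflagged.

```python
import re
from collections import defaultdict

# Stages of the hollowing sequence for one child: create suspended -> unmap -> write -> resume
STAGES = ["create_suspended", "unmap", "write", "resume"]
STAGE_BY_API = {"NtUnmapViewOfSection": "unmap", "WriteProcessMemory": "write",
                "ResumeThread": "resume"}

# Constructed trace format (assumption): "<caller_pid> <api> target=<pid> [details]"
LINE_RE = re.compile(r"^(?P<caller>\d+) (?P<api>\w+) target=(?P<target>\d+)(?P<rest>.*)$")

def classify(api, rest):
    """Map one API call to a hollowing stage, or None if it is irrelevant."""
    if api == "CreateProcessW":
        return "create_suspended" if "CREATE_SUSPENDED" in rest else None
    return STAGE_BY_API.get(api)

def detect_hollowing(lines):
    """Return (caller_pid, target_pid) pairs whose calls complete every stage in order."""
    progress = defaultdict(int)   # (caller, target) -> stages matched so far
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stage = classify(m["api"], m["rest"])
        key = (m["caller"], m["target"])
        done = progress[key]
        # Only the next expected stage advances the state machine for this pair
        if stage is not None and done < len(STAGES) and STAGES[done] == stage:
            progress[key] = done + 1
            if done + 1 == len(STAGES):
                hits.append(key)
    return hits

# Constructed sample trace: pid 4242 hollows a suspended svchost.exe (pid 5100);
# pid 777 is a debugger that creates a suspended child and resumes it untouched.
SAMPLE_TRACE = """\
4242 CreateProcessW target=5100 C:\\Windows\\System32\\svchost.exe CREATE_SUSPENDED
777 CreateProcessW target=6000 C:\\tools\\app.exe CREATE_SUSPENDED
4242 NtUnmapViewOfSection target=5100
4242 WriteProcessMemory target=5100 size=94208
777 ResumeThread target=6000
4242 SetThreadContext target=5100
4242 ResumeThread target=5100
""".splitlines()

if __name__ == "__main__":
    print(detect_hollowing(SAMPLE_TRACE))   # [('4242', '5100')]
```

A real deployment would feed this from an EDR or sandbox API log and pair it with a memory check (on-disk image versus what is mapped in the process), since a single ordered API sequence is easy to miss when calls are interleaved across threads.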
Atom bombing blocked nine months after disclosure
The second code injection technique that Microsoft says it now blocks is atom bombing, an attack method first detailed by enSilo last year.
The technique relies on malware storing malicious code inside atom tables, which are shared memory tables where all apps store information on strings, objects, and other types of data that they need to access on a regular basis.
enSilo discovered that malware could save malicious code inside these shared tables and use lesser known Windows APIs to execute it.
Researchers say that atom tables can be used to trick AV or OS-whitelisted apps into executing malicious operations, bypassing security products.
It's great to see Microsoft finally addressing code injection issues, but let's hope the company eventually adds these improvements to the free version of Windows Defender.