- Aug 17, 2014
Researchers at SafeBreach, a cybersecurity firm that specializes in breach and attack simulations, have catalogued most known Windows process injection techniques. They also discovered a new method, which they claim is stealthy and can bypass all protections implemented by Microsoft.
Malware can use process injection techniques to inject code designed for a specific operation into a legitimate process that can help it achieve its goal. Malware can leverage process injection for stealth and to bypass security mechanisms.
Itzik Kotler, co-founder and CTO of SafeBreach, and Amit Klein, the firm’s VP of security research, have summarized and tested two dozen known process injection techniques. Their research shows whether each technique is stable, what its prerequisites and limitations are, and specifies the main APIs they use. While some of the injection methods are theoretical, some have been known to be used by malware in the wild.
According to the researchers, the process injections that are capable of bypassing the protection mechanisms in Windows are typically aggressive and easier to detect. However, the new injection method they have found, dubbed StackBomber, is supposedly much stealthier, which makes it more valuable to attackers, and it does not require elevated privileges to work. StackBomber has been described as a new execution technique that works well in combination with a new memory writing technique that was also discovered by Kotler and Klein.
Microsoft does not view process injection methods as vulnerabilities and, as such, they are not covered by its bug bounty programs. The SafeBreach researchers told SecurityWeek that they reported their findings to the tech giant, but, as expected, it will not take any immediate action to address StackBomber.
UPDATE. Microsoft has provided SecurityWeek the following statement: Microsoft has a strong commitment to security and will take appropriate action as needed to help keep customers protected.