New Windows Process Injection Can Be Useful for Stealthy Malware

silversurfer

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,154
Content source
https://www.securityweek.com/new-windows-process-injection-can-be-useful-stealthy-malware
Researchers at SafeBreach, a cybersecurity firm that specializes in breach and attack simulations, have catalogued most known Windows process injection techniques. They also discovered a new method, which they claim is stealthy and can bypass all protections implemented by Microsoft.

Malware can use process injection techniques to inject code designed for a specific operation into a legitimate process that can help it achieve its goal. Malware can leverage process injection for stealth and to bypass security mechanisms.

Itzik Kotler, co-founder and CTO of SafeBreach, and Amit Klein, the firm’s VP of security research, have summarized and tested two dozen known process injection techniques. Their research shows whether each technique is stable, what its prerequisites and limitations are, and specifies the main APIs they use. While some of the injection methods are theoretical, some have been known to be used by malware in the wild.
Click to expand...
According to the researchers, the process injections that are capable of bypassing the protection mechanisms in Windows are typically aggressive and easier to detect. However, the new injection method they have found, dubbed StackBomber, is supposedly much stealthier, which makes it more valuable to attackers, and it does not require elevated privileges to work. StackBomber has been described as a new execution technique that works well in combination with a new memory writing technique that was also discovered by Kotler and Klein.

Microsoft does not view process injection methods as vulnerabilities and, as such, they are not covered by its bug bounty programs. The SafeBreach researchers told SecurityWeek that they reported their findings to the tech giant, but, as expected, it will not take any immediate action to address StackBomber.

UPDATE. Microsoft has provided SecurityWeek the following statement: Microsoft has a strong commitment to security and will take appropriate action as needed to help keep customers protected.
Click to expand...
 
  • Like
  • Wow
  • +Reputation
Reactions: Andy Ful, Gandalf_The_Grey, upnorth and 5 others
You must log in or register to reply here.

Similar threads

upnorth
    • Like
    • +Reputation
    • Thanks
Security News New ‘Pool Party’ Process Injection Techniques Undetected by EDR Solutions
Replies
0
Views
1,069
Security News
upnorth
upnorth
vtqhtr413
    • Like
    • +Reputation
Mockingjay Process Injection Technique Could Let Malware Evade Detection
Replies
4
Views
1,143
News Archive
Sandbox Breaker
Sandbox Breaker
Gandalf_The_Grey
    • Like
    • +Reputation
D-Link WiFi range extender vulnerable to command injection attacks
Replies
0
Views
1,162
News Archive
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top