Doppelgänging: How to circumvent security products to execute code on Windows
Researchers have disclosed an attack which exploits processes in the Windows operating system to circumvent all traditional security software and perform code execution attacks.
At Black Hat Europe on Thursday, security professionals Eugene Kogan and Tal Liberman from endpoint security firm enSilo revealed research into how cybersecurity products on the market can be circumvented by exploiting how they scan for malware and interact with memory processes.
Security
In a presentation titled, "Lost in transaction: Process Doppelgänging," the team described a play on process hollowing to circumvent security software.
Process hollowing is the creation of a process for the sole purpose of running a malicious executable inside.
Attackers who favor this method load a process in a suspended state, replace elements of memory with crafted code and then resume the process -- tricking a system into believing the process is legitimate and safe to run.
Many security solutions today now take hollowing into account and are able to detect these attacks.
However, the new technique, dubbed Process Doppelgänging, is harder to detect and defend against.
Transactionable NTFS integrates transactions into the NTFS file system to allow for improved error handling and data integrity preservation in Windows systems. The duo's technique works by masking a crafted executable through a process to make changes to an executable file that is never committed to disk by overwriting a legitimate file in the context of a transaction.
A section of this transaction is overwritten with malicious code, pointing to the malicious executable.
The process loading mechanism is then harnessed using "undocumented implementation details" to load the modified executable which resulted in creating a process based on the modified executable, hoodwinking security products in the process and avoiding detection.
The transaction is then rolled back to its legitimate state so no trace of the attack is left behind, which the team says "effectively removes our changes from the file system."
In addition, the researchers say AV products will not scan for this kind of attack at all, or will only scan clean files.
enSilo says the goal of the technique is to run arbitrary code in the content of a legitimate process on the target machine. While the researchers' attack method is a twist on process hollowing, it manages to compromise systems without using suspicious processes and tipping off traditional security software.
This technique does not require any files to be created during the process, and it cannot be patched as "it exploits fundamental features and the core design of the process loading mechanism in Windows," according to the team.
enSilo tested out the attack on cybersecurity products offered by major vendors including Windows Defender, AVG, Symantec Endpoint Protection versions 12 and 14, Avast, and Norton.
The team says that not only does the technique work on all major products, but can be launched on all versions of Microsoft Windows -- and can also be used to execute hacking utilities such as password stealers to avoid detection and retain persistence.
The attack can also give old malware variants new life by making them undetectable.
To successfully emulate Process Doppelgänging, however, requires advanced technical skill and knowledge. One of the most difficult barriers to overcome is that in order to run a process out of a section, rather than a file on disk, the process must be created using NtCreateProcess, which further requires manual initialization.
There are also other challenges, such as problems with scanning locked files, which causes issues to AV scanners which hand over the task of scanning to user-mode processes.
"While this technique leverages Microsoft's transaction technology, it is not a vulnerability, but an evasion technique," Liberman told ZDNet. "That being said, we did submit a description of the technique to Microsoft and as they, too, do not deem it to be a vulnerability, they will not address it."