Slashdot Mirror


'Process Doppelganging' Attack Bypasses Most Security Products, Works On All Windows Versions (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: Yesterday, at the Black Hat Europe 2017 security conference in London, two security researchers from cyber-security firm enSilo have described a new code injection technique called "Process Doppelganging." This new attack works on all Windows versions and researchers say it bypasses most of today's major security products. Process Doppelganging is somewhat similar to another technique called "Process Hollowing," but with a twist, as it utilizes the Windows mechanism of NTFS Transactions.

"The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine," Tal Liberman & Eugene Kogan, the two enSilo researchers who discovered the attack, told Bleeping Computer. "Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection. In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it's in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind." The good news is that "there are a lot of technical challenges" in making Process Doppelganging work, and attackers need to know "a lot of undocumented details on process creation." The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."
More research on the attack will be published on the Black Hat website in the following days.

60 of 126 comments

  1. Multi-process... by Anonymous Coward · · Score: 2, Funny

    If it's done with multiple processes, is it a Process Doppelgangbang?

    1. Re: Multi-process... by VernonNemitz · · Score: 2, Funny

      NOT all Windows versions. I have a machine with Win 3.1 on it, that does not have NTFS.

    2. Re: Multi-process... by omnichad · · Score: 1

      You don't even have to go that far back. It doesn't work on Windows 98 or ME either.

    3. Re: Multi-process... by Brockmire · · Score: 1

      Your clarification privileges have been revoked.

  2. So... by 110010001000 · · Score: 1, Insightful

    ...so you run a program on the target machine that uses some API to run some malware undetected. Clever. Computers that run arbitrary software need to be banned. Only approved computers running a small set of governmental approved programs should be permitted.

    1. Re: So... by Nocturna81 · · Score: 2

      But have yet to understand that Slashdot doesn't use unicode

    2. Re:So... by Lije+Baley · · Score: 1

      OK, if that's the bar we're going to set, then I get to mod you "-1 Snowflake".

      --
      Strange things are afoot at the Circle-K.

  3. Re:Windows Versus Linux by Anonymous Coward · · Score: 1

    Windows is better because Linux breaks backward compatibility whenever a penguin takes a shit.

    captcha bugged

  4. Re:Windows Versus Linux by hcs_$reboot · · Score: 1

    Nobody mentions the Mac anymore :-(

    --
    Slashdot, fix the reply notifications... You won't get away with it...

  5. Re:So, Basically by Anonymous Coward · · Score: 1

    Why would there be a "sales dive"?

    99.9% of buyers don't know, and don't care.

  6. This is why we need alternative File systems by Anonymous Coward · · Score: 2, Interesting

    This is why we need alternative file systems on Windows. If this were Linux we'd either fix it or change to another file system. Not 'live with insecurity for the remaining days of your life.'

    1. Re: This is why we need alternative File systems by Brockmire · · Score: 1

      Workstation Pro with ReFS for extra $$$.

  7. We're boned by Lije+Baley · · Score: 2

    Now does this mean we can finally move on to the "post security" era? Please, can we? So much security fatigue...

    Anybody can bust into my house with a solid kick, but I don't lose any sleep over it.

    --
    Strange things are afoot at the Circle-K.

    1. Re:We're boned by yorgasor · · Score: 1

      Yes, but it takes a lot of resources to bash in your door, and there's a lot of risk involved. You might be home at the time, you might have a gun. They either have to be near you or travel hours to get to your house to do it. On the internet, someone can write a script to bash in millions of "doors" in the space of a few hours with minimal resources and very little risk of getting shot and do it from the comfort of their home halfway around the world.

      --
      Looking for a computer support specialist for your small business? Check out

    2. Re:We're boned by aaarrrgggh · · Score: 1

      Foot, momentum. Not deal-killing resources. Probability of shock attack encountering properly trained people able to respond quite low. Add cell jammer and some gimmicks and you have a high probability of getting stuff to buy more ...whatever.

      GP’s point remains. We have constant risk, but losing sleep over it is stupid. Why?

    3. Re:We're boned by yorgasor · · Score: 1

      If you want to break into a million houses all over the world, that's some major deal killing resources. If you want to break into one person's house that lives within an hour of you, that's not too big of a deal. Because of that, the odds of someone picking your house to break into are very slim, and not much to worry about. The odds of some script kiddie from Russia doing a scan and looking for vulnerabilities is quite high. If you're vulnerable to a remote attack, you will most assuredly get hit within a pretty short period of time. If you're not a high value target, basic security steps that block remote automated attacks and internet hygiene where you don't travel the seedier places on the internet and staying up to date on security patches will make it less likely that you'll be hit.

      --
      Looking for a computer support specialist for your small business? Check out

    4. Re:We're boned by Lije+Baley · · Score: 1

      Basic security steps like you mention are totally analogous to locking your door and not driving through bad neighborhoods. That's the easy stuff. Extra locks, alarms systems, reading every day to keep up on criminal techniques and following police blotters is stuff that goes beyond and most people won't do it. But strangely enough we have to hear about every worm, bug, bot, and breach in the news headlines. And every one of those stories has some "security expert" telling us what new thing we need to do today or we'll be PwNed!! They need to dial back the hype before nobody listens to them any more than they listen to the guy selling alarm systems. It's already too late. Security fatigue has set in, in earnest.

      --
      Strange things are afoot at the Circle-K.

    5. Re:We're boned by Aighearach · · Score: 1

      Even my hosts with no published domains get attackers kicking at the server's door multiple times a minute!

      Nobody has ever kicked at my front door of my house. One person tried the doorhandle one time, and ran away when I opened the door.

  8. Works On All Windows Versions? by bagofbeans · · Score: 1

    Not really. But at long last we have a single data point where Window 95 is better than Windows NT.

    1. Re:Works On All Windows Versions? by Trax3001BBS · · Score: 1

      What is really of note is the alleged compatibility. I've never seen anything compatible with all Windows versions. ANYTHING. In fact, I doubt anyone really checked it because I'm pretty sure it will hang or crash on some versions.

      One right off hand. Forte Agent 1.92, just move a short-cut to the newest install and have an E-mailer/Newsreader all set-up and ready to go.

      Older versions work as well, but needed yEnc the newer 1.92 offered. Used this version from W2K/Win98 to Win10 and in between.

  9. Re: And THIS is why Kevin uses Linux now by Brockmire · · Score: 1

    I don't know if this is funnier written by a human or by a bot. It's like as if Beck trolls /. (Nonsensical words slapped together).

  10. Not patchable, really? by Bruce+Perens · · Score: 3, Insightful

    Creating a process from a file that is part of an in-progress transaction is probably not a documented feature of Windows at all. Making such files non-executable until the transaction is completed sounds like it would be a sufficient fix.

    Much as I like to brag that Linux folks can fix this sort of thing overnight, it is not really the case that everyone at Microsoft is a knuckle-walking Neanderthal who could not fix this in a week or a month.

    Watch some Neanderthal get offended...

    1. Re:Not patchable, really? by Aighearach · · Score: 1

      Why are you bigoted against Neandertals?

    2. Re:Not patchable, really? by Bruce+Perens · · Score: 3, Funny

      Why are you bigoted against Neandertals?

      I believe I can say in complete truthfulness that I have never met a Neanderthal that I didn't like.

    3. Re:Not patchable, really? by Bruce+Perens · · Score: 1

      The way I read the summary was that the part of the exploit they haven't told us about involves features that are core to the OS.

      Yeah, like filesystem transactions and executing files. The whole exploit is explained in the summary. Create a file in a transaction. Virus checker can't get at it because it's not visible outside of the transaction. Execute the file. Abort the transaction. No file left for the virus checker. Process still running.

    4. Re:Not patchable, really? by Anonymous Coward · · Score: 1

      I just read another post here that says the thing being exploited first appeared in Vista. So it's not quite as bad as I was thinking. XP is the 800-pound post-EOL gorilla, and nobody in their right mind should want to run Vista at all, especially EOL.

      And apparently it requires a particular service to be running, which should be easy for the 99.999% of people who don't use NTFS Transactions to simply turn it off. On my Windows 7 gaming computer it was set to Manual. Yeah, let's just completely disable this useless piece of bullet point fodder. There, that's better.

    5. Re:Not patchable, really? by MrMr · · Score: 1

      About 2% of the people you meet outside Africa are Neanderthal. See: https://genographic.nationalge...

  11. You still need the admin password, right? by AlanObject · · Score: 4, Interesting

    Trying to understand this. Basically NTFS Transactions are a deprecated feature, but this amounts to little more than monkeying with the in-RAM read cache of an executable file.

    Well great. In order to do that I have to have access to the system at some level in the first place. So this exploit technique is only really viable if you have either an inside job or a leaked password. And it isn't clear to me that you don't need an admin-level access to use that API as well.

    Unless I missed something this doesn't seem like that hot an issue.

    1. Re:You still need the admin password, right? by Cephacles · · Score: 2

      It also appears this attack needs the Distributed Transaction Coordinator service to be running, which is rarely used. The linked Microsoft article on NTFS transactions says it uses DTC. I always turn that service off to Manual or Disabled, otherwise it just wastes resources and slows boot time. Also, since the attack writes nothing to disk, how does it survive a reboot or power cycle?

    2. Re:You still need the admin password, right? by StormReaver · · Score: 1

      In order to do that I have to have access to the system at some level in the first place.

      This is Microsoft Windows, the Swiss Cheese of operating system security. Attackers most likely already have this for any given machine.

      So this exploit technique is only really viable if you have either an inside job or a leaked password.

      See answer to quote #1 above.

      And it isn't clear to me that you don't need an admin-level access to use that API as well.

      See answer to quote #1 above.

    3. Re:You still need the admin password, right? by AlanObject · · Score: 1

      Also, since the attack writes nothing to disk, how does it survive a reboot or power cycle?

      I think that was the whole point of why this new exploit sounds so scary. Nothing gets written to disk so it isn't "traceable."

      The thing is if you are able to inject your own code to run in a system in the first place, you can do it again and again as long as the owner of the system isn't aware of it and doesn't change anything. I can see the appeal of that; it would allow an attacker to set up a temporary base that would be devilishly hard to trace back to the system that injected it. At least if all you had to go on was the infected system itself.

      Of course if you have decent IDS that covers both inside and outside jobs that is really not much added safety for the bad hombre. But not that many sites have that.

  12. Re:Windows Versus Linux by Anonymous Coward · · Score: 1

    That's because Macs are designed so anyone can get root with a couple of clicks...

  13. All Windows Versions by PoopJuggler · · Score: 1

    So it works on Windows 3.0?

  14. All Windows Versions by hcs_$reboot · · Score: 1

    At last, something fully backwards compatible in Windows.

    --
    Slashdot, fix the reply notifications... You won't get away with it...

  15. spot the shill by jmccue · · Score: 1

    Well it is Friday evening here, another Windows vulnerability found, it is time for a Drinking Game.

    "Spot the shill", you should be able to guess the rules now

  16. Re:Windows Versus Linux by murdocj · · Score: 5, Insightful

    Intelligent people use the operating system that lets them get the tasks they want to get done done, rather than engaging in pointless O/S debates.

  17. Re:So, Basically by murdocj · · Score: 1

    No. This is just another virus. As someone else pointed out, there's no inherent reason you can't detect it the way other viruses are detected. And it doesn't let you gain more privilege. All it does is bypass current virus detection, which presumably will get fixed.

  18. All versions of windows by dougg76 · · Score: 1

    This is amazing. It's the first thing I ever heard of that can work on all versions of windows. They should patent that and make bank.

    --
    I laugh at inappropriate times.

  19. Re:Windows Versus Linux by eddeye · · Score: 2

    Intelligent people use the operating system that lets them get the tasks they want to get done done, rather than engaging in pointless O/S debates.

    Fortunately intelligent people don't post on slashdot.

    --
    Democracy is two wolves and a sheep voting on lunch.

  20. Re: So, Basically by guruevi · · Score: 2

    Read the summary, the attack can't be detected because the OS doesn't let itself or any other process into a running transaction.

    This made sense in the 80s/90s in that you don't want a program unnecessarily holding up or interrupting a disk operation because that would cause corruption, hence why we invented file systems that have a journal.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com

  21. Re:So... MAC by Anonymous Coward · · Score: 1

    The main problem is that Windows doesn't have a proper implementation of Mandatory Access Control that really works. Linux has multiple ones e.g. SELinux and AppArmor.

    MAC can prevent this attack since it could prevent the modification of a file by a different process that isn't allowed to do that.

  22. Re:Windows IFS model allows other filesystems by Zontar+The+Mindless · · Score: 2

    First, pretend that you have a job.

    Now, pretend that you have to persuade IT at your job to let you install a filesystem different to the one everyone else in the company is using.

    Let us know how it goes.

    --
    Il n'y a pas de Planet B.

  23. Re:Windows Versus Linux by Megol · · Score: 1

    :-(

  24. Re:So, Basically by Megol · · Score: 2

    One still has to have the rights to open and modify the file, one still has to have the rights to execute the file. It's "just" that one can replace a section of a file one already could modify and execute in a way that malware scanners can't detect.

    To me this isn't a huge problem - if security requires malware scanning one has no security. And it is using functionality not commonly used together so a hack that detects the combination and handles it should be relatively easy. But why care?

  25. Can't be patched? (Rubbish) by Anonymous Coward · · Score: 1

    I'm sure that not instantiating a process from an uncommitted NTFS transaction wouldn't break many legitimate programs.

    Only creating processes from files that are also not being written to would also work equally as well within the kernel.

    Both paths sound like they would ensure that virus software can pick up the dodgy behavior.

    A creative attack though.
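The summary's sequence (write inside an NTFS transaction, create a section from the modified file, create a process from it, roll the transaction back) is the "functionality not commonly used together" that comment #24 says a detector could key on, and comments #10 and #25 propose refusing to build a process from a file whose transaction is uncommitted. As an added example, not code from the page, from enSilo or from Bleeping Computer, the Python below correlates a constructed per-process event stream to flag that chain, and models the proposed loader rule as a second mode. The `(pid, operation, target)` record format, the `ProcState` tracking class and `loader_policy` are assumptions for illustration; they are not a real Sysmon/ETW schema or a Windows API.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample telemetry: (pid, operation, target). Operation names follow the
# Win32/NT calls the summary and Microsoft's TxF docs refer to; the record format is an
# assumption for this example, not a real Sysmon or ETW schema.
LEGIT = r"C:\Program Files\Legit\app.exe"
SAMPLE_EVENTS: List[Tuple[int, str, str]] = [
    # pid 1001: the chain from the summary: write inside a transaction, map the
    # transacted file as a section, create a process from it, roll the transaction back
    (1001, "CreateTransaction", "tx-7"),
    (1001, "CreateFileTransacted", LEGIT),
    (1001, "WriteFile", LEGIT),
    (1001, "NtCreateSection", LEGIT),
    (1001, "NtCreateProcessEx", LEGIT),
    (1001, "RollbackTransaction", "tx-7"),
    # pid 2002: an ordinary TxF user (an installer) that writes, commits, never executes
    (2002, "CreateTransaction", "tx-9"),
    (2002, "CreateFileTransacted", r"C:\Data\config.ini"),
    (2002, "WriteFile", r"C:\Data\config.ini"),
    (2002, "CommitTransaction", "tx-9"),
    # pid 3003: a normal process launch with no transaction involved at all
    (3003, "NtCreateSection", r"C:\Windows\notepad.exe"),
    (3003, "NtCreateProcessEx", r"C:\Windows\notepad.exe"),
]


@dataclass
class ProcState:
    """What has been observed from one process so far (hypothetical tracking state)."""
    open_tx: Optional[str] = None
    tx_handles: Set[str] = field(default_factory=set)   # files opened via CreateFileTransacted
    tx_writes: Set[str] = field(default_factory=set)    # ... and actually modified in the tx
    tx_mapped: Set[str] = field(default_factory=set)    # ... then mapped as a section
    tx_executed: Set[str] = field(default_factory=set)  # ... then used to create a process

    def reset_tx(self) -> None:
        """Commit or rollback ends the transaction; forget everything tied to it."""
        self.open_tx = None
        for bucket in (self.tx_handles, self.tx_writes, self.tx_mapped, self.tx_executed):
            bucket.clear()


def loader_policy(state: ProcState, path: str) -> str:
    """Hypothetical kernel-side rule from comments #10 and #25: refuse to build a process
    image from a file that still carries uncommitted transactional writes."""
    if state.open_tx is not None and path in state.tx_writes:
        return "deny: image has uncommitted transactional writes"
    return "allow"


def correlate(events, enforce: bool = False) -> List[Tuple[int, str, str]]:
    """Flag the write-in-transaction -> section -> process (-> rollback) chain per pid.

    Returns (pid, path, finding) tuples. With enforce=True the loader policy is consulted
    at process creation and its decision is recorded in place of the alert."""
    procs = {}
    findings: List[Tuple[int, str, str]] = []
    for pid, op, target in events:
        st = procs.setdefault(pid, ProcState())
        if op == "CreateTransaction":
            st.open_tx = target
        elif op == "CreateFileTransacted" and st.open_tx is not None:
            st.tx_handles.add(target)
        elif op == "WriteFile" and target in st.tx_handles:
            st.tx_writes.add(target)
        elif op == "NtCreateSection" and target in st.tx_writes:
            # Mapping a file whose modified content exists only inside a transaction is
            # the rare combination; a scanner reading the on-disk copy sees nothing new
            st.tx_mapped.add(target)
            findings.append((pid, target, "section_from_transacted_write"))
        elif op == "NtCreateProcessEx" and target in st.tx_mapped:
            if enforce:
                findings.append((pid, target, loader_policy(st, target)))
            else:
                st.tx_executed.add(target)
                findings.append((pid, target, "process_from_transacted_section"))
        elif op in ("CommitTransaction", "RollbackTransaction") and target == st.open_tx:
            if op == "RollbackTransaction":
                # Rollback after execute: the image that ran never reached disk
                for path in sorted(st.tx_executed):
                    findings.append((pid, path, "rollback_after_execute"))
            st.reset_tx()
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print("detect :", finding)
    for finding in correlate(SAMPLE_EVENTS, enforce=True):
        print("enforce:", finding)
```

Run stand-alone it prints three findings for pid 1001 in detect mode and, in enforce mode, the section alert followed by the loader's deny decision; the committing installer and the plain notepad launch produce nothing, which is the point of keying on the combination rather than on transactions or process creation alone.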

  26. Re: So, Basically by Megol · · Score: 2

    How about:
    Crook: Let's see, here we have a file I want to run and for some reason I have the right to run -> let's go transactional!

    NTFS: Ah, a transactional lock! Don't see those too often!

    Crook: Modify the file that I for some reason have the right to modify _wïthïn_thá_transáctïon_ HOHOHO!!

    NTFS: Okay... Got that.

    Scanner: Ah ho a hum, don't see shit... Boring.

    Crook: Now let's do the cool thing and run this modified shït!

    System: Let's see... Loading a file within a transactional lock? Now I don't like this, I don't like this AT ALL! *plonk*

    Crook: OMGWTF?!? I can't run the file :(((

    Crook: (releases lock either voluntarily or when killed by system)

    NTFS: Ah, a transactional release! Don't see those too often!

    Scanner: Still don't see shit... Really boring, should take up macrame or something.

  27. Re:So, Basically by ilguido · · Score: 1

    RTFA. The whole point of this exploit is that it is undetectable by anti virus software or any other application.

  28. Re:So, Basically by murdocj · · Score: 1

    Maybe you should RTFA and THINK.

    At the moment, yes, it isn't detected. The user runs a program, the program loads and modifies and runs a different program. The actions of the program in loading and modifying another program CAN BE DETECTED.

    Got it?

  29. Re: Windows Versus Linux by Zero__Kelvin · · Score: 1

    I disagree, and you might want to think about your claim a bit more too.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

  30. Re:Windows Versus Linux by omnichad · · Score: 1

    Intelligent people that need to use commercial software.

  31. Re: So, Basically by omnichad · · Score: 1

    Unless the A/V runs its own rootkit. Then it could probably still track what's going on.

  32. Re:Amazing by omnichad · · Score: 1

    But NASA and in the aircraft industry still have less problems with bugs

    How many external attacks are there on the systems? All NASA has to do is not include legacy MacOS binary compatibility to keep spacecraft relatively virus-proof.

  33. Ungood! by JustAnotherOldGuy · · Score: 1

    The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."

    Yes, I'd say that qualifies as "bad news". This is ungood, and yet another reason to switch to another OS.

    Seriously, after all this time the fucknutz at Microsoft have managed to create a vulnerability that's baked in to every version of Windows, their flagship product?

    --
    Just cruising through this digital world at 33 1/3 rpm...

  34. Re: Curry eater English by Brockmire · · Score: 1

    Snippy, motherfucker, snippy.

  35. Re: Ok - Design one yourself then! apk by Brockmire · · Score: 1

    And it was merely pointing out your posts are useless and unnecessary. No one gives a shit what you post, most times it's nonsense. Now get off the rag and stop being a whiny little bitch.

  36. Re: parade of idiots by Brockmire · · Score: 1

    Please use capital letters next time you feel like insulting someone. I give zero fucks to people who can't do very, very basic English.

  37. Re: Amazing by Brockmire · · Score: 1

    You're comparing a specific, critical embedded system intended for operation in space from millions of miles away to be the same as a general purpose desktop operating system sold for free to cheap? Are you fucked in the head? Do you expect heart surgery by your nurse?

  38. Re: Amazing by vux984 · · Score: 1

    It's even stupider than that. The critical embedded system in deep space has about zero malicious hackers analyzing it and attacking it.

    And this particular Windows flaw would not be much of a risk on a computer floating in deep space.

  39. Re:NTFS Transactions have been deprecated for year by jdschulteis · · Score: 1

    Per MSDN:

    Microsoft strongly recommends developers utilize alternative means to achieve your application’s needs. Many scenarios that TxF was developed for can be achieved through simpler and more readily available techniques. Furthermore, TxF may not be available in future versions of Microsoft Windows.

    Looks like the future needs to be now.

  40. Re:I point out fact you can't overcome... apk by Zontar+The+Mindless · · Score: 1

    No, I *could* have mod-bombed you, but you were providing us some fine entertainment by trolling yourself, so why bother.

    --
    Il n'y a pas de Planet B.