Slashdot Mirror


'Process Doppelganging' Attack Bypasses Most Security Products, Works On All Windows Versions (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: Yesterday, at the Black Hat Europe 2017 security conference in London, two security researchers from cyber-security firm enSilo have described a new code injection technique called "Process Doppelganging." This new attack works on all Windows versions and researchers say it bypasses most of today's major security products. Process Doppelganging is somewhat similar to another technique called "Process Hollowing," but with a twist, as it utilizes the Windows mechanism of NTFS Transactions.

"The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine," Tal Liberman & Eugene Kogan, the two enSilo researchers who discovered the attack, told Bleeping Computer. "Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection. In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it's in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind." The good news is that "there are a lot of technical challenges" in making Process Doppelganging work, and attackers need to know "a lot of undocumented details on process creation." The bad news is that the attack "cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."
More research on the attack will be published on the Black Hat website in the following days.

15 of 126 comments

  1. Multi-process... by Anonymous Coward · · Score: 2, Funny

    If it's done with multiple processes, is it a Process Doppelgangbang?

    1. Re: Multi-process... by VernonNemitz · · Score: 2, Funny

      NOT all Windows versions. I have a machine with Win 3.1 on it, that does not have NTFS.

  2. This is why we need alternative File systems by Anonymous Coward · · Score: 2, Interesting

    This is why we need alternative file systems on Windows. If this were Linux we'd either fix it or change to another file system. Not 'live with insecurity for the remaining days of your life.'

  3. We're boned by Lije+Baley · · Score: 2

    Now does this mean we can finally move on to the "post security" era? Please, can we? So much security fatigue...

    Anybody can bust into my house with a solid kick, but I don't lose any sleep over it.

    --
    Strange things are afoot at the Circle-K.
  4. Not patchable, really? by Bruce+Perens · · Score: 3, Insightful

    Creating a process from a file that is part of an in-progress transaction is probably not a documented feature of Windows at all. Making such files non-executable until the transaction is completed sounds like it would be a sufficient fix.

    Much as I like to brag that Linux folks can fix this sort of thing overnight, it is not really the case that everyone at Microsoft is a knuckle-walking Neanderthal who could not fix this in a week or a month.

    Watch some Neanderthal get offended...

    1. Re:Not patchable, really? by Bruce+Perens · · Score: 3, Funny

      Why are you bigoted against Neandertals?

      I believe I can say in complete truthfulness that I have never met a Neanderthal that I didn't like.

  5. You still need the admin password, right? by AlanObject · · Score: 4, Interesting

    Trying to understand this. Basically NTFS Transactions are a deprecated feature, but this amounts to little more than monkeying with the in-RAM read cache of an executable file.

    Well great. In order to do that I have to have access to the system at some level in the first place. So this exploit technique is only really viable if you have either an inside job or a leaked password. And it isn't clear to me that you don't need admin-level access to use that API as well.

    Unless I missed something this doesn't seem like that hot an issue.

    1. Re:You still need the admin password, right? by Cephacles · · Score: 2

      It also appears this attack needs the Distributed Transaction Coordinator service to be running, which is rarely used. The linked Microsoft article on NTFS transactions says it uses DTC. I always turn that service off to Manual or Disabled, otherwise it just wastes resources and slows boot time. Also, since the attack writes nothing to disk, how does it survive a reboot or power cycle?

  6. Re:Windows Versus Linux by murdocj · · Score: 5, Insightful

    Intelligent people use the operating system that lets them get the tasks they want to get done done, rather than engaging in pointless O/S debates.

  7. Re:Windows Versus Linux by eddeye · · Score: 2

    Intelligent people use the operating system that lets them get the tasks they want to get done done, rather than engaging in pointless O/S debates.

    Fortunately intelligent people don't post on slashdot.

    --
    Democracy is two wolves and a sheep voting on lunch.
  8. Re: So, Basically by guruevi · · Score: 2

    Read the summary, the attack can't be detected because the OS doesn't let itself or any other process into a running transaction.

    This made sense in the 80s/90s in that you don't want a program unnecessarily holding up or interrupting a disk operation because that would cause corruption, hence why we invented file systems that have a journal.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  9. Re:Windows IFS model allows other filesystems by Zontar+The+Mindless · · Score: 2

    First, pretend that you have a job.

    Now, pretend that you have to persuade IT at your job to let you install a filesystem different to the one everyone else in the company is using.

    Let us know how it goes.

    --
    Il n'y a pas de Planet B.
  10. Re:So, Basically by Megol · · Score: 2

    One still has to have the rights to open and modify the file, one still has to have the rights to execute the file. It's "just" that one can replace a section of a file one already could modify and execute in a way that malware scanners can't detect.

    To me this isn't a huge problem - if security requires malware scanning one has no security. And it is using functionality not commonly used together so a hack that detects the combination and handles it should be relatively easy. But why care?

  11. Re: So, Basically by Megol · · Score: 2

    How about:
    Crook: Let's see, here we have a file I want to run and for some reason I have the right to run -> let's go transactional!

    NTFS: Ah, a transactional lock! Don't see those too often!

    Crook: Modify the file that I for some reason have the right to modify _wïthïn_thá_transáctïon_ HOHOHO!!

    NTFS: Okay... Got that.

    Scanner: Ah ho a hum, don't see shit... Boring.

    Crook: Now let's do the cool thing and run this modified shït!

    System: Let's see... Loading a file within a transactional lock? Now I don't like this, I don't like this AT ALL! *plonk*

    Crook: OMGWTF?!? I can't run the file :(((

    Crook: (releases lock either voluntarily or when killed by system)

    NTFS: Ah, a transactional release! Don't see those too often!

    Scanner: Still don't see shit... Really boring, should take up macrame or something.

  12. Re: So... by Nocturna81 · · Score: 2

    But have yet to understand that Slashdot doesn't use unicode