A new code-injection attack, called AtomBombing, has been found that affects all versions of Windows going back...
to Windows 2000, and Microsoft may not be able to create a patch to mitigate the issue.
The AtomBombing technique was created by Tal Liberman, security research team leader for San Francisco-based data protection company enSilo. According to Liberman, AtomBombing abuses the atom tables that are a fundamental structure in Windows.
"The underlying Windows mechanism, which AtomBombing exploits, is called atom tables. These tables are provided by the operating system to allow applications to store and access data. These atom tables can also be used to share data between applications," Liberman wrote in a blog post. "What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table. We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code."
Liberman said this type of code injection could be used to bypass security products, perform man-in-the-browser attacks, access encrypted passwords or take screenshots of a user's system. But Liberman told SearchSecurity there are limits to the attack.
"Any method that will get code to execute on the target machine -- outside a sandbox -- will suffice. Exploiting a vulnerability, tricking someone into running a malicious executable, etc. This is not a privilege escalation, meaning it cannot be used to inject to an administrative account from a nonadministrative account," Liberman said via email. "What we need to remember is that this method is useful not only during the initial infection. The attacker will somehow gain persistence and then be stuck in a single process."
J.P. Taggart, senior security researcher with Malwarebytes Labs, based in Santa Clara, Calif., said AtomBombing is very similar to current code-injection operations "performed by the majority of modern malware, just doing it in a way that hasn't been seen before."
J.P. Taggartsenior security researcher at Malwarebytes Labs
"The end goal is privileged code execution. AtomBombing uses legitimate Windows components, almost like a pathogen subverting the immune system. Once that occurs, it's pretty much game over," Taggart told SearchSecurity. "Basically, once that kind of trusted code execution happens, the code has the ability to do anything on the system, including downloading additional malware, modifying security settings and anything else modern malware can do."
Bobby Kuzma, systems engineer at Core Security, based in Roswell, Ga., said the ease of the atom tables attack was especially scary.
"It's pretty straightforward to implement. From the proof of concept, I was able reproduce it in about a half an hour. I wouldn't call myself an expert on this type of technique, so this is worrisome," Kuzma told SearchSecurity. "The API calls that make this attack possible aren't privileged, so if an adversary was able to get any code execution, they'd be able to leverage this to inject malicious code into a trusted process."
Liberman said one potential mitigation technique would be to monitor API calls for malicious activity by using any host intrusion prevention system tools.
"Since the issue cannot be fixed, there is no notion of a patch for this. Thus, the direct mitigation answer would be to tech-dive into the API calls and monitor those for malicious activity," Liberman wrote. "It's important, though, at this point to take a step back. AtomBombing is one more technique in the attacker's toolbox. Threat actors will continuously take out a tool -- used or new -- to ensure that they bypass anti-infiltration technologies."
Taggart said modern security products should be able to detect and kill the offending process if the system is running a real-time monitoring application.
"It's likely that many solutions won't be looking for that kind of operation right now," Taggart said. "Having a security solution with real-time detection, monitoring API and process injections should be able to identify this method. And since it's such an odd way of doing things, [it] would be identified as malicious."
Kuzma said Microsoft may not be able to patch this code-injection issue, and any change made to atom tables could have disastrous side effects.
"The underlying mechanism is a fundamental part of the Windows kernel architecture. Removing it or altering the behavior will break a lot of software in hideously nonobvious ways," Kuzma said. "It's doubtful that Microsoft will make a breaking change. More likely, they'll introduce a layer of abstraction that would serve to sandbox the threads from each other, which is a wise move in general."
Taggart said some of the best attack techniques rely on architectural weaknesses that are difficult or impossible to patch. "Flash is a good example of this," Taggart said.
"They continue to work, because fixing them would require rebuilding the program from the ground up. Rebuilding an operating system from the ground up is a daunting task," Taggart said. "We could see a whack-a-mole effect, where Microsoft closes one vector of AtomBombing after another, while never fixing the underlying structural weakness, as it would require massive changes. As this is a new and emerging threat vector, only time will tell."
Learn more about preventing SQL code-injection attacks.
Find out about testing applications for code-injection vulnerabilities.
Get info on the risks of using Windows kernel-mode drivers in systems management.