An unpatchable issue in the basic mechanics of Windows is threatening millions of PCs.
The eSilo research team has uncovered the “AtomBombing” technique to inject malicious code. Threat actors can use this technique, which exists by design of the operating system, to bypass security solutions that attempt to prevent infection, hide from the user and extract sensitive information that would otherwise be unattainable. The issue cannot be patched since it doesn’t rely on broken or flawed code.
“The underlying Windows mechanism which AtomBombing exploits is called atom tables,” the firm explained, in a blog. “These tables are provided by the operating system to allow applications to store and access data. These atom tables can also be used to share data between applications.”
A threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table. We also found that the legitimate program that contains the malicious code can then be manipulated to execute that code.
AtomBombing affects all Windows versions.
The issue we revealed presents a way for threat actors to inject code. Attackers use code injection to add malicious code into legitimate processes, making it easier to bypass security products,
For example, let’s say an attacker was able to persuade a user to run a malicious executable, evil.exe. Any kind of decent application level firewall installed on the computer would block that executable’s communication. To overcome this issue, evil.exe would have to find a way to manipulate a legitimate program, such as a web browser, so that the legitimate program would carry out communication on behalf of evil.exe.
An attacker may use code injection to bypass process-level restrictions; gain access to context-specific data (some data is only accessible to certain processes, while inaccessible to others); access encrypted passwords; take screenshots; and perform Man in the Browser (MitB) attacks.
This last possibility can have broad consequences.
“For example, in a banking transaction process, the customer will always be shown the exact payment information as the customer intended via confirmation screens,” eSilo explained. “However, the attacker modifies the data so that the bank receives false transaction information in favor of the attacker, i.e. a different destination account number and possibly amount. In an MitB attack, the customers are unaware of the money being funneled out of their account until it’s too late.”
Photo © Everett Historical