Wednesday 27 December 2017, Security Guide

“Doppelgänging” – a new cyber attack technique capable of evading most security software on all Windows versions

Lost24

A new code injection technique called “Process Doppelgänging” was presented at the Black Hat Europe 2017 security conference in London. According to the researchers from the cyber-security firm enSilo, the newly described attack poses a serious threat to all Windows versions and is capable of bypassing the majority of today's security products. The reason is that it exploits no bug at all but abuses the Windows mechanism of NTFS transactions: the malicious image is written into a file opened inside an NTFS transaction, a process is created from that in-transaction image, and the transaction is then rolled back so that the file never appears on disk.

Transactional NTFS (TxF) integrates transactions into the NTFS file system to allow for improved error handling and data integrity preservation in Windows systems; Microsoft has deprecated the feature since Windows 8, but the API is still present in current Windows releases. The researchers claim that “it is possible to create a file inside a transaction, and the file is visible to no other process as long as our transaction is not committed. It can be used to drop and run malicious payloads in an unnoticed way. If we roll back the transaction at an appropriate moment, the operating system behaves as if our file was never created.”

The enSilo researchers successfully tested their attack against products from Kaspersky, Bitdefender, ESET, Symantec, McAfee, Windows Defender, AVG, Avast, Qihoo 360, and Panda. Furthermore, they say that even advanced memory-forensics tools such as Volatility did not detect it.

The bad news is that, according to the researchers, the attack “cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows.” In practice this means there is no single vulnerability to fix: the technique uses documented Windows APIs, so the defensive answer is to detect the behaviour (for example a running process whose image file no longer exists on disk, or whose on-disk image differs from what was actually loaded) rather than to wait for a patch.
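As an added example (my own code, not enSilo's tool or anything presented at Black Hat), the following Python script turns the quoted TxF behaviour and the “cannot be patched” point into a hunting check: after a rolled-back transaction the payload file no longer exists, so a process spawned from it reports an image path that points at nothing, or at a legitimate file whose bytes differ from what was loaded. The script assumes a process snapshot with a `mapped_sha256` field that a sensor recorded when the image was loaded (an assumed field, not a Windows API); the snapshot, file names and hashes are constructed in a temporary directory so that it runs offline.

```python
"""Added example (not enSilo's code): hunt for running processes whose image
file on disk does not match what was loaded.

After a rolled-back NTFS transaction the payload file no longer exists, so a
process created from it reports an image path that points at nothing (or at an
unrelated, legitimate file).  Each record is checked against the disk and
against the hash a sensor recorded when the image was loaded.  The snapshot
below is constructed in a temp directory; ``mapped_sha256`` stands in for a
hash an EDR would record at process creation (assumed field, not an API).
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcessRecord:
    pid: int
    image_path: str      # path the process reports for its main image
    mapped_sha256: str   # hash of the image bytes that were actually loaded


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_process(rec: ProcessRecord) -> Optional[str]:
    """Return a finding for a suspicious process, or None if disk and memory agree."""
    if not os.path.isfile(rec.image_path):
        # Exactly what a rolled-back transaction leaves behind: a running
        # process whose backing file "was never created".
        return "image file missing on disk"
    if sha256_of_file(rec.image_path) != rec.mapped_sha256:
        # The loaded code is not the code on disk: the file was overwritten
        # inside a transaction and the overwrite was rolled back.
        return "on-disk image differs from loaded image"
    return None


def hunt(records: List[ProcessRecord]) -> Dict[int, str]:
    """Map pid -> finding for every process that fails a check."""
    findings: Dict[int, str] = {}
    for rec in records:
        finding = check_process(rec)
        if finding:
            findings[rec.pid] = finding
    return findings


def build_demo_snapshot() -> List[ProcessRecord]:
    """Constructed snapshot: one clean process and two doppelganged ones."""
    root = tempfile.mkdtemp(prefix="doppel_demo_")
    benign = os.path.join(root, "svchost.exe")   # constructed stand-in, not a real PE
    benign_bytes = b"MZ benign image bytes"
    with open(benign, "wb") as f:
        f.write(benign_bytes)
    payload_bytes = b"MZ malicious image bytes"  # constructed payload stand-in

    return [
        # 1001: loaded bytes match the file on disk -> clean
        ProcessRecord(1001, benign, sha256_of_bytes(benign_bytes)),
        # 1002: created from a transacted file that was rolled back; the
        # path it reports no longer exists on disk
        ProcessRecord(1002, os.path.join(root, "notepad.exe"), sha256_of_bytes(payload_bytes)),
        # 1003: the legitimate file is still on disk, but the process was
        # started from a transacted overwrite of it that was rolled back
        ProcessRecord(1003, benign, sha256_of_bytes(payload_bytes)),
    ]


if __name__ == "__main__":
    for pid, finding in sorted(hunt(build_demo_snapshot()).items()):
        print(f"pid {pid}: {finding}")
```

Two caveats for use on a real host. The image mapped in memory is not byte-identical to the file on disk (relocations and section alignment), so `mapped_sha256` must come from a sensor hashing the file handle at process creation or from a PE reconstructed from the section object, not from a raw memory read. And a missing or changed image file also occurs legitimately (an executable updated or deleted while still running), so the output is a hunting lead to triage, not a verdict. A more direct indicator, which needs kernel or hooking telemetry this script does not have, is process creation from a section whose backing file object is transacted: that is the combination the technique depends on.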

Fortunately, the researchers admit that “there are a lot of technical challenges” in making “Process Doppelgänging” work, so it will take attackers considerable effort and time before the technique shows up in real attacks.

For now we can only wait and hope that security vendors provide effective detections before “Doppelgänging” becomes a real threat.