Researchers show new method for code injection in Windows
Researchers at the security company enSilo have discovered a new way to inject code into Windows processes, using atom tables. They argue that there is no immediate solution to the problem.
According to enSilo, there is no solution because the problem is not related to vulnerabilities in code. The “AtomBombing” technique, as the company calls it, takes advantage of legitimate operating system functions, the company said. The company ran a successful test on Windows 10, but all versions of Windows are said to be susceptible to the attack. An attacker could use the method to access data that is only accessible to certain processes and thus gain access to encrypted passwords or perform a man-in-the-middle attack on the browser.
In addition, the attacker could bypass security products by injecting code into processes that those products trust. The attack relies on atom tables, which, according to enSilo, are tables in which programs can store and share data. An attacker could write malicious code to such a table and cause a legitimate program to retrieve and execute it. This is possible using two API calls, the researchers explain in a technical analysis.
According to enSilo, there is no immediate solution to the problem other than monitoring the API calls themselves and watching for malicious activity. One of the researchers tells ZDNet that the biggest concern is that a motivated attacker will always discover similar techniques. In addition, this attack could easily bypass security software, as the method has not yet been identified as malicious. Microsoft said in a response to the same site that users must be vigilant about unknown files and that “the user’s system must already be in the hands of the attacker before malware can use this form of code injection.”
AtomBombing leads to crash in Paint