Symantec

Researchers have disclosed a fresh attack against Microsoft's Windows operating system which can be used to inject malicious code and compromise user PCs.

On October 27, cybersecurity company enSilo's research team disclosed a practice called "AtomBombing" that can be launched against every version of Windows to bypass current security solutions which protect such systems from malware infections.

The technique is dubbed AtomBombing as it relies on underlying Windows atom tables to exploit a system. Atom tables are used to store strings and identifiers by Windows which support other application functions.

The enSilo research team says that by writing malicious code into an atom table and forcing a legitimate program to retrieve this code, security software would not be able to detect attacks using this method.

In addition, legitimate programs which have retrieved this code can then be manipulated to execute malicious functions.

The researchers say:

"For example, let's say an attacker was able to persuade a user to run a malicious executable, evil.exe. Any kind of decent application level firewall installed on the computer would block that executable's communication.



To overcome this issue, evil.exe would have to find a way to manipulate a legitimate program, such as a web browser, so that the legitimate program would carry out communication on behalf of evil.exe."

If an attacker used the AtomBombing technique, they would be able to bypass security products, extract sensitive information, take screenshots, and access encrypted passwords.

The latter is possible as Google Chrome encrypts stored passwords using Windows Data Protection API (DPAPI) and if malware is injected into a process which runs in the context of the current user, these passwords can then be revealed in plain text -- as the API utilizes current user data to encrypt and decrypt information, as well as access these passwords.

There are a handful of code injection techniques which are already known and once established, antivirus software vendors update their signatures to prevent endpoint compromise. However, as a new technique, enSilo says this method is able to bypass current antivirus software, alongside all current endpoint infiltration prevention solutions.

As AtomBombing utilizes underlying Windows mechanisms rather than relying on security flaws or broken code to exploit machines, there is no fix or patch available.

As noted by the research team, the only way to potentially mitigate attacks using this tool is to dive deeply into the API and monitor for any suspicious changes.

It is simply one more attack in the hacking toolbox, and so as problems like this design flaw will always be exploited if they can be, the best defense is knowing about it -- especially when there is no solution available.

Speaking to ZDNet, Tal Liberman, security research team leader at enSilo said:

"AtomBombing uses legitimate OS mechanisms and features to perform and hide malicious activity. The greatest concern is that when attackers are motivated they will always find creative techniques such as this one. Since it's new and has not yet been marked as malicious, this method will easily bypass any security product that attempts to heuristically block malicious activity. Recognizing that compromise is inevitable, organizations should consider a security strategy that assumes that attackers are already inside."

Update 9.28GMT: A Microsoft spokesperson told ZDNet:

"To help avoid malware infection, we encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. A user's system must already be compromised before malware can utilize code-injection techniques. For more information on protecting computers against malware, please visit microsoft.com/protect/pc."