
A few days ago, security researcher Tal Liberman from enSilo demonstrated a new code-injection technique that affects all versions of Windows up to Windows 10. Due to the nature of this technique, it is unfortunately unlikely to be patched. In this article I would like to shed some light on this attack and its consequences, as well as explain what can be done to protect yourself.
How does it work?
Basically, this attack uses the operating system itself to inject malicious code, and then uses a legitimate process to execute it. That in itself does not fundamentally distinguish this threat from other malware (malware has been injecting itself into running processes for decades); what is unusual is that it uses atom tables (a Windows facility that lets applications store and retrieve data) for the injection, which is not a common approach. Because the technique is unusual, it is likely to go unnoticed by a number of security solutions. The best description available at the moment is Tal's post on the enSilo blog, "AtomBombing: A Code Injection that Bypasses Current Security Solutions".
If there is no patch, and the threat affects all versions of Windows, does this mean that we are facing a great danger?
Not really. First, in order to use this technique, the malware must already be able to run on the machine. It cannot be used to remotely attack and compromise your computer. Cyber criminals will have to use some kind of exploit, or deceive the user into downloading and launching a malicious program, in the hope that the existing security solutions will not be able to stop this threat.
Is it really something new?
The way the code injection is performed is new, although, as I mentioned earlier, malware has been using code-injection techniques for many years (for example, you can see this approach in many ransomware families).
New, but not dangerous... so why panic?
As I said, the malware must first be executed on the machine, but we know that at some point this will happen (the question is not IF, but WHEN).
Many security solutions detect process-injection attempts, but they do so based on signatures, with the result that today many of them are unable to detect this particular technique.
In addition, many solutions maintain a list of trusted processes. If malicious code is injected into one of those trusted processes, all the protections of such a security solution are simply bypassed.
Finally, this attack is easy to carry out in practice, and it is safe to assume that sooner rather than later a number of cyber-criminals will adopt this technique in their malware.
What can we do to protect our corporate network?
On the one hand, traditional anti-malware solutions are effective at detecting and preventing infection by hundreds of millions of different threats. However, they are not as good when you want to stop targeted attacks or completely new threats.
On the other hand, we have the so-called "next-generation antivirus". Most of these claim not to use signatures; their capabilities come from machine learning techniques, which have evolved significantly over the past few years and have shown that they can detect some new threats quite well. While their weakness is that they are not as good at blocking every threat, they are strong in post-infection scenarios, offering tremendous added value in cases where a security breach has already occurred. Another problem with these solutions is that machine learning does not give a black-or-white verdict, which translates into a high level of false positives.
Is the best option to use a traditional antivirus plus a next-generation antivirus?
No, although this is better than using only one of them, since the two solutions can complement each other well. However, this approach also has a number of disadvantages. First, you have to pay for both solutions. Although this may be justified by the increase in overall security, it means you will need an additional budget for the additional work (the level of false positives from the next-generation antivirus will increase significantly, you will have to manage two products from different management consoles, etc.). Performance problems are also possible, since both solutions will run simultaneously on every computer. Finally, these solutions do not interact with each other, so you will not be able to take full advantage of the information that they process.
What corporate solutions combine the capabilities of traditional anti-malware solutions and machine learning techniques?
In my opinion, the best way is a solution that combines the capabilities of both classes of solutions (for example, Adaptive Defense 360), i.e. the power of traditional anti-malware solutions together with many years of experience in applying machine learning techniques combined with Big Data and the cloud. This approach allows both classes of solutions to work together, exchange information, continuously monitor all running processes, classify every program running on any computer in your corporate network, and provide real-time expert data in case of any security breach. In this case, a small agent is deployed to the endpoints and takes care of everything, using the cloud for the demanding processing to achieve the best level of performance on the market.
Author: Luis Corrons (PandaLabs Antivirus Lab)