
Vulnerability found in all versions of Windows that no antivirus blocks

The Hacker News reports that a vulnerability has been found in the Windows loader that allows executable code to be run without antivirus programs detecting it, while the exploit leaves no trace on the file system.

The technique used in the exploit is called Process Doppelgänging (from "doppelgänger", a look-alike twin) and uses NTFS transactions to hide its traces and launch malware. The general scheme of the exploit is as follows:



In the first stage, an NTFS transaction is opened to modify a legitimate Windows file, and its body is overwritten with malicious code. The transaction is not committed.

The second stage creates a copy of the modified file in memory (a memory section). The malicious code ends up in memory, but since the file system was never actually touched, antivirus products that react to file-system access do not respond.



The third stage rolls back the NTFS transaction. The file is unchanged and no trace is left on disk, but the malware is already sitting in memory.



The fourth stage calls the Windows loader through a call that creates a process from a memory section built from an executable file (ZwCreateProcess); that section actually contains the malicious code. The antivirus scanner's algorithms do react, but they read the file image from disk, where nothing has been changed, so the process is allowed to run.
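As an added example (not from the source article or the researchers' code), a toy correlation rule over constructed telemetry that flags the stage sequence above: a section built from a file written inside an NTFS transaction that is then rolled back, followed by a process created from that section. The event shape, field names and the exact API names in the sample are assumptions; real sensors (ETW, kernel callbacks) use their own schemas.

```python
from collections import defaultdict

# Constructed telemetry events in an assumed (pid, api, fields) shape.
SAMPLE_EVENTS = [
    (100, "NtCreateTransaction", {"tx": 1}),
    (100, "CreateFileTransacted", {"tx": 1, "path": r"C:\Windows\notepad.exe"}),
    (100, "NtWriteFile", {"tx": 1, "path": r"C:\Windows\notepad.exe"}),
    (100, "NtCreateSection", {"tx": 1, "path": r"C:\Windows\notepad.exe", "section": 7}),
    (100, "NtRollbackTransaction", {"tx": 1}),
    (100, "ZwCreateProcess", {"section": 7}),
    # Benign transacted update (e.g. an installer) that is committed, not rolled back.
    (200, "NtCreateTransaction", {"tx": 2}),
    (200, "CreateFileTransacted", {"tx": 2, "path": r"C:\App\tool.exe"}),
    (200, "NtWriteFile", {"tx": 2, "path": r"C:\App\tool.exe"}),
    (200, "NtCommitTransaction", {"tx": 2}),
    (200, "NtCreateSection", {"path": r"C:\App\tool.exe", "section": 9}),
    (200, "ZwCreateProcess", {"section": 9}),
]


def detect_doppelganging(events):
    """Return alerts for processes created from a section that was built from a
    file written inside an NTFS transaction which was later rolled back."""
    written = defaultdict(set)   # (pid, tx) -> paths written inside that transaction
    sections = {}                # (pid, section) -> (tx, path) for transacted sections
    rolled_back = set()          # (pid, tx) pairs that were rolled back
    alerts = []
    for pid, api, f in events:
        if api == "NtWriteFile" and "tx" in f:
            written[(pid, f["tx"])].add(f["path"])
        elif api == "NtCreateSection" and "tx" in f:
            # Only sections mapped from a file modified in the same transaction matter.
            if f["path"] in written[(pid, f["tx"])]:
                sections[(pid, f["section"])] = (f["tx"], f["path"])
        elif api == "NtRollbackTransaction":
            rolled_back.add((pid, f["tx"]))
        elif api == "ZwCreateProcess":
            info = sections.get((pid, f["section"]))
            # Process from a transacted section whose transaction never hit disk.
            if info and (pid, info[0]) in rolled_back:
                alerts.append({"pid": pid, "tx": info[0], "path": info[1]})
    return alerts


if __name__ == "__main__":
    for alert in detect_doppelganging(SAMPLE_EVENTS):
        print("possible Process Doppelgänging:", alert)
```

The committed transaction in PID 200 produces no alert, because after a commit the on-disk file and the section agree and an ordinary disk scan is meaningful.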



The exploit's developers claim that it currently cannot be blocked, but antivirus solutions can be updated to detect attacks that use this method. The vulnerability is currently present in all versions of Windows, starting with Windows Vista, which introduced NTFS transactions, up to the latest Windows 10 Fall Creators Update. The latter had a bug that made a Process Doppelgänging attempt crash the system with a "blue screen of death", but Microsoft has since fixed it.



Antivirus solutions confirmed (as of December 7, 2017, according to the source) to let the exploit through: Windows Defender, Kaspersky Endpoint Protection 14, AVG Internet Security, ESET NOD 32, Symantec Endpoint Protection 14, Trend Micro, Avast, McAfee VSE 8.8, Panda Antivirus, Qihoo 360.

Source: https://habr.com/ru/post/344376/
