AtomBombing: Zero-Day Windows exploit

Martin Brinkmann
Oct 29, 2016

Ensilo security researchers have discovered a new zero-day exploit in Windows that attackers can use to inject and execute malicious code.

The researchers call the technique AtomBombing because it uses a Windows feature called atom tables.

What's particularly interesting about the exploit is that it does not rely on security vulnerabilities in Windows components, but on the designed behaviour of native Windows functions.

This means, according to the researchers, that Microsoft won't be able to patch the issue.

Unfortunately, this issue cannot be patched since it doesn’t rely on broken or flawed code – rather on how these operating system mechanisms are designed.

It is particularly worrying that the issue affects all versions of Windows, and that security programs that run on the system -- firewall or antivirus for instance -- won't stop the execution of the exploit.

[Image: AtomBombing injecting into Chrome, via Breaking Malware]

The technique works in the following way on an abstract level:

  1. Malicious code first needs to run on a Windows machine, for instance because a user executes it.
  2. Such code is usually blocked by antivirus software, other security software or policies.
  3. With AtomBombing, the malicious program writes its code into an atom table. Writing to an atom table is a legitimate Windows function, so it is not stopped.
  4. It then uses APCs (Asynchronous Procedure Calls) to make a legitimate process, a web browser for instance, retrieve the code from the table and execute it, without being detected by security software.

What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table. We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.

The researchers have released a -- very technical -- explanation of how AtomBombing works. If you are interested in the details, I suggest you check it out as it may answer all the questions that you may have.

ZDnet had a chance to talk to Tal Liberman, security research team leader at Ensilo, who mentioned that executing malicious code on a Windows machine was but one of the many ways attackers could use AtomBombing.

Attackers could use the technique to take screenshots, extract sensitive information and even encrypted passwords.

According to the research, Google Chrome encrypts stored passwords using the Windows Data Protection API. Any attacker code injected into a process that runs in the context of the active user could gain access to that data in plain text.

Ensilo believes that Microsoft cannot patch the AtomBombing exploit. Microsoft has yet to respond to the revelation.

Now You: What's your take on AtomBombing?

Comments

  1. Felipe said on December 24, 2016 at 6:04 pm
    Reply

    Why the hell isn’t the most obvious application of this hack mentioned?
    FREAKING GAMES!
    Could you imagine what a wonder it would be if we can inject arbitrary code completely undetectable to the game? A completely secure BANPROOF ESP hack for freaking ANY GAME? And I’m not even being creative.
    In my opinion that blackbox code would benefit a lot of users if used right.

  2. evaristecrypto.com said on November 3, 2016 at 12:37 pm
    Reply

    You cannot enqueue foreign code to another process/thread without elevated privilege. You can obviously enqueue your own process/thread. Obviously unless some malware has already compromised your system and can get your process/thread to run whatever code it likes – it is embellishment to say you can get your malware code to call ntqueueapc().

  3. SecurityBopp said on October 31, 2016 at 9:12 am
    Reply

    Windows Defender on Windows 10 is not the worst ever security application; it is built into the operating system so as not to slow down everything with extra added bloatware in the kernel like Symantec, or extra code that is bound to cause blue screens every time Microsoft upgrades the OS. I have never gotten malware using Windows Defender on Windows 10. If you know what you are doing, you don’t need to install extra antivirus like Kaspersky or Symantec or Intel or McAfee; it all just slows you down and scans every file you have on your system against signatures that they have, so it is so easy to get around A-V these days. It is just about not running any code that you don’t trust. It’s up to the user to be smart enough not to click on links and download attachments in emails. It’s up to you!

    1. Pete said on November 1, 2016 at 12:40 pm
      Reply

      There are several independent tests made that show that Windows Defender is much heavier on the system than 3rd party AVs. You’re totally wrong.

  4. JR said on October 31, 2016 at 12:05 am
    Reply

    I guess this means that if your computer becomes infected then you MUST reformat and re-install. To be safe.

  5. CHEF-KOCH said on October 30, 2016 at 3:12 pm
    Reply

    Since Windows Defender is activated and integrated in each new Windows version, the real threat is not as dangerous as it might sound. The question is also what privileges the code needs; normally you need administrative privileges for such a level, which is also a hint/warning for the user.

    This entire idea is also not new; malware can and does use NtQueueApcThread, and has for years now.

    1. Hy said on November 2, 2016 at 12:24 am
      Reply

      @CHEF-KOCH “The question is also what privileges the code needs, normally you need for such level administrative privileges which is also a hint/warning for the user.”

      So as usual, yet another reminder to never run Windows as an Administrator, but rather create a standard limited user account and run Windows in that account, with UAC protection jacked up to the maximum setting. And never approve any UAC prompts for something you don’t recognize…

    2. ilev said on October 31, 2016 at 8:09 am
      Reply

      Windows Defender is the worst ever written security application in the history of computers. There is no other security app worse than Windows Defender.

  6. kalmly said on October 30, 2016 at 2:23 pm
    Reply

    “Ensilo security researchers have discovered a new zero-day exploit in Windows that attackers can make use of to inject and execute malicious code.”

    OK. I am not a computer geek. So I am surely missing something here. This says, “researchers have discovered . . .” My question is: has anyone actually been A-bombed? And if not, why announce to the slimeballs of the world exactly where to aim their malicious payloads?

    Just asking.

    1. Hy said on November 2, 2016 at 12:19 am
      Reply

      @kalmly “…why announce to the slimeballs of the world exactly where to aim their malicious payloads?”

      My thoughts exactly. If a new zero-day has been discovered for which no solution exists and which may never exist, why on earth announce it to the world? Don’t say, “These kinds of exploits have been around forever, blah, blah…”—the fact is that now that this story is out there, likely thousands of folks who had not heard about this particular vulnerability have now heard about it or will hear about it, and may thus seek to exploit it and other vulnerabilities similar to it.

      I understand announcing a vulnerability when the patch is available but I really cannot see the good that came out of announcing this particular exploit which has no fix. Maybe Ensilo are helping themselves somehow, their reputation, etc., at the expense of every Windows user? I don’t know…

      1. Hy said on November 2, 2016 at 7:40 pm
        Reply

        No, that was something else. That was the Windows flaw Russian hackers used to break in to the American Democratic Party computers. Google apparently discovered the flaw and gave Microsoft ten days to fix it, and then Google announced it. And yes, Microsoft is apparently trying to get a fix out on November 8, which, ironically enough, is election day in the US.

        This article above is referring to something else, discovered by Ensilo security researchers, and which is built into Windows itself and which, according to the same researchers, means that Microsoft will not be able to patch the issue.

      2. chesscanoe said on November 2, 2016 at 11:01 am
        Reply

        My understanding is Google announced the problem to pressure Microsoft to fix it, which Microsoft will now do on 11/08.

  7. Jeff said on October 30, 2016 at 7:58 am
    Reply

    Sure it can be patched. Microsoft will re-architect that part of the OS.

  8. RANDOMBOT said on October 30, 2016 at 5:06 am
    Reply

    You still need to download and run the malicious application, just like any other virus or malware executable. There are plenty of ways to create malicious applications, and I imagine this is just another way to make a malicious app for Windows. I think it’s overreacting, since you should not be downloading and running applications that you don’t trust anyway. There are plenty of ways to make malicious Mac apps too; it’s up to the developer of the malicious programs to get users to execute them. I haven’t read too much about this, but since DDE and atom tables are a way for 2 applications to access each other, it should require creating little DDE applications using atom tables that will need to be downloaded and executed by users. This rings true for all malicious applications. Unless they have found a way to create a drive-by download with this hack, I’m not worried.

    1. Christoph Wagner said on November 1, 2016 at 8:33 pm
      Reply

      Yeah, at first I thought this was scary. But then I realized it just works around programs protecting you from your own mistakes. Considering how often Project Zero releases bugs in those same programs that actually widen the attack surface, I’m feeling quite safe with common sense and all AV tools disabled.

  9. Steve Jobs said on October 30, 2016 at 1:23 am
    Reply

    Get a Mac.

    1. Anonymous said on October 30, 2016 at 12:53 pm
      Reply

      @Steve Jobs
      Get a therapy.

      1. Jeff said on October 30, 2016 at 10:48 pm
        Reply

        zero day or macos/linux

      2. Tom Hawack said on October 30, 2016 at 2:59 pm
        Reply

        Therapies are even more expensive than a Mac.
        @Anonymous, I’m still laughing, lol lol & lol. Just sounds so nice in English, “Get a therapy”…. lol!

  10. Parker Lewis said on October 29, 2016 at 10:14 pm
    Reply

    That smells like overblown sensationalism from people who want to market their skills and name.

  11. Torro said on October 29, 2016 at 10:11 pm
    Reply

    What about WinAntiRansomware?
    Would this help protect a PC from atombombing?

    https://www.winpatrol.com/winantiransom/

  12. Shawn said on October 29, 2016 at 9:04 pm
    Reply

    How fast do you think ATM machines running windows are gonna get hit?

    Banks are gonna freak out on this one this time.

  13. paflegeek said on October 29, 2016 at 8:53 pm
    Reply

    Time to use Qubes OS…

    1. Torro said on October 29, 2016 at 10:19 pm
      Reply

      Does Cubes support online gaming??

      1. The Flash said on October 30, 2016 at 1:42 am
        Reply

        The only online game that will run on Pubes is TF2.

  14. HACKED said on October 29, 2016 at 8:51 pm
    Reply

    Ready for Atombombing based malware, Microsoft?

  15. kktkkr said on October 29, 2016 at 7:23 pm
    Reply

    As the Microsoft response in the ZDnet article mentions: “…A user’s system must already be compromised before malware can utilize code-injection techniques.”

    For AtomBombing to work, you must already have run malware. In other words, from the OS point of view this may not be a bug. Antivirus vendors and users certainly won’t see it that way. (The idea of malware attacking Chrome by code injection is scary, not to mention dozens of other programs the technique can work on.) If enSilo is right and Microsoft can’t patch this out, we may be looking at a future where the security arms race runs even closer than right now and users can’t/won’t just turn to antivirus as a silver bullet.

    1. seeprime said on October 29, 2016 at 8:39 pm
      Reply

      Working on computers for a living it seems very likely that a high percentage of PC’s have some malware, PUP’s/spyware, browser hijacks on them. If AtomBombing is possible in many of these cases there is going to be a spate of uncleanable infections occurring soon, possibly next year. Keeping recent drive images and offline file backups is more important than ever. I expect that some of our less computer savvy customers will actually want to move to Linux or Chromebooks (Andromeda will be a great option), as long as they aren’t running any Windows-only programs. Of course, MS might have a workable mitigation technique that hasn’t been revealed yet.

      1. jern said on October 29, 2016 at 9:12 pm
        Reply

        For anyone interested, the news website’s report is here…
        =================================
        The Inevitability of Being Hacked

        https://www.theatlantic.com/technology/archive/2016/10/we-built-a-fake-web-toaster-and-it-was-hacked-in-an-hour/505571/

        Matthew Prince, the cofounder and CEO of Cloudflare, said anyone hooking up a poorly secured IP device to the internet can expect to see that gizmo hacked within a week, if not much sooner.

        “Assuming it’s publicly accessible, the chance [of being hacked] is probably 100 percent,” he said. “The IPv4 address space just isn’t that big. You can now run a scan across that entire space in hours, especially if you have a big botnet. The scans for vulnerability are continuous, and if anything, have accelerated over the last couple of years.”

      2. jern said on October 29, 2016 at 9:06 pm
        Reply

        “Working on computers for a living it seems very likely that a high percentage of PC’s have some malware…”

        You’re probably right. A news website recently set up a honeypot. There were 300 attempted hacks from different addresses in 11 hours. I can’t imagine how much web traffic is just hacker robo-tools looking for open ports on unprotected devices – which they are finding.

  16. Tom Hawack said on October 29, 2016 at 6:01 pm
    Reply

    I’ve read about this AtomBombing code injection technique the other day over at thehackernews.com. Frightening, together with cryptoware and boot-sector manipulation, but considering AtomBombing relies on the very architecture of all Windows platforms… cry, pray, hope. Hope that something will be done even if all experts I’ve read agree on this one thing : nothing can be done in this particular case. On the other hand we’ve often heard/read desperate analysis appearing to be wrong when a solution was later on found, or at least a workaround. At this time it’s called hope.

  17. John in Mtl said on October 29, 2016 at 6:00 pm
    Reply

    I remember clearly freaking out the day I found out you could imbed malicious code in a jpeg file. “This time, it has gone too far”, I told myself; “now I’ll even have to virus-scan pictures, how ridiculous”.

    This latest exploit has me just as freaked out, and then some. Is there no place safe anymore, in the MS ecosystem?

    Could some of you that are real security experts (IOW its your day job to keep systems secure), chime in on this Atombombing exploit and maybe opine on how hard (or easy) it is to implement?

    1. ilev said on October 31, 2016 at 8:04 am
      Reply

      The thousands security bugs in Adobe apps (flash, reader…) are just a small example what can be done with files.

    2. PantsHunt42 said on October 29, 2016 at 7:34 pm
      Reply

      I’m not an expert, but you can “embed” malicious code in ANY file if you wanted to. The trick is to get it to execute.

      “There have been some cases where a maliciously crafted image or other media file can exploit a vulnerability in a viewer application, but these cases are rare and are patched quickly” – from How To Geek 3 years ago, so a little out of date.

      The first comment+thread on here is a good little read
      https://www.reddit.com/r/computers/comments/3n14f9/can_a_jpeg_file_contain_a_virus_and_harm_your/

      “… it’s still possible for a JPEG file to cause malicious behavior on a higher level (if not to run completely arbitrary code) by structuring the data to exploit a bug in the program trying to read it. It just depends on the program, and who’s using it.”

      Might pay to see if your image viewer uses NX? Like I said, I am not an expert. If anyone else can enlighten us to where/how/what this NX is, please do.

      1. earthling said on October 30, 2016 at 4:29 pm
        Reply

        NX just means that shellcode on the stack can not be executed. On Windows it’s called DEP, Data Execution Prevention or something like that. So a simple buffer overflow vulnerability would not be as simple to exploit with NX enabled. But it’s nothing that can’t be easily worked around.

  18. T J said on October 29, 2016 at 5:26 pm
    Reply

    I found a blog at Volatility Labs dated September 17, 2012.
    This blog concentrates on how to analyze atom tables to find out how malware works.
    It stands to reason that malware writers can reverse the process.
    I am surprised that it took 6 years for hackers to latch on to this weakness in Windows.

    http://volatility-labs.blogspot.com/2012/09/movp-21-atoms-new-mutex-classes-and-dll.html

  19. Henk van Setten said on October 29, 2016 at 5:26 pm
    Reply

    To be honest, not being a core-level programmer, I had never even heard of Atom tables. So I looked it up. Here is a page at Microsoft that (more or less) explains how they work:

    https://msdn.microsoft.com/en-us/library/windows/desktop/ms649053(v=vs.85).aspx

    An example they give themselves is this: “Dynamic Data Exchange (DDE) applications use the global atom table to share item-name and topic-name strings with other applications. Rather than passing actual strings, a DDE application passes global atoms to its partner application. The partner uses the atoms to obtain the strings from the atom table.”

    So actually it looks like some kind of feature that allows processes to share common data more quickly without the need to duplicate them. To me this looks a bit like something that may have been especially useful back in the days of limited memory and processor power. I can imagine it would be almost impossible to remove such a basic interwoven system feature now.

  20. Brutus said on October 29, 2016 at 5:24 pm
    Reply

    IF Microsoft cannot patch this zero day exploit doesn’t it then imply using Microsoft would be in general highly insecure for everyone who is using it ?

    This would affect private and business customers plus organizations and government. Wondering if this could be a major blow for MS. But maybe they are already shopping around for a very big carpet so they can hush down this matter.

  21. Lurking About said on October 29, 2016 at 5:09 pm
    Reply

    I just did a quick search on atom tables. This looks like it is a Windows-only exploit. I did not find anything about it for Linux yet. If this is a relatively easily used exploit then there are no secure Windows installs until MS completely rewrites it. This will put a premium on leaky edge defences and users never making a mistake.
