AtomBombing: Zero-Day Windows exploit - gHacks Tech News

AtomBombing: Zero-Day Windows exploit

Ensilo security researchers have discovered a new zero-day exploit in Windows that attackers can make use of to inject and execute malicious code.

The researches call the exploit AtomBombing because of its use of a Windows function called Atom Tables.

What's particularly interesting about the exploit is that it does not rely on security vulnerabilities in Windows components but native Windows functions.

This means, according to the researchers, that Microsoft won't be able to patch the issue.

Unfortunately, this issue cannot be patched since it doesn’t rely on broken or flawed code – rather on how these operating system mechanisms are designed.

It is particularly worrying that the issue affects all versions of Windows, and that security programs that run on the system -- firewall or antivirus for instance -- won't stop the execution of the exploit.

atombombing chrome
via Breaking Malware

The technique works in the following way on an abstract level:

  1. Malicious code needs to be executed on a Windows machine. A user might run malicious code for instance.
  2. This code is blocked usually by antivirus software or other security software or policies.
  3. In the case of AtomBombing, the malicious program writes the malicious code in an atom table (which is a legitimate function of Windows and won't be stopped therefore).
  4. It then uses legitimate processes via APC (Async Procedure Calls) , a web browser for instance, to retrieve the code from the table undetected by security software to execute it.

What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table. We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.

The researchers have released a -- very technical -- explanation of how AtomBombing works. If you are interested in the details, I suggest you check it out as it may answer all the questions that you may have.

ZDnet had a chance to talk to Tal Liberman, security research team leader at Ensilo, who mentioned that executing malicious code on a Windows machine was but one of the many ways attackers could use AtomBombing.

Attackers could use the technique to take screenshots, extract sensitive information and even encrypted passwords.

Accord to the research, Google Chrome encrypts stored passwords using the Windows Data Protection API. Any attack that is injected into a process that runs in the context of the active user could gain access to the data in plain text.

Ensilio believes that Microsoft cannot patch the AtomBombing exploit. Microsoft has yet to respond to the revelation.

Now You: What's your take on AtomBombing?

Summary
AtomBombing: Zero-Day Windows exploit
Article Name
AtomBombing: Zero-Day Windows exploit
Description
Ensilo security researchers have discovered a new zero-day exploit in Windows that attackers can make use of to inject and execute malicious code.
Author
Publisher
Ghacks Technology News
Logo




  • We need your help

    Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

    We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

    If you like our content, and would like to help, please consider making a contribution:

    Comments

    1. Lurking About said on October 29, 2016 at 5:09 pm
      Reply

      I just did a quick search on atom tables. This looks like it is Windows only exploit. I did not find anything about for Linux yet. If this is relatively easily used exploit then there are no secure Windows installs until MS completely rewrites it. This will put a premium on leaky edge defences and users never making a mistake.

    2. Brutus said on October 29, 2016 at 5:24 pm
      Reply

      IF Microsoft cannot patch this zero day exploit doesn’t it then imply using Microsoft would be in general highly insecure for everyone who is using it ?

      This would affect private and business customers plus organizations and government. Wondering if this could be a major blow for MS. But maybe they are already shopping around for a very big carpet so they can hush down this matter.

    3. Henk van Setten said on October 29, 2016 at 5:26 pm
      Reply

      To be honest, not being a core-level programmer, I had never even heard of Atom tables. So I looked it up. Here is a page at Microsoft that (more or less) explains how they work:

      https://msdn.microsoft.com/en-us/library/windows/desktop/ms649053(v=vs.85).aspx

      An example they give themselves is this: “Dynamic Data Exchange (DDE) applications use the global atom table to share item-name and topic-name strings with other applications. Rather than passing actual strings, a DDE application passes global atoms to its partner application. The partner uses the atoms to obtain the strings from the atom table.”

      So actually it looks like some kind of feature that allows processes to share common data more quickly without the need to duplicate them. To me this looks a bit like something that may have been especially useful back in the days of limited memory and processor power. I can imagine it would be almost impossible to remove such a basic interwoven system feature now.

    4. T J said on October 29, 2016 at 5:26 pm
      Reply

      I found a blog at Volatility Labs dated September 17, 2012.
      This blog concentrates on how to analyze atom tables to find out how malware works.
      It stands to reason that malware writers can reverse the process.
      I am surprised that it took 6 years for hackers to latch on to this weakness in Windows.

      http://volatility-labs.blogspot.com/2012/09/movp-21-atoms-new-mutex-classes-and-dll.html

    5. John in Mtl said on October 29, 2016 at 6:00 pm
      Reply

      I remember clearly freaking out the day I found out you could imbed malicious code in a jpeg file. “This time, it has gone too far”, I told myself; “now I’ll even have to virus-scan pictures, how ridiculous”.

      This latest exploit has me just as freaked out, and then some. Is there no place safe anymore, in the MS ecosystem?

      Could some of you that are real security experts (IOW its your day job to keep systems secure), chime in on this Atombombing exploit and maybe opine on how hard (or easy) it is to implement?

      1. PantsHunt42 said on October 29, 2016 at 7:34 pm
        Reply

        I’m not an expert, but you can “embed” malicious code in ANY file if you wanted to. The trick is to get it to execute.

        “There have been some cases where a maliciously crafted image or other media file can exploit a vulnerability in a viewer application, but these cases are rare and are patched quickly” – from How To Geek 3 years ago, so a little out of date.

        The first comment+thread on here is a good little read
        https://www.reddit.com/r/computers/comments/3n14f9/can_a_jpeg_file_contain_a_virus_and_harm_your/

        “… it’s still possible for a JPEG file to cause malicious behavior on a higher level (if not to run completely arbitrary code) by structuring the data to exploit a bug in the program trying to read it. It just depends on the program, and who’s using it.”

        Might pay to see if your image viewer uses NX? Like I said, I am not an expert. If anyone else can enlighten us to where/how/what this NX is, please do.

        1. earthling said on October 30, 2016 at 4:29 pm
          Reply

          NX just means that shellcode on the stack can not be executed. On Windows it’s called DEP, Data Execution Prevention or something like that. So a simple buffer overflow vulnerability would not be as simple to exploit with NX enabled. But it’s nothing that can’t be easily worked around.

      2. ilev said on October 31, 2016 at 8:04 am
        Reply

        The thousands security bugs in Adobe apps (flash, reader…) are just a small example what can be done with files.

    6. Tom Hawack said on October 29, 2016 at 6:01 pm
      Reply

      I’ve read about this AtomBombing code injection technique the other day over at thehackernews.com. Frightening, together with cryptoware and boot-sector manipulation, but considering AtomBombing relies on the very architecture of all Windows platforms… cry, pray, hope. Hope that something will be done even if all experts I’ve read agree on this one thing : nothing can be done in this particular case. On the other hand we’ve often heard/read desperate analysis appearing to be wrong when a solution was later on found, or at least a workaround. At this time it’s called hope.

    7. kktkkr said on October 29, 2016 at 7:23 pm
      Reply

      As the Microsoft response in the ZDnet article mentions: “…A user’s system must already be compromised before malware can utilize code-injection techniques.”

      For AtomBombing to work, you must already have run malware. In other words, from the OS point of view this may not be a bug. Antivirus vendors and users certainly won’t see it that way. (The idea of malware attacking Chrome by code injection is scary, not to mention dozens of other programs the technique can work on.) If enSilo is right and Microsoft can’t patch this out, we may be looking at a future where the security arms race runs even closer than right now and users can’t/won’t just turn to antivirus as a silver bullet.

      1. seeprime said on October 29, 2016 at 8:39 pm
        Reply

        Working on computers for a living it seems very likely that a high percentage of PC’s have some malware, PUP’s/spyware, browser hijacks on them. If AtomBombing is possible in many of these cases there is going to be a spate of uncleanable infections occurring soon, possibly next year. Keeping recent drive images and offline file backups is more important than ever. I expect that some of our less computer savvy customers will actually want to move to Linux or Chromebooks (Andromeda will be a great option), as long as they aren’t running any Windows-only programs. Of course, MS might have a workable mitigation technique that hasn’t been revealed yet.

        1. jern said on October 29, 2016 at 9:06 pm
          Reply

          “Working on computers for a living it seems very likely that a high percentage of PC’s have some malware…”

          You’re probably right. A news website recently set up a honeypot. There were 300 attempted hacks from different addresses in 11 hours. I can’t imagine how much web traffic is just hacker robo-tools looking for open ports on unprotected devices – which they are finding.

        2. jern said on October 29, 2016 at 9:12 pm
          Reply

          For anyone interested, the news website’s report is here…
          =================================
          The Inevitability of Being Hacked

          https://www.theatlantic.com/technology/archive/2016/10/we-built-a-fake-web-toaster-and-it-was-hacked-in-an-hour/505571/

          Matthew Prince, the cofounder and CEO of Cloudflare, said anyone hooking up a poorly secured IP device to the internet can expect to see that gizmo hacked within a week, if not much sooner.

          “Assuming it’s publicly accessible, the chance [of being hacked] is probably 100 percent,” he said. “The IPv4 address space just isn’t that big. You can now run a scan across that entire space in hours, especially if you have a big botnet. The scans for vulnerability are continuous, and if anything, have accelerated over the last couple of years.”

    8. HACKED said on October 29, 2016 at 8:51 pm
      Reply

      Ready for Atombombing based malware, Microsoft?

    9. paflegeek said on October 29, 2016 at 8:53 pm
      Reply

      Time to use Qubes OS…

      1. Torro said on October 29, 2016 at 10:19 pm
        Reply

        Does Cubes support online gaming??

        1. The Flash said on October 30, 2016 at 1:42 am
          Reply

          The only online game that will run on Pubes is TF2.

    10. Shawn said on October 29, 2016 at 9:04 pm
      Reply

      How fast do you think ATM machines running windows are gonna get hit?

      Banks are gonna freak out on this one this time.

    11. Torro said on October 29, 2016 at 10:11 pm
      Reply

      What about WinAntiRansomware?
      Would this help protect a PC from atombombing?

      https://www.winpatrol.com/winantiransom/

    12. Parker Lewis said on October 29, 2016 at 10:14 pm
      Reply

      That smells like overblown sensationalism from people who want to market their skills and name.

    13. Steve Jobs said on October 30, 2016 at 1:23 am
      Reply

      Get a Mac.

      1. Anonymous said on October 30, 2016 at 12:53 pm
        Reply

        @Steve Jobs
        Get a therapy.

        1. Tom Hawack said on October 30, 2016 at 2:59 pm
          Reply

          Therapies are even more expensive than a Mac.
          @Anonymous, I’m still laughing, lol lol & lol. Just sounds so nice in English, “Get a therapy”…. lol!

        2. Jeff said on October 30, 2016 at 10:48 pm
          Reply

          zero day or macos/linux

    14. RANDOMBOT said on October 30, 2016 at 5:06 am
      Reply

      You still need to download and run the malicious application, just like any other virus or malware executable, There are plenty of ways to create malicious applications, and I imagjne this is just another way to make a malicious app for windows, I think its overreacting since you should not be downloading and running applications that you don’t trust anyway. There are plenty of ways to make malicious Mac apps too, its up to the developer of the malicious programs to get users to execute them. I haven’t read too much about this, but since DDE and atom tables are a way for 2 applications to access each other, it should require creating little dde applications using atom tables that will need to be downloaded and executed by users. This rings true for all malicious applications, Unless they have found a way to create a driveby download with this hack, I;m not worried.

      1. Christoph Wagner said on November 1, 2016 at 8:33 pm
        Reply

        Yeah, at first I thought this was scary. But then I realized it just works around programs protecting you from your own mistakes. Considering how often Project Zero releases bugs in those same programs that actually widen the attack surface, I’m feeling quite safe with common sense and all AV tools disabled.

    15. Jeff said on October 30, 2016 at 7:58 am
      Reply

      Sure it can be patched. Microsoft will re-architect that part of the OS.

    16. kalmly said on October 30, 2016 at 2:23 pm
      Reply

      “Ensilo security researchers have discovered a new zero-day exploit in Windows that attackers can make use of to inject and execute malicious code.”

      OK. I am not a computer geek. So I am surely missing something here. This says, “researchers have discovered . . .” My question is: has anyone actually been A-bombed? And if not, why announce to the slimeballs of the world exactly where to aim their malicious payloads?

      Just asking.

      1. Hy said on November 2, 2016 at 12:19 am
        Reply

        @kalmly “…why announce to the slimeballs of the world exactly where to aim their malicious payloads?”

        My thoughts exactly. If a new zero-day has been discovered for which no solution exists and which may never exist, why on earth announce it to the world? Don’t say, “These kinds of exploits have been around forever, blah, blah…”—the fact is that now that this story is out there, likely thousands of folks who had not heard about this particular vulnerability have now heard about it or will hear about it, and may thus seek to exploit it and other vulnerabilities similar to it.

        I understand announcing a vulnerability when the patch is available but I really cannot see the good that came out of announcing this particular exploit which has no fix. Maybe Ensilo are helping themselves somehow, their reputation, etc., at the expense of every Windows user? I don’t know…

        1. chesscanoe said on November 2, 2016 at 11:01 am
          Reply

          My understanding is Google announced the problem to pressure Microsoft to fix it, which Microsoft will now do on 11/08.

        2. Hy said on November 2, 2016 at 7:40 pm
          Reply

          No, that was something else. That was the Windows flaw Russian hackers used to break in to the American Democratic Party computers. Google apparently discovered the flaw and gave Microsoft ten days to fix it, and then Google announced it. And yes, Microsoft is apparently trying to get a fix out on November 8, which, ironically enough, is election day in the US.

          This article above is referring to something else, discovered by Ensilo security researchers, and which is built into Windows itself and which, according to the same researchers, means that Microsoft will not be able to patch the issue.

    17. CHEF-KOCH said on October 30, 2016 at 3:12 pm
      Reply

      Since Windows Defender is activated and integrated in each new Windows version the real threat is not as dangerous as it might sounds. The question is also what privileges the code needs, normally you need for such level administrative privileges which is also a hint/warning for the user.

      This entire idea is also not new, malware can and use NtQueueApcThread for years now.

      1. ilev said on October 31, 2016 at 8:09 am
        Reply

        Windows Defender is the worse ever written security application in the history of computers. There no other security app worse than Windows Defender.

      2. Hy said on November 2, 2016 at 12:24 am
        Reply

        @CHEF-KOCH “The question is also what privileges the code needs, normally you need for such level administrative privileges which is also a hint/warning for the user.”

        So as usual, yet another reminder to never run Windows as an Administrator, but rather create a standard limited user account and run Windows in that account, with UAC protection jacked up to the maximum setting. And never approve any UAC prompts for something you don’t recognize…

    18. JR said on October 31, 2016 at 12:05 am
      Reply

      I guess this means that if your computer becomes infected then you MUST reformat and re-install. To be safe.

    19. SecurityBopp said on October 31, 2016 at 9:12 am
      Reply

      Windows Defender on windows 10 is not worse ever security application, it is built into the operating system so as not to slow down everything with extra added bloatware in the kernel like Symantec or extra code that is bound to cause blue screens everytime Microsoft upgrades the OS. I have never gotten malware using windows defender on windows 10. If you know what you are doing, you don’t need to install extra antivirus like Kaspersky or Symantec or Intel or MacAfee, it all just slows you down and scans every file you have on your system against signatures that they have so it is so easy to get around a-v these days it is just about not running any code that you don’t trust. Its up to the user to be smart enough not to click on links and download attachments in emails. Its up to you!

      1. Pete said on November 1, 2016 at 12:40 pm
        Reply

        There are several independent tests made that show that Windows Defender is much heavier on the system than 3rd party AVs. You’re totally wrong.

    20. evaristecrypto.com said on November 3, 2016 at 12:37 pm
      Reply

      You cannot enqueue foreign code to another process/thread without elevated privilege. You can
      obviously enqueue your own process/thread. Obviously unless some malware has already
      compromised your system and can get your process/thread to run whatever code it likes – it is embellishment to say you can get your malware code to call ntqueueapc().

    21. Felipe said on December 24, 2016 at 6:04 pm
      Reply

      Why the hell the most obvious aplication of this hack isn’t mentioned?
      FREAKING GAMES!
      could you imagine what a wonder it would be if we can inject arbitrary code completely undetectable to the game? a completely secure BANPROOF ESP hack for freaking ANY GAME? and i’m not even being creative.
      In my opinion that blackbox code would benefit a lot of users if used right.

    Leave a Reply