
Process Doppelganging: a new type of malware

At this year's Black Hat Europe, security experts from enSilo, Eugene Kogan and Tal Liberman, demonstrated how malware is able to use the Windows NTFS file system to its advantage to avoid being detected. Called "Lost in Transaction: Process Doppelgänging", the process is done by,

Quote


Process hollowing is the creation of a process for the sole purpose of running a malicious executable inside.

Attackers who favor this method load a process in a suspended state, replace elements of memory with crafted code and then resume the process -- tricking a system into believing the process is legitimate and safe to run.

Many security solutions today now take hollowing into account and are able to detect these attacks.

However, the new technique, dubbed Process Doppelgänging, is harder to detect and defend against.

Transactionable NTFS integrates transactions into the NTFS file system to allow for improved error handling and data integrity preservation in Windows systems. The duo's technique works by masking a crafted executable through a process to make changes to an executable file that is never committed to disk by overwriting a legitimate file in the context of a transaction.


A section of this transaction is overwritten with malicious code, pointing to the malicious executable.

The process loading mechanism is then harnessed using "undocumented implementation details" to load the modified executable which resulted in creating a process based on the modified executable, hoodwinking security products in the process and avoiding detection.

The transaction is then rolled back to its legitimate state so no trace of the attack is left behind, which the team says "effectively removes our changes from the file system."

In addition, the researchers say AV products will not scan for this kind of attack at all, or will only scan clean files.

enSilo says the goal of the technique is to run arbitrary code in the context of a legitimate process on the target machine. While the researchers' attack method is a twist on process hollowing, it manages to compromise systems without using suspicious processes and tipping off traditional security software.

This technique does not require any files to be created during the process, and it cannot be patched as "it exploits fundamental features and the core design of the process loading mechanism in Windows," according to the team.

They tested on almost all the common antivirus products out on the market and none of them are able to detect it; not only that, the exploit works on all versions of Windows. The security experts said it's not a vulnerability but an evasion technique and have submitted their findings to Microsoft. Microsoft agreed; because it's not a vulnerability, there will be no patch.

[Image: Doppleganging-bypass-tests.png]

http://www.zdnet.com/article/dancing-around-security-products-to-execute-code-on-windows/

https://www.bleepingcomputer.com/news/security/-process-doppelg-nging-attack-works-on-all-windows-versions/
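A defender-side check that follows from the description above, added here as an example and not taken from the article or from enSilo's research: a process started from a normal file has the same PE headers in memory as the file at its image path, so a process whose in-memory headers no longer match the file on disk is worth a closer look. It assumes an elevated PowerShell session on 64-bit Windows; `ImageReader`, `Get-SizeOfHeaders` and `Compare-ImageHeaders` are names chosen for this example.

```powershell
# Added example (not from the article or from enSilo): flag processes whose PE
# headers in memory differ from the file at their reported image path. A process
# started from a normal file has identical headers in both places; one whose
# image came from a transacted copy that was later rolled back may not.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ImageReader {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
        byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);
}
"@

# SizeOfHeaders sits at e_lfanew + 0x18 (start of the optional header) + 0x3C.
function Get-SizeOfHeaders([byte[]]$hdr) {
    if ($hdr.Length -lt 0x40 -or $hdr[0] -ne 0x4D -or $hdr[1] -ne 0x5A) { return 0 }  # no 'MZ'
    $lfanew = [BitConverter]::ToInt32($hdr, 0x3C)
    if ($lfanew -le 0 -or ($lfanew + 0x58) -gt $hdr.Length) { return 0 }
    if ([BitConverter]::ToUInt32($hdr, $lfanew) -ne 0x4550) { return 0 }               # no 'PE\0\0'
    return [BitConverter]::ToInt32($hdr, $lfanew + 0x18 + 0x3C)
}

function Compare-ImageHeaders {
    $page = 4096   # the first page of a mapped image always holds the headers
    foreach ($p in Get-Process) {
        try { $path = $p.MainModule.FileName; $base = $p.MainModule.BaseAddress; $h = $p.Handle }
        catch { continue }   # access denied, protected process, or 32/64-bit mismatch
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Path = $path; Status = 'ImageMissingOnDisk' }
            continue
        }
        $mem = New-Object byte[] $page
        $read = [IntPtr]::Zero
        if (-not [ImageReader]::ReadProcessMemory($h, $base, $mem, [IntPtr]$page, [ref]$read)) { continue }
        $disk = New-Object byte[] $page
        $fs = [IO.File]::OpenRead($path)
        try { $n = $fs.Read($disk, 0, $page) } finally { $fs.Dispose() }
        # Compare only the header bytes: beyond SizeOfHeaders the in-memory page is
        # zero padding while the file already contains section data.
        $len = [Math]::Min((Get-SizeOfHeaders $disk), [Math]::Min($n, [int]$read.ToInt64()))
        $status = 'HeadersMatch'
        if ($len -le 0) { $status = 'UnparsableHeader' }
        elseif ([BitConverter]::ToString($mem, 0, $len) -ne [BitConverter]::ToString($disk, 0, $len)) {
            $status = 'HeadersDifferFromDisk'
        }
        [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Path = $path; Status = $status }
    }
}

Compare-ImageHeaders | Where-Object { $_.Status -ne 'HeadersMatch' } | Format-Table -AutoSize
```

A mismatch is a lead, not proof: packers and some security tools also rewrite headers in memory, and the on-disk file can legitimately change after the process started (for example through an update).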


So it's more of a malware infection technique than malware itself.  So long as the AV programs can detect the malware this shouldn't be too much of an issue.


Great! One more massive data breach thanks to advanced persistent threats. I guess it's time for anti-virus vendors to run outside the OS to detect sophisticated APTs, just like how some VMs in datacenters have memory scanning from outside the OS. Since AV programs for home users and most workstations run inside the OS, they are also in-guest when detecting malware running in a privileged state, unlike most malware like run-of-the-mill viruses that run at an unprivileged level, which makes it easy for AV programs to detect.

13 minutes ago, NumLock21 said:

Microsoft agreed because it's not a vulnerability, there will be no patch.

Maybe it's time for Microsoft to ditch NTFS and come up with another file system? ¯\_(ツ)_/¯

 

This is probably one of the laziest things Microsoft has said. 


11 minutes ago, NumLock21 said:

Microsoft agreed because it's not a vulnerability, there will be no patch.

 

Typical MS. Focus on useless stuff like Sets, not the thing that really matters like security.


6 minutes ago, hey_yo_ said:

Maybe it's time for Microsoft to ditch NTFS and come up with another file system? ¯\_(ツ)_/¯

Maybe once ReFS reaches feature parity with NTFS. Too bad we are unlikely to see ZFS or some other open source file systems supported on Windows.


Just now, Nicholatian said:

I thought it was called ReFS?

Yah, typo there.


5 minutes ago, Nicholatian said:

If your system is so badly designed that third-party software is supposed to fix it, you need to redesign it completely.

That's how computers have been going for many years already, since the first documented data breach of the US government https://medium.com/@chris_doman/the-first-sophistiated-cyber-attacks-how-operation-moonlight-maze-made-history-2adb12cc43f7

 

2 minutes ago, tjcater said:

Maybe once RFS reaches feature parity with NTFS. Too bad we are unlikely to see ZFS or some other open source file systems supported on Windows.

But at the moment Windows can't boot to a ReFS partition. Maybe what they need is a change in kernel kinda like how Windows 2000 uses NT whereas older ones like 98 and the awful Me are MS-DOS.


2 minutes ago, tjcater said:

Maybe once RFS reaches feature parity with NTFS. Too bad we are unlikely to see ZFS or some other open source file systems supported on Windows.

 

The problem is that even if ZFS did overtake NTFS and became more supported, then virus creators would just turn their attention to it and to anything running it. Systems are becoming so complex that creating one that doesn't have these flaws is almost impossible/unusable.


2 minutes ago, hey_yo_ said:

But at the moment Windows can't boot to a ReFS partition. Maybe what they need is a change in kernel kinda like how Windows 2000 uses NT whereas older ones like 98 and the awful Me are MS-DOS.

I think this had to do with Windows relying on a few features of NTFS that are not included/stable on ReFS.


3 minutes ago, tjcater said:

Maybe once ReFS reaches feature parity with NTFS

Here's a blog post from Microsoft from when Windows 8 was still in beta: https://blogs.msdn.microsoft.com/b8/2012/01/16/building-the-next-generation-file-system-for-windows-refs/

Quote

The key features of ReFS are as follows (note that some of these features are provided in conjunction with Storage Spaces).

  • Metadata integrity with checksums
  • Integrity streams providing optional user data integrity
  • Allocate on write transactional model for robust disk updates (also known as copy on write)
  • Large volume, file and directory sizes
  • Storage pooling and virtualization makes file system creation and management easy
  • Data striping for performance (bandwidth can be managed) and redundancy for fault tolerance
  • Disk scrubbing for protection against latent disk errors
  • Resiliency to corruptions with "salvage" for maximum volume availability in all cases
  • Shared storage pools across machines for additional failure tolerance and load balancing

In addition, ReFS inherits the features and semantics from NTFS including BitLocker encryption, access-control lists for security, USN journal, change notifications, symbolic links, junction points, mount points, reparse points, volume snapshots, file IDs, and oplocks.

I think some of these features are already found in NTFS.


4 minutes ago, hey_yo_ said:

<Snip>

On the bright side, it doesn't support Transactionable NTFS :P


15 minutes ago, tjcater said:

On the bright side, it doesn't support Transactionable NTFS :P

Shouldn't that make things better? https://msdn.microsoft.com/en-us/library/windows/desktop/aa363764(v=vs.85).aspx


1 minute ago, tjcater said:

Yes (I did say "On the bright side")


xD


Maybe it's time to move to much more stable and secure OS like GNU/Linux?

 

I always think that there is a universe in our multiverse where LINUX rules the world including Desktop PCs :D What a nice place to live.


39 minutes ago, mate_mate91 said:

Maybe it's time to move to much more stable and secure OS like GNU/Linux?

 

I always think that there is a universe in our multiverse where LINUX rules the world including Desktop PCs :D What a nice place to live.

I'd move the instant I could run at least my favourite games on Linux, which I can't. All of them fail to run properly using Wine and everything I know of that's like Wine. I really like Linux but it's just not an option when you play games for 3+h a day


1 hour ago, Bananasplit_00 said:

I'd move the instant I could run at least my favourite games on Linux, which I can't. All of them fail to run properly using Wine and everything I know of that's like Wine. I really like Linux but it's just not an option when you play games for 3+h a day

What about GPU passthrough?


Would these vulnerabilities ever affect the average Joe?


14 minutes ago, Matu20 said:

Would these vulnerabilities ever affect the average Joe?

I think so, as the vulnerability is shared by both regular Windows used by consumers and Windows Server, but attacks using this vulnerability are mostly targeted at big corporations or governments, especially state-sponsored attacks.


1 hour ago, mate_mate91 said:

What about GPU passthrough?

Not sure how you mean that would help? Linux has proper drivers for my GPU, that's not the problem here; it's that Paladins, for example (though it looks like they are really trying to kill the game as hard as possible in the next patch), starts a few background things you can't start yourself without breaking it, and I think it has further problems with stuff Wine can't emulate. Wine just will not work here, and it's not the only thing I have tried either, but I'm pretty sure everything I HAVE tried has been built from Wine lol.


47 minutes ago, Matu20 said:

Would these vulnerabilities ever affect the average Joe?

No more vulnerable than before you read this thread. As always, don't go to dodgy websites and don't download dodgy shit.


Meh, no patch because it's not a vulnerability but a bypass. OK, what.

Anyway, I really thought they'd move to ReFS eventually or something new.


9 hours ago, tjcater said:

Maybe once ReFS reaches feature parity with NTFS. Too bad we are unlikely to see ZFS or some other open source file systems supported on Windows.

Since they removed ReFS from Windows 10 Pro after the recent big Creators Update and now it's available only on Windows 10 Pro for Workstations ... I don't have much hope for ReFS anymore.


Well, in my experience malware detectors often miss malware anyway, so I fail to see how this differs from that in terms of security threat; if it manages to get onto your storage, security has already failed (unless you installed the malware via user input like a moron, in which case you are the failure).

 

Regardless it is likely considered "not a vulnerability," due to it being endemic to modern file systems in general.


6 hours ago, thunar said:

Isn't ReFS available to use right now??

No. It’s only available to Windows 10 Pro for Workstations and Windows Server 2016 
