Attackers Can Abuse Underlying Windows Mechanisms to Attack ALL Versions – Can’t Be Patched

Oct 28, 2016

Hackers can attack Windows systems, regardless of the version, by injecting malicious code into a computer while avoiding detection by security products. Even if you have installed the latest security patches on your Windows PC, it is still vulnerable to this attack strategy.

Researchers have discovered a technique that attackers could use against Windows computers. Named AtomBombing, the strategy enables attackers to launch man-in-the-middle attacks and access encrypted passwords.


The latest discovery works on all versions of Windows, including Windows 10. The research team says that no antivirus program is capable of detecting this attack plan, putting millions of PCs at risk. The problem cannot be solved by Microsoft with a security patch either, because it doesn’t exploit a Windows vulnerability. “Unfortunately, this issue cannot be patched since it doesn’t rely on broken or flawed code – rather on how these operating system mechanisms are designed,” Tal Liberman, security researcher at EnSilo said.

What’s this mysterious strategy that enables hackers to attack Windows systems?

AtomBombing abuses system-level Atom Tables, a feature of the operating system that allows applications to store, access and share temporary data, Liberman explained. Since these tables are shared, every application can access and modify the data inside them. This is a design flaw in Windows that allows attackers to inject malicious code and trick legitimate applications into executing malicious actions.

“What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table,” says Liberman. “We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.”
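The property described above, that data one process places in the global atom table can be read back by any other process, can be observed directly with the documented kernel32 atom-table calls. The following PowerShell script is an added example, not code from the article or from enSilo: it stores a constructed sample string from one PowerShell process and reads it back from a second process (a background job, which runs in its own powershell.exe) that knows nothing but the atom's numeric id. The P/Invoke signatures are the documented `GlobalAddAtomA`, `GlobalGetAtomNameA` and `GlobalDeleteAtom` exports; the type and namespace names (`AtomDemo.AtomTable`) and the sample string are assumptions chosen for the demonstration.

```powershell
# Added example (not from the article or enSilo): shows that the global atom
# table is shared across processes, using only documented kernel32 functions.

$sig = @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern ushort GlobalAddAtomA(string lpString);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern uint GlobalGetAtomNameA(ushort nAtom, System.Text.StringBuilder lpBuffer, int nSize);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern ushort GlobalDeleteAtom(ushort nAtom);
'@

# Type/namespace names are assumptions for this demo, not part of the Windows API.
$atoms = Add-Type -MemberDefinition $sig -Name 'AtomTable' -Namespace 'AtomDemo' -PassThru

# Process A (this shell): store a constructed sample string in the global table.
$sample = 'constructed-sample-string'
$id = $atoms::GlobalAddAtomA($sample)
if ($id -eq 0) {
    throw "GlobalAddAtomA failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
"Process $PID stored '$sample' as global atom 0x{0:X4}" -f $id

# Process B: a background job runs in a separate PowerShell process. It receives
# only the P/Invoke signature and the atom id, yet reads the same string back,
# because the global atom table is a single system-wide shared structure.
$job = Start-Job -ArgumentList $sig, $id -ScriptBlock {
    param($sig, $id)
    $t   = Add-Type -MemberDefinition $sig -Name 'AtomTable' -Namespace 'AtomDemo' -PassThru
    $buf = New-Object System.Text.StringBuilder 256
    $len = $t::GlobalGetAtomNameA([uint16]$id, $buf, $buf.Capacity)
    "Process $PID read back '$($buf.ToString(0, [int]$len))' for atom 0x{0:X4}" -f $id
}
Receive-Job -Job $job -Wait -AutoRemoveJob

# Cleanup: release this process's reference; the entry disappears once no
# process holds it any longer.
[void]$atoms::GlobalDeleteAtom($id)
```

Run it in a Windows PowerShell session; the two output lines carry different process ids but the same string. Nothing here is a bug, which is the article's point: the behaviour is the documented design of the table, so there is nothing for a patch to remove, and the defender's visibility has to come from watching how processes use these and related API calls rather than from blocking the table itself.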

Once an attacker manages to inject code into a legitimate process, it becomes easier for the attacker to bypass the security mechanisms of the Windows PC. The attack process could start with a malicious download or an email attachment. Just another reminder never to click on attachments from unknown sources, or on those annoying malware-infected ads.


Attackers can use infected applications to decrypt stored passwords, inject code into a browser in a man-in-the-middle (MitM) attack, and inject code to take screenshots of the target computer. “For example, in a banking transaction process, the customer will always be shown the exact payment information as the customer intended via confirmation screens,” Liberman said. “However, the attacker modifies the data so that the bank receives false transaction information in favor of the attacker, i.e. a different destination account number and possibly amount.”

Since AtomBombing is carried out simply by using the underlying Windows mechanisms, there can be no patch to fix it. EnSilo suggested that the only mitigation is for security professionals to monitor API calls for code injection in order to catch possible attacks.

For more details of this attack mechanism, see EnSilo's write-up; for more details on atom tables, see Microsoft's documentation.