The security researchers from enSilo discovered a new injection method that inserts malicious code into legitimate processes by using Windows Atom tables.
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
Windows Atom Tables Abused
The technique has been named AtomBombing by the security researchers as it involves the atom tables feature of the Microsoft Windows operating systems. Atom tables are by definition system-defined tables that store specific strings and corresponding identifiers. The applications places strings in an atom table and receives a 16-bit integer called the atom which is used to access the string. A sting in an atom table is called an atom name. In short this means that these are shared tables which apps use to store information on various objects, strings and other types data, accessed on a regular basis.
Sophisticated malware can alter the atom tables so that the apps can execute malicious code. This is a dangerous action that bypasses many security measures. Most policies rely on white lists of trusted processes – usually system protected applications and services and security solutions. This is turns enables malware code to be injected into these trusted processes.
The technique can be used by malicious programs to launch man-in-the-browser (MitB) attacks which are often used by banking Trojans. These are attacks that can capture screenshots from virtual keyboards used by banks, access encrypted passwords or manipulate important programs. A recent example of one such threat is the CloudFanta malware (read more about it here).
Windows Atom Tables Are a Design Flaw
The Atom Bombing vulnerability affects all versions of the Windows operating system. This is a design flaw in the design of the system and it cannot be changed without modifying how everything works.
The researchers do not describe the precise mechanism of the attack in details. However from the released reports we can conclude that like most other code injections, the hackers rely on the users into running a malicious executable file that contains the malware instructions. In most cases this means using various social engineering tricks against the victims. The demonstration shows an example scenario that could be leveraged by the hackers:
- The First Step Is to Bypass the Process Level Restrictions – In this stage of the attack the attackers inject the code into one of the trusted processes.
- Access to Context-Specific Data – Acquisition of private data is done through a variety of mechanisms – screenshots, keylogging and etc.
- Execution of Other Malicious Functions – This includes the Man-in-the-browser (MitB) attacks which we mentioned earlier.
- Accessing Sensitive Information – The malware is capable of injecting its code into system processes that can access encrypted passwords stored on the victim computers.
The Windows Atom Tables is merely the last uncovered design flaw of the Microsoft Windows operating system.
