Windows AtomBombing attack

The name "AtomBombing" sounds lurid, but it is derived from the Windows mechanism that is abused as the attack vector: the "atom tables", in which processes store short strings and can exchange them with one another. According to the US security company enSilo, all Windows versions are affected, although the researchers examined Windows 10 in particular. Security updates of the usual kind do not help against the attack, because the method does not rely on a programming error in Windows code.

The essence of the attack, according to enSilo, is that antivirus software, firewalls and other safeguards cannot protect against it: the attack is essentially indistinguishable from the normal, legitimate memory operations of harmless software. In short, an attacker would first have to get the user of the targeted machine to run a malicious program, for example from a mail attachment. This program then writes executable code into the atom table, a place where only data is supposed to be cached.

Further code is then injected into a running process of a legitimate program (a browser or instant messenger, say). This makes the hijacked program read the supposed data back out of the atom table and execute it as code. Because it is a legitimate program that runs the otherwise suspicious, and potentially dangerous, code, firewalls and other protection software raise no alarm. The attacker could then take screenshots, read stored passwords and so on, depending on which application was hijacked. The legitimate program even takes care of sending the harvested data out, without this attracting attention.
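The one property the attack depends on is that the global atom table is a string store shared across processes. The following PowerShell script is an added example, not code from the page, from enSilo or from Tal Liberman's repository: it stores a string from one process with the documented GlobalAddAtomW call and reads it back from a second powershell process (a background job) that knows nothing but the 16-bit atom number. It injects and executes nothing. The function names Add-GlobalAtom and Get-GlobalAtomName, the Win32.Atom type name and the payload string are this example's own choices; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, with the job running in the same window station as the caller.

```powershell
# Added example: cross-process string exchange via the global atom table.
# Not enSilo's or Tal Liberman's code. Documented Win32 calls only.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows; Start-Job hosts
# its script block in a separate process, which is what makes this a
# cross-process demonstration.

$atomApi = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern ushort GlobalAddAtomW(string lpString);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GlobalGetAtomNameW(ushort nAtom, System.Text.StringBuilder lpBuffer, int nSize);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern ushort GlobalDeleteAtom(ushort nAtom);
'@
# Type name Win32.Atom is an arbitrary choice for this example.
if (-not ('Win32.Atom' -as [type])) {
    Add-Type -Namespace Win32 -Name Atom -MemberDefinition $atomApi
}

function Add-GlobalAtom {
    param([Parameter(Mandatory)][string]$Text)
    # Atom names are NUL-terminated strings of at most 255 characters.
    # Longer names are rejected, and a name containing a NUL would be cut
    # short there. Both limits constrain anyone pushing raw bytes through
    # this channel, which is why the table only ever "holds strings".
    if ($Text.Length -gt 255) { throw "Atom name too long ($($Text.Length) > 255)" }
    if ($Text.IndexOf([char]0) -ge 0) { throw "Atom name must not contain a NUL character" }
    $atom = [Win32.Atom]::GlobalAddAtomW($Text)
    if ($atom -eq 0) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GlobalAddAtomW failed, Win32 error $err"
    }
    return $atom
}

function Get-GlobalAtomName {
    param([Parameter(Mandatory)][uint16]$Atom)
    $buf = New-Object System.Text.StringBuilder 256
    $len = [Win32.Atom]::GlobalGetAtomNameW($Atom, $buf, $buf.Capacity)
    if ($len -eq 0) { throw "GlobalGetAtomNameW failed for atom $Atom" }
    return $buf.ToString(0, $len)
}

# Writer side (this process). The content is constructed sample data.
$payload = 'constructed-sample-payload-' + [Guid]::NewGuid().ToString('N')
$atom = Add-GlobalAtom -Text $payload
"[$PID] stored $($payload.Length) chars under atom $atom"

# Reader side: the job runs in its own powershell process and receives only
# the atom number plus the P/Invoke definition, then recovers the string.
$job = Start-Job -ArgumentList $atom, $atomApi -ScriptBlock {
    param([uint16]$n, [string]$api)
    Add-Type -Namespace Win32 -Name Atom -MemberDefinition $api
    $buf = New-Object System.Text.StringBuilder 256
    $len = [Win32.Atom]::GlobalGetAtomNameW($n, $buf, $buf.Capacity)
    [pscustomobject]@{ ReaderPid = $PID; Data = $buf.ToString(0, $len) }
}
$result = Receive-Job -Job $job -Wait -AutoRemoveJob
"[$($result.ReaderPid)] read back: $($result.Data)"
if ($result.Data -ne $payload) { throw "round trip mismatch" }

# Same-process read, for comparison, then clean up. Each GlobalAddAtomW of an
# identical string bumps a reference count; the entry persists until every
# reference is deleted (or the user logs off), so stale atoms accumulate.
"[$PID] local read: $(Get-GlobalAtomName -Atom $atom)"
[void][Win32.Atom]::GlobalDeleteAtom($atom)
```

Two points a practitioner should take from running this: nothing about the exchange identifies the writing process to the reader, which is what makes the channel unattributable to endpoint protection, and nothing here is a vulnerability in its own right, which is why there is no obvious patch. Getting a foreign process to call GlobalGetAtomNameW and then treat the result as code is the part the page says requires ordinary injection techniques, and it is deliberately not shown.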

The company's blog describes the attack only superficially; it is treated in somewhat more detail elsewhere, where Tal Liberman, who developed the technique, explains it at length. Liberman has also published example code on GitHub. There is also a reproach to Microsoft that the data exchange mechanism via the atom tables is too simplistically designed. What is novel about the method, if anything, is only the route via the atom tables. Everything else is standard fare from the arsenal of advanced attackers.

How dangerous is AtomBombing in practice? To break in, an attacker must first get the user to run a specially crafted program. That this is not hard is demonstrated thousands of times a day by conventional malware. But this is also the point at which antivirus software could stop the attack before it really begins.

Ultimately, though, not every program file is detected: antivirus vendors have to make sure that they neither produce false alarms nor slow the system down with overly intensive analysis. Safeguards such as whitelisting (only explicitly permitted programs may be started) could prevent the attack in the form presented. In a more realistic scenario the attacker would therefore add a further method of getting the injected code executed without having to start a program file previously stored on the computer. That brings us back to traditional vulnerabilities along the lines of remote code execution that could be used for this purpose. Such holes, however, can be closed by the usual security updates, and exploit attempts are detected and blocked by security software, provided the exploited vulnerability is already known.

It remains to be seen whether AtomBombing will prove to be a viable attack method and whether the claim that the exploited weakness is "unpatchable" will hold up. From Microsoft there is to date no official comment. It is quite possible that AtomBombing will ultimately earn nothing more than a mocking Pwnie Award for "Most Over-hyped Bug". That is what happened this summer to the Badlock vulnerability.
