AtomBombing exploits design flaw in Windows


By Dylan Bushell-Embling
Monday, 31 October, 2016


Security researchers have discovered a vulnerability endemic to the design of all versions of Windows that could potentially allow attackers to bypass security systems to inject malicious code.

The method, discovered by researchers at security company EnSilo, has been named AtomBombing after the technique used to inject the malicious code.

Because the issue is based on how Windows operating system mechanisms are designed, it cannot be patched.

EnSilo researchers have found that by exploiting atom tables — the tables provided by Windows to allow applications to store and access data, and to share data between applications — attackers can write malicious code into one of these tables and force legitimate programs to retrieve this code.

These legitimate programs can then be made to execute the code, bypassing typical security mechanisms such as application-based firewalls.

Because it is a new code injection technique, AtomBombing can also bypass antivirus and other endpoint infiltration prevention technologies.

“Since the issue cannot be fixed, there is no notion of a patch for this. Thus, the direct mitigation answer would be to tech-dive into the API calls and monitor those for malicious activity,” EnSilo Security Research Team Leader Tal Liberman said in a blog post announcing the company’s findings.

“It’s important though at this point to take a step back. AtomBombing is one more technique in the attacker’s toolbox. Threat actors will continuously take out a tool — used or new — to ensure that they bypass anti-infiltration technologies (such as AV, NGAV, HIPS, etc). Obviously we need to find a different way to deal with threat actors.”

This will involve building defences in a way that “prevents the consequences of the attack once the threat actor has already compromised the environment”, he said.
