Process Doppelgänging Attack allows evading most security software on all Windows Versions

Discussion in 'other security issues & news' started by Minimalist, Dec 7, 2017.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,530
    Location:
    Slovenia
    http://securityaffairs.co/wordpress/66440/hacking/process-doppelganging-attack.html
     
  2. IvoShoen

    IvoShoen Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    636
    Process Doppelgänging attack works on all modern versions of the Microsoft Windows operating system, starting from Windows Vista to the latest version of Windows 10.

    It runs undetected by most AVs including Windows Defender, Kaspersky Labs, ESET NOD32, Symantec, Trend Micro, Avast, McAfee, AVG, Panda, and Qihoo 360.

    https://thehackernews.com/2017/12/malware-process-doppelganging.html
     
    Last edited: Dec 7, 2017
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,481
    Location:
    U.S.A.
    o_O
    I suspect if one is using one of the bypassed AVs that has a HIPS and the process whose memory is being injected is protected by a process modification rule, it will be detected. We will have to wait until presentation details are released to determine what built-in Windows process is being injected.
    https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

    Also of note is that both NOD32 and Bitdefender were mentioned. I assume that Eset and Bitdefender IS versions would detect.
     
    Last edited: Dec 7, 2017
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,481
    Location:
    U.S.A.
    A bit more detail:
    https://www.scmagazineuk.com/market...roken-by-doppelganging-attack/article/712522/

    First as expected, the malware has to be downloaded. Next, the malware is going after virtual storage using existing NTFS methods to access same. Actually, I am surprised that it took someone this long. I have always considered VS to be vulnerable and an ideal place for malware to hide.

    Wonder if purging VS at shutdown would at least get rid of the persistence aspect of the exploit?
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
    There are too many ways to inject code; the Windows OS should really be rewritten, with only the most important APIs. On the other hand, every process should be restricted as much as possible, so even if it has been infected it cannot perform stuff like making outbound connections and getting access to protected folders.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,530
    Location:
    Slovenia
    That's most likely not going to happen. They prefer to add more code and not to remove it. They don't follow "Less is more" logic.
     
  7. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,049
    Location:
    Europe then Asia
    +1
     