Market-leading security products broken by Doppelganging attack

News by Davey Winder

The new 'Process Doppelgänging' process-memory attack methodology not only defeats market-leading security products but also breathes new life into old threats.


Two researchers from enSilo, Eugene Kogan and Tal Liberman, revealed the 'Process Doppelgänging' attack methodology at Black Hat Europe this morning (Thursday).

The researchers were able to demonstrate how this attack method exploits gaps in how cyber-security products scan for malware and how they interface with process memory.

By subtly changing how executable files such as an email attachment or a web download interact with disk memory, the researchers were able to succeed where older 'process hollowing' attacks had long since failed, bypassing detection by such products as AVG Internet Security, Bitdefender, ESET NOD 32 and Windows Defender under Windows 10. What's more, Avast and Panda were both left in the dark under Windows 8.1, and on Windows 7.1 SP1 machines Kaspersky Antivirus 18 and Endpoint Security 10, McAfee VSE 8.8 Patch 6 and Symantec Endpoint Protection were also bypassed. Adding further urgency to the threatscape, these process doppelgänging attacks have also proved to be invisible as far as investigative recording and forensic tools such as Volatility are concerned.

Rather than focus on complex memory manipulation to avoid scanning engines, the researchers took advantage of the Windows Loader itself. The attack can be broken down into four steps: transaction (overwriting a legitimate executable with malicious code inside an NTFS transaction), loading (of that malicious executable), rollback (to the original executable) and animation (where the doppelgänger is brought to life).

Because the malicious code itself is never saved to any file on disk, it remains invisible to most recording tools. "This method could be used to bypass all the major AV products we tested," enSilo security research team leader Tal Liberman told SC Media UK. "Using Process Doppelgänging, an attacker can masquerade the loading of a malicious executable by manipulating AVs to scan a legitimate executable."

Ian Trump, chief technology officer with Octopi Research Lab, isn't surprised that process memory threats remain such a popular attack vector. "Traditional and even more advanced anti-malware solutions are generally focused on file-based attacks, not process hijacks," Trump said in conversation with SC Media UK. "When I think about the attack surface, it makes sense to spawn or hide in an existing process on an endpoint; that's something very hard to see."

And how can vendors and enterprises mitigate this kind of doppelgänging threat? "Security vendors should make sure their scanning engines handle NTFS transactions correctly," says Tal Liberman, "and, like many other attack vectors, the end user needs to rely on the capabilities of their AV product."
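The four-step sequence described above (transaction, loading, rollback, animation) and Liberman's advice that scanning engines handle NTFS transactions correctly both point to the same detection opportunity: a process whose image came from a file that was written inside a transaction which was then rolled back, so that the code never reached disk. The following is an added illustration, not code from the article or from enSilo; it runs a toy correlation rule over a constructed event stream. The event shape (`tx_create`, `file_write`, `process_create`, `tx_commit`, `tx_rollback` with the fields shown) and the paths are assumptions for illustration; real sensor telemetry would have to be mapped onto them.

```python
from collections import defaultdict

# Constructed sample events (assumed sensor format, not real telemetry).
# Scenario A (pid 4242): the article's sequence. A legitimate file is
#   overwritten inside transaction T1, a process is started from it, and
#   T1 is rolled back, so the executed code never persisted on disk.
# Scenario B (pid 5000): a normal transacted update that is committed
#   before the new binary runs (benign, should not alert).
# Scenario C (pid 6000): a rolled-back transaction with no process
#   started from the transacted file (benign, should not alert).
SAMPLE_EVENTS = [
    {"ts": 1,  "pid": 4242, "event": "tx_create",      "tx": "T1"},
    {"ts": 2,  "pid": 4242, "event": "file_write",     "tx": "T1", "path": r"C:\tmp\legit.exe"},
    {"ts": 3,  "pid": 4242, "event": "process_create", "path": r"C:\tmp\legit.exe", "child_pid": 4300},
    {"ts": 4,  "pid": 4242, "event": "tx_rollback",    "tx": "T1"},
    {"ts": 5,  "pid": 5000, "event": "tx_create",      "tx": "T2"},
    {"ts": 6,  "pid": 5000, "event": "file_write",     "tx": "T2", "path": r"C:\tmp\updater.exe"},
    {"ts": 7,  "pid": 5000, "event": "tx_commit",      "tx": "T2"},
    {"ts": 8,  "pid": 5000, "event": "process_create", "path": r"C:\tmp\updater.exe", "child_pid": 5100},
    {"ts": 9,  "pid": 6000, "event": "tx_create",      "tx": "T3"},
    {"ts": 10, "pid": 6000, "event": "file_write",     "tx": "T3", "path": r"C:\tmp\partial.dat"},
    {"ts": 11, "pid": 6000, "event": "tx_rollback",    "tx": "T3"},
]


def find_doppelganging_sequences(events):
    """Return one alert per process whose image file was written inside an
    NTFS transaction that was later rolled back instead of committed.

    The rollback is the key signal: it is the step that leaves the on-disk
    file unchanged while the already-loaded image keeps running.
    """
    open_tx = {}                 # tx id -> set of paths with uncommitted writes
    path_to_tx = {}              # path -> tx id currently holding an uncommitted write
    pending = defaultdict(list)  # tx id -> processes started from its uncommitted files
    alerts = []

    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["event"]
        if kind == "tx_create":
            open_tx[ev["tx"]] = set()
        elif kind == "file_write" and ev.get("tx") in open_tx:
            open_tx[ev["tx"]].add(ev["path"])
            path_to_tx[ev["path"]] = ev["tx"]
        elif kind == "process_create":
            # Image comes from a file whose new content is still transactional.
            tx = path_to_tx.get(ev["path"])
            if tx is not None:
                pending[tx].append({"pid": ev["child_pid"],
                                    "parent_pid": ev["pid"],
                                    "path": ev["path"]})
        elif kind in ("tx_commit", "tx_rollback"):
            tx = ev["tx"]
            for path in open_tx.pop(tx, ()):
                path_to_tx.pop(path, None)
            procs = pending.pop(tx, [])
            if kind == "tx_rollback":
                for proc in procs:
                    alerts.append({**proc, "tx": tx, "rolled_back_at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in find_doppelganging_sequences(SAMPLE_EVENTS):
        print("ALERT: process %(pid)d (parent %(parent_pid)d) was loaded from "
              "%(path)s inside transaction %(tx)s, which was rolled back at "
              "ts=%(rolled_back_at)d" % alert)
```

The rule deliberately waits for the rollback before alerting, which keeps the committed-update case (scenario B) quiet; a stricter variant that fires as soon as a process is created from any uncommitted transacted file would catch the loading step earlier at the cost of noise from legitimate installers that use transactions.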
