Researchers at the security firm enSilo have described a new code injection technique against Microsoft's Windows platform, which they call "AtomBombing". It does not compromise a machine by itself: it lets malicious code that is already running on a PC insert itself into other, legitimate processes.
The technique applies to every version of Windows for PCs. Because of the way it is implemented, using ordinary operating system functionality rather than the injection methods security products watch for, enSilo says current protections do not catch it.
In a blog post, enSilo says the method is called AtomBombing because it targets the underlying Windows atom tables. These tables are a basic part of the operating system: they store strings together with the 16-bit identifiers (atoms) that applications use to refer to them.
As mentioned, the technique applies to all Windows versions; enSilo tested it specifically on Windows 10.
EnSilo points out that an attacker can write malicious code into the global atom table through the documented atom API (GlobalAddAtom), a call that security products have no reason to flag, and then force a legitimate process to read it back into its own memory. In enSilo's write-up this is done by queuing an asynchronous procedure call so that a thread in the target process calls GlobalGetAtomName on the attacker's atom. Once the code sits inside the legitimate process, the attacker arranges for that process to execute it.
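To make the atom-table channel concrete, here is a small PowerShell script added for this article; it is not enSilo's code and is not taken from their write-up. It uses only documented kernel32 calls: one process stores a harmless, made-up string in the global atom table and receives a 16-bit atom id, then launches a second process that, knowing nothing but that id, reads the string back out of the table. The script file name, the demo string and the AtomApi wrapper class are assumptions of the example.

```powershell
# Added example (not enSilo's or Microsoft's code): the global atom table as a
# cross-process data channel, using only documented Win32 calls.
# Save as a file (e.g. .\atom-demo.ps1) and run it; it re-launches itself as the reader.
param(
    [switch]$Reader,      # set when this script runs as the second (reading) process
    [uint16]$AtomId = 0   # the only thing the reader is told
)

# Assumed wrapper class name; the P/Invoke signatures match the Win32 prototypes.
$src = @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class AtomApi {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern ushort GlobalAddAtomW(string lpString);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GlobalGetAtomNameW(ushort nAtom, StringBuilder lpBuffer, int nSize);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern ushort GlobalDeleteAtom(ushort nAtom);
}
"@
Add-Type -TypeDefinition $src

if ($Reader) {
    # Second process: it never saw the string, only the atom id passed on the command line.
    $buf = New-Object System.Text.StringBuilder 256
    $n = [AtomApi]::GlobalGetAtomNameW($AtomId, $buf, $buf.Capacity)
    if ($n -eq 0) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Write-Output "reader pid ${PID}: atom $AtomId not found (Win32 error $err)"
    } else {
        Write-Output "reader pid ${PID}: atom $AtomId -> '$($buf.ToString())' ($n chars)"
    }
    exit 0
}

# First process: place a constructed, harmless string in the global atom table.
$payload = "ATOMBOMB-DEMO-$PID-" + (Get-Date -Format 'HHmmss')
$id = [AtomApi]::GlobalAddAtomW($payload)
if ($id -eq 0) {
    throw "GlobalAddAtomW failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
Write-Output "writer pid ${PID}: stored '$payload' as atom $id"

# Documented limit: an atom string may be at most 255 characters, so a larger
# payload has to be split across several atoms. Show the failure on a 300-char string.
$tooLong = 'A' * 300
$bad = [AtomApi]::GlobalAddAtomW($tooLong)
Write-Output "writer pid ${PID}: 300-char string -> atom id $bad (0 means the call failed)"

# Re-launch this same script as a separate process and hand it only the atom id.
& powershell.exe -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath -Reader -AtomId $id

# Drop our reference so the demo string does not linger in the table.
[void][AtomApi]::GlobalDeleteAtom($id)
```

Run it from a PowerShell prompt as a file (it relies on $PSCommandPath to re-launch itself). Both processes must share a window station, which is the case here since the reader is a child of the writer. The script shows only the data channel: a string crosses the process boundary without any of the usual cross-process memory writes. It does nothing to make the second process execute what it read; that is the part of AtomBombing that requires further steps inside the target, and is deliberately not shown.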
The blog says:
“The issue we revealed presents a way for threat actors to inject code. Attackers use code injection to add malicious code into legitimate processes, making it easier to bypass security products, hide from the user, and extract sensitive information that would otherwise be unattainable.
For example, let's say an attacker was able to persuade a user to run a malicious executable, evil.exe. Any kind of decent application-level firewall installed on the computer would block that executable's communication. To overcome this issue, evil.exe would have to find a way to manipulate a legitimate program, such as a web browser, so that the legitimate program would carry out communication on behalf of evil.exe.”
Code Injection Malware
Injecting malicious code into legitimate processes is not a new technique, even if AtomBombing itself is. The established injection methods are recognised by antivirus software, but this one is not yet. Normally, disclosure of a new technique is a good thing in that respect: it gives antivirus vendors the chance to update their products to detect it.
Detection is not the same as a patch, and no patch is coming for AtomBombing. EnSilo says there is nothing for Microsoft to fix, because the technique uses legitimate, documented Windows mechanisms rather than a bug in them.
“Obviously we need to find a different way to deal with threat actors. Under the assumption that threat actors will always exploit known and unknown techniques, we need to build our defenses in a way that prevents the consequences of the attack once the threat actor has already compromised the environment.”