Software companies everywhere, especially tech giants like Microsoft, are used to releasing patches for vulnerabilities. One very common, and often dangerous, class of vulnerability involves code injection. Through code injection, the hacker can escalate to root privileges and load malicious content or steal data. What if, however, there were a brand-new way to perform code injection, a way that exploits no vulnerability at all? The scary part: because no vulnerability is exploited, there is no vulnerability to patch.
This is what researchers at enSilo have stumbled upon and revealed in a recent blog post. Calling it “a code injection that bypasses current security solutions,” the researchers have nicknamed the technique “AtomBombing.” The name comes from enSilo’s description of it as “the first code injection technique that is based on atom tables.” In an AtomBombing attack, the code injection targets a process by way of the atom table. It can then force the machine, which assumes the code is legitimate, to execute the malicious code and do the attacker’s bidding.
Atom tables have existed in Windows operating systems since 2000, so this issue is not new; it simply went undiscovered until now. There is no way to patch it, because AtomBombing takes advantage of how the OS, as enSilo put it, uses the “legitimate building blocks of Windows.” The challenge now is working out how future Windows versions could do without atom tables, or could include a mechanism that raises an “alarm” of sorts when AtomBombing is attempted. According to enSilo, the only measure that can be taken at this point is to perform a “tech-dive into the API calls and monitor those for malicious activity.”
Since the ability to inject code via atom tables has existed for more than 16 years, it really makes me wonder whether this is the future of code injection. To be able to use legitimate processes at the core level of an operating system in a hack is pretty hair-raising stuff. As security experts, we tend to think in terms of vulnerabilities, things that can be patched with tweaks in the code. With something like AtomBombing, we are effectively powerless against the attack.
What else don’t we know how to prevent as InfoSec experts?