EnSilo Researchers: Your NTFS Transactions Belong to Us

Published: 22/11/2024   Category: security



A pair of researchers from enSilo have disclosed how they created a new vulnerability within Windows-based systems that can compromise NTFS transactions, and the worst part is that security vendors are not prepared.



Security researchers from enSilo told attendees at the recent London Black Hat conference that they had some good news and some bad news for many of them.
The bad news, according to the enSilo researchers, is that they figured out a way to inject malicious rogue code into Windows-based machines that is both unstoppable and undetectable by current security software. The researchers noted that it cannot be patched, since it exploits fundamental features and the core design of the process loading mechanism in Windows.
The good news is that there are a lot of technical challenges in making this code work, and would-be attackers need to know a lot of undocumented details of process creation in order for anything to happen.
The researchers, Tal Liberman and Eugene Kogan, have not yet released the gory details of how this little gem works, but they should be available soon on the Black Hat website.
Their way of creating this type of malicious code is somewhat similar to another technique called Process Hollowing, but the two researchers utilize the Windows mechanism of New Technology File System (NTFS) transactions in their attack.
Liberman and Kogan describe their as-yet-undetailed method this way:

We make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while deployed security mechanisms remain in the dark.

The two researchers told Bleeping Computer that the challenge was conducting the attack without using suspicious process and memory operations such as SuspendProcess and NtUnmapViewOfSection.
Security products will look for unmapped code as an indicator of an attack. However, these security products do not scan a file while it is in a transaction, which is where this attack lives.
Liberman and Kogan tested this new method and found that it was ignored by security products from Kaspersky, Bitdefender, ESET, Symantec, McAfee, Windows Defender, AVG, Avast, Qihoo 360 and Panda.
If this type of malicious code can fool all of these guys, the end user is pretty stuck for a solution.
Knowing that the attack vector is possible and keeping an eye on the Black Hat site for details may help somewhat. However, finding a security solution vendor that is actively protecting against this kind of attack would help the most.
— Larry Loeb has written for many of the last century's major dead-tree computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
