Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Attacks On Volatile Memory Can Be Detected, Researchers Say

In-memory attacks create processing delays that give hackers away, Triumfant research says

Elusive attacks on a computer's volatile memory can be detected through a detailed analysis of processor behavior, according to new research.

Researchers at security vendor Triumfant have discovered that in-memory attacks create a significant delay in system calls that is typically beyond the normal variance of processing time. The ability to detect such attacks -- which have generally eluded most security tools because they attack data that is not stored -- could enable enterprises to interrupt the attacks before they can do any damage, Triumfant says.

"There's a temporal dimension to in-memory attacks that is detectable," says John Prisco, CEO of Triumfant. "We're seeing delays in system calls that are two or three times the norm, and it's possible to isolate those processes and shut them down."

In-memory attacks, recently referred to as Advanced volatile threats (AVTs), enable an attacker to access a computer's random access memory (RAM) or other volatile memory processes to redirect a computer's behavior. AVTs allow attackers to steal data or insert malware, but because they are never stored in long-term memory, they can be difficult to detect.

Industry experts suspect that in-memory attacks are on the increase because they evade the prevalent defenses that rely on attack signatures and malware behavior analysis. Oded Horovitz, CEO and founder of security firm PrivateCore, last month presented his company's findings on server in-memory attacks (PDF) and recommended tools for encrypting such data.

"Hacking hasn't changed,” said Daniel Clemens, owner of Packetninjas, in a recent Dark Reading report on low-level memory threats. "We still have code, we still have data. Exploiting memory corruption vulnerabilities is effectively flipping data to code for creative execution."

So far, however, there is little industry data to back up experts' suspicions about in-memory threats because most security analysis tools focus on stored data. Triumfant hopes its new research will help identify in-memory attacks and provide trend data over time.

"So far, we've only tested it in our own environment, but we've been able to see a clear pattern," Prisco says. "System calls that take 20 or 25 milliseconds consistently go up to 50 milliseconds or more when there's an in-memory attack. When you have processing delays like that -- delays that are two or three deltas beyond the norm -- then you know that something is not right."

Triumfant is also working on a way to identify the memory objects responsible for the delays and remove them before they can execute, Prisco says.

"These in-memory attacks are going to become more attractive to the bad guys as conventional malware detection tools get better," Prisco predicts. "It's a way to execute the same attacks without being detected."

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...