Attacks/Breaches

3/1/2017 06:15 PM
New Version Of Dridex Banking Trojan Uses AtomBombing To Infect Systems

It's the first malware to use a newly disclosed code-injection method to break into Windows systems

Security researchers at IBM have discovered a new version of the Dridex banking Trojan that takes advantage of a recently disclosed code injection technique called AtomBombing to infect systems.

The modified version of the malware is already being used in online banking attacks across Europe and poses a fresh threat to organizations because it is harder to detect than previous versions.

“The new code injection method shuffles things up on detection mechanisms,” says Limor Kessem, executive security advisor at IBM Security. “It means that unless adapted protection layers are added to endpoints, it's going to be much harder to detect what Dridex does once its deployment flow starts rolling.”

AtomBombing is a technique that security vendor enSilo demonstrated last October for injecting malicious code into the “atom tables” that almost all versions of Windows use to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and execute malicious code in a legitimate process or application. Attackers have long used such code injection tactics to try to bypass security controls and carry out malicious activity without being detected.

What enSilo demonstrated was a method to sneak malicious code into Windows atom tables without being detected by the usual security mechanisms and then to get applications to retrieve and execute the code.

enSilo has stressed that its approach does not exploit any vulnerability in Windows and instead simply takes advantage of how the operating system functions. Since the technique does not rely on flawed or broken code, there is little that Microsoft can do to patch against it, the company has previously noted.

The new version of Dridex (Dridex v4) is the first malware that uses the AtomBombing process to try to infect systems. It uses atom tables to copy its payload and some other related data into the memory space of a target process. But then, in a departure from the rest of enSilo’s approach, the new version of Dridex uses a different method to ensure it gets executed.

“From [previous] experience with Dridex, its authors favor writing their own code, using their own ideas,” Kessem says. In this case, since many details about the AtomBombing technique are already out there, the authors of Dridex probably felt it was safer to put a twist on it, Kessem says. “Also, many times developers who know the code most intimately choose the features that work best with it, or that will suit future development plans.”

The code injection feature is one of several tweaks, including new encryption and persistence mechanisms, that the authors of Dridex have made available with the latest version of the malware. But it is the most important one because it gives Dridex a way to propagate in an infected system in a minimally observable manner, an alert on the new malware noted.

In a statement, a Microsoft spokeswoman said for malware like Dridex to be able to use code-injection techniques, the user’s system needs to have already been compromised. “To help avoid malware infection, we encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”

Tal Liberman, a security researcher at enSilo, says it is no surprise at all that malware authors are attempting to use the AtomBombing method. “I’m actually surprised that it took so long for something like this to surface,” he says.

Typically, when 0-day vulnerabilities are disclosed, attackers try to use them as soon as possible, before software vendors roll out patches. “This pattern holds true for new injection techniques such as AtomBombing,” he says. In fact, others have likely used the technique already and the latest version of Dridex is only the first to be detected using it, he says.

AtomBombing takes advantage of Microsoft Windows' built-in atom tables that allow specific API calls to inject code into the read-write memory space of a targeted process, he says. This is a legitimate part of the operating system performing as designed and cannot be patched against, Liberman says.

However, typical security products can block most known code injection techniques. When new techniques like AtomBombing are used, the products need to be updated to neutralize that specific technique, he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
garrytroomen, User Rank: Apprentice, 3/6/2017 | 6:04:22 AM
192.168.l.l
I have a MacBook and it does not cling to the viruses in general