Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint Security //


11:05 AM
Larry Loeb
Larry Loeb
Larry Loeb

enSilo Researchers: Your NTFS Transactions Belong to Us

A pair of researchers from enSilo have disclosed how they created a new vulnerability within Windows-based systems that can compromise NTFS transactions, and the worst part is that security vendors are not prepared.

Security researchers from enSilo told attendees at the recent London Black Hat conference that they had some good news and some bad news for many of them.

The bad news, according to the enSilo researchers, is that they figured out a way to inject malicious rogue code into Windows-based machines that is both unstoppable and undetectable by current security software. The researchers noted that the "it cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."

The good news is that there are a lot of technical challenges in making this code work, and would-be attackers need to know a lot of undocumented details on process creation in order for anything to happen.

The researchers, Tal Liberman and Eugene Kogan, have not yet released the gory details of how this little gem works, but it should be available soon on the Black Hat website.

Their way of creating this type of malicious code is somewhat similar to another technique called Process Hollowing, but the two researchers utilizes the Windows mechanism of New Technology File System (NTFS) transactions in their attack.

Liberman and Kogan describe their as-yet-undelimitated method this way:

We make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while deployed security mechanisms remain in the dark.

The two researchers told Bleeping Computerthat the challenge was conducting the attack without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection.

Security products will look for unmapped code as an indicator of an attack, however, these security products do not scan the file while it is in a transaction, which is where this attack lives.

Liberman and Kogan tested that this new method would be ignored by security products from Kaspersky, Bitdefender, ESET, Symantec, McAfee, Windows Defender, AVG, Avast, Qihoo 360 and Panda.

If this type of malicious code can fool all of these guys, the end user is pretty stuck for a solution.

Knowing that the attack vector is possible and keeping an eye on the Black Hat site for details may help somewhat. However, finding a security solution vendor that is actively protecting against this kind of attack would help the most.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-06
The parse_report() function in whoopsie.c in Whoopsie through 0.2.69 mishandles memory allocation failures, which allows an attacker to cause a denial of service via a malformed crash file.
PUBLISHED: 2020-07-06
PlayerGeneric.cpp in MilkyTracker through 1.02.00 has a use-after-free in the PlayerGeneric destructor.
PUBLISHED: 2020-07-06
It's possible to inject JavaScript code via the html method.
PUBLISHED: 2020-07-06
It's possible to use <<script>script> in order to go over the filtering regex.
PUBLISHED: 2020-07-06
An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.