Larry Loeb

enSilo Researchers: Your NTFS Transactions Belong to Us

A pair of researchers from enSilo have disclosed a new attack technique for Windows-based systems that abuses NTFS transactions, and the worst part is that security vendors are not prepared.

Security researchers from enSilo told attendees at the recent London Black Hat conference that they had some good news and some bad news for many of them.

The bad news, according to the enSilo researchers, is that they figured out a way to inject malicious rogue code into Windows-based machines that is both unstoppable and undetectable by current security software. The researchers noted that "it cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."

The good news is that there are a lot of technical challenges in making this code work, and would-be attackers need to know a lot of undocumented details about process creation in order for anything to happen.

The researchers, Tal Liberman and Eugene Kogan, have not yet released the gory details of how this little gem works, but it should be available soon on the Black Hat website.

Their way of creating this type of malicious code is somewhat similar to another technique called Process Hollowing, but the two researchers utilize the Windows mechanism of New Technology File System (NTFS) transactions in their attack.

Liberman and Kogan describe their as-yet-undetailed method this way:

We make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while deployed security mechanisms remain in the dark.

The two researchers told Bleeping Computer that the challenge was conducting the attack without using suspicious process and memory operations such as SuspendProcess and NtUnmapViewOfSection.

Security products look for unmapped code as an indicator of an attack; however, they do not scan a file while it is inside a transaction, which is where this attack lives.

Liberman and Kogan tested the method and found that it was ignored by security products from Kaspersky, Bitdefender, ESET, Symantec, McAfee, Windows Defender, AVG, Avast, Qihoo 360 and Panda.

If this type of malicious code can fool all of these guys, the end user is pretty stuck for a solution.

Knowing that the attack vector is possible and keeping an eye on the Black Hat site for details may help somewhat. However, finding a security vendor that is actively protecting against this kind of attack would help the most.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
