enSilo Researchers: Your NTFS Transactions Belong to Us

A pair of researchers from enSilo have disclosed a new code-injection technique against Windows-based systems that abuses NTFS transactions, and the worst part is that security vendors are not prepared for it.

Security researchers from enSilo told attendees at the recent London Black Hat conference that they had some good news and some bad news for many of them.

The bad news, according to the enSilo researchers, is that they figured out a way to inject malicious rogue code into Windows-based machines that is both unstoppable and undetectable by current security software. The researchers noted that "it cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."

The good news is that there are a lot of technical challenges in making this code work, and would-be attackers need to know a lot of undocumented details of Windows process creation in order for anything to happen.

The researchers, Tal Liberman and Eugene Kogan, have not yet released the gory details of how this little gem works, but it should be available soon on the Black Hat website.

Their way of creating this type of malicious code is somewhat similar to another technique called Process Hollowing, but the two researchers utilize the Windows New Technology File System (NTFS) transactions mechanism in their attack.

Liberman and Kogan describe their as-yet-undetailed method this way:

We make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while deployed security mechanisms remain in the dark.

The two researchers told Bleeping Computer that the challenge was conducting the attack without using suspicious process and memory operations such as SuspendProcess and NtUnmapViewOfSection.

Security products look for unmapped code as an indicator of an attack; however, they do not scan a file while it is inside a transaction, which is where this attack lives.

Liberman and Kogan tested that this new method was ignored by security products from Kaspersky, Bitdefender, ESET, Symantec, McAfee, Windows Defender, AVG, Avast, Qihoo 360 and Panda.

If this type of malicious code can fool all of these guys, the end user is pretty stuck for a solution.

Knowing that the attack vector is possible and keeping an eye on the Black Hat site for details may help somewhat. However, finding a security solution vendor that is actively protecting against this kind of attack would help the most.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
