francis de lorraine, posted December 7, 2017 (edited):
https://www.bleepingcomputer.com/news/security/-process-doppelg-nging-attack-works-on-all-windows-versions/
itman, posted December 8, 2017:

Quote: "In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it's in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind."

Everything looks OK to security products because the malicious process will look legitimate, and will be mapped correctly to an image file on disk, just like any legit process. There will be no "unmapped code," which is usually what security products look for.

Some more detail from enSilo is needed. For starters, what is the file being overwritten? On Win 10, most system processes are pretty much locked down, even if running as a limited admin. On the other hand, there are system processes that can access files in the system directories. Defrag.exe is an example of one, and defrag is scheduled to run hidden with highest privileges, bypassing any UAC alerts.

It's a given fact that Windows system processes are increasingly being exploited by malware developers to carry out their attacks.
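The transactional part of what the quoted enSilo text describes, as an added example that is not from the thread or from enSilo's own code. It assumes PowerShell 5 or later on Windows with an NTFS volume and calls the documented KTM/TxF APIs (CreateTransaction, CreateFileTransacted, RollbackTransaction) through P/Invoke; the file path, payload and transaction description are made up for the demo. It stops at the file-system layer and does not create a section or a process from the transacted file; the point it shows is the one that matters for file scanners: an ordinary, non-transacted open sees only the committed bytes while the transaction is live, and a rollback leaves the committed file exactly as it was.

```powershell
# Added example (not code from the thread or from enSilo). Shows that a file
# overwritten inside an NTFS transaction is invisible to a normal CreateFile
# reader (which is how most file scanners open files) and that rolling the
# transaction back leaves nothing on disk. Path, payload and description are
# made up. Needs Windows with NTFS; TxF is deprecated but still present on Win10.

$TxfSource = @"
using System;
using System.Runtime.InteropServices;
public static class Txf {
    [DllImport("ktmw32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateTransaction(IntPtr attrs, IntPtr uow,
        uint createOptions, uint isolationLevel, uint isolationFlags,
        uint timeout, string description);
    [DllImport("ktmw32.dll", SetLastError = true)]
    public static extern bool RollbackTransaction(IntPtr hTransaction);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateFileTransacted(string name, uint access,
        uint share, IntPtr sa, uint disposition, uint flags, IntPtr template,
        IntPtr hTransaction, IntPtr miniVersion, IntPtr extended);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool WriteFile(IntPtr h, byte[] buf, uint n,
        out uint written, IntPtr overlapped);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
"@
Add-Type -TypeDefinition $TxfSource

function Fail($what) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "$what failed, Win32 error $err"
}
function Test-InvalidHandle([IntPtr]$h) { return $h.ToInt64() -eq -1 }  # INVALID_HANDLE_VALUE

# 1. A benign, committed file: the version a scanner would already have hashed.
$path = Join-Path $env:TEMP 'doppel-demo.bin'   # made-up demo path
[IO.File]::WriteAllBytes($path, [Text.Encoding]::ASCII.GetBytes('benign committed content'))
$before = (Get-FileHash -Path $path -Algorithm SHA256).Hash

# 2. Open a transaction and overwrite the file inside it.
$hTx = [Txf]::CreateTransaction([IntPtr]::Zero, [IntPtr]::Zero, 0, 0, 0, 0, 'txf visibility demo')
if (Test-InvalidHandle $hTx) { Fail 'CreateTransaction' }

$GENERIC_WRITE = 0x40000000; $FILE_SHARE_READ = 1; $CREATE_ALWAYS = 2; $FILE_ATTRIBUTE_NORMAL = 0x80
$hFile = [Txf]::CreateFileTransacted($path, $GENERIC_WRITE, $FILE_SHARE_READ, [IntPtr]::Zero,
    $CREATE_ALWAYS, $FILE_ATTRIBUTE_NORMAL, [IntPtr]::Zero, $hTx, [IntPtr]::Zero, [IntPtr]::Zero)
if (Test-InvalidHandle $hFile) { Fail 'CreateFileTransacted' }

$payload = [Text.Encoding]::ASCII.GetBytes('TRANSACTED CONTENT - never committed')  # made-up payload
[uint32]$written = 0
if (-not [Txf]::WriteFile($hFile, $payload, $payload.Length, [ref]$written, [IntPtr]::Zero)) { Fail 'WriteFile' }
[void][Txf]::CloseHandle($hFile)   # the new bytes now exist only in the transaction's view

# 3. Read the file with an ordinary, non-transacted open, as a scanner would.
$duringHash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
$duringText = [IO.File]::ReadAllText($path)

# 4. Roll back: the committed file never changed, so there is nothing to clean up.
if (-not [Txf]::RollbackTransaction($hTx)) { Fail 'RollbackTransaction' }
[void][Txf]::CloseHandle($hTx)
$after = (Get-FileHash -Path $path -Algorithm SHA256).Hash

[pscustomobject]@{
    HashBeforeTransaction     = $before
    HashSeenDuringTransaction = $duringHash   # equals $before: scanner sees committed bytes
    TextSeenDuringTransaction = $duringText
    HashAfterRollback         = $after        # equals $before: no trace on disk
    ScannerSawPayload         = ($duringText -like '*TRANSACTED*')   # expected: False
}
Remove-Item -Path $path
```

Run it as a normal user; no elevation is needed because the target is a temp file. Two caveats a practitioner should keep in mind: CreateFileTransacted fails on volumes without TxF support (ReFS, for instance), so the demo only works on NTFS, and the three hashes agreeing is exactly the evasion the quoted text describes: a product that hashes or scans the on-disk file through a plain open has no way to see the transacted copy, and after the rollback there is no file artifact left to find.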
Peter Randziak (ESET Moderators), posted December 13, 2017:

Hello guys, thank you for sharing this research. I posted our statement on this in the other thread:
https://forum.eset.com/topic/14038-process-doppelgänging-new-malware-evasion-technique/?do=findComment&comment=70032

Regards, P.R.