Jump to content

Process Doppelgänging: New Malware Evasion Technique


khairulaizat92
 Share

Recommended Posts

  • Most Valued Members

Read this article on a few different sites now. What i did notice was that if you are running windows 10 fall update or later then the method does NOT work and will cause a BSOD

Another reason to update to windows 10 :ph34r:

Suppose the blue screen is the better option :lol:

Link to comment
Share on other sites

3 hours ago, cyberhash said:

Read this article on a few different sites now. What i did notice was that if you are running windows 10 fall update or later then the method does NOT work and will cause a BSOD

Another reason to update to windows 10 :ph34r:

Suppose the blue screen is the better option :lol:

I thinks its also stated in the same article that the recent Windows 10 update fix the issues with BSOD. Which means now the malware freely can running accross all windows platform.

Link to comment
Share on other sites

  • ESET Moderators

Hello guys,

 

thank you for sharing this research.

Our statement current statement on this topic is following: 

 

"Recently, ESET was informed about the findings published at: https://www.bleepingcomputer.com/news/security/-process-doppelg-nging-attack-works-on-all-windows-versions/

The report describes that in very specific cases an evasion technique might exist that allows malware to avoid scanning by one of ESET’s scanning layers. The evasion in question applies to security products of all vendors since it is an underlying issue in the operating system itself, rather than being a product-specific problem that causes it. We need to stress, that to achieve this, a malicious dropper would already have to be deployed on the system. 
 
It is also important to note that ESET's multi-layered technology is already prepared for such cases. This means that when an attacker manages to avoid one layer, another layer can step in and detect the attack: e.g., if the malware in question were to attempt the encryption of files, ESET Ransomware Shield would step in; if the malware would try to act across an ESET protected network, our ESET Network Protection module would activate, etc. 
 
We will consider communicating further steps as soon as complete information about the attack scenario is published. Protecting our customers is always our top priority and we greatly value the commitment to responsible disclosure and the collaborative nature of the IT security industry."
 

Note: our technology team is still analyzing the technical details.

 

Regards, P.R.

Link to comment
Share on other sites

14 hours ago, Peter Randziak said:

We will consider communicating further steps as soon as complete information about the attack scenario is published.

Scroll down to the section titled 'Doppelganging - Motivation' in this Blackhat 2017 .pdf https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...