• AtomBombing

    #23197

    Tara Seals at InfoSecurity Magazine has a scary post, which relies on research published last week from EnSilo. It appears that Microsoft can’t fix t
    [See the full post at: AtomBombing]

    Viewing 22 reply threads
    • #23198

      IMHO, this is another example of a bogus security exposure. There is no need to resort to AtomBombing. Once you convince the user to run evil.exe, it’s game over. There’s no need for code injection or all of the other machinations.

    • #23199

      Good point. I don’t know if there are any other exposures.

    • #23200

      Here is another interesting article from the same site.

      http://www.infosecurity-magazine.com/news/browsers-ability-to-block-malware-downloads/

      It compares and analyzes browsers’ ability to block malware downloads.

      I use both IE and Firefox so I take no sides here.

    • #23201

      The accounts indicate that at least for now, this is like other code injection exploits in Windows. Either the PC has to be infected already, or else the attacker must have physical access to the PC to inject the code to run this exploit. Nothing posted yet about over-the-Internet or Drive-By applications. But true, it seems this exploit is not going to be easily patched.

      Linux has been accused of harboring allegedly unpatchable vulnerabilities for years, and again, most of the exploits, until recently, required physical access to the PC. But this may be changing for both Windows and Linux.

      Worth watching, but I don’t think the sky is falling.

    • #23202

      So is this something I should be worried about?

    • #23203

      I don’t think so, but I wanted to give a heads-up, in case it turns out to be more nefarious than it appears.

      Security holes have a nasty habit of doing that.

    • #23204

      So the assumption here is that if you can be tricked into running unverified code, that you can be owned.

      The prospect of no patch for this appears real. This seems to be related to built-in Windows functionality, where changes could break existing applications.

    • #23205

      That article is more than 3 years old… I’d love to see an up-to-date one.

    • #23209

      Switch to Linux for banking transactions.

    • #23212

      I’ll be very interested to see how Microsoft addresses the issue. I’ll wager that even if it is eventually addressed it won’t be considered a security hole since the discussed AtomBombing exploit has not demonstrated that it is capable of privilege escalation or violating any other security barriers within Windows. If you can run code, you can run code.

    • #23215

      The point of AtomBombing is to remain undetected by anti-virus software, the same anti-virus software that gets false positives from memory editors as they edit memory regions of other programs. Thus the victim wouldn’t even know they are infected.

    • #23216

      While that’s not a bad idea that’s something most people can’t be bothered to do.

    • #23217

      This “Atombombing” thing sounds more like hype than substance to me, TBH.

      Common-sense computing and security measures apply:

      1. Think first. Avoid risky computing practices, such as running any old stuff you find online.

      2. Create a computing environment that helps you avoid malware sources. Keep in mind that out of the box, Windows does NOT help you do this.

      The above two items can be completely effective at keeping you safe. However, if you feel exposed still, there are additional measures…

      3. Use active protection. All recent Windows systems come with such protection, which isn’t bad.

      4. Scan with a different product to ensure nothing has gotten past the above measures.

      5. Make backups!

      -Noel

    • #23218

      Is this really something new? Firewall leak-testing programs like Thermite, Tooleaky, Firehole, HijackThis, etc., have been around for more than a decade.

      The leak-testing programs represent a new or undetected malware process that has not been detected by signature-based scanners, and is already running on the system. Each of them uses a different technique to attempt to bypass process firewalling, where only trusted applications are permitted internet access (and thus an unknown piece of malware that manages to get on the system will not be allowed to communicate).

      While it might seem that something like a browser would be the obvious choice for hijacking, those are also much more likely to be scrutinized or sandboxed. Hijacking a smaller program that also has net access (perhaps to check for updates to itself) works just as well, and is more likely to succeed without being detected.

      It’s easy to say that “if the executable code is running on the system already, it’s too late.” While every precaution should (of course) be taken to prevent that from happening, it does no good to concede defeat in advance in such cases. The best defenses are multi-layered; do all you can to prevent an unknown malware from executing, but have countermeasures in place in case such a malware DOES manage to get started on the system.

      I’ll post the anecdote I have about that in a moment here. I’ve had this site fail to post my longer messages without telling me anything, so I guess there is a length limit that is somehow not being communicated when I exceed it.

    • #23219

      I don’t know of any length limit. That said, it makes comments more readable if you “reply to” yourself.

    • #23220

      For many years, I ran a now-defunct software firewall/antimalware/HIPS (host intrusion prevention system) called Agnitum Outpost. It saved my bacon one time when I was browsing information about guitar strings.

      The guitar site had apparently been compromised, as it didn’t contain the information as described by the search engine (which would have been Altavista at the time, I think). It redirected to what seemed like a blank page on some site whose URL had to do with legalizing pot or something.

      Outpost popped up a message asking if I wanted to allow an unknown executable to run. In a moment of sphex-like robotic behavior (force of habit of having seen such dialogs many thousands of times for perfectly mundane events), I saw myself hit “allow” on the dialog while some inner part of me seemed like it was screaming to stop.

      I knew I had made a mistake almost before I made it. As soon as I got done allowing the unknown program to run, I quickly hit the tray icon and set Outpost to block all net traffic, then I unplugged the ethernet cable to be certain.

      Outpost immediately popped up another message after I hit allow; this time, the unknown process was trying to install a registry value to run itself on boot. I hit “block and terminate,” and it did.

      I looked at the Outpost log to see the location and name of the file. I found the executable and scanned it with Outpost’s on-demand malware scanner: nothing. I tried again with one of the free malware scanners I had (this was a long time ago; I have no idea which one it was then), and it still didn’t trigger an alert.

      I zipped the file and password-protected it (after I moved it to a USB drive and restored a full system image, to be sure it was gone), then sent it to a couple of the white hat companies. A couple of days later, I received an email from one that this was a new malware that had not been discovered yet, and that it was now in the database.

      The compromised web site had used one of the many zero-days in the Java plugin to execute a drive-by download and execution of the malware. Now it is very well-known that Java is a nightmare (and it’s also nearly totally obsolete, thankfully), but back then… well, if it was common knowledge that Java was a disaster looking for a place to happen, I wasn’t aware of it.

      Other than having the Java plugin set to “enabled” in Firefox (I don’t remember if it had the “ask for permission” option then), I hadn’t done any of the risky things like go to warez sites or run programs sent to me in email.

      What would that malware have done if Outpost had not discovered it? How long would it have been there before it was discovered? I have no idea.

    • #23221

      Somewhat long time reader, but first time poster here, and this seemed like a good time to stick my head up and offer an additional viewpoint on this topic.

      I’ve been disenchanted with Micro$oft for a long time and have used only their OS for many years. Open source software has been, and continues to be, available for most other needs, e.g., Firefox, Open Office, Libre Office, Thunderbird, etc. I have a Macbook Air that I love and can recommend highly. Others have mentioned their Macbook Pros as non-Windows choices.

      But the last moves by M$ were the final straw and pushed me to take a further step that I had been mulling over for months. I installed Linux and set up my desktop PC to dual boot Linux Mint and Windows 7, and I’ve never been happier.

      I think this is noteworthy because I have read comments here from various posters that the “typical PC user” couldn’t and wouldn’t do such things as switch to Linux. And, as a card-carrying member of the Middle-aged Woman demographic, I think it’s important for “typical” PC users to know that it is possible to completely sever ties with M$ and have a more secure system without the additional costs of Apple products.

      I realize that for many people this will seem daunting. And there can be some hurdles in the process, but if one is able to conduct internet searches and follow step-by-step instructions (as any follower of Woody’s blog is clearly able to do), then that person can install Linux.

      It’s definitely a viable option for people who are just completely fed up and don’t want to use their PCs as doorstops. I’ve read comments from many folks here who clearly have already stepped outside of their respective comfort zones. So what’s another few steps 🙂

    • #23222

      Browsers only block downloads by comparing the URLs to a blacklist. With the default settings, Mozilla Firefox actively sends the download links to a Google service to do this. Enjoy your privacy. 🙂

    • #23223

      Good on ya!

      I have a feeling that ChromeOS is going to fill the needs of many people, in the not-too-distant future.

    • #23224

      If you are not running a top-tier AV package, consider either Avira Free or Bitdefender Free for basic AV and malware protection, plus Malwarebytes Anti-Exploit Free to prevent browser exploits. The latest AV-Comparatives test results show that Avira, Bitdefender, and Kaspersky consistently score at a 99.9% detection rate of known malware samples.

      Then, if you are running either Firefox or Chrome as your browser, you should consider the uBlock Origin browser add-on. It incorporates a number of active blacklists that will prevent your browser from connecting to known malware domains …

      Then don’t run or install anything that you are not 100% sure about 🙂

    • #23225

      Yup. Which you can turn off, by the way, as I have, and rely on things like NoScript and good browsing practices to protect yourself. Using Chrome though? It’s baked in and not so easy to get out from under G’s yoke.

    • #23226

      I do respect your opinion. But the problem with Linux is that a lot of software like Adobe Photoshop simply isn’t on there. Also, for PC gamers like myself, a lot of games won’t work on there either. And that’ll kill it for a lot of people. Now you might say that I can dual boot. But really it takes up more time than it’s worth for me personally. I do play around with Linux sometimes in a VM. And if I were to completely get rid of Windows, then I would lose the ability to play half my Steam games.
      But you do have some valid points Virginia.

    • #23227

      I understand completely. I play some PC games, as well, which is the only reason that I am keeping Windows 7 as my dual boot. But, as I’m sure you know, Steam is Linux friendly with increasing numbers of games that work on Linux. And GOG is another good repository for Linux and DRM-free games. But I know that many very good games are not Linux compatible. I honestly believe that the major impetus for more game developers to make their games Linux compatible will be their observation that increasing numbers of people are using that platform. After all, the tail never wags the dog 🙂

      I also have work software that is only PC compatible and for which there is no open source alternative. My solution to that was to use Windows 7 in a VM on my Macbook.

      We consumers collectively have largely acquiesced to the M$ hegemony for decades now. If we truly want or expect things to change in this landscape, we need to make the first move.
