Code injection has been around for a while, but recently popped up in the news again with AtomBombing code injection.
What Is Code Injection?
“Code injection is a technique that attackers often use to execute malicious code by inserting it into a legitimate application or process. The Open Web Application Security Project (OWASP) describes it as an attack that is typically made possible because of a failure by the application or process to properly validate input and output data, like allowed characters, data format, and amount of expected data,” says Jai Vijayan from DARKReading.com
While most antivirus programs will keep a downloaded rogue executable from being executed on a computer, code injection takes legitimate programs, like a web browser, and injects them with malicious code.
Since it injects a legitimate program or process, it allows a normally whitelisted application that has been injected with malicious code to bypass antivirus programs.
Once this is done, the affected program is able to perform many activities that are allowed by normal whitelisted processes like screenshots of your computer and gaining access to confidential information such as encrypted passwords.
What Is AtomBombing Code Injection?
AtomBombing code injection can affect all versions of Microsoft Windows (including Windows 10), allowing hackers to inject malicious code into processes using the operating system’s atom tables (legitimate system-defined tables that store strings and identifiers).
The code is injected into a target process using the atom tables. Once this occurs, the hacker can control the actions of the whitelisted process. Since this type of code injection does not rely on a bug or flaw in the system, it cannot be patched.
“Since the ability to inject code into atom tables has existed for more than 16 years, it really makes me wonder if this is the future of code injection? To be able to use legitimate processes at the core level of an operating system in a hack is pretty hair-raising stuff,” says Derek Kortepeter at techgenix.com
Is It A Real Threat?
An unprotected machine, even with the latest security patches from Microsoft, is at risk of being compromised using AtomBombing code injection.
However, the good news is that with next-generation endpoint security it is not a real threat. While AtomBombing does introduce a new variation on the injection technique, it doesn’t give the hacker any more access than with previous injection techniques.
As stated above, AtomBombing is not an exploit to a vulnerability or bug that needs to be fixed. Therefore, a direct approach to detecting when a computer has the threat would be to monitor API calls and watch for malicious activity amongst all programs (including the whitelisted ones).
You need a solution that monitors every event and the relationship around those events to identify attack sequences and watch for malicious behavior. Once found, it can prevent the process from running.
AtomBombing code injection is another tool in a hacker’s arsenal that can be used to extract confidential information from computers. It is a real threat for machines that are not protected with software which actively monitors the behavior of threats to find patterns of attack. Listen to this On-Demand Webinar, Beyond Files: The Full Spectrum of Attacks to discover the types of attacks you should include in your evaluation testing.