enSilo Researchers: Your NTFS Transactions Belong to Us

A pair of researchers from enSilo have disclosed a new code-injection technique for Windows that abuses NTFS transactions to launch a process from a modified executable that never reaches disk, and the worst part is that security vendors are not prepared for it.

Larry Loeb, Blogger, Informationweek

December 11, 2017

3 Min Read

Security researchers from enSilo told attendees at the recent London Black Hat conference that they had some good news and some bad news for many of them.

The bad news, according to the enSilo researchers, is that they figured out a way to inject malicious code into Windows-based machines that current security software neither stops nor detects. The researchers noted that "it cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows."

The good news is that there are a lot of technical challenges in making this code work, and would-be attackers need to know a lot of undocumented details of Windows process creation before anything can happen.

The researchers, Tal Liberman and Eugene Kogan, have not yet released the full details of how the technique works, but their materials should be available soon on the Black Hat website.

(Source: Geralt via Pixabay)

Their technique is somewhat similar to another one called Process Hollowing, but the two researchers use the Windows mechanism of New Technology File System (NTFS) transactions, known as Transactional NTFS (TxF), in their attack.

Liberman and Kogan describe their as-yet-undetailed method this way:

"We make changes to an executable file that will never actually be committed to disk. We will then use undocumented implementation details of the process loading mechanism to load our modified executable, but not before rolling back the changes we made to the executable. The result of this procedure is creating a process from the modified executable, while deployed security mechanisms remain in the dark."

The two researchers told Bleeping Computer that the challenge was conducting the attack without using suspicious process and memory operations such as SuspendProcess and NtUnmapViewOfSection.

Security products look for unmapped or hollowed-out code as an indicator of an attack. However, they do not scan a file's contents while it sits inside an uncommitted transaction, which is exactly where this attack lives: a scanner that reads the file from disk sees only the committed, benign version, and the rollback ensures the modified version never reaches disk at all.
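The visibility rule that the attack depends on can be checked directly with the documented TxF API. The following PowerShell script is an added illustration written for this article, not enSilo's code and not their process-creation step: it writes into a file inside an NTFS transaction, reads the file from outside the transaction (the view a scanner would get), then rolls the transaction back. The file name, the sample contents and the P/Invoke wrapper class are constructed for the example; it assumes a Windows host with TxF present (the feature is deprecated but still shipped) and a %TEMP% on an NTFS volume.

```powershell
# Added example (not from the enSilo research): TxF read-committed visibility.
# Anything written inside the transaction is invisible to non-transacted readers,
# and RollbackTransaction discards it, so nothing ever reaches the on-disk file.
$ErrorActionPreference = 'Stop'

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TxF {
    [DllImport("ktmw32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr CreateTransaction(IntPtr attrs, IntPtr uow, uint createOptions,
        uint isolationLevel, uint isolationFlags, uint timeout, string description);
    [DllImport("ktmw32.dll", SetLastError = true)]
    public static extern bool RollbackTransaction(IntPtr tx);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr CreateFileTransactedW(string path, uint access, uint share, IntPtr sa,
        uint disposition, uint flags, IntPtr template, IntPtr tx, IntPtr miniVersion, IntPtr extended);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool WriteFile(IntPtr h, byte[] buf, uint count, out uint written, IntPtr overlapped);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
"@

$GENERIC_WRITE = 0x40000000; $FILE_SHARE_READ = 1; $OPEN_EXISTING = 3; $FILE_ATTRIBUTE_NORMAL = 0x80
$INVALID_HANDLE = [IntPtr](-1)
function Win32Err { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

# Constructed sample file standing in for the benign executable on disk.
$path = Join-Path $env:TEMP 'txf-visibility-demo.txt'
[IO.File]::WriteAllText($path, 'benign on disk')

$tx = [TxF]::CreateTransaction([IntPtr]::Zero, [IntPtr]::Zero, 0, 0, 0, 0, 'txf visibility demo')
if ($tx -eq $INVALID_HANDLE) { throw "CreateTransaction failed, error $(Win32Err)" }
try {
    # Open the file for writing *inside* the transaction.
    $h = [TxF]::CreateFileTransactedW($path, $GENERIC_WRITE, $FILE_SHARE_READ, [IntPtr]::Zero,
            $OPEN_EXISTING, $FILE_ATTRIBUTE_NORMAL, [IntPtr]::Zero, $tx, [IntPtr]::Zero, [IntPtr]::Zero)
    if ($h -eq $INVALID_HANDLE) { throw "CreateFileTransactedW failed, error $(Win32Err)" }

    $payload = [Text.Encoding]::ASCII.GetBytes('MODIFIED INSIDE TRANSACTION')
    $written = [uint32]0
    if (-not [TxF]::WriteFile($h, $payload, $payload.Length, [ref]$written, [IntPtr]::Zero)) {
        throw "WriteFile failed, error $(Win32Err)"
    }
    [void][TxF]::CloseHandle($h)

    # A non-transacted reader (this is what an on-access scanner does) still sees the committed bytes.
    'Outside view while uncommitted : ' + [IO.File]::ReadAllText($path)
    # A non-transacted *writer* would fail here with ERROR_TRANSACTIONAL_CONFLICT (6800).
}
finally {
    [void][TxF]::RollbackTransaction($tx)   # discard the modification; it never touches disk
    [void][TxF]::CloseHandle($tx)
}
'Outside view after rollback     : ' + [IO.File]::ReadAllText($path)
```

Both lines print "benign on disk": the modified bytes exist only for handles opened under that transaction, and after the rollback they exist nowhere. The defensive lesson is that a product which judges an executable by re-reading it from disk, rather than by examining the mapped image or the section the process was actually created from, is judging the wrong bytes.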

Liberman and Kogan reported that this new method was ignored by security products from Kaspersky, Bitdefender, ESET, Symantec, McAfee, Windows Defender, AVG, Avast, Qihoo 360 and Panda.

If this type of malicious code can fool all of these vendors, the end user is left without a ready solution.

Knowing that the attack vector exists and keeping an eye on the Black Hat site for details may help somewhat. Finding a security vendor that actively protects against this kind of attack would help the most.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Read more about:

Security Now

About the Author

Larry Loeb

Blogger, Informationweek

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].
