Unpatchable Windows AtomBombing Attack Plugged By Hypervisor Introspection

Liviu Arsene

November 01, 2016

Unpatchable Windows AtomBombing Attack Plugged By Hypervisor Introspection

A new type of attack using a legitimate Windows mechanism rather than code vulnerabilities has been found by security researchers, potentially used to carry code injection attacks that would go completely unnoticed by traditional security software.

Making matters worse, not only are all Windows versions susceptible to this type of attack – including Windows 10 - but it can’t even be patched as it’s considered a design flaw. With security researchers advising companies to assume they could already be compromised, Microsoft’s approach is advising customers to adhere to online best practices and avoid opening suspicious URLs or downloading unknown files.

While the attack needs to be exploited on each computer within the organizations, the fact that it can bypass traditional security solutions turns it into an appealing tool for cybercriminals. Considering APTs usually involve compromising a single target within an organization, using this method to stealthily deploy data exfiltration tools turns AtomBombing into a new attack vector that’s bound to be exploited in the wild.

As traditional endpoint security risks are bypassed by this technique, an outside-the-OS approach such as hypervisor-based introspection can catch AtomBombing exploits at raw memory level.


What Does This Mean for Organizations?

Any organization that uses Windows-running VMs (Virtual Machines) is susceptible to this type of attack. With cybercriminals and cybercrime increasing the cost to businesses to a potential $6 trillion by 2021, data exfiltration and APTs (Advanced Persistent Threats) gunning for a company’s data, intellectual property, or even financial assets, remain major concerns.

Intelligence-gathering APTs and cyber-espionage malware targeting government institutions, telecommunication, e-crime services and aerospace companies have become a reality, with more cybercriminals shifting towards targeted rather than opportunistic attacks.

Targeted attacks, such as the Bangladesh $81 million heist or the Yahoo 500 million user account data breach, are just some of incidents that hit the media. What’s worrying is, that while detection time of a data breach or APT averages 201 days, the vulnerability that allowed the Yahoo breach went undetected for 2 years, raising concerns as to how many organizations could be infiltrated by cybercriminals without triggering any bells and whistles.


Describing the Design Flaw

Atom Tables are responsible for storing strings and their corresponding identifiers, so that applications can share information between each other only by calling the atom – a 16-bit integer that uniquely identifies a string in the table. Applications usually rely on atom tables to share information much quicker between each other, rather than querying long strings.

For example, by exploiting this design flaw an attacker could effectively use legitimate applications, such as browsers or media players, to either steal passwords, take desktop screenshots and upload them to an attacker-controlled server, or even download additional malicious components that would allow complete and full takeover of the targeted system. Because this technique can successfully be used as an initial attack vector for stealthily infiltrating an organization, a cybercriminal’s next steps could involve anything from malware deployment to industrial espionage. The AtomBombing attack involves writing malicious code that could be retrieved from the atom table and executed by legitimate applications. To achieve this, three main stages have been described for successful exploitation.

The first step involves writing the arbitrary data, or malicious code in the same address space as the targeted process or application. This means that any application, even those whitelisted and implicitly trusted by security vendors or an organization’s IT department, can be targeted.

The second step of the attack involves hijacking the thread for a legitimate application and making it execute the injected code – or string - stored in the atom table. This is the part where the legitimate application can be rigged to run any code without raising suspicions from traditional security solution.

The last step in the attack chain for AtomBombing involves cleaning up the malicious code and restoring the targeted application to its normal behavior, as not to arouse any suspicions. This way, an attacker could use a legitimate application, such as a popular browser or any internet-connected application, to exiltrate company data without triggering any alarms.


AtomBombing Mitigation with Hypervisor Introspection

Because Bitdefender Hypervisor Introspection (HVI) is a technology that can scan raw memory at the hypervisor level, without requiring any agents to be present in the virtual environment (VM), it can detect these types of memory-tampering attacks and block them before causing any damages to businesses.

After testing the AtomBombing proof-of-concept against Bitdefender Hypervisor Introspection, it was able to kill the exploit in real time from the hypervisor-layer, rendering the attack inert and stopping the malicious code from being injected and executed. That means that hidden attacks, such as this one, will be prevented, effectively stopping organizations from being breached. If, traditionally, an attack would remain undiscovered for months or years, HVI could completely prevent it from occurring if cybercriminals were to use this method.

While traditional security mechanisms could be oblivious to the attack, HVI leverages the Citrix XenServer API to analyze raw memory from outside the virtual machine and look for any memory tampering techniques – including AtomBombing – that could alter the normal behavior or in-guest applications.

Mitigating this proof-of-concept attack with HVI for virtualized environments running Citrix XenServer, proves that organizations will not risk having this issue exploited to exfiltrate data or deploy additional APTs (Advanced Persistent Threats). With threats becoming more sophisticated, targeted and complex, Bitdefender Hypervisor Introspection offers a more in-depth approach to protecting a company’s virtualized critical assets.

Focusing on memory introspection techniques, HVI was designed to complement endpoint security solutions.

Currently in technical preview, more information about Bitdefender Hypervisor Introspection can be found here.

Contact an expert



Liviu Arsene

Liviu Arsene is a Global Cybersecurity Researcher for Bitdefender, with a strong background in security and technology. Researching global trends and developments in cybersecurity, he focuses on advanced persistent threats and security incidents while assessing their impact in critical public and private business infrastructures. His passions revolve around innovative technologies and gadgets, focusing on their security applications and long-term strategic impact.

View all posts

You might also like