Windows Atom Tables Can Be Abused for Code Injection Attacks

Attackers can leverage a design weakness in all versions of Windows to carry out code injection attacks that bypass detection by security software.

Researchers have identified a way attackers could use atom tables in all versions of Windows to inject malicious code into a computer and bypass detection by security products at the same time.

The technique has been nicknamed AtomBombing by researchers at enSilo, and opens the door to man-in-the-browser attacks, access to encrypted passwords, or remotely taking screenshots of targeted systems.

AtomBombing does not exploit a Windows vulnerability and cannot be fixed with a patch. EnSilo urges security professionals to monitor for code injection in API calls to fend off possible attacks.

“Unfortunately, this issue cannot be patched since it doesn’t rely on broken or flawed code – rather on how these operating system mechanisms are designed,” Tal Liberman, security research team leader at enSilo, said.

Atom tables, as Liberman describes them, are an operating system feature that lets applications store and access temporary data and share data between applications.

“What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table,” he wrote. “We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.”

The attack requires that a target first be tricked into running a malicious executable, either via a malicious download or a malicious email attachment. Once that is achieved, attackers can inject code into legitimate processes to “remain stealth in a system to do things like evade security products,” enSilo said.

“Any kind of decent application level firewall installed on the computer would block that executable’s communication,” Liberman noted. The AtomBombing technique is able to bypass protections built into programs, such as a web browser.

“Many security products employ a white list of trusted processes. If the attacker is able to inject malicious code into one of those trusted processes, the security product can easily be bypassed,” Liberman wrote.

Impacted programs can be leveraged to decrypt any passwords stored by the program. An attacker could also inject code into a web browser to modify content accessed by the user, in the context of a man-in-the-browser attack. In another attack scenario, code injection could be used to take screenshots of a targeted user’s desktop, Liberman said.

Several similar code injection techniques have been identified by researchers earlier this year. In April, an obscure Windows Server 2003 feature called hotpatching was being targeted by a group called Platinum, which figured out how to inject malicious code into running processes without having to reboot the server.