Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Last Daily Podcast (Fri, Oct 28th):Small Changes to Ransomware E-Mails;

Latest Diaries

Windows "Atom Bombing" Attack

Published: 2016-10-28
Last Updated: 2016-10-28 14:00:57 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Earlier this week, Ensilo released a blog describing a new code injection attack via Windows Atom Tables [1]. The attack is pretty ingenious and could be used to inject malicious code into running processes or read data from running processes.

Overall, the problem of code injection isn't new, and there are different methods to accomplish code injection. Code injection in its simple form doesn't lead to privilege escalation, nor does it expose your system to new exploits. However, it is a technique that an attacker may use to hide code they are executed as a result of an exploit. Most security tools will whitelist software that you commonly run. Some will even check if the software is modified after it is executed.

Atom tables are a Windows feature meant to allow software to store data, and in some cases to share data with other applications. A user has read/write access to all atom table data created by processes that the user initiated. The result is that malware that the user runs may retrieve data stored to atom tables by other software, or it may modify it to execute malicious code.

Overall, there is no fix expected for this problem. This isn't even a security vulnerability in its current form. Users can always run code and code a user runs typically does have some access to other processes run by the same user (sometimes limited by sandboxing). 

So what does this all mean for you? Not much. It was always bad to run malware, and this is yet another way how malware can hide on your system. There is nothing you have to change in the way you are doing things due to this issue. Future versions of anti-malware may be able to intercept respective API calls to inspect any read/write access to these atom tables.


Johannes B. Ullrich, Ph.D.

1 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Your Bill Is Not Overdue today!
1 day ago by Johannes (5 comments)

Critical Flash Player Update APSB16-36
2 days ago by Johannes (2 comments)

Another Day, Another Spam...
3 days ago by Xme (3 comments)

A few Mirai Updates: MIPS, PPC version; a bit less scanning
4 days ago by Johannes (2 comments)

ISC Briefing: Large DDoS Attack Against Dyn
5 days ago by Johannes (7 comments)

Request for Packets TCP 4786 - CVE-2016-6385
6 days ago by Guy (0 comments) DDoS Attack
1 week ago by Johannes (9 comments)

How Stolen iOS Devices Are Unlocked
1 week ago by Johannes (0 comments)

View All Diaries →

Latest Discussions

created 3 days ago by SYNERGYUSALLC (0 replies)

Any experience with hyper-v ram forensic?
created 1 week ago by DrGreen (0 replies)

Question about faux news websites
created 2 weeks ago by Marko (0 replies)

Event Logging Requirements
created 4 weeks ago by Circadian (4 replies)

Configuring 'cvtwin': Windows 10 and Norton 360 Premier
created 1 month ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries DDoS Attack
1 week ago by Johannes (9 comments)

Critical Cisco ASA IKEv1/v2 Vulnerability. Active Scanning Detected
8 months ago by Johannes (25 comments)

How Stolen iOS Devices Are Unlocked
1 week ago by Johannes (0 comments)

New tool:
2 weeks ago by Jim (4 comments)

The Short Life of a Vulnerable DVR Connected to the Internet
3 weeks ago by Johannes (8 comments)