CyberArk Discovers New Rootkit-Enabling Hooking Technique For Intel Processors


The enterprise security vendor CyberArk recently disclosed a new hooking technique, named BoundHook, that would allow attackers to install rootkits on compromised Windows systems.

BoundHook Technique: Hooking techniques give you control over the way an operating system or a piece of software behaves. Hooks are used by security software, system utilities, programming tools, and malicious software such as rootkits. BoundHook is not an exploitation technique, which means an attacker cannot use BoundHook on its own to take over a system. Instead, it allows the attacker to maintain persistence on an already compromised system as a rootkit and to evade operating-system-level security measures that would otherwise detect or remove it. First, though, the attacker needs a different way to infect the user’s system (email attachments, malicious ads, etc.).

Technical Details: The BoundHook technique causes an exception (an anomalous condition requiring special processing) at a very specific location in a user-mode context and catches that exception to gain control over the thread’s execution. The exception is raised with a BOUND instruction, which is part of Intel’s Memory Protection Extensions (MPX). That instruction was designed to improve software security by checking pointer references against their bounds at runtime, so that out-of-bounds accesses caused by memory corruption bugs fault instead of being exploited. BoundHook turns the check around: a bound check that is guaranteed to fail becomes a reliable trigger at the chosen address.
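The pattern the paragraph describes (a deliberately raised exception at a known address, a handler that takes over the thread, then resumption of the original code) can be shown in portable user-mode C. The following is an added example, not CyberArk’s BoundHook code: instead of an MPX bound check raising a #BR exception that is serviced from the kernel, it writes to an mprotect()-guarded page to raise SIGSEGV and catches it in a user-mode signal handler, which then transfers control to a hook routine before the hooked function continues. The function names (install_hook, hook_point, target, my_hook, run_demo) and the guard-page trigger are this example’s own choices; the use of a POSIX signal in place of #BR is the one substitution that makes it runnable on Linux or macOS without MPX hardware.

```c
// Added example (not CyberArk's BoundHook code): exception-based hooking in
// user mode on POSIX. BoundHook raises a #BR exception with a failing bound
// check at a chosen address; here the deliberate fault is a write to a
// PROT_NONE guard page, caught by a SIGSEGV handler that hands control to a
// hook before the original function resumes.
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*hook_fn)(int);            // hook called with the hooked argument

static sigjmp_buf hook_env;             // resume point inside hook_point()
static volatile sig_atomic_t faults;    // faults we caught and redirected
static volatile unsigned char *guard;   // the one page whose faults are "ours"
static hook_fn installed_hook;

static void on_fault(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    // A fault anywhere else is a real crash: restore the default action and
    // return, which re-executes the faulting instruction and terminates.
    if ((volatile unsigned char *)si->si_addr != guard) {
        signal(SIGSEGV, SIG_DFL);
        return;
    }
    faults++;
    siglongjmp(hook_env, 1);            // take over the thread's execution
}

// Reserve the trigger page and register the handler. Returns 0 on success.
static int install_hook(hook_fn fn) {
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)page, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    guard = (volatile unsigned char *)p;

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    installed_hook = fn;
    return 0;
}

// The hooked location. The first pass through sigsetjmp() touches the guard
// page, which faults at a precisely known address (BoundHook: an always-failing
// BOUND check). The handler jumps back here, the hook runs with the original
// argument, and the caller continues with whatever the hook returns.
static int hook_point(int value) {
    if (sigsetjmp(hook_env, 1) == 0) {
        *guard = 1;                     // raises SIGSEGV; never completes
        return value;                   // not reached
    }
    return installed_hook ? installed_hook(value) : value;
}

// Target function with the hook point at its entry, like a prologue hook.
static int target(int x) {
    x = hook_point(x);
    return x * 2;
}

// Example hook: observe the argument and tamper with it.
static int my_hook(int v) {
    return v + 100;
}

// Installs the hook and calls target(5): the hook turns 5 into 105 and
// target doubles it, so the result is 210 with exactly one fault caught.
int run_demo(void) {
    if (install_hook(my_hook) != 0) return -1;
    return target(5);
}

int fault_count(void) { return (int)faults; }

int main(void) {
    int r = run_demo();
    printf("target(5) with hook = %d, faults redirected = %d\n", r, fault_count());
    return r == 210 ? 0 : 1;
}
```

What makes the real technique rootkit material rather than a curiosity is not this control-flow trick, which any debugger or signal handler can do, but where the catching code lives: the page notes that BoundHook’s hook never modifies the target’s code pages, so the Copy-on-Write checks that PatchGuard and antivirus rely on to spot patched code see nothing.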

The CyberArk researchers said that most anti-virus products will not detect an attacker using the BoundHook technique, because they would have to look specifically for it (this could change now that the research is published). For the same reason the technique is also invisible to Windows PatchGuard kernel protection: it does not patch code pages, so PatchGuard would have to look specifically for hooks that bypass the Copy-on-Write (COW) mechanism rather than for modified code.

Microsoft’s response on fixing the issue: Microsoft told CyberArk that it will not address this issue in current versions of Windows, but will consider fixing it in a future Windows version: “We have completed our investigation of this issue and have found that it is not a vulnerability but a technique to avoid detection once the machine is already compromised. Because it’s a post-exploitation technique it doesn’t meet the bar for servicing in a security update but we will consider fixing it in a future version of Windows.”

As with GhostHook (CyberArk’s earlier kernel hooking technique, which abused Intel Processor Trace), it is possible that Microsoft cannot fully fix the issue on its own, since the trigger is a processor feature; it may have to wait for Intel to fix or mitigate it in hardware first.




Linux & Windows Geek, Blogger & System Administrator
