
New GhostHook attack technique outsmarts Microsoft PatchGuard

26 Jun 2017

A new attack technique called GhostHook may be the first to completely bypass Microsoft's PatchGuard, enabling malware to install a rootkit on 64-bit Windows 10 devices.

CyberArk Labs researchers published the proof-of-concept last week, saying that GhostHook could be a major threat. Microsoft PatchGuard was designed to make Windows 10 more secure by preventing attackers from hooking a rootkit into the kernel.

According to the CyberArk Labs blog, hooking techniques give attackers control over how software or an operating system behaves.

Researchers say that this kind of control is not part of an initial attack or elevation technique; rather, it is something that can be used once attackers already have control over the device. Essentially, it's a stealth mechanism.

While hooking is used for legitimate purposes such as programming, debugging and system utilities, it can also be exploited for malicious use.

Attackers are now able to easily bury a rootkit in the kernel - an area where security solutions such as antivirus, firewalls, endpoint products and PatchGuard itself can't detect the malware.

This kind of attack could pave the way for sophisticated 64-bit malware such as Shamoon. Attackers would be able to remain on a network longer for reconnaissance and conduct more devastating attacks, researchers warn.

However, when researchers contacted Microsoft about the vulnerability they were shrugged off. The blog details Microsoft's response, which said that the attacker must already be running kernel code on the system.

Because of that, it doesn't meet requirements for a security update - but it may be fixed in future Windows operating systems.

"Microsoft does not seem to realize that PatchGuard is a kernel component that should not be bypassed, since PatchGuard blocks rootkits from activities such as SSDT hooking, not from executing code in kernel-mode," researchers counter.
