Process Doppelganging is a technique that allows bypassing real-time file scanning of all tested AV and NGAV products on Microsoft Windows starting from Windows Vista. It was first shown by a team of researchers from enSilo at BlackHat Europe 2017 on December 7th in London.
Process Doppelganging impacts enterprises relying on AV and NGAV security defenses against cyber criminals that use fileless attacks to deliver malware and breach organizations. Customers of enSilo are protected post-infection by real-time blocking at the kernel level.
Process Doppelganging is a new discovery that demonstrates a fileless evasion technique that can bypass popular AV and NGAV pre-infection security defenses.
Most AV and NGAV software has many parts. The most traditional part is the file scanning engine, which can detect a file that is known malware. It can also detect malware similar to malicious programs that are already known. This is the part which was called “antivirus” even 25 years ago. It scans all new files on your storage and ensures that no file can run if it has not been scanned.
Most new security products, however, have other parts. These parts integrate into different applications and components of software that you use and provide you with additional layers of protection. For example, most security software can protect Internet browsers and email programs.
No. It is not enough. But to understand why, we need to separate malware into two logical parts. The core of a malware is a complex harmful program that takes over the infected computer. As this part is big and complex, it takes time to build and develop. As a result we seldom see a completely new malware, but rather we usually see an existing malware with some modifications applied to it. On the contrary, the part which infects your computer, called a dropper, is usually very small and dynamic. Droppers are distributed using some sort of exploit – usually a very recent problem found in one of your programs, for example, a vulnerability in your Internet browser. The dropper is much less complex than the core described earlier, and once it gets into your system it will in turn execute the bigger part, which is the main malware. In some cases, the dropper is not small but rather big, and contains the larger malware inside it in an encrypted form that prevents antiviruses from identifying it.
The problem with droppers is that they change constantly. They have a relatively narrow purpose of evading your computer defenses and deploying the main malware. Along with exploits utilizing a bug in one of your programs, droppers are specially designed to bypass security measures. Their authors know well what they are up against and as a result they have a relatively high success rate.
We have already mentioned why droppers are hard to detect. But the rest of the malware should be detected as soon as it is written to disk and executed. That’s why advanced malware tries to avoid writing its main part to disk. Such malware is called “fileless” malware. But we all know that in order to run, we need something saved to disk – this is true for all widely spread operating systems including Microsoft Windows.
In order to run, the fileless malware will usually use an existing legitimate application and “inject” itself into it, for example by using the “AtomBombing” technique. It can also run a new process from a legitimate application and replace the executable in memory with a malicious file. The former technique is called “code injection” while the latter is called “Process Hollowing.”
Before Process Doppelganging, malware had to be either written to disk or run completely from memory, and over time security products developed tools to fight such malware. In case the malware had a file on disk, the file could be scanned. Software which runs without a file is suspicious and could also be detected. Process Doppelganging changes the rules. With Process Doppelganging, the malicious software can run from a file, but this file will be invisible to security software. Not only is it invisible – it can also very easily be mistaken for another, legitimate signed file.
On most Windows computers the files are stored on disks that use the NTFS file system. This file system is relatively old, although Microsoft updates it from time to time. In 2007, with the release of Windows Vista, Microsoft introduced a new feature to NTFS – transactions. NTFS transactions allow many file operations to be performed and, at the end, either accepted or cancelled as a whole. This way, any application could make many changes to many files on disk and return all files to their original state if an error is detected. The most common use of transactions is during installations of Windows updates. If everything goes well, the transaction is accepted or, as it is called in transaction language, committed. On error, the transaction is cancelled or rolled back. Process Doppelganging utilizes this mechanism to hide the main malware payload: it chooses an innocent file, overwrites it and runs malware. Just before letting the malware run, it rejects or rolls back all changes, thus preventing antivirus software from scanning the file content that is really being executed. Note that the malware process can still run in such a case. If opened, the file on disk will contain no suspicious content. Moreover, this file can be a well-known, digitally signed application.
Usually, a process is created using a special system command which takes a filename as an argument. With this command it is impossible to create a process from a transacted file. However, there is another system command which is left over from the days of Windows XP. This system command allows running a process from a file which had previously been opened. Process Doppelganging takes advantage of this old system command to create a process from a transacted file. This old Windows XP command cannot create a running program on its own, so some manipulations are required to make the newly created process work.
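The defensive consequence of the two paragraphs above is that the file on disk and the code actually mapped into the process no longer agree. One signal a responder can check for is therefore a mismatch between the PE header of the on-disk image and the PE header of the image as mapped in memory (headers are not relocated when an image is mapped, so the same offsets apply to both). The example below is added here and is not enSilo's code or part of the original page; it assumes the caller has already obtained the bytes of the file from disk and a dump of the mapped image headers (on Windows that would come from reading process memory at the image base, which is outside this example), and the two sample images are constructed, header-only PE32 blobs rather than real programs.

```python
import struct
from dataclasses import dataclass, fields
from typing import Dict, Tuple


@dataclass(frozen=True)
class PeSummary:
    """The PE header fields we compare between disk and memory."""
    machine: int
    number_of_sections: int
    timestamp: int
    entry_point: int
    size_of_image: int
    checksum: int


def parse_pe_summary(image: bytes) -> PeSummary:
    """Parse selected PE header fields from an image (on-disk file or mapped headers)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER follows the signature
    machine, nsections, timestamp = struct.unpack_from("<HHI", image, coff)
    opt = coff + 20                          # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # These offsets are identical for PE32 and PE32+.
    entry_point = struct.unpack_from("<I", image, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]
    checksum = struct.unpack_from("<I", image, opt + 64)[0]
    return PeSummary(machine, nsections, timestamp, entry_point, size_of_image, checksum)


def compare_images(disk_image: bytes, mapped_image: bytes) -> Dict[str, Tuple[int, int]]:
    """Return {field: (disk_value, memory_value)} for every header field that differs.

    An empty dict means the headers agree; a non-empty dict is a signal to
    investigate the process, not proof of Process Doppelganging on its own
    (the file may simply have been updated on disk after the process started).
    """
    on_disk = parse_pe_summary(disk_image)
    in_memory = parse_pe_summary(mapped_image)
    return {
        f.name: (getattr(on_disk, f.name), getattr(in_memory, f.name))
        for f in fields(on_disk)
        if getattr(on_disk, f.name) != getattr(in_memory, f.name)
    }


def build_minimal_pe(timestamp: int, entry_point: int, checksum: int) -> bytes:
    """Constructed sample input: a header-only PE32 image (not a runnable program)."""
    e_lfanew = 0x80
    hdr = bytearray(e_lfanew + 4 + 20 + 224)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<HHI", hdr, coff, 0x14C, 1, timestamp)   # i386, one section
    struct.pack_into("<H", hdr, coff + 16, 224)               # SizeOfOptionalHeader
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, entry_point)
    struct.pack_into("<I", hdr, opt + 56, 0x4000)             # SizeOfImage
    struct.pack_into("<I", hdr, opt + 64, checksum)
    return bytes(hdr)


# Constructed sample pair: the innocent file as it sits on disk after rollback,
# and the headers of a different image that was actually mapped into the process.
DISK_IMAGE = build_minimal_pe(timestamp=0x5A2A0000, entry_point=0x1000, checksum=0x1234)
MAPPED_IMAGE = build_minimal_pe(timestamp=0x5A2A1234, entry_point=0x2000, checksum=0xBEEF)


if __name__ == "__main__":
    diffs = compare_images(DISK_IMAGE, MAPPED_IMAGE)
    if not diffs:
        print("on-disk image and mapped image headers agree")
    for name, (disk_value, mem_value) in diffs.items():
        print(f"MISMATCH {name}: disk=0x{disk_value:x} memory=0x{mem_value:x}")
```

Run against real input, `compare_images` takes the raw bytes of the executable named by the process's image path and the bytes read from the process at its image base; a clean, unmodified process produces an empty result, while a process whose mapped code never came from the file it claims to be will typically differ in timestamp, entry point and checksum at once.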
This is completely unrelated – ALL security vendors try to block early stages of infection in one way or another. If that were enough, they wouldn’t need to have other layers of protection. If you still wonder why it is not enough, see the question about droppers above.
Yes. enSilo’s own NGAV pre-infection mechanism is also susceptible to Process Doppelganging. However, because enSilo also offers post-infection protection with real-time blocking at the kernel level, the second line of protection (post-infection) blocks Process Doppelganging.
enSilo offers a free Process Doppelganging audit to help enterprises determine if their AV and NGAV products can detect it.