
December 20, 2017 | Category: Threats | By: Adrian Taylor

Process Doppelgänging Can’t be Detected, but Isolation Will Keep You Protected

  • Process Doppelgänging is a new code injection technique that bypasses most security tools and works on all Windows versions.
  • Relying on detect-to-protect security solutions will leave you vulnerable to Process Doppelgänging.
  • Bromium executes untrusted tasks in a hardware-isolated virtual machine, so you are always protected, even from zero-days and new, undetectable techniques.

What is Process Doppelgänging?

For starters, it’s a phrase that requires you to figure out how to type an umlaut (Alt – 0228, if that helps). And no, it’s not the name of the latest heavy metal band.

Process Doppelgänging is a stealthy new technique in a growing list of attack methods that are notoriously hard for modern anti-virus (AV) solutions to detect and mitigate.

The news of this beast broke at the Black Hat 2017 security conference in London. Full details haven’t been published, but experts suggest that it resembles a technique called Process Hollowing – a cunning practice that works by using common, legitimate, and inconspicuous processes, such as iexplore.exe (browser) or explorer.exe (file manager) as containers for hostile code.

As soon as the process is started, the malicious code forces it to pause, wipes its memory, and injects alternative code. Even though the file on disk (explorer.exe) is unchanged, the process and its data have now been hijacked by the malware.

Process Hollowing has been around for years, and most detection tools are able to spot this dodgy activity – which is not easy because sometimes legitimate software performs similar actions. It takes a lot of tricky manipulations to detect when the code is likely to be malicious.

Process Doppelgänging doesn’t hit the disk, avoiding AV detection.

Process Doppelgänging takes the process hijacking method a step further. Instead of writing instructions for a new executable directly to memory (which might be detected), the malware goes directly for the disk. Except it doesn’t write anything on the disk; instead, it initiates a disk “transaction” – a kind of promise that instructions are about to be written on the disk. The transaction is then promptly abandoned, ensuring that nothing hits the disk.

In the meantime, the sneaky malware starts a new process using the file contents that it almost wrote onto the disk during the discarded transaction. And there you have it – malicious code is now running in a new process, without touching the disk and without using the old-hat Process Hollowing technique that could easily be spotted by AVs.

In fact, nobody can detect Process Doppelgänging, yet.

A BleepingComputer article about Process Doppelgänging reports that “researchers have successfully tested their attack on products from Kaspersky, Bitdefender, ESET, Symantec, McAfee, Windows Defender, AVG, Avast, Qihoo 360, and Panda. Furthermore, even advanced forensics tools such as Volatility will not detect it.”

Bromium cannot detect it either. For now, our detection engine is just as powerless as everyone else’s, and we are all working to update our detection capabilities to deal with the new threat.

Bromium doesn’t rely on detection, so you are still protected.

Rather than relying on detection, Bromium always protects. With Bromium, untrusted tasks execute in a hardware-isolated virtual machine, essentially invisible to the end user. This means every time a user downloads an attachment from an email, opens a tab in a browser, executes an untrusted Office or PDF document, or runs an untrusted executable, Bromium isolates that activity in a micro-VM.

If no malware is present, it’s invisible protection for your employees. If malware is delivered, it runs inside the micro-VM as the attacker intended – including fileless malware – and its activities are meticulously cataloged for kill-chain analysis. When the micro-VM is closed, the malware is gone. Malware cannot reach the actual host PC, the operating system, the file system, the network, or any critical enterprise resources.

If Bromium can detect the malware, you get a bonus forensic report on the event. When you are dealing with a new, undetectable technique or zero-day, your endpoints are still safe.

Protect before you detect is the only safe approach.

Doppelgänging may be new to cyber-defenders and researchers, but there’s no telling how long the bad actors have been using it to breach enterprise and government networks. And the next round of malware is already out there, yet to be detected.

Our advice:

  • For untrusted tasks, such as email attachments, email links, web links, and executables, assume the worst.
  • For detection capabilities (including ours), assume the worst.
  • Rely on isölatiön – it will keep you protected against threats that you didn’t even know existed (or couldn’t spell, anyway.)

To learn more about Bromium’s innovative micro-VM approach to application isolation, visit our website or contact us.

About the Author

Adrian Taylor
CTO, Protected Apps at Bromium
