'Doppelganging' Attack Evades Antivirus, Hits All Windows Versions

A newly discovered malware attack affects all versions of Windows, often isn't detected by antivirus software and can't be patched. This isn't a riddle: it's the Process Doppelganging attack, which was presented today (Dec. 7) at the Black Hat Europe 2017 security conference in London.

Eugene Kogan and Tal Liberman, two researchers at enSilo, a security firm based in San Francisco, said Process Doppelganging abuses NTFS mechanisms to silently sneak malware into a Windows system without leaving a trace. (NTFS has been the default file system for all versions of Windows since 2001.)

Kogan and Liberman explained that the attack replaces code in an open file, creates a malicious process out of the altered code, then reverts the original file to its previous state so that nothing is ever written to disk.

The researchers didn't describe exactly how they did this, but told Bleeping Computer that the attack "cannot be patched since it exploits fundamental features and the core design of the process-loading mechanism in Windows."

The Process Doppelganging attack "is not a vulnerability, but an evasion technique," Liberman said to ZDNet. "We did submit a description of the technique to Microsoft and as they, too, do not deem it to be a vulnerability, they will not address it."

The pair said they'd tested the Process Doppelganging attack against several top antivirus brands, including Kaspersky, Bitdefender, ESET, Symantec and McAfee, and it had successfully evaded each one. However, they specified that Kaspersky, Symantec and McAfee failed to detect Process Doppelgänging on Windows 7, which may imply that those brands did catch it on the generally more secure Windows 10.

One product that apparently does protect against the attack, naturally, is enSilo's own "next-generation" antivirus solution, available to its corporate customers.

On the upside, Kogan and Liberman said the Process Doppelganging attack is pretty hard to pull off.

"There are a lot of technical challenges," they told Bleeping Computer, and the attack uses "a lot of undocumented details on process creation."

In an enSilo press release, Liberman said that the Process Doppelgänging attack requires "intimate knowledge of the inner workings of AVs' file-scanning engines."

Like many firms selling their "next-gen" antivirus products to enterprise clients, enSilo aims to demonstrate the failings of "traditional" antivirus software. In February 2016, two other enSilo researchers showed how malware could attack a Windows machine by abusing the "hooks" that regular antivirus products create to monitor applications and system processes.
