Microsoft’s Response to AtomBombing is Post Infection Detection
The Microsoft update that addresses both “Process Hollowing” and “AtomBombing” will be available only to customers who have purchased Windows Defender ATP, and only in October or November 2017. Windows Defender ATP has been addressing security issues for less than a year, and Windows customers have to purchase it separately.
The Impact of AtomBombing Endpoint Infection
enSilo researchers discovered AtomBombing back in October 2016. At the time of its release, AtomBombing went undetected by most security solutions because the attacker hides the injected malicious code within an atom table. Once AtomBombing is used successfully, the attacker can hide within legitimate processes, which makes them harder to detect, and gains a new route to move freely within the infected device.
AtomBombing Attributions and Impact
- Atom tables are part of the Windows operating system and allow applications to store and share data. The name AtomBombing is derived from the use of atom tables; the “bombing” part is self-explanatory. AtomBombing is stealthy and avoids detection by using innocent-looking APIs to pass code into the target process through the global atom table.
- AtomBombing has the ability to fool whitelisted apps into executing malicious operations that go undetected by most security products.
- AtomBombing can’t be patched.
- AtomBombing evades detection.
- AtomBombing is another tool for an attacker to add to their toolbox.
AtomBombing was also found in a version of the notorious Dridex banking Trojan that evaded detection and took part in a malicious campaign targeting UK banks.
Beyond Detection - The Need for Real-Time, Post Infection Protection
According to Microsoft, “even the best pre-infection endpoint defenses will be breached eventually, as cyberattacks become more sophisticated and targeted. Windows Defender Advanced Threat Protection (ATP) helps our enterprise customers detect, investigate, and respond to advanced attacks and data breaches on their networks.”
enSilo takes both a pre-infection (NGAV) and a post-infection (automated EDR) approach that goes beyond detection and also offers real-time protection and blocking of malware on infected endpoints. enSilo's post-infection capabilities reside inside the operating system and will stop attackers from stealing or maliciously encrypting your data. enSilo is the only comprehensive endpoint security solution that provides real-time protection, pre- and post-infection.
Malware and cyberattacks are evolving and modifying their intrusion techniques so quickly that even an overcrowded market of security products is bypassed daily. Data breach forensic reports tell us that the malware behind the most significant breaches usually went undetected for months, and in some cases years. Isn’t it time to look at information security differently? Keeping up with the different malware strains and the new malicious techniques that are constantly being developed is beyond manic. Simply prevent the consequences.