Traps Prevents AtomBombing attack
Created On 09/25/18 18:19 PM - Last Modified 07/19/22 23:09 PM
Resolution
Recently a cybersecurity company claimed it had discovered a design flaw (not a vulnerability which could be fixed) in Windows that made users vulnerable to malware. The company that discovered the flaw also claimed that security solutions would not be able to stop this type of attack, which it called AtomBombing.
AtomBombing is the name of an attack technique which uses Windows atom tables to exploit a system via code injection techniques. Microsoft defines atom tables as: “a system-defined table that stores strings and corresponding identifiers.”
Once the malicious code has been injected into atom tables, attackers can leverage legitimate programs to execute this malicious code. However, before code injection takes place, the endpoint first needs to be compromised. In other words, the code injection sequence is part of the attack chain that happens post-infection.
Unlike solutions that rely heavily on detection and response capabilities, Traps uses multi-method malware prevention capabilities (WildFire analysis, Local Static Analysis, policy-based execution restrictions, etc.) and is capable of stopping these types of attacks even before they can infect an endpoint and start to inject code.
If for some reason the attack were able to bypass Traps malware prevention, then, based on the technique cited by the company, Traps would also prevent the code injection with our ROP and JIT exploit prevention modules, which prevent exploit attacks based on their techniques, not on signatures or pattern