A bug allows viruses to infect Windows computers

Anonim

A team of researchers has discovered a new technique by which malware can bypass antivirus controls and run on Windows computers, infecting the machine in the process. It has been dubbed Process Doppelgänging, and it abuses two legitimate Windows features: NTFS transactions and the process loader.

Bug allows malware to infect Windows computers

The researchers presented their findings at the Black Hat Europe 2017 security conference. The technique appears to work on every version of Windows they tested. This evasion technique also resembles Process Hollowing, a method discovered a few years earlier.

How Doppelgänging works in Windows

The technique differs from Process Hollowing, mainly because antivirus products already detect that older method. Process Doppelgänging takes a different route to the same goal: it combines NTFS transactions (TxF) with an older implementation of the Windows process loader. That loader path dates back to Windows XP, but every later version of Windows still carries it.

NTFS transactions let a program create, modify, rename, and delete files and directories inside a transaction, so that developers can roll back every change if something goes wrong. The attack opens a transaction on a legitimate executable and, inside that transaction, overwrites it with the malicious file. It then creates an image section in memory from the transacted file and rolls the transaction back, which returns the file on disk to its original, legitimate contents. The process is finally started from that section: the memory section holds the malicious code, but the file that security products scan is the clean one, so the payload stays invisible to antivirus.
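Because the transaction is rolled back, the file on disk never holds the payload, which is why scanning the file misses it; the artefact that survives is the gap between what is on disk and what is mapped in the process. The Python below is an added example, not code from the article or from the researchers' tool: it parses the PE section table of a constructed two-section image, simulates the loader placing each section at its VirtualAddress, and reports non-writable sections whose bytes in memory differ from the bytes on disk. The sample binaries, their section layout, and both scenarios are constructed for illustration.

```python
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000


def parse_sections(image):
    """Walk the PE headers and return the section table as a list of dicts.
    Works on both the on-disk file and the mapped image, since the headers
    sit at offset 0 in both."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    file_header = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, file_header + 2)[0]
    opt_size = struct.unpack_from("<H", image, file_header + 16)[0]
    table = file_header + 20 + opt_size          # IMAGE_FILE_HEADER is 20 bytes
    sections = []
    for i in range(num_sections):                # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"),
                         "vaddr": vaddr, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize, "flags": flags})
    return sections


def compare_disk_to_memory(disk_image, mapped_image):
    """Return the names of non-writable sections whose bytes on disk (at
    PointerToRawData) differ from the bytes in memory (at VirtualAddress).
    Writable sections are skipped because they legitimately change at runtime."""
    mismatched = []
    for s in parse_sections(disk_image):
        if s["flags"] & IMAGE_SCN_MEM_WRITE:
            continue
        n = min(s["rawsize"], s["vsize"])
        on_disk = disk_image[s["rawptr"]:s["rawptr"] + n]
        in_memory = mapped_image[s["vaddr"]:s["vaddr"] + n]
        if on_disk != in_memory:
            mismatched.append(s["name"])
    return mismatched


def section_header(name, vaddr, vsize, rawptr, rawsize, flags):
    return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                       vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)


def build_pe(text, data):
    """Constructed sample input: a two-section PE32 skeleton (not a runnable
    program) with just enough header structure for parse_sections to read."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<II", optional, 32, SECTION_ALIGN, FILE_ALIGN)
    sections = (section_header(b".text", 0x1000, len(text), 0x200, FILE_ALIGN, 0x60000020)
                + section_header(b".data", 0x2000, len(data), 0x400, FILE_ALIGN, 0xC0000040))
    headers = (bytes(dos) + b"PE\0\0" + file_header + bytes(optional) + sections).ljust(FILE_ALIGN, b"\0")
    return headers + text.ljust(FILE_ALIGN, b"\0") + data.ljust(FILE_ALIGN, b"\0")


def map_image(disk_image):
    """Simulate the loader: copy the headers, then place each section at its
    VirtualAddress in a section-aligned buffer. This is the view a scanner gets
    by reading the process's image region."""
    sections = parse_sections(disk_image)
    end = max(s["vaddr"] + max(s["vsize"], s["rawsize"]) for s in sections)
    mapped = bytearray((end + SECTION_ALIGN - 1) & ~(SECTION_ALIGN - 1))
    mapped[:FILE_ALIGN] = disk_image[:FILE_ALIGN]
    for s in sections:
        mapped[s["vaddr"]:s["vaddr"] + s["rawsize"]] = disk_image[s["rawptr"]:s["rawptr"] + s["rawsize"]]
    return bytes(mapped)


LEGIT_FILE = build_pe(b"\x55\x89\xe5\x5d\xc3", b"legit\0")   # constructed "legitimate" binary
PAYLOAD_FILE = build_pe(b"\xcc" * 5, b"legit\0")             # constructed payload, same layout


def doppelganging_scenario():
    """What a memory scanner sees after Process Doppelgänging: the rolled-back
    file on disk is the legitimate one, but the process image was mapped from
    the payload the transaction held. The .text mismatch is the tell."""
    return compare_disk_to_memory(LEGIT_FILE, map_image(PAYLOAD_FILE))


def benign_scenario():
    """A normally loaded process that wrote to .data at runtime: no alert."""
    mapped = bytearray(map_image(LEGIT_FILE))
    mapped[0x2000:0x2006] = b"dirty\0"        # writable section changed at runtime
    return compare_disk_to_memory(LEGIT_FILE, bytes(mapped))


if __name__ == "__main__":
    print("doppelganging:", doppelganging_scenario())   # ['.text']
    print("benign:", benign_scenario())                 # []
```

On a real system the disk image comes from the executable's path and the mapped image from reading the process's image region. Base relocations and import-table patching produce benign differences in .text and .rdata that a production memory scanner has to normalise before comparing; this example does not do that, so on live processes it would need that step before its mismatches could be trusted.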

In the researchers' tests the technique evaded the major antivirus products, so it is a problem that needs to be addressed. It appears to affect every version of Windows they tested, with Windows 10 Fall Creators Update as the exception. Because it abuses documented features rather than a memory-safety bug, there is no single patch to apply; defenders have to look at what is actually mapped in a process rather than trusting the file on disk.
