VXers eyeing 'undetectable' codeless code-injection technique

Cyber Defence Summit enSilo founder Udi Yavo has detailed a new code injection technique he claims will become commonplace in coming months.

The codeless code injection system is the latest in a series that is critical to the operation of malware and security software.

Yavo revealed the attack at the Cyber Defence Summit in Washington DC today, but did not release the code.

“It's complex but we will soon see it out in the wild,” Yavo told El Reg.

“We don't want to give it straight to malware writers ... but attacks we released January without code were still adopted by malware writer six months later."

“There is no easy way to detect the [codeless] injection techniques, no easy way to see that the injection has happened – only memory forensics can detect it," he said.

Generic defensive techniques will not work, Yavo said, since discovering the attacks requires identification of artifacts.

enSilo founder Udi Yavo

Those detection problems are becoming more common as injection techniques evolve.

The attacks are becoming more specific since the creation of Powerloader, the first technique to use return oriented programming to change small code sequences to execute arbitrary operations.

The enSilo founder offered a deep technical history of injection techniques covering classic code injection methods, advanced injections, and kernel mode injections including Trap Frame and codeless code injections. ®

Darren Pauli travelled to Washington DC as a guest of FireEye.