Microsoft PatchGuard flaw could let hackers plant rootkits on x64 Windows 10 boxen

Redmond shrugs, says PC would already need to be thoroughly pwned

businessman shrugging - illustration via shutterstock

Flaws in Microsoft PatchGuard create a means for hackers to plant rootkits on Windows 10, 64-bit OS devices.

The newly discovered attack technique, dubbed GhostHook, allows attackers to completely bypass PatchGuard, security researchers at CyberArk Labs warn.

PatchGuard (formally known as Kernel Patch Protection) was developed to prevent Windows users patching the kernel, and by extension make the OS more secure by preventing hackers from running rootkits at the kernel level. CyberArk Labs reckons GhostHook is the first technique that thwarts the defensive technology to bypass PatchGuard and hook a rootkit at the kernel level.

Hooking techniques, which have both benign applications in debugging and the like or malicious uses, give users control over the way an operating system or a piece of software behaves.

GhostHook is neither an elevation nor an exploitation technique. "This technique is intended for post-exploitation scenarios where the attacker has control over the asset," CyberArk explains. "Since malicious kernel code (rootkits) often seeks to establish persistence in unfriendly territory, stealth technology plays a fundamental role."

GhostHook is nonetheless dangerous because it runs under the radar at such a low level that it avoids detection by antivirus or personal firewall technologies. Attack scenarios would include using malware or a hacking tool to compromise a target system before deploying GhostHook to establish a permanent, stealthy presence on a compromised x64 Windows 10 computer.

Attackers might be able to use the method to plant a rootkit in the kernel – completely undetectable to third-party security products and invisible to Microsoft's PatchGuard itself.

64-bit malware currently makes up less than 1 per cent of the current threat landscape. Notable examples include Shamoon, the disk-wiping malware used in the Saudi Aramco attack, and Flame, a nation state-grade espionage malware discovered in 2012 and associated with the Stuxnet attacks on Iran's nuclear program.

GhostHook opens the door for the proliferation and commoditisation of more sophisticated 64-bit malware previously reserved for use by nation states in advanced attacks, CyberArk warns.

In response to CyberArk's research, Microsoft played down the flaw's significance, essentially arguing that it only came into play on systems that were already comprehensively pwned. Redmond has no immediate plans to patch PatchGuard, though it might revamp the technology in future releases.

The engineering team has finished their analysis of this report and determined that it requires the attacker already be running kernel code on the system. As such, this doesn't meet the bar for servicing in a security update, however it may be addressed in a future version of Windows. As such I've closed this case.

"This technique requires that an attacker has already fully compromised the targeted system. We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers," a Microsoft spokesperson told El Reg.

CyberArk expressed disappointment with this response. "Microsoft does not seem to realize that PatchGuard is a kernel component that should not be bypassed, since PatchGuard blocks rootkits from activities such as SSDT hooking, not from executing code in kernel-mode." ®

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017