Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime.
The bug affects PsSetLoadImageNotifyRoutine, one of the low-level mechanisms some security solutions use to identify when code has been loaded into the kernel or user space.
The problem is that an attacker can exploit this bug in a way that PsSetLoadImageNotifyRoutine returns an invalid module name, allowing an attacker to disguise malware as a legitimate operation.
The issue came to light earlier this year when enSilo researchers were analyzing the Windows kernel code. Omri Misgav, Security Researcher at enSilo and the one who discovered the issue, says the bug affects all Windows versions released since Windows 2000.
Misgav’s tests showed that the programming error has survived up to the most recent Windows 10 releases.
Microsoft introduced the PsSetLoadImageNotifyRoutine notification mechanism as a way to programmatically notify app developers of newly registered drivers. Because the system could also detect when a PE image was loaded into virtual memory, the mechanism was also integrated with antivirus software as a way to detect some types of malicious operations.
Right now, the biggest problem is that security software relies on this method to detect some types of malicious operations.
“We did not test any specific security software,” Misgav told Bleeping Computer via email. “We are aware that some vendors do use this mechanism, however at this point in time we cannot say if and how the use of the faulty [PsSetLoadImageNotifyRoutine] information affects them.”
“We [also] contacted MSRC [Microsoft Security Response Center] about this issue at the beginning of this year,” Misgav told Bleeping. “They did not deem it as a security issue.”
“Some references online indicate that the bug was somewhat known, but as far as we can tell its root cause and full implications weren't described in detail up until now,” the researcher also said.
For technical details, an enSilo blog post details the fine intricacies of how PsSetLoadImageNotifyRoutine works and how the bug alters its normal, supposed behavior.