Security researchers discovered a series of implementations of an old type of exploit known as code hooking. These implementations are increasing and becoming more dangerous. Operating under the name of Captain Hook, these exploits make use of code injection techniques that could cause numerous vulnerabilities and potentially affect thousands of products.

On the Hook

Let’s take a closer look at what’s going on with this exploit. Code hooking is a very intrusive coding operation where mainly OS function calls are intercepted by a program to alter or augment their behavior. Antivirus programs do this all the time when they discover a piece of malware or when some modified routine is behaving badly.

However, code hooking has other purposes too, such as general program debugging, monitoring and intercepting messages, according to the SecurityXploded blog.

A Double-Edged Hook

The problem is that hooking can be used for both good and evil; it can be used not just to detect malware, but also to help malware authors perform their dirty business. Code hooking can hide a rootkit, for example, so it looks more benign, or make it harder to detect what the malware is actually doing on a system.

Code hooking is essentially how most man-in-the-browser attacks occur. In this case, the “normal” program calls a hook, stops what it is doing and passes control to the malware, which picks up its operation and continues to execute the exploit. One of the first instances of this kind of behavior was the Duqu malware.

Typically, these hooks allow intrusive software to intercept and monitor API calls. According to Breaking Malware, “most anti-exploitation solutions monitor memory allocation functions, such as VirtualAlloc and VirtualProtect, in an attempt to detect vulnerability exploitation.” The rest of the article goes into further detail how hooking is accomplished and how a typical hooking engine is constructed for evil purposes.

Code Hooking Is Here to Stay

Code hooking will likely be with us a long time. It’s an incredibly tempting target for malware authors, who will continue to use it for their criminal activities. Prepare to protect your enterprise by studying the malware’s actions and recognizing the attack when your scans detect it.

Read the IBM white paper to learn more about the thriving malware industry

More from Mainframe

How Dangerous Is the Cyberattack Risk to Transportation?

If an attacker breaches a transit agency’s systems, the impact could reach far beyond server downtime or leaked emails. Imagine an attack against a transportation authority that manages train and subway routes. The results could be terrible. Between June of 2020 and June of 2021, the transportation industry witnessed a 186% increase in weekly ransomware attacks. In one event, attackers breached the New York Metropolitan Transportation Authority (MTA) systems. Thankfully, no one was harmed, but incidents like these are cause…

Low-Code Is Easy, But Is It Secure?

Low-code and no-code solutions are awesome. Why? With limited or no programming experience, you can quickly create software using a visual dashboard. This amounts to huge time and money savings. But with all this software out there, security experts worry about the risks. The global low-code platform market revenue was valued at nearly $13 billion in 2020. The market is forecast to reach over $47 billion in 2025 and $65 billion in 2027 with a CAGR of 26.1%. Very few,…

Starting From Scratch: How to Build a Small Business Cybersecurity Program

When you run a small business, outsourcing for services like IT and security makes a lot of sense. While you might not have the budget for a full-time professional on staff to do these jobs, you still need the services.However, while it might be helpful to have a managed service provider handle your software and computing issues, cybersecurity for small and medium businesses (SMBs) also requires a personal, hands-on approach. While you can continue to outsource some areas of cybersecurity,…

A Journey in Organizational Resilience: Supply Chain and Third Parties

The next stop on our journey focuses on those that you rely on: supply chains and third parties.  Working with external partners can be difficult. But, there is a silver lining. Recent attacks have resulted in an industry wake-up call when it comes to cybersecurity resilience. You see, the purpose of using external partners is to take advantage of a capability that your organization did not have, or the vendor was just better at than you. In turn, there was…