Security researchers discovered a series of implementations of an old type of exploit known as code hooking. These implementations are increasing and becoming more dangerous. Operating under the name of Captain Hook, these exploits make use of code injection techniques that could cause numerous vulnerabilities and potentially affect thousands of products.
On the Hook
Let’s take a closer look at what’s going on with this exploit. Code hooking is a very intrusive coding operation where mainly OS function calls are intercepted by a program to alter or augment their behavior. Antivirus programs do this all the time when they discover a piece of malware or when some modified routine is behaving badly.
However, code hooking has other purposes too, such as general program debugging, monitoring and intercepting messages, according to the SecurityXploded blog.
A Double-Edged Hook
The problem is that hooking can be used for both good and evil; it can be used not just to detect malware, but also to help malware authors perform their dirty business. Code hooking can hide a rootkit, for example, so it looks more benign, or make it harder to detect what the malware is actually doing on a system.
Code hooking is essentially how most man-in-the-browser attacks occur. In this case, the “normal” program calls a hook, stops what it is doing and passes control to the malware, which picks up its operation and continues to execute the exploit. One of the first instances of this kind of behavior was the Duqu malware.
Typically, these hooks allow intrusive software to intercept and monitor API calls. According to Breaking Malware, “most anti-exploitation solutions monitor memory allocation functions, such as VirtualAlloc and VirtualProtect, in an attempt to detect vulnerability exploitation.” The rest of the article goes into further detail how hooking is accomplished and how a typical hooking engine is constructed for evil purposes.
Code Hooking Is Here to Stay
Code hooking will likely be with us a long time. It’s an incredibly tempting target for malware authors, who will continue to use it for their criminal activities. Prepare to protect your enterprise by studying the malware’s actions and recognizing the attack when your scans detect it.