Protect against the undetectable Process Doppelgänging with Bromium
- Process Doppelgänging is a new code injection technique that bypasses most security tools and works on all Windows versions.
- Relying on detect-to-protect security solutions will leave you vulnerable to Process Doppelgänging.
- Bromium executes untrusted tasks in a hardware-isolated virtual machine, so you are always protected, even from zero-days and new, undetectable technique.
What is Process Doppelgänging?
For starters, it’s a phrase that requires you to figure out how to type an umlaut (Alt – 0228, if that helps). And no, it’s not the name of the latest heavy metal band.
Process Doppelgänging a stealthy new technique in a growing list of attack methods that are notoriously hard to detect and mitigate for modern anti-virus (AV) solutions.
The news of this beast broke at the Black Hat 2017 security conference in London. Full details haven’t been published, but experts suggest that it resembles a technique called Process Hollowing – a cunning practice that works by using common, legitimate, and inconspicuous processes, such as iexplore.exe (browser) or explorer.exe (file manager) as containers for hostile code.
As soon as the process is started, the malicious code forces it to pause, wipes its memory, and injects alternative code. Even though the file on disk (explorer.exe) is unchanged, the process and its data have now been hijacked by the malware.
Read the entire article here, Protect against the undetectable Process Doppelgänging with Bromium
via the fine folks at Bromium