Hackers Weaponize Obscure Windows Feature

By John Lister

Microsoft has detailed the intricate, carefully crafted attack techniques of a long-established group of online spies. Among them is the abuse of a now-retired Windows feature that was originally designed to make updates easier to apply.

Thankfully for home users, the attacks from the group Microsoft dubs "Platinum" have been highly targeted, aimed at government, defense, communications and intelligence agencies and organizations. That's prompted speculation that a government may be behind the attacks.

The details come in a report by Microsoft's Windows Defender Advanced Threat Hunting team. It notes that while some attacks are indiscriminate and rely on sheer force of numbers to find victims, the Platinum group is highly organized, picks its targets very specifically, and places great emphasis on remaining undetected. It's been operating since 2009 and mainly goes after organizations in South and Southeast Asia.

Attackers Abused 'Hot patching' Feature

What makes the report so interesting is that it's the first time a previously theorized technique has been seen in real-world use. The technique abuses "hot patching," a feature introduced with Windows Server 2003 and removed from Windows 8 onward, which makes Windows 7 and Windows Server 2008 R2 the last versions to carry it. (Source: arstechnica.com)

The hot patching feature allowed Windows to apply software updates that took effect immediately, without restarting the computer or even closing any running programs: the patch code is inserted into executables and DLLs already loaded in running processes. It required administrator-level privileges, and Microsoft itself only ever shipped 10 hot patches, all for Windows Server 2003, though the capability was present in desktop editions of Windows as well. (Source: microsoft.com)

The biggest difference between hot patching and the usual ways of getting malicious code into a process is that the attackers didn't have to write the malware's executable to disk or inject a DLL through the standard remote-thread route, both of which are exactly the kinds of activity anti-malware and antivirus software typically watch for. Hot patching goes through the operating system's own patching path instead, so products that only hook the conventional injection calls see nothing. Note that this is an evasion technique rather than a way in: the attackers already needed administrator rights on the machine before they could use it.

Researchers Warned of Risk

Security researchers had warned of the possibility of attackers abusing the feature to plant malicious software, and that's exactly what the Platinum group did, primarily using it to remotely install espionage tools and access confidential data.

Using hot patches in this way meant many security products couldn't spot that anything was amiss. It also meant the attackers could install the malware during the normal working day, with no reboot to draw attention, making it much less likely the activity would stand out in system logs.

What's Your Opinion?

Should Microsoft have foreseen that hot patching could be abused in such a way? If it's possible to do so, should Microsoft disable the hot patch capability in Windows 7? Is it a relief to know such sophisticated attacks tend not to be targeted at home users?



Dennis Faas (comment):

It's always interesting to hear of stories like this. That said, since this type of exploit was already discussed in a conference a number of years ago, I'm guessing that the Platinum group is not the only one using hot patching to stealthily install malware onto unsuspecting systems. Only time will tell if Microsoft or other anti-malware / anti-hacking organizations are able to catch more of the bad guys using this technique.