These are quick first looks and trend and threats


Read More >>
Written by the security and AV professionals from team K7, meant for the general audience
Read More >>
These are usually articles that go into internals of a virus or deal with security issues
Read More >>
Senior managers speak on areas of interest to them, inside and outside the industry
Read More >>

Archive for the ‘Security news’ Category

Rooting for Trouble

Friday, May 22nd, 2015


Despite device manufacturers’ announcement to the user about the void warranty on rooting Android phones, users still root their phones for various reasons such as installing special applications that runs only on a rooted device, removing built-in apps, USB tethering, turning the device into a Wi-Fi hotspot, etc., compromising on the features of security, performance and at the potential cost of the phone itself, as the user might fail at any step in the device-dependent process of rooting the device without a warranty safety net.

Apart from the traditional rooting methods, there are tools available online to root the device that can be run through either ADB or installed directly on the device.

One should also be aware that many Android malware require root access (administrative power) to execute the desired malefide functions on the victim’s device. They acquire root access by bundling with other good applications that require root access, by triggering an application in the victim device that requires root access, or by invoking exploits that they carry within themselves, as in the case of Android/DroidDream that carries the exploits RageAgainsttheCage and Exploid. In addition the recent Android PowerOffHijack malware exemplifies the ill-effects on the Android operating system if administrative power is acquired by a malware.

Security enhancements in Android notwithstanding, there are still new vulnerabilities and exploits for the OS being identified regularly. As per the recent Microsoft report that includes statistics on vulnerabilities and exploits reported in the second half of 2014, lots of the non-Windows exploits found on Windows computers are for the Android operating system and Open Handset Alliance.

All this implies that Android smartphone users should:

  • Ponder whether they really need to root the device
  • Be vigilant about the applications downloaded to root the device
  • Download the required application only from the official Google Playstore
  • Turn on the feature of “Verify apps” that is available with Android 4.2 or higher

Images courtesy of:
Talkandroid.com
Rootmyandroid.org
www.techlegends.in

V.Dhanalakshmi, Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Online Shopping Tips for Fashionistas

Monday, May 11th, 2015

This is the third part of the blog series on women’s cyber safety, discussing “ONLINE SHOPPING”, the popular term doing the rounds in recent times, continuing from the second part which described cyberbullying and its consequences in one’s life . A survey states that the majority of the goods sold online are of fashion categories, which in turn could suggest that there are a huge number of women customers indulging in online/mobile shopping.

The convenience of online shopping is coupled with its own risk. Online shoppers should be aware of the possibility of online fraud as cyber criminals continue to engage cyber space to target credit/debit cards, bank accounts and miscellaneous user credentials to carry out financial transactions.

Online buyers should be aware of the following:

  1. Phishing attacks where a fraudulent website resembles a popular legitimate website enticing the user to carry out financial transactions which results in both monetary and data loss to the user or causes the download of a malware hosted on the crafted website.
  2. One should also be careful about the online portal at which she/he opts to shop, as there are online fraud campaigns reported where the purchased goods are either never delivered or a different product is delivered to the buyer with a time delay. In either case ultimately it is a financial loss to the buyer.
  3. Shop online only through the portals whose website address starts with “https://” (‘s’ stands for secure) with a lock symbol appearing next to it (or sometimes on the bottom right corner of the browser window), which indicates that the portal uses SSL encryption.

With the increasing usage of smart devices, shopping is being made mobile- “SHOPPING ON THE GO”. The number of Indian customers for mobile shopping is growing given the special deals on purchases and the reduced time factor. In addition, the concept of e-wallet has attracted a large user base by presenting the shopper with additional deals and discounts.

E-wallet portals or mobile shopping applications are seen to:

  1. Provide the choice of saving the buyer’s credit/debit card details in their database for future use. This raises the question “how secure is the data stored at the merchant’s end?”
  2. Auto-login with Facebook or Google account. In case of the mobile being stolen or lost, auto-logging in along with saved credit/debit card details might be a recipe for disaster.

Regardless of whether the shopping is through online computers or mobile devices, one should always:

  • Choose a reputed portal by reading through the reviews available and its track record
  • Download the mobile shopping/banking apps from the official app store
  • Think twice before saving your banking information or credit/debit cards details
  • Avoid opening advertisements or mails from an unknown seller or portal

Images courtesy of:

Dealwithus.co.in
betanews.com
globaldatacompany.com
thinglink.com

V.Dhanalakshmi, Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

TeslaCrypt Can Affect You, Gamer or Not!

Monday, April 20th, 2015

Following positive feedback on our blog a couple of months ago describing CTB Locker we have been requested to do a piece on another ransomware, TeslaCrypt.

Ransomware is a type of malware, becoming more common by the day, which denies access to your computer resources, e.g. by encrypting your personal documents, etc., until a hefty sum is paid to the criminal gang which caused the infection. Ransomware is terribly destructive which is why my colleague Gregory and I have decided to present our views on how to curb this scourge at the international Virus Bulletin security conference later this year.

Now then, TeslaCrypt. There has been plenty of publicly-available data on TeslaCrypt since its emergence in February. It is possible that many currently believe that TeslaCrypt attacks only gamers and gaming software. This is not the case, of course. Similar to most other ransomware TeslaCrypt encrypts documents, music and photos. In addition to these common filetypes it also encrypts files with extensions which are used specifically by gaming software.

A fresh sample of TeslaCrypt from a couple of days ago reveals that its functionality has not changed much from its first avatar, even as it is enveloped in new robes to evade detection, which it fails to do, by the by. This “latest version” (VV3) of TeslaCrypt encrypts files with the following extensions:

.sql;.mp4;.7z;.rar;.m4a;.wma;.avi;.wmv;.csv;.d3dbsp;.zip;.sie;.sum;.ibank;.t13;
.t12;.qdf;.gdb;.tax;.bc6;.bc7;.bkp;.qic;.bkf;.sidn;.sidd;.mddata;.itl;.itdb;
.hplg;.hkdb;.mdbackup;.syncdb;.gho;.cas;.svg;.map;.wmo;.itm;.sb;.fos;.forge;
.ztmp;.sis;.sid;.ncf;.menu;.layout;.dmp;.blob;.esm;.vcf;.vtf;.dazip;.fpk;.wb2;
.vpk;.tor;.psk;.rim;.w3x;.fsh;.ntl;.arch00;.lvl;.snx;.cfr;.ff;.vpp_pc;.lrf;.ltx;
.vfs0;.mpqge;.kdb;.db0;.dba;.rofl;.hkx;.bar;.upk;.das;.iwi;.litemod;.asset;.xf;
.bsa;.apk;.re4;.sav;.lbf;.slm;.bik;.epk;.rgss3a;.pak;.big;.unity3d;.wotreplay;
.py;.m3u;.flv;.js;.css;.rb;.png;.jpeg;.txt;.p7c;.p7b;.p12;.pfx;.pem;.crt;.cer;
.srw;.pef;.ptx;.r3d;.rw2;.rwl;.raw;.raf;.orf;.nrw;.mrwref;.mef;.erf;.kdc;.dcr;
.bay;.sr2;.srf;.arw;.3fr;.dng;.jpe;.jpg;.cdr;.indd;.ai;.eps;.pdf;.pdd;.psd;.dbf;
.rtf;.wpd;.dxg;.dwg;.pst;.accdb;.mdb;.pptm;.pptx;.ppt;.xlk;.xlsb;.xlsm;.xlsx;
.xls;.wps;.docm;.docx;.doc;.odb;.odc;.odm;.odp;.ods;.odt;.pkpass;.mov;.vdf;
.icxs;.hvpl;.m2;.mcmeta;.mlx;.kf;.iwd;.xxx;.desc;.der;.x3f;.cr2;.crw;.mdf;


A diff between the extension list then (February-end) and now shows the following entries:

> .sql
> .mp4
< .sc2save

> .zip
< .mcgame

> .mov
< .001

> .vcf
< .DayZProfile

> .dba
< .dbfv

> .dbf

“>” indicates a new entry and “<” indicates a removed entry. Interestingly it appears there’s now a reduced emphasis on gamers and more on the general public, targeting ZIP archives and database-related files, etc.

The main ransom demand splash screen and “help” message remain relatively unchanged:

Note, the threat to double the decryption price is somewhat different from the previous one which, as usual, claimed that the private key would be deleted after the time counter has run down to 0.

Encrypted files still appear as <original file name with original extension>.ecc:

TeslaCrypt still masquerades as the infamous Cryptolocker, a year after its demise, by continuing to create a shortcut on the desktop with the said name:

As can be seen from the above image TeslaCrypt continues to execute itself as a randomly-named EXE at the root of the Application Data directory. It still drops a file called key.dat in the same location. It has been reported that key.dat contains the 256-bit AES symmetric key used to encrypt the target files, which is eminently possible. It is worth mentioning that TeslaCrypt contains references to OpenSSL functions, e.g. BN_CTX_new(), which must be used to perform the encryption. The exact format of key.dat is as yet unknown so we are unsure which part of it may be the AES key.

Thus far we have covered several indicators of compromise, and we hope you are not experiencing an uncomfortable sense of déjà vu whilst reading this blog. Let’s now address the typical queries related to malware, with the focus on TeslaCrypt and other ransomware:

  • How did it get on my computer?

TeslaCrypt’s modus operandi vis-à-vis spreading itself is via hacked websites which trigger exploits for your browser, typically referred to as a drive-by-attack. Other ransomware tend to spread via mass-mailed attachments.

  • How should I prevent an infection?

The malware should be arrested as soon possible before any damage is done. As in the case of any other malware, we would recommend the usual hygienic best practices:

  1. Surf only known, highly-reputable sites
  2. Don’t open email attachments from unknown sources
  3. Keep your security software up-to-date. Some security software such as K7’s Total Security contains Carnivore Technology to heuristically block attempts to exploit your browser
  • Now that I am infected, what should I do?

We’ll have to be brutally honest. In the case of modern ransomware you have found yourself in a difficult situation. It is typically impossible to decrypt the targeted files without the appropriate key. We strongly discourage paying any ransom to potentially obtain the key and recover your files, though, since this would only serve to fund and encourage further criminal activity.

Restoring a previous known good state from OS system restore points is sometimes an option but TeslaCrypt attempts to prevent this escape by deleting the restore points by executing the following command:

vssadmin delete shadows  /all

Instead it is hoped that you would have backed up your important files in a disciplined fashion on external media and/or on online repositories. If you are not in the habit of backing up your files, we would highly recommend this practice. Please note, a general hard disk failure is much more likely to strike you than a ransomware infection!

We hope this content helps build awareness about malware in general and ransomware in particular, with an emphasis on TeslaCrypt, thus aiding the relentless battle against innumerable cyber bandits.

Generic ransomware image (first) courtesy of:
files.itproportal.com

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

Surge in Unauthorized Access Grabbing

Monday, March 30th, 2015

Authorization, an access control system, is all about administering and providing sensitive system access to a process or an application or a class of users based on their privilege level. Privacy and security concerns arise when system resources are accessed by an unauthorized process, application, or user.

Application and system developers always strive to incorporate secure authorization systems in their software. On the other hand, hackers come forth with new exploit techniques to elevate the access privilege associated with a specific process, system, or user. Many of the attacks start with an entry into the targeted systems with limited privileges and then an attempt to elevate privileges by exploiting a vulnerability in the OS itself or in third-party installations.

We conducted a short piece of research work on Elevation of Privilege (EoP) vulnerabilities using publicly available information on vulnerabilities discovered in operating systems, desktop applications and browsers. Interestingly the data indicates a significant rise in EoP vulnerabilities over the past two–and-half years.

From our research set on Microsoft Windows operating system vulnerabilities found over the time period mentioned earlier, we found that out of 700 vulnerabilities, 115 vulnerabilities were Privilege Escalation vulnerabilities, i.e. approximately 16%. It is clear from the research data set that attackers or malware writers are focusing more on EoP vulnerabilities to carry out their malicious attack as silently as possible.

Standalone exploitation of EoP vulnerability might not be sufficient for the attacker to achieve the required destructive behavior thus forcing the attacker to look for yet more vulnerability in the system to exploit.

The following is a list of commonly exploited Windows components:

The Group Policy Service
Windows kernel-mode driver (Win32k.sys)
Cryptography Next Generation kernel-mode driver (cng.sys)
WebDAV kernel-mode driver (mrxdav.sys)
TS WebProxy Windows component
Windows User Profile Service (ProfSvc)
Microsoft IME
TypeFilterLevel Checks
Windows audio service component
Windows TCP/IP stack (tcpip.sys, tcpip6.sys)
Kerberos KDC
FASTFAT system driver, FAT32 disk partitions
Message Queuing service
.NET Framework
Windows Task Scheduler
Windows Installer service
DirectShow
Ancillary Function Driver
On-Screen Keyboard
ShellExecute API
TypeFilterLevel checks
Group Policy preferences
NDProxy component
Local Remote Procedure Call
Windows audio port-class driver (portcls.sys)
Hyper-V
USB drivers
Windows App Container
DirectX graphics kernel subsystem (dxgkrnl.sys)
Service Control Manager (SCM)
NT Virtual DOS Machine (Ntvdm.exe)
asynchronous RPC requests handling (Rpcss.dll)
TrueType font files handling
Windows Print Spooler (Win32spl.dl)
NTFS kernel-mode driver (ntfs.sys)
Windows CSRSS (cmd.exe)
Remote Desktop ActiveX control (mstscax.dll)
Windows USB drivers

We see that the attackers often aim at a relatively highly destructive attack by exploiting privilege escalation and code execution vulnerabilities together.

Techniques employed by malware writer constantly evolve to achieve the desired privilege escalation undetected. There are many privilege elevation techniques publicly available online, such as:

  1. METHOD OF PROVIDING A COMPUTER USER WITH HIGH LEVEL PRIVILEGES, PATENT 7,945,947
  2. Exploiting The Known Failure Mechanism in DDR3 Memory referred to as Row Hammer to gain kernel privilege with the only “patch” being a replacement of the DRAM!

Sometimes it is simply not possible to patch a vulnerability.

Elevation of Privilege is not limited only to operating systems but is also witnessed in desktop applications, browsers, web applications and even in hardware. With the increasing popularity of Internet of Things across devices everywhere, the effect of exploiting an  Elevation of Privilege vulnerability in just one of the links in Internet of Things could give the attacker complete control of the whole system.

Image courtesy of:

tompattersontalks.blogspot.in

Priyal Viroja, Vulnerability Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Your Computer Too Can Catch World Cup Fever!

Monday, March 23rd, 2015

The internet is abuzz with live scores, statistics, predictions and match highlights of ICC Cricket World Cup 2015 as it gets closer to the final. A simple “2015 World Cup” keyword search can equip an avid cricket enthusiast with all the latest on the World Cup. Yet, the majority of cricket fans are unaware that the top search results could list malicious websites through the attack vector SEO (Search Engine Optimization) poisoning that cyber criminals employ to rank their websites in the top search engine results for a related keyword search.

A cricket fan should be aware about the risk in accessing an unknown website that is ranked highly in the search result. For example, by building a legitimate-looking website that is in sync with the latest information on the World Cup and incorporating their social engineering expertise the attackers could manipulate search engines to feature their website prominently.  This specially crafted website might carry a link to a malware file download to infect the victim’s computer.

SEO poisoning attacks are subtle, hard to detect by laymen and tend to occur every time a global event happens. This could even serve as an entry point to large organizations. Hence, every internet user is advised to access only known reputed websites for the latest happenings to ensure safe computing.

Bleed Blue!

Images courtesy of:

quoteimg.com
4to40.com

Archana Sangili, Content Writer

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Editor of Virus Bulletin Magazine Publishes K7’s Live Conference Presentation Online

Wednesday, March 18th, 2015

In the interest  of sharing VB2014 conference papers and presentations the editor of Virus Bulletin magazine has blogged about Gregory Panakkal’s paper titled “Leaving our ZIP undone: How to Abuse ZIP to Deliver Malware Apps” on VB’s information portal on recent security trends.

This paper explores the ZIP file format, specifically as an APK as handled by the Android OS and details the new malformations that can be imposed on the APK file format to bypass AV engine unarchiving and scanning, whilst keeping the APK valid for the Android OS. This paper also describes the concept of a “chameleon ZIP” that is application specific, and the challenges for the AV engine components that scan content based on the identified package type.

A Chameleon Zip Example

Archana Sangili, Content Writer

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Shell Team Six:Zero Day After-Party (Part IV)

Friday, March 13th, 2015

This is the fourth part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014.

Continuing from the third part of our paper…

Security Solutions Bypass

The next layer of defense that an attacker confronts is the end point security provided by third party vendors. Host Intrusion Prevention Systems (HIPS) for example, detect ROP exploitation and prevent shell code execution by injecting their modules into commonly exploited applications and placing hooks at various operating system APIs. However, these inline hooks meant to monitor suspicious activities and detect exploitation attempts are placed under the same privilege as the rest of the code in the process, thereby undermining the security solution’s ability to maintain and intercept all the required APIs.

Hook Hopping

This technique involves the attackers executing standard function prologues of intercepted APIs within self and then transferring control just past the JMP instruction intended to intercept the call.

Fig.10: Control flow depicting bypass of JMP instruction in a hooked API

The DeputyDog campaign [6] which exploited the CVE-2013-0389 vulnerability, employed the above technique to bypass the interception of WinExec() API calls by security software.

Direct SYS Calls

These are a sequence of CPU instructions that transfer control to the kernel directly from the application code instead of using the OS provided user mode APIs.

Payload Delivery via Documents or Sparse Encrypted Fetches

Shell code used as part of the exploitation chain may need to execute a larger payload to establish a backdoor on the machine. To prevent this payload from being detected by security scanners, the attackers can:

  • Embed the payload in popular document formats like PDF, DOC, etc. The shell code when run, locates this payload in the document by scanning for specific magic markers, extracts it and executes it, or
  • Download smaller encrypted chunks of the larger payload stealthily onto the victim’s machine. These chunks are later reassembled and executed on the victim’s machine.

Anti-Virus Bypassing

The attackers use custom cryptors to encrypt their malicious code and attempt to defeat traditional signature based Anti-Virus scanners. At times, these files are digitally signed using trusted stolen certificates to appear legitimate and to circumvent local system policies.

The notorious Stuxnet malware for instance used malicious kernel drivers signed with valid stolen digital certificates to bypass Anti-Virus scanners.

Equipped with information about the security solutions installed in the organization’s end point, these payloads are often tested for detection by the vendor’s security scanner before they are deployed onto the victim’s machine.

Volatile Threats

The attackers execute their malicious payloads directly on the victim’s machine without ever writing the file on the machine’s disk. Traditional security solutions that scan only files on the disk in real-time cannot see these malicious payloads that are directly written and executed in memory. Behavioral analysis systems do not intercept these operations either fearing additional performance overheads.

In the BaneChant APT campaign [7], the shell code downloaded an innocuous XOR encoded binary as the first level payload. This binary in turn downloaded a second level payload which was an executable impersonating an image file meant to bypass security scanners. Once downloaded, this binary was executed directly in memory.

Indicators of Compromise

The initial compromise stage of an APT represents an attacker’s attempts to gain entry into the target organization’s network.  In an environment defended by multiple layers of logging and security, it becomes quite a challenge for an attacker to be successful without leaving behind digital footprints. Provided below are some symptoms that could indicate a compromise in an organization’s network:

Suspicious System Changes

The presence of unauthorized applications that start from uncommon auto-start locations could indicate a compromise. Files names that resemble popular/operating system files like svchost.exe, acrord32.exe, etc. and dwell in unusual locations should also raise suspicion levels.

Fig.11: System file name present in an unusual auto-startup location

Hidden instances of popular applications like Internet Explorer, code-injection attempts into trusted operating system related processes, installation of unauthorized software, loading of driver files without an entry in the Service Control Manager, etc. could also indicate compromise.

Unusual Disk Activity

Exploitation attempts using heap spray techniques tend to use significant amounts of memory.

At times this can lead to high disk activity due to frequent page-file access. Attempts to sweep a user’s profile area for personal or confidential data could also result in increased disk activity, which could indicate compromise.

Compromised Security Components

Partially enabled security features or completely disabled security solutions on endpoints, even for a brief period of time, could indicate that something is wrong.

Loading of Unsigned Drivers in x64 Systems

x64-based Microsoft Windows verifies and allows only digitally signed driver binaries to load during system boot-up. Unsigned malware that want to load early on during the boot process will have to disable this verification process.

Boot kits for instance, tend to bypass the driver signing policy by making persistent system wide changes. Successful loading of a custom unsigned “test” driver on a machine infected with such a boot kit could indicate a compromise.

Fig.12: Windows alerting on loading an unsigned driver

Prevention/Detection

Mock Phishes

Since human behaviour is manipulated to the attacker’s advantage during this stage of an APT, training programs should be conducted at regular intervals to educate the users on the latest intrusion techniques. These programs should aim at explaining the importance of security along with adequate examples, as well as changing user behaviour such that they follow security policies correctly.

Pen test emails mimicking a spear phishing attack could be used to improve the employees’ resilience towards such attacks [8].

Virtualization

Email applications and web browsers could be run in a virtualized environment that is automatically reverted during startup.


Malicious email attachments and drive by downloads would be contained within this environment and reboot resilient code would not survive a revert-to-clean-snapshot assuming that the malware cannot escape the guest VM and infect the host.

Intent to View

Suspicious or unknown email attachments should explicitly be stripped by security solutions.

These attachments should be released to a user only if he/she explicitly requests them.

Detecting Bypassing Attempts

Evasion techniques such as hook-hopping can be identified by breaking some basic assumptions made by the attacker. The security solution can replace the random number of instructions from the function prologue with its own code sequence. This way, shell code that attempts to bypass the initial JMP instruction would still land on the code sequence controlled by the security solution.

Few security solutions use multiple int 0×3 instructions past the initial JMP instruction to trigger a debug exception when executed, breaking the flow of execution.

Hook bypass attempts using direct system calls from user-mode processes can be flagged using a kernel module, if this user-mode to kernel-mode transition does not originate from the native layer.

Click here to read the fifth part of this blog

References:

[6] http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-part-2-zero-day-exploit-analysis-cve-2013-3893.html
[7] http://www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html
[8] http://phishme.com/product-services/what-is-phishme

Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

Women Can Say “No” to Cyberbullying

Friday, March 6th, 2015

This is the second part of the blog series on women’s cyber safety, discussing cyberbullying and describing the consequences of cyberbullying in one’s life, continuing from the first part which covered guidelines to women on social networking, the possible risks associated with it and a few precautionary steps to take.

We witness that women across different age groups have been increasingly trolled, bullied, and harassed on the internet based on the personal information visible on their social networking profiles. This trend is now at an all-time high.

Cyberbullying generally involves intimidating or harassing someone via online posts, emails or SMS. This includes activities such as posting hateful or unpleasant comments on one’s online profile, spreading rumors and/or inappropriate personal images through email or SMS to damage one’s reputation. Compared to traditional bullying, cyberbullying is open to an anonymous, or even unknown, person since one’s personal information is primarily posted as “public” on a social networking site. The aggressor remains anonymous and the victim can be taunted anytime , anywhere.


Women on the internet are at a higher risk of encountering cyberbullies at some point during their internet experience. As victims they have a tough time coping with the antagonizing behavior towards them and recovering from the resultant low spirits. This leaves many women hurt, humiliated, depressed and in some extreme cases it has led to taking one’s own life.

Women should be acutely aware that the information shared on the internet is open, free for public viewing and stays forever. As discussed in the previous blog, internet users in India can register a complaint against such cyberbullying issues at Computer Emergency Response Team (CERT).

Let the kids and the teens around you be informed about cyberbullying and its impact on life. To reiterate what was mentioned in the first part of this blog series here are some tips to educate teens and kids on how to avoid falling prey to offenders:

  1. Never share your phone number or email address with strangers or on online public forums.
  2. Refrain from sharing any personal information such as your birthday, where you live, etc on the internet.
  3. Never open or respond to messages from unknown/unauthorized users.
  4. Carefully adjust privacy settings to prevent strangers from contacting you.
  5. Never add strangers to your contacts or friends lists.
  6. Seek immediate help from the trusted people to help solve your cyberbullying problems.

to third part…

Images courtesy of:

walmsley.bolton.sch.uk/files/images/cyber-bullying-finalcolor.png
bullyinglte.files.wordpress.com/2014/12/cyberbullying.png

Archana Sangili, Content Writer
V.Dhanalakshmi, Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Shell Team Six:Zero Day After-Party (Part III)

Monday, February 23rd, 2015

This is the third part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014.

Continuing from the second part of our paper…

Exploiting Popular Applications

Popular applications such as web browsers, word processors, etc. in an attempt to provide rich functionality, at times fail to handle untrusted data properly. The attackers probe these applications with a variety of mechanisms such as fuzzing, reverse-engineering, study of any stolen code, etc. in order to discover bugs that allow them to execute malicious code without any user interaction.

Lack of buffer boundary checks in the application’s code is exploited, critical memory area is over written to hijack the control flow of the program and  execute the attacker’s shell code.

Likewise, bugs in handling multiple references to the same object have lead to Use-After-Free class of vulnerabilities which after seeding memory areas with malicious code can be exploited to execute the attacker’s shell code.

Data Execution Prevention (DEP) Bypass

DEP is a security feature provided by the operating system to thwart buffer overflow attacks that store and execute malicious code from a non-executable memory location. The OS leverages the No-eXecute technology in modern day CPUs to enforce hardware assisted DEP that prevents memory areas without explicit execute-privilege from executing. Attempts to transfer control to an instruction in a memory page without execute-privilege will generate an access fault, thereby rendering the attack ineffective.

Bypassing the DEP feature in a process involves locating already existing pieces of executable code from process memory space and manipulating them to use attacker controlled data to achieve arbitrary code execution. This is accomplished using one of the following techniques:

  • Return-to-libc
  • Branch Oriented Programming (BOP)
    • Return Oriented Programming (ROP)
    • Jump Oriented Programming (JOP)

Return-to-libc

This evasion technique involves replacing the return address on the call stack with that of an existing routine in a loaded binary. The parameters/arguments that are passed to such routines are controlled by the exploit data strategically placed on the stack.  A system function like WinExec() can be invoked to load and run a malicious component without running non-executable exploit data.


Fig.6: The stack layout when using return-to-libc attack to invoke system() in GNU Linux (32-bit).

Branch Oriented Programming

This bypassing method involves an attacker gaining control of the call stack and executing carefully stitched pieces of executable code called “gadgets”. These gadgets contain one or two instructions which typically end in a return instruction (ROP) or a jump instruction (JOP) and are located in a subroutine within an existing program or a shared library. Chained together, these gadgets allow an attacker to perform arbitrary operations on a machine.

Fig.7: ROP gadget execution sequence based on exploit controlled stack layout

Address Space Layout Randomization (ASLR) Bypass

In order to thwart BOP attacks, the concept of randomizing executable code locations, by randomizing the base address of the loaded binary, on every system reboot was introduced. This security measure known as ASLR made it difficult for the attacker to predict where the required gadget sequence resides in memory. However, APTs have been observed bypassing this protection using the following techniques:

Loading Non-ASLR modules

Dynamic-Link Libraries compiled without the dynamic-base option cannot take advantage of the protection offered by ASLR and as a result, are usually loaded at a fixed memory space. For example, Microsoft’s MSVCR71.DLL shipped with Java Runtime Environment 1.6 is usually loaded at a fixed address in the context of Internet Explorer making it easy to construct the required gadget chain in memory.

Fig.8: An ASLR incompatible version of MSVCR71.dll

DLL Base Address calculation via Memory Address Leakage

This technique involves determining the base address of any loaded ASLR-compatible DLL based on any leaked address of a memory variable or API within that DLL. Based on the address of this known entity, the relative addresses of all the required gadgets can be calculated and a ROP attack constructed.

Attack techniques such as modifying the BSTR length or null termination allows access to memory areas outside the original boundaries, leading to the memory address of known items being revealed to the exploit code. This can then be used to pinpoint the DLL’s location to use ROP gadgets within it. Array() object also has a length component that can be overwritten to leak memory addresses beyond its bounds.

Browser Security Bypass

Leveraging the operating system’s security, popular web browsers run certain parts of their code, JavaScript execution and HTML rendering for example, as a sandboxed background process. This process runs with limited privileges and has restricted access to the file system, network, etc.  A master controller acting as an intermediary interacts with the user and manages these sandboxed processes. By using this master-slave architecture and providing a controlled environment, users are protected from exploit attempts by limiting a shell code’s capability to access host system resources and confining its damage to within the sandbox.

Since these browsers rely on the operating system’s security model, exploiting unpatched kernel vulnerabilities will result in the malicious code escaping its confined environment. The infamous Duqu malware relied on vulnerability (CVE-2011-3402) in the Win32k.sys driver that improperly handles specially crafted True Type Font (TTF) files. This allowed the malware to escape a user-mode sandboxed environment implemented by the Microsoft Word process and compromise the host.

Fig.9: Vulnerable code snippet from win32k.sys that lead to the Duqu TTF exploit

Enhanced Mitigation Experience Toolkit (EMET) Bypass

EMET is a Microsoft tool that provides additional security to commonly-exploited third-party applications such as web browsers, word processors, etc. It extends the operating system’s protection mechanisms to these vulnerable applications and makes exploitation attempts extremely difficult.

The following table lists the protections offered by EMET and known bypassing techniques [4]:

Click here to read the fourth part of this blog

References:
[4] http://bromiumlabs.files.wordpress.com/2014/02/bypassing-emet-4-1.pdf
[5] http://0xdabbad00.com/wp-content/uploads/2013/11/emet_4_1_uncovered.pdf

Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

Ladies, Savor Social Networking Safely

Tuesday, February 17th, 2015

As women, we believe it is important to share a blog series, focusing specifically on women’s cyber safety while they use the internet for social and commercial activities, highlighting the dangers of using this medium and providing tips to ensure online safety. This is the first part of the three-part blog series guiding women on social networking and the possible risks associated, providing a few precautionary steps to follow, though not exhaustive.

The internet to the modern women is akin to the purse she carries, indispensable. She uses the internet to interact with friends and family, shop and bank, in that order. A recent survey by comScore revealed that women dominate the usage of social networking sites and wield the social networking portals as an empowering tool to connect across boundaries and to successfully build e-commerce businesses.

Unfortunately the freedom of the internet also helps cyber criminals and online miscreants to connect with you quite easily. Social networking users should be vigilant about the kind of information they share online and the crowd with which they interact. Often women overlook the potential dangers of social networking sites. A simple socially engineered chat message with a malicious URL or a wall post of a “video link” especially of a cute baby/shopping offer could attract many victims to silently seed malware into their computer, as witnessed in the case of the Microsoft Windows worm Koobface.  This allows hackers to either gather the user’s personal information or infect the computer.

With the stolen valuable information, miscreants can potentially cause distress to a user, especially to women and children.

One should also be keenly aware that photos shared on these social networking portals are viewable by even unintended audiences and can be morphed and redistributed without one’s consent. Young women tend to be the most likely targets of online harassment such as cyberbullying, trolling, stalking and death threats. This harassment gets even more dangerous if it manifests itself in real life. Even in the virtual world, targeted online harassment has the potential to cause severe mental trauma.

In order to curb such online threat issues, the Computer Emergency Response Team (CERT) educates internet users about safe surfing, helps the public report online abuse, and offers recovery procedures.

Here are some simple tips to make women more social networking wise:

  • Never disclose sensitive information such as date of birth, location, phone number, address, etc.,
  • Incorporate privacy and security settings offered on social networking sites
  • Beware of clicking on links and opening messages from unknown sources
  • Think twice about accepting requests to connect from strangers
  • Secure your computer with a good antivirus solution

to second part…

Image courtesy of:
crisistextline.org
freenet-work.tk/wordpress/wp-contents/2014/08/social-network.jpg

Archana Sangili, Content Writer
V.Dhanalakshmi, Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/