These are quick first looks and trend and threats


Read More >>
Written by the security and AV professionals from team K7, meant for the general audience
Read More >>
These are usually articles that go into internals of a virus or deal with security issues
Read More >>
Senior managers speak on areas of interest to them, inside and outside the industry
Read More >>

Archive for the ‘Security’ Category

Patch Released, Before You Can Say ‘Patch Tuesday’

Friday, July 10th, 2015

Microsoft is set to do away with its cycle of serving up security updates, released on the second Tuesday of every month. This is (un)officially known as ‘Patch Tuesday’ in tech circles.

In an earlier blog post, we had mentioned that Microsoft is doing all it can to beef up on their security front. Along the same lines, this is also a move to ensure that any security update, critical or not, will reach a Windows 10 user immediately and will no longer have to wait for a month.

Yes, updates will be rolled out 24/7 year round for all devices that run Windows 10, thereby potentially reducing the time taken to address a security issue once it is found. These releases are not restricted to security updates alone, but any software enhancements would also follow the same pattern.  A round-the-clock approach updating the OS infrastructure could also improve the quality of the updates; in the past there have been issues with unstable patches.

While the month-on-month cycle is going to remain for Business and Professional users, Microsoft has reworked this under the title Windows Update for Business. This would provide features to prioritize patching based on chosen devices, to specify timeframes during which updates should occur, and peer-to-peer delivery of the updates for bandwidth conservation in an environment of a large number of computers.

This expedited update schedule is primarily aimed at securing devices ASAP once a security lapse has been identified and fixed.  Though Microsoft claims that users will be provided free lifetime upgrades, the timeframe might in fact be tied down to the type of device that the OS is running on and the device’s supported lifetime.

Perhaps Microsoft is taking the timely patching of security lapses to an even higher level since many supposedly dead and dried malware (Conficker, etc.) that aren’t supposed to be spreading are still doing the rounds just because a patch hasn’t been applied. It is imperative that we as users take security, at least as seriously as Microsoft appears to be doing.

Image courtesy of:
keepcalm-o-matic.co.uk

Kaarthik R.M
K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

My App or No App

Monday, June 1st, 2015

Last week in our K7 Threat Control Lab we came across an Android ransomware “locker” sample with a difference. This one splashes a lockscreen that recommends to the user a list of free applications to install in order to continue using any already installed application as shown below:

However, if the user chooses to install one or all of the listed applications, the list seems endless since a new application is inserted for the one that is chosen for installation. This implies that the user may not be able to access his already installed applications or it might take a long time to exhaust the displayed list to access them. Interestingly, the applications installed from the lock screen list are free to open and are not blocked by the splash screen.

Now let us see how this malware actually works.

Analysis of this locker shows that the AndroidManifest.xml file of the package has RECEIVERS (net.fatuously.Unengaged and net.fatuously.Encephalitis) registered to receive the broadcasts BOOT_COMPLETED, USER_PRESENT, SCREEN_ON, NEW_OUTGOING_CALL, PHONE_STATE and DEVICE_ADMIN_ENABLED respectively. But the registered RECEIVER classes are not referenced in the corresponding classes.dex.

click to enlarge

In addition when this locker sample is executed the application displays an additional custom explanatory message that is also not referenced in the top-level package, as shown in the picture below:

click to enlarge

Digging further it is understood that the APK under study carries within itself an encrypted (XORed) ZIP file (test.dat) in the assets folder which in turn carries the classes.dex file that is loaded at run time.

The studied APK file loads the classes.dex from the encrypted ZIP using the dynamic loading feature as shown in the java source below:

click to enlarge

The RECEIVERS registered in the top-level AndroidManifest.xml and the additional explanation in the Device Admin request screen are referenced in the dynamically loaded unzipped classes.dex file.

click to enlarge

click to enlarge

When the user tries to open any of the applications that is installed prior to the locker, the malware loads the splash screen by setting the splash screen content as the data to the intent “android.intent.action.VIEW” as seen in the following code:

This malware when run without an internet connection, or during application initialization, loads a different splash screen as shown below:

The corresponding code to load the above screen is:

And the contents of none.html are follows:

Base64 encoded data in this HTML contains the image (.PNG) content to be displayed.

A few of the websites to which this malware connects are:

sexualletube[dot]biz
pornigy[dot]biz
pornsage[dot]biz
adeffective[dot]org

Strangely the splash screen does not seem to demand any payment from the user. However, it proves to be malevolent as it does not allow the user to open any application that is installed earlier than the locker.

As we discussed in our VB2014 paper “Early launch Android malware: your phone is 0wned”, an updated boot and broadcast framework in the Android OS that allows the security products to load before any other application will help to keep these locker variants at bay. K7Mobile Security protects its users from this locker with the detection called “Trojan (004c2fc61).”

V.Dhanalakshmi, Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Rooting for Trouble

Friday, May 22nd, 2015


Despite device manufacturers’ announcement to the user about the void warranty on rooting Android phones, users still root their phones for various reasons such as installing special applications that runs only on a rooted device, removing built-in apps, USB tethering, turning the device into a Wi-Fi hotspot, etc., compromising on the features of security, performance and at the potential cost of the phone itself, as the user might fail at any step in the device-dependent process of rooting the device without a warranty safety net.

Apart from the traditional rooting methods, there are tools available online to root the device that can be run through either ADB or installed directly on the device.

One should also be aware that many Android malware require root access (administrative power) to execute the desired malefide functions on the victim’s device. They acquire root access by bundling with other good applications that require root access, by triggering an application in the victim device that requires root access, or by invoking exploits that they carry within themselves, as in the case of Android/DroidDream that carries the exploits RageAgainsttheCage and Exploid. In addition the recent Android PowerOffHijack malware exemplifies the ill-effects on the Android operating system if administrative power is acquired by a malware.

Security enhancements in Android notwithstanding, there are still new vulnerabilities and exploits for the OS being identified regularly. As per the recent Microsoft report that includes statistics on vulnerabilities and exploits reported in the second half of 2014, lots of the non-Windows exploits found on Windows computers are for the Android operating system and Open Handset Alliance.

All this implies that Android smartphone users should:

  • Ponder whether they really need to root the device
  • Be vigilant about the applications downloaded to root the device
  • Download the required application only from the official Google Playstore
  • Turn on the feature of “Verify apps” that is available with Android 4.2 or higher

Images courtesy of:
Talkandroid.com
Rootmyandroid.org
www.techlegends.in

V.Dhanalakshmi, Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Shell Team Six:Zero Day After-Party (Part VI)

Monday, April 27th, 2015

This is the final part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014. Continuing from the fifth part of our paper…

Data Exfiltration and Cleanup



This stage of the APT involves the assailants collecting the sensitive data and transmitting it stealthily to a remote location. Data extraction can either be a one-time event or spread over a period of time, followed by constant snooping of the victim, all the while remaining hidden.

Once the objective of an APT campaign is achieved, the attackers exit the network in a phased manner after covering their tracks and clearing all the potential evidence of an intrusion.  The attackers could also plant or manipulate data in the target’s environment in an effort to create misdirection.

Extraction methodology

Confidential data that is collected during the period of the APT is copied to a staging server, compressed, encrypted and kept ready for transfer. Outbound sessions are then established that resemble legitimate traffic thereby attempting to fly under the security radar. The confidential data is thus extracted possibly in small chunks over a period of time.

The bad actors could exfiltrate data using any/all of the following methods:

HTTP/FTP/Cloud Storage Uploads

An HTTP/FTP upload or a cloud transfer is initiated by an application which is already approved by the firewall. Additionally, the packets could be SSL or custom encrypted making it difficult for security solutions to sniff.

Outgoing Emails with Password Protected Attachments

Sensitive contents are password protected and then transmitted using either a compromised employee’s email credentials, or by using a custom SMTP server.

Customized DNS Queries

Small chunks of data such as user credentials may be sent as custom DNS requests to DNS servers controlled by the attackers. The packets are then reassembled as required at the attackers end.

Fig.14. shows encrypted data sent as a DNS query

VPN/IPv6 Tunnels

VPN and IPv6 tunnels are created from the staging server to a remotely controlled machine. The contents are then securely transmitted through these tunnels.


The hacking outfit commonly known in computer security circles as Comment Crew [13] has been observed using the above data exfiltration techniques. Sensitive data which could potentially be Gigabytes in size would first be collected in a centralized location & compressed in a password-protected RAR file. The final archives would be split into chunks and uploaded using FTP, custom file transfer tools, etc.

Cleanup Methodology

The attackers tend to delete their malicious code and its associated components by remotely issuing self-destruct commands from their C2C server. A time/event bound kill switch built into the malicious code could also be automatically triggered to avoid being caught.

System logs that maintain login attempts, security logs that maintain protection status, audit files that track system changes, etc. are modified by the attackers to make a forensic reconstruction of the attack impossible.

Indicators of Compromise

Capturing and transmitting confidential data is the raison d’etre of any APT. In order to facilitate this transmission, the attacker must contact external servers from inside the victim’s network.

Here are some of the common symptoms that indicate suspicious activity within the organization’s network:

Wrong Data in the Wrong Place

Movement of encrypted or confidential data from a machine containing sensitive information to a potential upload server with Internet access, all within the organizations internal network could indicate that something is wrong.

Similarly, availability of large quantities of known-encrypted or sensitive data on a machine it’s not supposed be on could also indicate that something is amiss.

Anomalous Traffic


The following anomalies could indicate a compromise:

  1. Connections made directly to IP addresses
  2. HTTP/FTP connections on non-standard ports
  3. Connections to previously unused or high risk geo locations
  4. Accessing algorithmically generated domain names (DGA)

Other Indicators

Inconsistent events in audit logs maintained at network and endpoint level, changes in the system drivers list without an application uninstallation progress, etc. can also be used as indicators of compromise.

Prevention/Detection

Confidential information is the crown jewel of any company and typically it is this information that the attacker is focused on stealing. The following solutions can be involved in protecting the exfiltration of this confidential data:

Hardened DNS Servers


Outgoing DNS queries should be logged and monitored extensively for anomalies. Organizations could also create and maintain their own hardened DNS servers.

Security Solutions

Data aware technologies like Data Leakage Prevention (DLP) can be added to the organization’s existing layer of defense. Once critical and confidential data is identified, DLP solutions track and prevent this data from falling into the wrong hands.

URL scanners with built-in reputation intelligence can be used to detect:

  1. Access to subdomain/domains which are not popular or appear suspicious
  2. Repeated attempts to connect to domains which no longer resolve
  3. Attempts to connect to blacklisted or malicious IP addresses/domains
  4. Newly registered domains

Network scanners with Deep Packet Inspection and machine learning capabilities can be used to build a knowledge base of general network usage trends. Alarms are raised when deviations exceed pre-defined thresholds. This knowledge base includes:

  1. Commonly used protocols with source and destination information
  2. Common geo locations contacted
  3. Number of connections and the length of connections made depending on the time of the day

Software that take disk backups and dump physical memory images at regular intervals are of great help during incident response and forensic analysis of a potential APT attack.

Conclusion

The implications of the complexity and perseverance of Advanced Persistent Threats are of major significance to the existing security infrastructure. The evasion techniques discussed in this paper have exerted colossal pressure on the current methods used to detect and report these threats, especially where the human element is involved.

Safeguarding oneself against APTs requires more than just traditional security solutions. The need of the hour is a comprehensive, holistic security plan that intelligently integrates events reported from numerous forms of security established at various levels of the organization. This solution should be able to handle massive volumes of logs and spot patterns of an attack, find sources of a breach and stop new threats in their tracks.

Things are about to get a whole lot more difficult with compromised mobile devices joining the fray. Strategies to identify and stop sophisticated, multi-pronged APT attacks have been discussed; however coordinated implementation is far from straightforward. We live in interesting times.

References:

[13] http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

Shell Team Six:Zero Day After-Party (Part V)

Friday, April 10th, 2015

This is the fifth part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014.

Continuing from the fourth part of our paper

Expanding Access and Strengthening Foothold

The device that falls first is usually not the primary target of the APT. This backdoored computer is instead used as a base to search and compromise more devices that likely contain credentials to other workstations, application servers, etc. The assailants move laterally within the network, gaining access to these machines, strengthening their foothold, all the while hunting for valuable target information which was the objective of the attack.

Expansion Methodology

The initial infected host connects back to a command and control (C2C) infrastructure controlled by the bad actors. It sends critical information such as password details, privileges of the currently logged user, mapped drive information, etc. and awaits further instructions. The following techniques are used by the attackers to expand their access:

Privilege Escalation

The attackers exploit privilege escalation vulnerabilities to escape the confines of a limited user’s account. The objective here is to gain “root” on the infected machine which enables them to perform tasks that require elevated privileges such as creating/deleting system services, accessing critical process’ memory space, mapping internal networks, etc.

Fig.13: Privilege escalation code used from the Council for Foreign Relations Watering Hole attack

Remote Exploitation

Malware components can exploit network vulnerabilities to compromise systems accessible in the local network. The Stuxnet malware exploited a 0day Print Spooler (CVE-2010-2729) remote code execution vulnerability to propagate itself into new machines.

Installing More Tools

During the initial compromise, the malware authors use custom zero-day code that exploits vulnerabilities in common applications. In the expansion stage of the APT though, to avoid having to re-write code, the bad actors tend to use standard tools.

These tools could include system utilities like PsExec [9], network packet sniffers like tcpdump [10], password extracting tools like gsecdump [11], Cain&Abel [12], etc.

Obtain Credentials

With the help of the tools installed, the attackers brute-force login credentials to workstations and servers that likely contain sensitive data.

They could establish remote desktop sessions to these machines and eventually make their way onto domain controllers that have unrestricted access to the entire network.  They then begin their hunt for the target data to be extracted, if they haven’t found it already, that is.

Indicators of Compromise

Once the assailants possess domain level credentials, their movement within the network resembles that of legitimate traffic and so becomes very difficult to track. The following behaviors on the other hand could indicate a compromise and are relatively easy to track:

Presence of Unwarranted Files

Unauthorized use of kernel modules to elevate ones privileges could imply a compromise. The presence of unapproved software, modified versions of existing drivers containing trojanized code, tools like port scanners, password crackers, network sniffers, etc. could also indicate a compromise.

Login Irregularities

Repeated failed login attempts using non-existent user accounts, successful login attempts to machines that deviate from established baseline logins, login activity at odd hours, etc. could mean something is amiss.

Anomalies in Security Settings

Unauthorized disabling of security software, tampering of exclusion lists in firewalls and Anti-Virus, even for a brief period of time, could indicate a compromise.

Anomalies in User Account Activity

Changes in behavior of a user account such as time of activity, type of information accessed, systems accessed, etc. could indicate a compromise.

Prevention/Detection

Along with multi-factor authentication for sensitive accounts, updated Anti-Virus software that detects unwanted tools, a strong password policy, etc. the following solutions can be implemented to augment the network’s security:

Unified Extensible Firmware Interface (UEFI) and Secure-Boot

Privilege escalation attempts can be significantly reduced by using UEFI/secure-boot enabled machines that provide a level of trust from boot-up time.

Early Launch Anti-Malware (ELAM)

Security solutions with early loading components that are capable of detecting and blocking unauthorized kernel code should be installed throughout the network.

Click here to read the final part of this blog

References:

[9] http://technet.microsoft.com/en-us/sysinternals/bb897553
[10] http://www.tcpdump.org
[11] http://www.truesec.com/Tools/Tool/gsecdump_v2.0b5
[12] http://www.oxid.it/cain.html

Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

Surge in Unauthorized Access Grabbing

Monday, March 30th, 2015

Authorization, an access control system, is all about administering and providing sensitive system access to a process or an application or a class of users based on their privilege level. Privacy and security concerns arise when system resources are accessed by an unauthorized process, application, or user.

Application and system developers always strive to incorporate secure authorization systems in their software. On the other hand, hackers come forth with new exploit techniques to elevate the access privilege associated with a specific process, system, or user. Many of the attacks start with an entry into the targeted systems with limited privileges and then an attempt to elevate privileges by exploiting a vulnerability in the OS itself or in third-party installations.

We conducted a short piece of research work on Elevation of Privilege (EoP) vulnerabilities using publicly available information on vulnerabilities discovered in operating systems, desktop applications and browsers. Interestingly the data indicates a significant rise in EoP vulnerabilities over the past two–and-half years.

From our research set on Microsoft Windows operating system vulnerabilities found over the time period mentioned earlier, we found that out of 700 vulnerabilities, 115 vulnerabilities were Privilege Escalation vulnerabilities, i.e. approximately 16%. It is clear from the research data set that attackers or malware writers are focusing more on EoP vulnerabilities to carry out their malicious attack as silently as possible.

Standalone exploitation of EoP vulnerability might not be sufficient for the attacker to achieve the required destructive behavior thus forcing the attacker to look for yet more vulnerability in the system to exploit.

The following is a list of commonly exploited Windows components:

The Group Policy Service
Windows kernel-mode driver (Win32k.sys)
Cryptography Next Generation kernel-mode driver (cng.sys)
WebDAV kernel-mode driver (mrxdav.sys)
TS WebProxy Windows component
Windows User Profile Service (ProfSvc)
Microsoft IME
TypeFilterLevel Checks
Windows audio service component
Windows TCP/IP stack (tcpip.sys, tcpip6.sys)
Kerberos KDC
FASTFAT system driver, FAT32 disk partitions
Message Queuing service
.NET Framework
Windows Task Scheduler
Windows Installer service
DirectShow
Ancillary Function Driver
On-Screen Keyboard
ShellExecute API
TypeFilterLevel checks
Group Policy preferences
NDProxy component
Local Remote Procedure Call
Windows audio port-class driver (portcls.sys)
Hyper-V
USB drivers
Windows App Container
DirectX graphics kernel subsystem (dxgkrnl.sys)
Service Control Manager (SCM)
NT Virtual DOS Machine (Ntvdm.exe)
asynchronous RPC requests handling (Rpcss.dll)
TrueType font files handling
Windows Print Spooler (Win32spl.dl)
NTFS kernel-mode driver (ntfs.sys)
Windows CSRSS (cmd.exe)
Remote Desktop ActiveX control (mstscax.dll)
Windows USB drivers

We see that the attackers often aim at a relatively highly destructive attack by exploiting privilege escalation and code execution vulnerabilities together.

Techniques employed by malware writer constantly evolve to achieve the desired privilege escalation undetected. There are many privilege elevation techniques publicly available online, such as:

  1. METHOD OF PROVIDING A COMPUTER USER WITH HIGH LEVEL PRIVILEGES, PATENT 7,945,947
  2. Exploiting The Known Failure Mechanism in DDR3 Memory referred to as Row Hammer to gain kernel privilege with the only “patch” being a replacement of the DRAM!

Sometimes it is simply not possible to patch a vulnerability.

Elevation of Privilege is not limited only to operating systems but is also witnessed in desktop applications, browsers, web applications and even in hardware. With the increasing popularity of Internet of Things across devices everywhere, the effect of exploiting an  Elevation of Privilege vulnerability in just one of the links in Internet of Things could give the attacker complete control of the whole system.

Image courtesy of:

tompattersontalks.blogspot.in

Priyal Viroja, Vulnerability Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Shell Team Six:Zero Day After-Party (Part IV)

Friday, March 13th, 2015

This is the fourth part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014.

Continuing from the third part of our paper…

Security Solutions Bypass

The next layer of defense that an attacker confronts is the end point security provided by third party vendors. Host Intrusion Prevention Systems (HIPS) for example, detect ROP exploitation and prevent shell code execution by injecting their modules into commonly exploited applications and placing hooks at various operating system APIs. However, these inline hooks meant to monitor suspicious activities and detect exploitation attempts are placed under the same privilege as the rest of the code in the process, thereby undermining the security solution’s ability to maintain and intercept all the required APIs.

Hook Hopping

This technique involves the attackers executing standard function prologues of intercepted APIs within self and then transferring control just past the JMP instruction intended to intercept the call.

Fig.10: Control flow depicting bypass of JMP instruction in a hooked API

The DeputyDog campaign [6] which exploited the CVE-2013-0389 vulnerability, employed the above technique to bypass the interception of WinExec() API calls by security software.

Direct SYS Calls

These are a sequence of CPU instructions that transfer control to the kernel directly from the application code instead of using the OS provided user mode APIs.

Payload Delivery via Documents or Sparse Encrypted Fetches

Shell code used as part of the exploitation chain may need to execute a larger payload to establish a backdoor on the machine. To prevent this payload from being detected by security scanners, the attackers can:

  • Embed the payload in popular document formats like PDF, DOC, etc. The shell code when run, locates this payload in the document by scanning for specific magic markers, extracts it and executes it, or
  • Download smaller encrypted chunks of the larger payload stealthily onto the victim’s machine. These chunks are later reassembled and executed on the victim’s machine.

Anti-Virus Bypassing

The attackers use custom cryptors to encrypt their malicious code and attempt to defeat traditional signature based Anti-Virus scanners. At times, these files are digitally signed using trusted stolen certificates to appear legitimate and to circumvent local system policies.

The notorious Stuxnet malware for instance used malicious kernel drivers signed with valid stolen digital certificates to bypass Anti-Virus scanners.

Equipped with information about the security solutions installed in the organization’s end point, these payloads are often tested for detection by the vendor’s security scanner before they are deployed onto the victim’s machine.

Volatile Threats

The attackers execute their malicious payloads directly on the victim’s machine without ever writing the file on the machine’s disk. Traditional security solutions that scan only files on the disk in real-time cannot see these malicious payloads that are directly written and executed in memory. Behavioral analysis systems do not intercept these operations either fearing additional performance overheads.

In the BaneChant APT campaign [7], the shell code downloaded an innocuous XOR encoded binary as the first level payload. This binary in turn downloaded a second level payload which was an executable impersonating an image file meant to bypass security scanners. Once downloaded, this binary was executed directly in memory.

Indicators of Compromise

The initial compromise stage of an APT represents an attacker’s attempts to gain entry into the target organization’s network.  In an environment defended by multiple layers of logging and security, it becomes quite a challenge for an attacker to be successful without leaving behind digital footprints. Provided below are some symptoms that could indicate a compromise in an organization’s network:

Suspicious System Changes

The presence of unauthorized applications that start from uncommon auto-start locations could indicate a compromise. Files names that resemble popular/operating system files like svchost.exe, acrord32.exe, etc. and dwell in unusual locations should also raise suspicion levels.

Fig.11: System file name present in an unusual auto-startup location

Hidden instances of popular applications like Internet Explorer, code-injection attempts into trusted operating system related processes, installation of unauthorized software, loading of driver files without an entry in the Service Control Manager, etc. could also indicate compromise.

Unusual Disk Activity

Exploitation attempts using heap spray techniques tend to use significant amounts of memory.

At times this can lead to high disk activity due to frequent page-file access. Attempts to sweep a user’s profile area for personal or confidential data could also result in increased disk activity, which could indicate compromise.

Compromised Security Components

Partially enabled security features or completely disabled security solutions on endpoints, even for a brief period of time, could indicate that something is wrong.

Loading of Unsigned Drivers in x64 Systems

x64-based Microsoft Windows verifies and allows only digitally signed driver binaries to load during system boot-up. Unsigned malware that want to load early on during the boot process will have to disable this verification process.

Boot kits for instance, tend to bypass the driver signing policy by making persistent system wide changes. Successful loading of a custom unsigned “test” driver on a machine infected with such a boot kit could indicate a compromise.

Fig.12: Windows alerting on loading an unsigned driver

Prevention/Detection

Mock Phishes

Since human behaviour is manipulated to the attacker’s advantage during this stage of an APT, training programs should be conducted at regular intervals to educate the users on the latest intrusion techniques. These programs should aim at explaining the importance of security along with adequate examples, as well as changing user behaviour such that they follow security policies correctly.

Pen test emails mimicking a spear phishing attack could be used to improve the employees’ resilience towards such attacks [8].

Virtualization

Email applications and web browsers could be run in a virtualized environment that is automatically reverted during startup.


Malicious email attachments and drive by downloads would be contained within this environment and reboot resilient code would not survive a revert-to-clean-snapshot assuming that the malware cannot escape the guest VM and infect the host.

Intent to View

Suspicious or unknown email attachments should explicitly be stripped by security solutions.

These attachments should be released to a user only if he/she explicitly requests them.

Detecting Bypassing Attempts

Evasion techniques such as hook-hopping can be identified by breaking some basic assumptions made by the attacker. The security solution can replace the random number of instructions from the function prologue with its own code sequence. This way, shell code that attempts to bypass the initial JMP instruction would still land on the code sequence controlled by the security solution.

Few security solutions use multiple int 0×3 instructions past the initial JMP instruction to trigger a debug exception when executed, breaking the flow of execution.

Hook bypass attempts using direct system calls from user-mode processes can be flagged using a kernel module, if this user-mode to kernel-mode transition does not originate from the native layer.

Click here to read the fifth part of this blog

References:

[6] http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-part-2-zero-day-exploit-analysis-cve-2013-3893.html
[7] http://www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html
[8] http://phishme.com/product-services/what-is-phishme

Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

Shell Team Six:Zero Day After-Party (Part III)

Monday, February 23rd, 2015

This is the third part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014.

Continuing from the second part of our paper…

Exploiting Popular Applications

Popular applications such as web browsers, word processors, etc. in an attempt to provide rich functionality, at times fail to handle untrusted data properly. The attackers probe these applications with a variety of mechanisms such as fuzzing, reverse-engineering, study of any stolen code, etc. in order to discover bugs that allow them to execute malicious code without any user interaction.

Lack of buffer boundary checks in the application’s code is exploited, critical memory area is over written to hijack the control flow of the program and  execute the attacker’s shell code.

Likewise, bugs in handling multiple references to the same object have lead to Use-After-Free class of vulnerabilities which after seeding memory areas with malicious code can be exploited to execute the attacker’s shell code.

Data Execution Prevention (DEP) Bypass

DEP is a security feature provided by the operating system to thwart buffer overflow attacks that store and execute malicious code from a non-executable memory location. The OS leverages the No-eXecute technology in modern day CPUs to enforce hardware assisted DEP that prevents memory areas without explicit execute-privilege from executing. Attempts to transfer control to an instruction in a memory page without execute-privilege will generate an access fault, thereby rendering the attack ineffective.

Bypassing the DEP feature in a process involves locating already existing pieces of executable code from process memory space and manipulating them to use attacker controlled data to achieve arbitrary code execution. This is accomplished using one of the following techniques:

  • Return-to-libc
  • Branch Oriented Programming (BOP)
    • Return Oriented Programming (ROP)
    • Jump Oriented Programming (JOP)

Return-to-libc

This evasion technique involves replacing the return address on the call stack with that of an existing routine in a loaded binary. The parameters/arguments that are passed to such routines are controlled by the exploit data strategically placed on the stack.  A system function like WinExec() can be invoked to load and run a malicious component without running non-executable exploit data.


Fig.6: The stack layout when using return-to-libc attack to invoke system() in GNU Linux (32-bit).

Branch Oriented Programming

This bypassing method involves an attacker gaining control of the call stack and executing carefully stitched pieces of executable code called “gadgets”. These gadgets contain one or two instructions which typically end in a return instruction (ROP) or a jump instruction (JOP) and are located in a subroutine within an existing program or a shared library. Chained together, these gadgets allow an attacker to perform arbitrary operations on a machine.

Fig.7: ROP gadget execution sequence based on exploit controlled stack layout

Address Space Layout Randomization (ASLR) Bypass

In order to thwart BOP attacks, the concept of randomizing executable code locations, by randomizing the base address of the loaded binary, on every system reboot was introduced. This security measure known as ASLR made it difficult for the attacker to predict where the required gadget sequence resides in memory. However, APTs have been observed bypassing this protection using the following techniques:

Loading Non-ASLR modules

Dynamic-Link Libraries compiled without the dynamic-base option cannot take advantage of the protection offered by ASLR and as a result, are usually loaded at a fixed memory space. For example, Microsoft’s MSVCR71.DLL shipped with Java Runtime Environment 1.6 is usually loaded at a fixed address in the context of Internet Explorer making it easy to construct the required gadget chain in memory.

Fig.8: An ASLR incompatible version of MSVCR71.dll

DLL Base Address calculation via Memory Address Leakage

This technique involves determining the base address of any loaded ASLR-compatible DLL based on any leaked address of a memory variable or API within that DLL. Based on the address of this known entity, the relative addresses of all the required gadgets can be calculated and a ROP attack constructed.

Attack techniques such as modifying the BSTR length or null termination allows access to memory areas outside the original boundaries, leading to the memory address of known items being revealed to the exploit code. This can then be used to pinpoint the DLL’s location to use ROP gadgets within it. Array() object also has a length component that can be overwritten to leak memory addresses beyond its bounds.

Browser Security Bypass

Leveraging the operating system’s security, popular web browsers run certain parts of their code, JavaScript execution and HTML rendering for example, as a sandboxed background process. This process runs with limited privileges and has restricted access to the file system, network, etc.  A master controller acting as an intermediary interacts with the user and manages these sandboxed processes. By using this master-slave architecture and providing a controlled environment, users are protected from exploit attempts by limiting a shell code’s capability to access host system resources and confining its damage to within the sandbox.

Since these browsers rely on the operating system’s security model, exploiting unpatched kernel vulnerabilities will result in the malicious code escaping its confined environment. The infamous Duqu malware relied on vulnerability (CVE-2011-3402) in the Win32k.sys driver that improperly handles specially crafted True Type Font (TTF) files. This allowed the malware to escape a user-mode sandboxed environment implemented by the Microsoft Word process and compromise the host.

Fig.9: Vulnerable code snippet from win32k.sys that lead to the Duqu TTF exploit

Enhanced Mitigation Experience Toolkit (EMET) Bypass

EMET is a Microsoft tool that provides additional security to commonly-exploited third-party applications such as web browsers, word processors, etc. It extends the operating system’s protection mechanisms to these vulnerable applications and makes exploitation attempts extremely difficult.

The following table lists the protections offered by EMET and known bypassing techniques [4]:

Click here to read the fourth part of this blog

References:
[4] http://bromiumlabs.files.wordpress.com/2014/02/bypassing-emet-4-1.pdf
[5] http://0xdabbad00.com/wp-content/uploads/2013/11/emet_4_1_uncovered.pdf

Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

Shell Team Six:Zero Day After-Party (Part II)

Wednesday, February 11th, 2015

This is the second part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014.

Continuing from the first part of our paper

Initial Compromise

Armed with information obtained from the previous stage, the perpetrators may adopt several techniques to sneak into the organization. Traditional attacks involve actively targeting vulnerable applications and exploiting Internet facing resources like webservers, SQL servers, FTP servers, etc. As log analysis and security around these external resources have caught on, the attackers have had to evolve their tactics in order to be successful.

Infiltration Methodology

The attackers now target the most vulnerable element of any organization – the human. Social engineering tactics are used to entice an individual or a group of users into running code, which will allow the attackers to introduce their malware into the organization’s network. The most commonly used attack techniques are:

  • Spear Phishing
  • Watering Hole

Spear Phishing

Spear phishing involves the attacker compromising a machine by sending a well-crafted email to a targeted user and convincing him/her to:

  • Open an embedded link that points to a website loaded with zero-day exploits, or
  • Open a malicious attachment (EXE, PDF, DOCX etc.)

both of which exploit the rendering application to drop or download, and execute a payload with backdoor capabilities

Watering Hole

 

Watering hole attack involves the attacker placing exploits, possibly zero-day in nature, on a trusted website which is frequented by the users of the organization.  When a targeted user visits the site, the exploit code is automatically invoked and the malware installed on his/her machine.

Case Study

The U.S. Veterans of Foreign Wars’ website was recently compromised to serve a zero-day exploit (CVE-2014-0322). A similar watering hole attack exploiting zero-day vulnerabilities has occurred in the past targeting a specific group of people by compromising the website of the Council for Foreign Relations.

Fig.2 shows publicly available website access logs of users along with their non-routable IP addresses. This information can be used to evaluate the browsing habits of individuals in the company and eventually to execute a watering hole attack.


 
Fig.2: Publicly available map of internal IP addresses and their website logs

Security Bypassing

Email attachments, file downloads, HTTP requests, etc. originating from users undergo rigorous checks at various layers that include:

  • Network/Gateway layer scanners
    • Email/File/URL scanners
    • Sandboxed file analysis
  • Endpoint/Desktop layer scanner
    • Anti-Virus/HIPS/firewall
    • Application security features
    • Operating system security features

Once the human element falls prey to social engineering, and is coaxed into downloading a file/email or visiting an exploit site, the attackers are faced with challenge of defeating a series of network and end point security solutions before conquering the victim’s machine. Listed below are some of the tactics used by the perpetrators to bypass these layers of security.

Attachment Archive File Format Abuse

Discrepancies in the way in which a security product handles a compressed file versus that of an un-archiving application has led to abuse of the popular ZIP file format.  Un-archiving apps identify ZIP file types by scanning the last 64KB of the file for a special magic marker. Security scanners on the other hand, with a need for speed, identify the file type by inspecting only the first few bytes from the beginning of the file.

An attacker abuses this disparity by creating a malicious ZIP file and manipulating its headers by adding junk data at the beginning of the ZIP file. This specially crafted file deceives security scanners into thinking that it is of an unknown type and escapes detection, but un-archiving applications are able to successfully extract the malicious code at the end point.

Fig.3 shows a Proof-of-Concept [2] archive file that is capable of evading security scanners

Fig.3: Crafted ZIP file with NULL data prefixed.

Gateway Sandboxing Bypass

Suspicious files that match certain criteria are typically executed within a sandboxed environment for a short period of time. Depending on their behavior, the files are either blocked from the user or released to him/her.

Attackers can craft malicious files which detect such controlled settings by looking for specific registry keys, in-memory code changes, mouse pointer movement, etc.

For example if the malicious file identifies that it is being executed in a sandboxed environment, it stays idle without performing any activity thereby bypassing this check. The Up-Clicker Trojan [3] attempts to evade sandbox analysis by staying idle and waiting for a mouse click before activating itself.

Fig.4: Code showing Up-Clicker Trojan set to activate on mouse click

Browser Multi-Purpose Internet Mail Extensions (MIME) Sniffing

This attack exploits differences in the way in which security scanners and web browsers identify the content returned by an HTTP server.

Security scanners parse the magic headers available at the beginning of a file returned by the web server, to identify the file type. This means that a specially crafted malicious HTML file containing the magic marker commonly found in a GIF image will be identified by the scanner as an image file, exempted from scanning and let through into the network.

Web browsers on the other hand, depend on the MIME type in the HTTP response header returned by the web server to identify the file type. When this information is absent as is the case of a response from an attacker controlled web server, the web browser resorts to content sniffing to determine the MIME type. So, the same malicious HTML containing the GIF magic marker will now be identified as HTML content by the user’s browser and rendered accurately to execute the exploit code.

Fig.5: Malicious script containing bogus RAR and GIF magic markers.

Click here to read the third part of this blog

References:
[2] http://www.reversinglabs.com/news/vulnerability/reversinglabs-vulnerability-advisories.html
[3] http://www.infosecurity-magazine.com/news/trojan-upclicker-ties-malware-to-the-mouse

Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

Exorcising CTB Locker from your Computer: What you Need to Know

Friday, January 30th, 2015

Ransomware, a type of malware which holds your files to ransom by encrypting them and then demanding a ransom for their “release”, i.e. by decryption, is nothing new. Cyber criminals make a lot of money by extorting funds from victims all over the world.

The latest family of widely distributed ransomware is called CTB Locker. In this blog we have decided to provide information about CTB Locker in the form of an FAQ so that our customers and the general public globally may be well-informed about the dangers of this malware family, learn how to avoid it, and be reassured about our robust response to it.

FAQ

  • How do you prevent your computer from becoming infected by CTB Locker?

Let’s begin with this question as it is the most important one to keep your computer safe. Prevention is always better than cure.

The initial spreading vector for CTB Locker is a spam email with enticing content which uses social engineering techniques to convince the potential victim to unzip a ZIP archive attachment (extension ‘.zip’) and execute its embedded file.

This embedded file, which is currently around 40KB in size, may have misleading extensions such as ‘.scr’ in order to masquerade as a screensaver application. This file is the downloader component for CTB Locker’s main payload, which then does the actual file encryption and makes ransom demands. We urge you to be vigilant against such spam emails as it is very first line of defence against CTB Locker as well as a host of other malware families which also use the same old time-tested technique to spread.

If an email comes from an unknown or unexpected source containing an attachment or a website link requesting you to open the attachment or click on the link, please exercise extreme caution. We would suggest simply deleting such emails if they are not already quarantined by your spam filter.

The spam emails tend to be targeted at English-speaking countries and at least 3 European countries given that the malware payload provides its ransom messages in German, Dutch and Italian.

This ransomware is not targeted at Indian users per se but given the ubiquitous nature of spam there will be “collateral damage” resulting in not just Indian victims but also many other hapless victims in other non-target countries.

  • What should you do when you discover your computer is infected with CTB Locker?

If you have seen messages demanding a ransom as shown above, it is likely that many, if not all, of your personal files such as Microsoft Office documents, PDF, TXT, ZIP and even ‘C’ source code files will be in an encrypted state, i.e. appear to contain random binary junk. Files encrypted by CTB Locker will have filenames such as yourfile.ext.<7 random lowercase letters>, e.g. 253667.PDF.iryrzpi

Executable files, e.g. EXE, DLL, OCX, etc, and files with extensions unknown to the malware will not be touched.

First and foremost, we would request that you do not attempt to pay the ransom to get your files back. Even if the cyber criminals do actually decrypt your files, the money they get from you will only serve to encourage them to continue their nefarious practices, investing R&D in enhancing their capabilities and global reach. Cyber criminals must be stripped of their Return on Investment incentive to create malware.

Once you have decided not to pay the ransom we would recommend removing the malware immediately. This can be done most easily by:

  1. updating your product
  2. rebooting into Safemode
  3. performing an on-demand scan on your computer
  4. removing the detected components. Note, the main CTB Locker payload is detected as ‘Trojan ( 0049d83b1 )’ and its downloader component is detected as ‘Trojan-Downloader ( 00499db21 )’

  • Is it possible to decrypt files encrypted by CTB Locker?

The malware itself demonstrates that files can be decrypted by randomly choosing 5 samples to decrypt.

However, the malware uses a high-grade encryption algorithm with a key which is unique to your computer, rendering it effectively impossible to force a decryption en masse.

  • How to restore files encrypted by CTB Locker?

It may not be possible to restore all files encrypted by CTB Locker. However, if your Windows operating system supports System Restore it may be possible to recover some of the contents of some of your folders to a recent restore point before the infection took place. However, typically System Restore will not restore files from user areas such as images and documents.

The most reliable solution, though, is to restore your critical files from regular backups. If you don’t backup your important files regularly then we urge you to start doing so ASAP. Apart from a CTB Locker infection, there are numerous other factors which could render your files irrecoverable in the future, including a hard disk failure. Note, it may also be possible to use deep forensics tools to recover some critical files if they still exist on sectors on the hard disk, but this is not an alternative to regular backups.

  • Will paying the ransom actually decrypt your files?

We refuse to pay any ransom so we are unable to confirm whether payment will actually result in your files being released. Once again, we would request you to not attempt to pay the ransom for the reasons mentioned earlier.

  • Why did K7 not detect and remove CTB Locker?

At K7 Threat Control Lab we are constantly monitoring and acting against CTB Locker infections, including coding robust generic detection for all components of CTB Locker. However, the cyber criminals behind the CTB Locker family have been investing considerable resources in morphing, i.e. changing the appearance of, all their components and spam emails such that they may sometimes be able to get past security scanners, not just K7’s, albeit for a very short period of time. We at K7, and our colleagues at other security companies, are working hard to stay ahead of CTB Locker in order to protect all our customers across the planet.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed