News about Excubits and IT-Security
Stay up to date and subscribe to our newsletter.
2019/03/12 by F. Rienhardt
We have just released the new versions of Bouncer and Türsteher now supporting AdminByPass and GUID-Logging.
2019/02/19 by F. Rienhardt
We have just released a new beta version of Bouncer. The current beta features two options, which are described below:
This feature was already part of a beta we published at the end of December, but we still want to introduce it to you: with the admin-bypass option you can allow system/admin processes to bypass the rules engine. This reduces the complexity of your rules and simplifies how you install patches or updates, which often require SYSTEM/admin permissions. On the other hand, we must point out that there is a risk, because malicious executables running as SYSTEM or in the admin group could bypass the rules as well. So you need to balance security against comfort, but you now have a choice.
If you would like to deploy Bouncer at a larger scale, you might accumulate log files centrally. To distinguish the log files you then need some way to tell apart files coming from different machines. Each Windows installation comes with a unique ID, represented by Windows' internal GUID. With Bouncer's GUID-logging feature you can add this ID to each log entry, so you can store log files from different sources centrally in a database and still distinguish between machines.
We will soon provide some scripting examples that should help you deploy a logging server, plus examples of how to import log files into an SQL database for further processing.
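As an added example that is not Excubits' own code, the following Python sketches the kind of central import described above: it parses GUID-prefixed log lines into SQLite and counts blocked events per machine. The field layout after the GUID, the sample lines and the table schema are assumptions constructed for this example, not Bouncer's real log format.

```python
import re
import sqlite3

# Constructed sample log: each line carries the machine GUID that GUID-logging
# prepends. The field layout after the GUID is an assumption made for this
# example, not Bouncer's real log format.
SAMPLE_LOG = """\
{3f2504e0-4f89-11d3-9a0c-0305e82c3301} 2019-02-19 10:04:12 ALLOW C:\\Windows\\explorer.exe > C:\\Program Files\\Tool\\tool.exe
{3f2504e0-4f89-11d3-9a0c-0305e82c3301} 2019-02-19 10:05:40 BLOCK C:\\Program Files\\Microsoft Office\\WINWORD.EXE > C:\\Windows\\System32\\cmd.exe
{9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d} 2019-02-19 10:06:01 BLOCK C:\\Program Files\\Microsoft Office\\WINWORD.EXE > C:\\Windows\\System32\\cmd.exe
{9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d} 2019-02-19 10:07:33 ALLOW C:\\Windows\\explorer.exe > C:\\Windows\\notepad.exe
this line is corrupt and must be skipped
"""

# GUID in braces, timestamp, verdict, then "parent > child" image paths.
LINE_RE = re.compile(
    r"^\{(?P<guid>[0-9a-fA-F-]{36})\} "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<verdict>ALLOW|BLOCK) (?P<parent>.+?) > (?P<child>.+)$"
)

def parse_log(text: str) -> list:
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def import_log(conn: sqlite3.Connection, text: str) -> int:
    """Store events keyed by machine GUID; return the number of rows inserted."""
    conn.execute("CREATE TABLE IF NOT EXISTS events "
                 "(guid TEXT, ts TEXT, verdict TEXT, parent TEXT, child TEXT)")
    rows = [(e["guid"].lower(), e["ts"], e["verdict"], e["parent"], e["child"])
            for e in parse_log(text)]
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)

def blocks_per_machine(conn: sqlite3.Connection) -> dict:
    """Count BLOCK events per machine so outliers stand out on the central server."""
    cur = conn.execute("SELECT guid, COUNT(*) FROM events "
                       "WHERE verdict = 'BLOCK' GROUP BY guid ORDER BY guid")
    return dict(cur.fetchall())

def run_demo(text: str = SAMPLE_LOG) -> tuple:
    """Import into an in-memory database; return (rows imported, blocks per GUID)."""
    conn = sqlite3.connect(":memory:")
    return import_log(conn, text), blocks_per_machine(conn)

if __name__ == "__main__":
    print(run_demo())
```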
2019/01/24 by C. Lopez
According to Jigsaw, millions of Internet users are tricked by phishing mails every day. Google has published a quiz that lets you test your knowledge about phishing and helps you become more sensitive to this kind of technique. Try it and be amazed.
2019/01/12 by F. Rienhardt
We wish all readers a wonderful new year! January is always the time of good intentions for the new year, such as doing more sports or spending less time on your mobile. Well, we have started cleaning things up and are currently successfully testing the new AdminByPass feature in Bouncer. Bouncer has passed the last patch day successfully, and we are looking forward to finalizing things so we can release a new version of Bouncer soon.
We have also composed and published a new list of dangerous cmdlet names, so you can harden your systems even more. You can put them onto your command line blacklist (Bouncer, CommandLineScanner), and we hope this list helps you avoid infections by more sophisticated attackers.
Besides that, we have also licensed AnyDesk, so we can now provide personal remote support for our customers. This can be very helpful for inexperienced users who just want to get their things done without hassle. If you are interested, just get in touch with us.
2018/12/18 by F. Rienhardt
We are happy to release the new beta version of Bouncer, now supporting the [ADMINBYPASS] feature. If you like, you can allow system (admin) processes to bypass Bouncer's rules engine. This reduces the complexity of rules and simplifies how you install patches or updates, which often require SYSTEM/admin permissions. On the other hand, we must also point out that there is a risk, because malicious executables running as SYSTEM or in the admin group could then bypass the rules as well. So you need to balance security against comfort, but you now have a choice. Consider yourself informed and warned. Well, enjoy testing and let us know what you think about it.
2018/12/18 by F. Rienhardt
The trojan Emotet has been spread via so-called dynamite phishing in the last couple of weeks. The attackers use some nice tricks to camouflage their trojan from antivirus scanners. The emails are personally addressed and formulated to fit the target, so many recipients opened the attachments. The attachment contains malicious macros that finally download a trojan from the Internet. By downloading the trojan from the Internet, attackers can easily adapt the malicious code in time and ensure that it is not detected by current virus scanners. Even if an antivirus is able to detect a variant of the trojan, it does not take long until the criminals adapt the code to bypass it again. A cat-and-mouse game starts: criminals against the antivirus industry. Those who do not constantly update their virus scanners have no chance and may be in danger.
In addition, the criminals use further techniques. The macro does not contain suspicious code, but decodes it from the Word document's content. The criminals embed a form text field in the document, to be exact a so-called Microsoft Forms 2.0 TextBox object; see the following screenshots:
This field contains the actual shellcode, which is started in a hidden cmd.exe console window. The code then downloads and executes the trojan. The whole process is known as staging and is a well-known technique. But what is new? Well, that they use Microsoft Forms and that the criminals try to download and start the executables from the directory C:\ProgramData\. This is fairly clever, because this folder probably does not raise any suspicion during a quick analysis. Usually attackers use temporary folders like %temp%, which are well known from attacks. The folder C:\ProgramData\, on the other hand, is also used by many legitimate programs.
Conclusion: If you don't need macros for your daily work, you should simply deactivate them or only allow signed macros. In addition, you should check whether parent rules are suitable for you. Ask yourself whether Word, Excel, PowerPoint, Adobe Reader and browsers really need to start other processes. We at Excubits say: No! The Windows Explorer is legit and there to start programs, not Office or other business apps. Therefore we recommend restricting typical office applications so that they can only start themselves. Keep your system and installed programs up to date: install updates and patches regularly. Update your virus scanner daily. Do not use your computer with administrator rights for normal business. Store backup copies of your important files on an external device and keep it separate from the computer. If an email or file seems suspicious: don't click, think and ask first. Resist tempting offers and information: most successful attacks rely on curiosity, envy, avarice, forbidden things like sex, drugs and rock 'n' roll - don't get fooled or tricked by these.
2018/11/28 by C. Lopez and F. Rienhardt
We were asked several times if we could implement an optional feature into our drivers which allows elevated (admin/system) processes to bypass our driver's rules engine. This would be a powerful feature to reduce the effort one has to spend on updates and patches. Well, as security guys we were (and are) not happy with such an option, but we listen to the community and understand why this is required. So we started to find a way to integrate this feature into our drivers. You might already know what will follow... :-)
Well, we are happy to introduce the [ADMINBYPASS] feature, which allows elevated parent processes (with system or admin permissions) to start processes and execute command line calls without going through our rule decision function in Bouncer. If you have enforced a "normal user" for daily business and an "admin user" for updates and software installations, this now makes the process much more comfortable, as you do not need to switch into [INSTALLMODE] or [#LETHAL] anymore. This should also lead to more generic configurations that do not aim at fully fledged "bullet proof" hedging, but enable you to build hardening configurations that help mitigate many risks without being too strict.
We are currently heavily alpha testing internally and will soon release a first version of Bouncer in our beta camp. If you can't wait for the release, sign up for our newsletter and you will receive a notification as soon as it is ready. We're also going to hold a live seminar very soon, so if you ever wanted to get in touch with us, this will be your chance. Stay tuned, to be continued...
2018/11/16 by F. Rienhardt
The days are getting shorter again, so we usually make ourselves comfortable at home and read books. We are asked again and again why you should use one of our application whitelisting solutions. Well, I had some time and recently read the following book by Wil Allsopp: Advanced Penetration Testing: Hacking the World's Most Secure Networks. Security specialists might know one or the other of the attacks, which Wil Allsopp describes with a lot of love for anecdotes. We strongly recommend this book to every IT security specialist. Read this book and ask yourself if and how secure your Windows systems really are :-) Trust me, it is worth reading.
We have also updated the list of LOLBins in the blacklist; please use it with caution, as some of the tools are required. Here, parent checking is the key.
2018/09/17 by F. Rienhardt
We know that many system admins are happy with Windows' built-in AppLocker, but when it comes to hardening your systems even more, you need the parent checking capabilities of Bouncer. This is particularly true for Living Off The Land Binaries and Scripts (LOLBins and LOLScripts), which are needed by system processes but are not required to be run via your office tools, web browsers or accounting applications. Here Bouncer's (and our other drivers') parent checking feature provides a powerful extra layer of security. So we would like to draw your attention to this feature and also refer you to a great collection of well-known LOLBins and LOLScripts you should check and take into account.
To sum it up, consider parent checking within your malware mitigation strategy and have a look at the GitHub collection here. Check to what extent your Windows boxes really need full execution rights to these binaries and whether you can make use of parent checking to reduce the risk.
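As an added example (not Excubits' code and not Bouncer's rule syntax), the following Python models the parent rules recommended in the Emotet conclusion above and here for LOLBins: office apps and browsers may only start themselves, LOLBins need a trusted parent, and a launch from C:\ProgramData\ by an untrusted parent is raised for review rather than blocked, since legitimate programs live there too. The application and binary lists, the ALERT verdict and the sample events are assumptions constructed for this example.

```python
import ntpath

# Constructed policy modelled on the advice in the text; it is an illustration,
# not Bouncer's rule syntax. Image names are compared by lower-cased basename.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe",
               "chrome.exe", "firefox.exe"}
# LOLBins that system processes need but office apps and browsers should never
# spawn (a small excerpt picked for the example).
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Parents that legitimately launch programs: Explorer and service hosts.
TRUSTED_LAUNCHERS = {"explorer.exe", "services.exe", "svchost.exe"}
DROP_DIR = "c:\\programdata\\"   # used by Emotet, but also by legitimate software

def _image(path: str) -> str:
    return ntpath.basename(path).lower()

def evaluate(parent: str, child: str) -> tuple:
    """Return (verdict, reason) for one process-creation event."""
    p, c = _image(parent), _image(child)
    # Rule 1: office apps and browsers may only start themselves.
    if p in OFFICE_APPS:
        if c == p:
            return "ALLOW", f"{p} restarting itself"
        return "BLOCK", f"{p} must not start {c}"
    # Rule 2: LOLBins need a trusted parent.
    if c in LOLBINS and p not in TRUSTED_LAUNCHERS:
        return "BLOCK", f"LOLBin {c} started by untrusted parent {p}"
    # Rule 3: C:\ProgramData\ launches by untrusted parents are flagged, not blocked.
    if child.lower().startswith(DROP_DIR) and p not in TRUSTED_LAUNCHERS:
        return "ALERT", f"{c} launched from C:\\ProgramData\\ by {p}"
    return "ALLOW", "no parent rule matched"

def replay(events) -> list:
    """Run the rules over (parent, child) pairs and return the verdicts."""
    return [evaluate(parent, child)[0] for parent, child in events]

# Constructed events replaying the macro chain described in the Emotet post.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    (r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Windows\System32\cmd.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\ProgramData\update.exe"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rundll32.exe"),
    (r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     r"C:\Program Files\Microsoft Office\EXCEL.EXE"),
]

if __name__ == "__main__":
    for (parent, child), verdict in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(verdict, _image(parent), "->", _image(child))
```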
2018/08/31 by F. Rienhardt
We have renewed our blacklist recommendation for critical system applications often exploited to drop and execute malware. Protect yourself even better with the new and extended ruleset. You can download the list here.
Unfortunately, some virus scanners have once again rated our installers as harmful, although they are not. This is a misclassification referred to as a false positive. To save you the trouble, we have already contacted the AV vendors to remove the false positives from their lists. However, since this can sometimes take several days or weeks, we have also rebuilt the binary packages. Nothing has changed in our software; the packages have just been repackaged.
2018/06/21 by F. Rienhardt
We had to update the installer packages for Bouncer and Türsteher. Once again some AV vendors flagged our installer as malicious, although the installer is no malware: we are a trustworthy vendor, have an EV certificate and are a real, officially registered company. What a mess!
We also updated the tray application: the icons for the executables are no longer branded for Bouncer or Türsteher, so it better suits our other drivers that are supported by the tray application. We have also fixed an issue where some users reported an installation-mode balloon message although the driver was running in normal mode (greetings and thanks to Jeff). We also changed some wordings in the .locales files and, last but not least, added the playsound and shortmenu options. The latter suits environments where the user does not have permission to make any changes to the driver, so it does not make sense to show all the possible options.
2018/06/20 by F. Rienhardt
We are happy to give a presentation at the heise devSec 2018 conference from 16th to 18th October 2018 in Heidelberg, Germany. Come and see us live. More information can be found at devSec() 2018. We are very delighted to give a talk about secure kernel driver development and how to use kernel-only solutions for malware analysis and detection. If you want to meet us or discuss with us in or near Heidelberg, this is your chance: get in touch with us.
2018/06/11 by F. Rienhardt
We have finished the beta phase and are happy to announce the new version of Bouncer. We have not only revised the driver but also rewritten the manual; it is now clearer and much shorter. In addition, the tray application has been completely revised and now supports localization. You can edit the files bouncer.locales and tuersteher.locales to fully localize the TrayApp to your needs.
But that's not all. The tray application now not only supports Bouncer: by changing the file names, the tray application can also support all our other drivers. For example, rename BouncerTray_x86.exe and BouncerTrayHelper_x86.exe to MZWriteScannerTray_x86.exe and MZWriteScannerTrayHelper_x86.exe, and the TrayApp will support MZWriteScanner. Of course you should adjust the locales file to fit the driver, but it gives you a first glimpse of what's next... Enjoy!