Newsblog

News about Excubits and IT-Security
Stay up to date and subscribe to our newsletter.

Raising awareness: A phishing quiz by Google's Jigsaw...

How well can you spot phishing in emails?

2019/01/24 by C. Lopez

According to Jigsaw, millions of Internet users are tricked by phishing emails every day. Google has published a quiz that lets you test your knowledge about phishing and helps you become more sensitive to this kind of attack. Try it and be amazed.


All the best for 2019 and some news

A wonderful 2019 and some news from the Beta Lab

2019/01/12 by F. Rienhardt

We wish all readers a wonderful new year! January is traditionally the season of good intentions, such as doing more sports or spending less time on your mobile. We have started cleaning things up as well and are currently testing the new Adminbypass feature in Bouncer with good results. Bouncer passed the last patch day without problems, and we are looking forward to finalizing things so we can release a new version of Bouncer soon.

We have also composed and published a new list of dangerous cmdlet names, so you can harden your systems even further. You can add them to your command-line blacklist (Bouncer, CommandLineScanner), and we hope this list helps you avoid infections by more sophisticated attackers.

Besides that, we have also licensed AnyDesk, so we can now provide personal remote support for our customers. This can be very helpful for inexperienced users who just want their things done without hassle. If you are interested, just get in touch with us.


Simplify the update and software installation process in new Bouncer BETA

Brand new [ADMINBYPASS] feature in Bouncer BETA

2018/12/18 by F. Rienhardt

We are happy to release the new beta version of Bouncer, which now supports the [ADMINBYPASS] feature. If you like, you can allow elevated (SYSTEM/admin) processes to bypass Bouncer's rules engine. This reduces the complexity of your rules and simplifies how you install patches or updates, which often require SYSTEM or admin permissions. On the other hand, we must point out the risk: malicious executables running as SYSTEM or as a member of the Administrators group would then bypass the rules engine as well. So you need to balance security against comfort, but you now have the choice. Consider yourself informed and warned. Enjoy testing and let us know what you think about it.


OCX Objects as hidden shellcode vehicles

Malicious Word Macros and OCX Objects in MS Word

2018/12/18 by F. Rienhardt

The trojan Emotet has been spread via so-called dynamite phishing in the last couple of weeks. The attackers use some nice tricks to hide their trojan from antivirus scanners. The emails are personally addressed and worded to fit the target, so many recipients opened the attachment. The attachment contains malicious macros that eventually download a trojan from the Internet. By downloading the trojan at run time, the attackers can adapt the malicious code quickly and make sure it is not detected by current virus scanners. Even if an antivirus engine detects one variant of the trojan, it does not take long before the criminals adapt the code to bypass it again. A cat-and-mouse game starts: criminals against the antivirus industry. Those who do not keep their virus scanners up to date have no chance and are at risk.

In addition, the criminals use further techniques. The macro itself does not contain suspicious code, but decodes it from the Word document's content. The criminals embed a form text field in the document, to be exact a so-called Microsoft Forms 2.0 TextBox object, see the following screenshots:

Screenshots: hidden text field in the Word document; shellcode in the Microsoft Forms 2.0 TextBox object.

This field contains the actual payload, an obfuscated command string (the "shellcode" of the title) that is executed in a hidden cmd.exe console window. That command then downloads and executes the trojan. The whole process is known as staging and is a well-known technique. So what is new? That they use Microsoft Forms, and that the criminals download and start the executable from the directory C:\ProgramData\. This is fairly clever, because this folder probably does not raise any suspicion during a quick analysis. Usually attackers use temporary folders like %temp%, which are well known as drop locations. The folder C:\ProgramData\, on the other hand, is also used by many legitimate programs.

Conclusion: If you don't need macros for your daily work, simply deactivate them or only allow signed macros. In addition, check whether parent rules are suitable for you. Ask yourself whether Word, Excel, PowerPoint, Adobe Reader and your browser really need to start other processes. We at Excubits say: No! Windows Explorer is the legitimate place to start programs from, not Office or other business applications. Therefore we recommend restricting typical office applications so that they can only start themselves. Keep your system and installed programs up to date: install updates and patches regularly. Update your virus scanner daily. Do not use your computer with administrator rights for normal business. Store backup copies of your important files on an external device and keep it disconnected from the computer. If an email or file seems suspicious: don't click, think and ask first. Resist tempting offers and information: most successful attacks rely on curiosity, envy, greed, or forbidden things like sex, drugs and rock 'n' roll. Don't get fooled or tricked by these.


Simplify the update and software installation process in Bouncer

New admin-bypass feature

2018/11/28 by C. Lopez and F. Rienhardt

We were asked several times whether we could implement an optional feature in our drivers that allows elevated (admin/system) processes to bypass the driver's rules engine. This would be a powerful feature to reduce the effort one has to spend on updates and patches. Well, as security guys we were (and are) not happy with such an option, but we listen to the community and understand why it is required. So we started looking for a way to integrate this feature into our drivers. You might already know what follows... :-)

Well, we are happy to introduce the [ADMINBYPASS] feature, which allows elevated parent processes (with system or admin permissions) to start processes and execute command lines without going through the rule decision function in Bouncer. If you have enforced a "normal user" for daily business and an "admin user" for updates and software installations, this makes the process much more comfortable, as you no longer need to switch into [INSTALLMODE] or [#LETHAL]. This should also lead to more generic configurations that do not aim at fully fledged "bullet proof" hedging, but let you build hardening configurations that mitigate many risks without being too strict.

We are currently alpha testing this heavily in-house and will soon release the first version of Bouncer with this feature in our beta camp. If you can't wait for the release, subscribe to our newsletter and you will receive a notification as soon as it is ready. We are also going to hold a live seminar very soon, so if you ever wanted to get in touch with us, this will be your chance. Stay tuned, to be continued...


Book recommendation: Wil Allsopp

Advanced Penetration Testing

2018/11/16 by F. Rienhardt

The days are getting shorter again, so we usually make ourselves comfortable at home and read books. We are asked again and again why you should use one of our application whitelisting solutions. Well, I had some time and recently read the following book by Wil Allsopp: Advanced Penetration Testing, Hacking the World's Most Secure Networks. Security specialists might already know one or the other of the attacks Wil Allsopp describes with a lot of love for anecdotes. We strongly recommend this book to every IT security specialist. Read it and ask yourself if and how secure your Windows systems really are :-) Trust me, it is worth reading.

We have also updated the list of LOLBins in the blacklist. Please use it with caution, as some of these tools are required by the system; here parent checking is the key.


Living Off The Land Binaries And Scripts

System hardening by blocking LOLBins and LOLScripts

2018/09/17 by F. Rienhardt

We know that many system admins are happy with Windows' built-in AppLocker, but when it comes to hardening your systems even further you need the parent checking capabilities of Bouncer. This is particularly true for Living Off The Land Binaries And Scripts (LOLBins and LOLScripts), which are needed by system processes but never need to be started by your office tools, web browsers or accounting applications. Here the parent checking feature of Bouncer (and of our other drivers) provides a powerful extra layer of security. So we would like to draw your attention to this feature and point you to a great collection of well-known LOLBins and LOLScripts you should check and take into account.

To sum it up, consider parent checking as part of your malware mitigation strategy and have a look at the GitHub collection mentioned above. Check to what extent your Windows boxes really need full execution rights for these binaries, and whether you can use parent checking to reduce the risk.


Extended blacklist for better protection

New binary packages for bouncers and a new blacklist

2018/08/31 by F. Rienhardt

We have renewed our blacklist recommendation for critical system applications that are often abused to drop and execute malware. Protect yourself even better with the new, extended ruleset. You can download the list here.

Unfortunately, some virus scanners have once again rated our installers as harmful, although they are not. Such a misdetection is referred to as a false positive. To save you the trouble, we have already contacted the AV vendors to remove the false positives from their signatures. However, since this can take days or even weeks, we have also rebuilt the binary packages. Nothing has changed in our software; the packages have just been repackaged.


Updated installer and tray application

New binaries for Bouncer and Türsteher

2018/06/21 by F. Rienhardt

We had to update the installer packages for Bouncer and Türsteher. Once again some AV vendors flagged our installer as malicious, although it is not malware: we are a trustworthy vendor, sign with an EV certificate and are a real, officially registered company. What a mess!

We also updated the tray application. The icons of the executables are no longer branded for Bouncer or Türsteher, so they better suit the other drivers the tray application supports. We have also fixed an issue where some users saw an installation-mode balloon message although the driver was running in normal mode (greetings and thanks to Jeff). We changed some wordings in the .locales files and, last but not least, added the playsound and shortmenu options. The latter suits environments where the user has no permission to change anything regarding the driver, so it makes no sense to show all the possible options.


Secure Dev Conference Heidelberg

Meet us at heise devSec() 2018

2018/06/20 by F. Rienhardt

We are happy to give a presentation at the heise devSec() 2018 conference from 16 to 18 October 2018 in Heidelberg, Germany. Come and see us live. More information can be found at devSec() 2018. We are delighted to give a talk on secure kernel driver development and on how to use kernel-only solutions for malware analysis and detection. If you want to meet us or discuss with us in or near Heidelberg, this is your chance: get in touch with us.


Beta phase of Bouncer and Türsteher completed

Release of brand new Bouncer and Türsteher

2018/06/11 by F. Rienhardt

We have finished the beta phase and are happy to announce the new version of Bouncer. We have not only revised the driver, but also rewritten the manual; it is now clearer and much shorter. In addition, the tray application has been completely revised and now supports localization. You can edit the files bouncer.locales and tuersteher.locales to fully localize the TrayApp to your needs.

But that's not all. The tray application no longer supports only Bouncer: by changing the file names, it can support all our other drivers. For example, rename BouncerTray_x86.exe and BouncerTrayHelper_x86.exe to MZWriteScannerTray_x86.exe and MZWriteScannerTrayHelper_x86.exe, and the TrayApp will support MZWriteScanner. Of course you should adjust the locales file to fit the driver, but this gives you a first glimpse of what's next... Enjoy!

