


News about Excubits and IT-Security

Blacklist suggestions from the Microsoft's Device Guard Team

Updated Blacklist for Bouncer and Command Line Scanner

2017/06/19 by F. Rienhardt

Microsoft's Device Guard Team maintains a list of “vulnerable applications” that they recommend putting on a blacklist. The named applications can be used to bypass Device Guard and other application whitelisting (anti-executable) software. We also maintain such a list and have updated it in line with the suggestions from Microsoft's Device Guard Team. Thanks to WildByDesign for posting this at Wilders Security Forums and Shizzle for giving a hint.

Enhanced memory protection with module filtering

New beta of MemProtect released

2017/06/09 by F. Rienhardt

We have released a new beta version of MemProtect in the BetaCamp. This brand new version now supports module filtering. This feature lets you define exactly which modules (DLLs) can be loaded by an executable. It was inspired by functionality in EMET, and we would also like to give a shout-out to Dave. We hope you like the beta and look forward to pushing it into the release version soon.

2017/06/11 Updated Binaries

We have updated the beta package; the configuration file can now be up to 512Kbs in size. You should now be able to test MemProtect with more options and especially with more libraries in the .ini file. Have fun.

Public Domain source code of a demonstration Tray-App

Create your own Tray-App for our drivers

2017/06/07 by F. Rienhardt

Well, we are happy to announce the first version of a generic Tray-App under Public Domain which can be used to create your own eventing apps for our drivers. If there is a need, we will adjust and enhance this sample so you can get the maximum out of it. For the first release we decided to keep things as simple as possible and to show you how easily things can be done using our drivers. The source should encourage you to build your own watchdog applications which perfectly suit your needs, and it should prove that you do not get a black box. We do not just say it is simple; it really is, as you can now see.

You can download the current version from here. We hope you will find the code useful, if you have something to share with us or the community, please let us know. We are happy to hear from you.

Enhanced notifications for the tray application

New Tray-App in Beta-Camp

2017/05/30 by F. Rienhardt

There was some demand for balloon notifications in Pumpernickel, MemProtect and the other drivers. Some users also requested a “play sounds” feature instead of notifications through colors or balloon messages. You can enable these options by using the following command line parameters:

on an event. We decided to first start with Pumpernickel and published the first version into the BetaCamp. Tray Apps for the other drivers will follow up in the next days or weeks. We hope you enjoy, any feedback is welcome.

We will also soon publish some demo code for AutoIt that you can use to write your own notification applications. The code will be under Public Domain, so you are free to use and distribute it. You will see that the code is pretty simple, which proves that there is no need for sophisticated techniques to get things done. We hope you will find the code useful. If you have something to share with us or the community, please let us know. We are happy to hear from you.

Watch out for ^-symbols in the command line

Another way to bypass application whitelisting

2017/05/28 by F. Rienhardt

A while ago, we stumbled over some Word and Excel files containing malicious macros which downloaded and executed ransomware. Nothing new so far; what made us curious was that the cyber crooks utilized the command shell (cmd.exe) in a tricky way. Instead of executing the commands in plain text, they used the ^-symbol to obfuscate their call to the PowerShell interpreter:

[Image: cmd.exe shell ^ blur trick]

If you remove the ^-symbol you will quickly identify a well known HTTP downloading and execution powershell script, as seen in many malicious campaigns. This kind of obfuscation technique again will stop some AVs and other anti cyber-attack tools from detecting such threats.

Good to know that Bouncer will detect such attacks instantly if you make use of the *>cmd*/c rule which we recommended back in 2016. But you can specify a more generic rule


in the command line blacklist. The same rule can also be used for our Command Line Scanner driver.
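The ^ handling described in this post can also be applied when reviewing logged command lines. The following is an added example, not Excubits code: it resolves carets the way cmd.exe does (dropped outside double quotes, literal inside them) and flags command lines where carets sit in front of letters or hide a watched name. The sample command lines are constructed, the watched names are taken from this page, and the threshold of 3 is an assumption.

```python
# Added example: constructed command lines, not samples from the campaign.
WATCHED = ("powershell", "odbcconf", "sdbinst")  # names taken from this page

def resolve_carets(cmdline):
    """Return (command line as cmd.exe sees it, carets placed before a letter/digit)."""
    out, odd, in_quotes, i = [], 0, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "^" and not in_quotes:
            i += 1                          # the caret itself is dropped
            if i < len(cmdline):
                if cmdline[i].isalnum():    # escaping a letter serves no shell purpose
                    odd += 1
                out.append(cmdline[i])      # the escaped character is taken literally
        else:
            if ch == '"':
                in_quotes = not in_quotes   # carets inside "..." stay literal
            out.append(ch)
        i += 1
    return "".join(out), odd

def analyse(cmdline, threshold=3):
    """threshold is an assumed cut-off for 'too many carets before letters'."""
    clean, odd = resolve_carets(cmdline)
    raw, low = cmdline.lower(), clean.lower()
    # A watched name that only appears after normalization was hidden by carets.
    hidden = [n for n in WATCHED if n in low and n not in raw]
    return {"normalized": clean, "odd_carets": odd, "hidden": hidden,
            "suspicious": bool(hidden) or odd >= threshold}

SAMPLES = [  # constructed
    'cmd.exe /c p^o^w^e^r^s^h^e^l^l.exe -NoP^rofile -Command Get-Date',
    'cmd.exe /c echo a ^& b ^> out.txt',   # legitimate escaping of & and >
    'cmd.exe /c echo "x^y"',               # caret inside quotes is literal
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = analyse(s)
        print("SUSPICIOUS" if r["suspicious"] else "ok        ", r["normalized"])
```

Matching rules against the normalized string as well as the raw one keeps plain-text rules effective when carets are inserted.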

#WannaCrypt0r #WanaCry, #Wcry attacked thousands of PCs

How to protect and mitigate against cyber attacks

2017/05/17 by F. Rienhardt

On Friday, May 12, 2017 a massive ransomware #WannaCry attack hit Windows computers all over the world. The attack utilized the EternalBlue exploit to rapidly spread itself over networks. The EternalBlue exploit was originally published through the Shadow Brokers dump of the NSA hacking tools. The exploit makes use of a vulnerability in the Microsoft Server Message Block (SMB) protocol on TCP port 445. The malware scans for vulnerable devices and spreads through them.

Well, normally ransomware is not worth highlighting, but the huge number of infected machines in such a short time frame is. With over 200.000 infected machines in 150 countries this attack had a huge impact and shows how fragile IT still is. It was reported that the British health care system was knocked out, in Germany destination boards of rail services were disrupted, and in Japan ATMs were out of service, etc. PCs are everywhere; even if we use a lot of mobile devices and IoT, there is still a huge number of systems in the background helping us manage our lives in a convenient way. So it is important that we can rely on them. But can we?!

[Image: WannaCry ransom desktop background]

As reported by Proofpoint, besides WannaCry there seems to be another huge attack named Adylkuzz, but the attackers operated a bit more covertly. They still used the same exploit to distribute their vicious executable: a Monero crypto currency miner. But the cyber crooks did not just encrypt or delete files for a ransom. They were clever enough to use the computing power of the infected machines to mine for digital money.

Again, the attacks behind the EternalBlue exploit are not that sophisticated. Neither WannaCry nor Adylkuzz and their technical properties are sensational. The news is that these attacks spread in such numbers and at such speed. If you analyze the malware samples you will find that it is again just a bunch of executables dropped onto your system. There are also a lot of command line shell calls to system tools which helped the attackers to install a service, adjust permissions, or delete backups. Well, from this perspective nothing really new.

If you had rolled out application whitelisting, applied patches and created backups, things should not have gone crazy last Friday. We have analyzed WannaCry using one of our honeypot machines and were able to trace exactly what this "beast" does, just by having our drivers in [#LETHAL] and [LOGGING] mode. You do not need to debug or disassemble to get a basic understanding of what WannaCry did. Just collecting the right data on your endpoints is enough to spot such attacks at an early stage, and then deploy the right countermeasures. Having blocking enabled not only provides information at an early stage, it also mitigates at an early stage.

What is the outcome, what to recommend?

Well, this was said by us and others several times:

If you'd like to go deeper, we recommend using command line scanning as featured in Bouncer or CommandLineScanner. We also recommend deploying memory protection as we did with MemProtect. Just logging executables dropped onto your system by using MZWriteScanner can also help a lot to identify attacks at an early stage.

You do not need huge and expensive solutions to fight current malware attacks. You can just use Sysinternals Process Explorer or Sysmon; the only thing you need to do is: START DOING IT!

New paths for the blacklist

Why you should blacklist some paths below C:\Windows\

2017/05/07 by F. Rienhardt

Recently we updated our blacklist of applications you should block for daily Windows use. You might have noticed that we had included some directories on the blacklist, but there are many more you should consider. The problem is that Windows allows standard users write access to some folders below C:\Windows\, hence you and malware could place executables into such a folder. If you have specified a whitelist rule like C:\Windows\*, such injected code could thus be started. This is not what we want as a final result if we use application whitelisting, right?! So it is time to create some blacklist rules for the well-known paths below C:\Windows\* that are writable. You can download the latest blacklist and take it as an inspiration for your own blacklist.

Well, but there is more to do. It might be possible that your specific configuration of Windows allows some other paths below C:\Windows\ to be written by the standard/default user, so you should check their names and also put them on the blacklist. If there are executables inside such folders that shall be executed, you can whitelist them by the fully qualified path, including the executable's filename, using a priority rule (i.e. starting with !).

Enumerating such paths is quite simple: You can write a script that runs through all directories and tries to read out the access permissions, or that tries to copy a file into the folder. Unfortunately, we tried this and found that this method does not seem to be suitable. We found a much simpler way to achieve the same thing, and no code has to be written. Just do a

dir /B /S /A:D C:\Windows >dummy.txt

on a cmd.exe shell with standard user permissions. Then open up the dummy.txt file and replace any C:\Windows\ with

xcopy 4cdfa0c8-9c1f-4b14-8eb5-a5b6405284d3.exe C:\Windows\

where 4cdfa0c8-9c1f-4b14-8eb5-a5b6405284d3.exe can be any executable. Just give it a weird name; we used a randomly generated UUID. Then copy the whole content of dummy.txt to the clipboard and paste it into a cmd.exe shell. Do not worry, it takes a certain time to run. Once all commands are processed, you can search for the executable in Explorer down in C:\Windows\, and voila, after a little while of searching you will have a list of paths where you as a standard user could place executables. After updating your blacklist do not forget to delete the copied files, and also restart Bouncer or your other application whitelisting solution to ensure that the new rules are enforced.

Well, this method is a bit cheesy, but it works and, most importantly, it got us much better results than any tool we tried for the same purpose. It seems that the console in some situations has more rights than tools that do the same. As we see a lot of malware campaigns making use of stacked calls of “cmd.exe /c” commands, it seems to be a good idea to use a cmd.exe shell to obtain such a list, as this is what can be executed by cyber crooks easily.
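The search-and-replace step and the final write-up can be done with a small helper while the probing itself still runs in cmd.exe as described. This is an added example, not Excubits code: it quotes each destination so directory names containing spaces survive, and it turns a listing of the places where the probe file landed into rule candidates and cleanup commands. The directory names are constructed, collecting the hits with dir /B /S is an assumption (the post searches in Explorer), and the folder\* rule form is assumed from the C:\Windows\* rule shown above.

```python
import ntpath  # Windows path handling that also works off-box

PROBE = "4cdfa0c8-9c1f-4b14-8eb5-a5b6405284d3.exe"  # probe file name used on this page
ROOT = "C:\\Windows\\"

def probe_commands(dir_listing, probe=PROBE):
    """Turn `dir /B /S /A:D C:\\Windows` output into one xcopy line per folder."""
    cmds = []
    for line in dir_listing.splitlines():
        folder = line.strip()
        if not folder.lower().startswith(ROOT.lower()):
            continue  # skip blank lines and anything outside C:\Windows\
        # Quotes keep "Sample Dir" in one argument; /Y avoids overwrite prompts on reruns.
        cmds.append(f'xcopy /Y "{probe}" "{folder}"')
    return cmds

def rules_and_cleanup(found_listing, probe=PROBE):
    """From the full paths where the probe landed, derive blacklist rule
    candidates (folder\\*, assumed rule form) and del commands for cleanup."""
    rules, cleanup = set(), []
    for line in found_listing.splitlines():
        path = line.strip()
        folder, name = ntpath.split(path)
        if name.lower() != probe.lower():
            continue  # not a probe hit
        rules.add(folder + "\\*")
        cleanup.append(f'del "{path}"')
    return sorted(rules, key=str.lower), cleanup

# Constructed sample data (not output from a real machine).
DIR_LISTING = "C:\\Windows\\Temp\nC:\\Windows\\Sample Dir\\Sub\n\nD:\\Other\n"
FOUND = ("C:\\Windows\\Temp\\" + PROBE + "\n"
         "C:\\Windows\\Sample Dir\\Sub\\" + PROBE + "\n")

if __name__ == "__main__":
    print("\n".join(probe_commands(DIR_LISTING)))
    rules, cleanup = rules_and_cleanup(FOUND)
    print("\n".join(rules))
    print("\n".join(cleanup))
```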

If you have any questions, comments or suggestions, please do not hesitate to share them with us, so we can update this post and also the blacklist. Thanks.

Update of our blacklist

2017/04/19 by F. Rienhardt

We have updated our blacklist as there are again clever ways to install malicious executables persistently onto your system. Casey Smith a.k.a. subTee has written some great articles about this, but unfortunately removed them from his blog. You can also find some helpful information regarding this issue here. Based on this, you should consider blacklisting *odbcconf.exe and *sdbinst.exe, too. We added these two executables to the blacklist.

Some thoughts on CVE-2017-0199 and Application Whitelisting

2017/04/18 by F. Rienhardt

As you might already know there is an Office Remote Code Execution Vulnerability (CVE-2017-0199) that is actively exploited. After a quick analysis we can confirm that Bouncer and CommandLineScanner can mitigate against this vulnerability.

If you look at the incident from a more formal perspective there is nothing really new. Well, yet another security hole which leads to code execution by first downloading and then starting an executable. This again confirms that any application whitelisting strategy proactively helps to mitigate a bunch of attacks out there. Sure, there are still ways to bypass application whitelisting solutions, but in most cases it dramatically helps to avoid getting infected by the most common malware and exploits we see in the wild. If you deploy application whitelisting you do not have to mess around with all this ordinary junk; you can look for and prepare for the more sophisticated attacks. For example, you can use our drivers MZWriteScanner, MemProtect, and Pumpernickel to monitor for suspicious behavior and track down sophisticated exploits and attacks more easily: See what executables are dropped onto your machines, see what application attempts to access what folders, monitor the command line parameters of started applications. All of this helps to identify an incident at an early stage and to start countermeasures early.

Application whitelisting in combination with consistent monitoring can help a lot to counter the threats we see. As noted above, this covers not just the ordinary malware droppers coming as fake pdf.exe or as JS or VBS scripting files, but also the more sophisticated ones. We are currently seeing a lot of malware campaigns featuring malware executables that are changed so quickly that most anti-virus solutions will fail to detect them. On Virus Total we often see recognition rates of around 4-6 out of 56 scanners. That is a horrible rate. So relying on an anti-virus, even if it includes cloud based checks, heuristics and relies on deep learning strategies, is not enough. Having application whitelisting in place brings a significant added value. If you fine-tune it with blacklisting, parent and command line scanning rules you are well prepared. You can make use of dedicated tools but you can also just use AppLocker, GPOs and the Eventlog. Well, the most important thing here is not what to use or to start a battle on who or what solution is better. Just get up and start doing it.

New binary packages of drivers released

2017/04/02 by F. Rienhardt

We have updated all driver packages now. All drivers again went through extensive review and we have also written manuals for MemProtect and Pumpernickel/FIDES. MZWriteScanner went through an extra review and was optimized a lot. We were able to squeeze the driver's source code and also were able to fix a bug (shout outs and thanks to Dave for his report). We also would like to thank Froggie and Peter for beneficial feedback on MZWriteScanner which helped to optimize this tool.

Preparing new signed packages

2017/03/31 by F. Rienhardt

We are currently preparing a new batch of demo packages. In addition we will also update the full versions in the next days. Stay tuned.
