Newsblog

News about Excubits and IT-Security

First English Video

2016/01/09 by F. Rienhardt

In our first English video we show how Bouncer can protect against typical spam e-mails that contain malicious attachments (like ransomware or cryptolockers).


New Beta Camp Releases

2016/01/02 by F. Rienhardt

We have just released the new version of Bouncer in the Beta Camp. The new beta version now supports date and time stamps in the log. For example, log entries now look like:

2016/01/02_11:59:56 > C:\Windows\explorer.exe > C:\Users\VM_TestUser\Desktop\evil_malicious.exe

Besides some minor performance enhancements we also introduce the priority rules we wrote about in this blog several weeks ago. Priority rules are rules that can override any other classic Bouncer rule, whether it is on the white- or blacklist. Although Bouncer already supports a very powerful rules mechanism, we think that priority rules will provide more flexibility. So you can, for example, blacklist C:\Windows\Temp but still whitelist the necessary update executables that need to be started from C:\Windows\Temp. Assume you have an updater that runs from C:\Windows\Temp\SomeUpdater.exe; you shall then set a priority rule !C:\Windows\Temp\SomeUpdater.exe in the [WHITELIST] section. Please note that the order of rules matters. If you have a whitelist rule C:\Windows\*, you shall place the priority rule !C:\Windows\Temp\SomeUpdater.exe before C:\Windows\*; otherwise the rules engine will find C:\Windows\* first, and since that is not a priority rule, the start will then be blocked by the blacklist rule C:\Windows\Temp\*.

We are also happy to announce that we have now published Pumpernickel. Pumpernickel is a simple kernel mode driver that enables you to sandbox (limit) the write attempts of processes. For example, you can restrict notepad.exe such that it can only write text files to some whitelisted paths. Pumpernickel can be a very handy but powerful tool for browser protection, because it ensures that a browser's process can only write files to certain locations. This can help to mitigate exploits and other dangerous activities browsers (or other applications) might be misused for. Please note that Pumpernickel is currently in early beta, so only install and test it if you are an expert and are used to configuring our other drivers -- meaning, you know how our stuff works in the background.

Please do not try the beta camp drivers on production systems. Using them is at your own risk, including all damages caused, so consider yourself warned and informed.

If you have any questions, feel free to contact us.


How Cryptolockers infect your PC in stages (German)

2015/12/13 by F. Rienhardt

Currently a lot of Cryptolockers are sent as spam mails. In this video (German only) we show what such a malicious spam e-mail looks like and what is behind the scenes. Our experts do a quick in-depth analysis of the attached and zipped JavaScript dropper's code and show that executables are downloaded and executed. Excubits Bouncer can help to avoid infections by typical Cryptolockers and other mal- and crimeware. Start to protect your Windows PC today and use Bouncer.


Upcoming priority Rules for Bouncer and some other news

2015/12/06 by F. Rienhardt

We are still improving Bouncer and are happy to announce that our driver will feature so-called priority rules in the next release. Priority rules are rules that can override any other classic Bouncer rule, whether it is on the white- or blacklist. Although Bouncer already supports a very powerful rules mechanism, we think that priority rules will provide more flexibility.

A priority rule can be set by adding "!" at the beginning of a rule's line, e.g.:

[WHITELIST]
!C:\Windows\Temp\AVUpdaterXy0001.exe
C:\Windows\*
C:\Program Files\*
C:\ProgramData\Microsoft\*
...
[BLACKLIST]
C:\Windows\Temp\*
...

In the example above we declared C:\Windows\Temp\* to be on the blacklist. For good reasons you shall limit access to this folder, but it often happens that legitimate applications need to write to and execute from C:\Windows\Temp\, hence you cannot block the folder without running into issues afterwards. With priority rules you can define rules that override other rules, so in our example the whitelist rule

!C:\Windows\Temp\AVUpdaterXy0001.exe

will overwrite the blacklist rule

C:\Windows\Temp\*

Hence in this example the AVUpdater can execute from C:\Windows\Temp\, but other applications started from C:\Windows\Temp\ will still be blocked. Additional note: if you have set priority rules in both the [WHITELIST] and [BLACKLIST] sections, then a priority rule from [BLACKLIST] will always override a priority rule from [WHITELIST].
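The evaluation order described in this post and in the Beta Camp post above (the first matching rule wins, a "!" rule overrides the plain rules, and a [BLACKLIST] priority rule beats a [WHITELIST] priority rule) can be modelled in a few lines. The following Python script is an added example, not Excubits' driver code; it assumes that "*" is the only wildcard, that paths are compared case-insensitively, and that a rule outside any section is rejected. The three configurations are constructed to reproduce the ordering pitfall from the Beta Camp post:

```python
"""Model of Bouncer's priority-rule evaluation, as described in the post.

Added example; this is not Excubits' driver code. Assumptions: "*" is the only
wildcard, path matching is case-insensitive (Windows), and each section is
scanned from top to bottom so that the first matching rule wins.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    pattern: str
    priority: bool  # True when the rule line started with "!"

    def matches(self, path: str) -> bool:
        # "*" becomes ".*", every other character is matched literally.
        regex = ".*".join(re.escape(part) for part in self.pattern.split("*"))
        return re.fullmatch(regex, path, re.IGNORECASE) is not None


def parse_ini(text: str) -> Dict[str, List[Rule]]:
    """Read the [WHITELIST] and [BLACKLIST] sections, keeping rule order."""
    sections: Dict[str, List[Rule]] = {"WHITELIST": [], "BLACKLIST": []}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("rule outside of any section: " + line)
        sections[current].append(Rule(line.lstrip("!"), line.startswith("!")))
    return sections


def decide(sections: Dict[str, List[Rule]], path: str) -> str:
    """Return "ALLOW" or "BLOCK" for an executable path."""
    whitelist, blacklist = sections["WHITELIST"], sections["BLACKLIST"]
    # 1. A [BLACKLIST] priority rule overrides everything, including
    #    priority rules in [WHITELIST].
    if any(r.priority and r.matches(path) for r in blacklist):
        return "BLOCK"
    # 2. The first matching [WHITELIST] rule wins; no match means default deny.
    first = next((r for r in whitelist if r.matches(path)), None)
    if first is None:
        return "BLOCK"
    if first.priority:
        return "ALLOW"
    # 3. A plain whitelist hit is still subject to the plain blacklist.
    if any(r.matches(path) for r in blacklist):
        return "BLOCK"
    return "ALLOW"


# Constructed configurations: the priority rule placed before C:\Windows\*
# (correct) and after it (the ordering pitfall from the Beta Camp post).
GOOD_INI = r"""
[WHITELIST]
!C:\Windows\Temp\AVUpdaterXy0001.exe
C:\Windows\*
C:\Program Files\*
[BLACKLIST]
C:\Windows\Temp\*
"""

BAD_ORDER_INI = r"""
[WHITELIST]
C:\Windows\*
!C:\Windows\Temp\AVUpdaterXy0001.exe
C:\Program Files\*
[BLACKLIST]
C:\Windows\Temp\*
"""

# Priority rules on both sides: the blacklist one wins.
BOTH_PRIORITY_INI = r"""
[WHITELIST]
!C:\Windows\Temp\AVUpdaterXy0001.exe
C:\Windows\*
[BLACKLIST]
!C:\Windows\Temp\AVUpdaterXy0001.exe
C:\Windows\Temp\*
"""

UPDATER = r"C:\Windows\Temp\AVUpdaterXy0001.exe"
OTHER = r"C:\Windows\Temp\other.exe"

if __name__ == "__main__":
    for name, ini in (("good", GOOD_INI), ("bad order", BAD_ORDER_INI),
                      ("both priority", BOTH_PRIORITY_INI)):
        rules = parse_ini(ini)
        print(name, UPDATER, decide(rules, UPDATER))
        print(name, OTHER, decide(rules, OTHER))
```

Running it shows the updater allowed only when the priority rule sits before C:\Windows\*, and blocked whenever a blacklist priority rule matches. Use it as a sanity check of your own ini ordering, not as a statement about the driver's internals.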

We will first publish it in the beta camp and then release it (the current plan is around Jan. 2016). Besides Bouncer we are currently developing another driver (codename: Pumpernickel) that is able to block write attempts to blacklisted folders. With this driver you will be able to block any write attempt from any application into blacklisted folders. For example, you can prevent your web browser from writing any file to C:\Windows\ or C:\Program Files\ etc.

For our professional business customers we are also happy to announce that we will soon launch our ExploitBuster-Framework as part of the Excubits family. Have you ever asked yourself: "How can I securely open an untrusted document attachment that I have received via e-mail or on an external drive?" Well, if yes, our upcoming cloud service will answer your question and help to avoid such worries. In a nutshell: it is a cloud service where you can upload document files (doc, xls, ppt, pdf, and others) and have them opened on our pre-configured Windows machines. If a document triggers an exploit or any other malicious behavior, the file will be rated as "malicious" and you shall not open it on your machine. Hence you can avoid infecting your machines but still open documents that you receive as part of your everyday business. In contrast to other solutions we plan to run the service on real hardware, not on VMs, so we assume that typical malware anti-VM techniques will fail and that we will detect and rate malicious files better than our competitors. This service will also be offered as a private cloud or as a fully tailored analysis appliance (real bare-metal hardware, fully under your control) that reflects your individual needs and can be customized. This will dramatically help you to detect and avoid cyber attacks and, in the end, enhance the security of your business infrastructure every day. Be amazed and stay tuned.

We have also just launched our YouTube-Channel and plan to publish videos there. The first one is in German, but we will also feature videos in English, soon.

There is also some more news on application whitelisting you might be interested in. We highly recommend checking out the slides from SecConsult and keeping track of SubTee's Twitter.


Whitelisting Evasion

2015/11/07 by F. Rienhardt

Information Security Analyst Casey Smith did a great job in his presentation on how to bypass application whitelisting on Windows. Besides basic attacks on well-known Windows folders he also showed how to misuse scripting hosts and our beloved .NET Framework. On the latter he showed in an impressive way how an attacker can use built-in .NET executables as vehicles to start up nearly any executable. He showed how to misuse

  • csc.exe (to compile the intruder's code)
  • vbc.exe (to compile the intruder's code)
  • jsc.exe (to compile the intruder's code)
  • InstallUtil.exe
  • IEExec.exe
  • DFsvc.exe
  • dfshim.dll
  • PresentationHost.exe

to start executables of the attacker's choosing. With classic whitelisting defense strategies you will not be able to prevent such attacks. The only way would be to block the mentioned .NET executables, so if you do not need these executables you should blacklist them as soon as possible. We also suggest that you restrict access permissions on

  • C:\Windows\ADFS\*
  • C:\Windows\Fonts\*
  • C:\Windows\Minidump\*
  • C:\Windows\Offline Web Pages\*
  • C:\Windows\tracing\*
  • C:\Windows\Temp\*
  • C:\Windows\Tasks\*

such that you cannot copy (or write) files into any of these folders with default user permissions.

We as security guys know that nothing is absolutely bulletproof; IT security is and will always be a battle of the fittest, and sometimes it is like playing cat and mouse. IT security shall also be layered, hence you should have different protection strategies enforced.

It shall also be well known that classic whitelisting will fail when attackers can use (bytecode) interpreters or reflective in-memory attacks. We are aware of such attacks and understand that classic whitelisting cannot mitigate them. For this reason we have introduced the blacklist and parentblacklist features into Bouncer, which can mitigate some, but not all, of these attacks. We always suggest that users who do not need .NET or other (bytecode/scripting) interpreters should blacklist the underlying interpreter and framework executables. But we also know that this is not feasible for all users.

Thus we have implemented CommandLineScanner, which is able to allow or block executables by their fully qualified executable path and by the provided command line parameters. Using this driver you can mitigate attacks as described by Casey Smith. For example, you can whitelist InstallUtil.exe just for some well-known (and really needed) command line parameters and for source files from trusted paths, and likewise for csc.exe. So an attacker is not able to start these tools with untrusted source files or with malign command line parameters, which makes it more difficult to successfully initiate such attacks.
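As an illustration of the idea behind CommandLineScanner, here is an added Python model (not the driver's code and not its rule syntax) in which an executable is allowed only with parameters from an allow list and only with file arguments that live under trusted directories. The policy entries, the directory C:\Build\Trusted, the .NET paths and the sample invocations are constructed assumptions; everything not covered by a policy is denied:

```python
"""Hypothetical command-line policy in the spirit of CommandLineScanner.

Added example, not the driver's code or rule syntax. It models the idea from
the post: a tool like csc.exe or InstallUtil.exe is allowed only with known
parameters, and any file it is pointed at must come from a trusted path.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def glob_match(pattern: str, value: str) -> bool:
    """Case-insensitive match where "*" is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


# "/name:value" or "/name=value" style switches carry their value after the separator.
_FLAG_WITH_VALUE = re.compile(r"^/[A-Za-z]+[:=](.*)$")


def path_argument(arg: str) -> Optional[str]:
    """Return the Windows path carried by an argument, if it carries one."""
    m = _FLAG_WITH_VALUE.match(arg)
    candidate = m.group(1) if m else arg
    return candidate if re.match(r"^[A-Za-z]:\\", candidate) else None


@dataclass
class CmdPolicy:
    exe: str                 # glob for the fully qualified executable path
    allowed_args: List[str]  # globs; every argument must match one of them
    trusted_dirs: List[str]  # globs; every path argument must match one of them

    def check(self, args: List[str]) -> Tuple[bool, str]:
        for arg in args:
            if not any(glob_match(a, arg) for a in self.allowed_args):
                return False, "parameter not allowed: " + arg
            path = path_argument(arg)
            if path and not any(glob_match(d, path) for d in self.trusted_dirs):
                return False, "file outside trusted paths: " + path
        return True, "ok"


# Constructed policies ("*" stands in for the framework and version folders).
POLICIES = [
    CmdPolicy(
        exe=r"C:\Windows\Microsoft.NET\Framework*\v*\csc.exe",
        allowed_args=["/target:library", "/out:*", "*.cs"],
        trusted_dirs=[r"C:\Build\Trusted\*"],
    ),
    CmdPolicy(
        exe=r"C:\Windows\Microsoft.NET\Framework*\v*\InstallUtil.exe",
        allowed_args=["/LogFile=*", "*.dll"],
        trusted_dirs=[r"C:\Program Files\*"],
    ),
]


def decide(exe: str, args: List[str]) -> Tuple[str, str]:
    """Return ("ALLOW" or "BLOCK", reason); executables without a policy are denied."""
    for policy in POLICIES:
        if glob_match(policy.exe, exe):
            ok, reason = policy.check(args)
            return ("ALLOW" if ok else "BLOCK"), reason
    return "BLOCK", "no policy for this executable (default deny)"


CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

if __name__ == "__main__":
    print(decide(CSC, ["/target:library", r"/out:C:\Build\Trusted\svc.dll",
                       r"C:\Build\Trusted\svc.cs"]))
    print(decide(CSC, ["/target:library", r"C:\Users\bob\AppData\Local\Temp\x.cs"]))
    print(decide(INSTALLUTIL, [r"C:\Program Files\Vendor\Service.dll"]))
    print(decide(r"C:\Windows\System32\mshta.exe", [r"C:\Users\bob\page.hta"]))
```

The important design choice is that the check is positive: a parameter that is not explicitly listed, or a file outside the trusted directories, is enough to block the start, so a compiler or installer can only ever process sources and assemblies you control.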

We have also implemented a memory protection driver that should help to mitigate in-memory attacks, where an attacker tries to access (remotely inject into or exploit) other (vehicle/helper) processes. This driver works really well and, like CommandLineScanner, can help to protect targets under fire. If you use them all together with whitelisting you can achieve a considerably good level of protection.

On our lab and analysis computers we use a combination of our drivers; they work very decently and can block a whole bunch of attacks. We also use them on document analysis systems where we open document files (pdf, doc, xls, ppt, ...) on dedicated Windows-based machines protected by our drivers. If one of our drivers reports a hit, we rate such a file as malicious and can give additional information about the attack (or the exploit being used). This also works great and provides additional protection, because users can test suspicious documents first before they open them on their own machine and operating system.

If you have any questions about advanced threats or need help and assistance with our whitelisting drivers, please do not hesitate to contact us.


New demo videos are online

2015/11/01 by F. Rienhardt

Unsuspecting users often receive e-mails claiming to be a message or fax from online retailers, the tax office or the local court. These e-mails often state that the user shall open the attachment and follow the instructions. These attachments are malicious programs that infect the PC. We have made a short video to show how Excubits Bouncer protects against common ransomware and malware attacks that trick users into starting fake documents claiming to be text or PDF documents. Another video shows how Bouncer protects your PC against executables from external USB drives. Visit our Google+ site and watch the videos.

By the way: with Bouncer you can also ensure that no external USB flash drive will work on your PC by simply blocking the underlying USB device drivers. Hence you can lock down your PC against USB attacks; especially for business PCs (ATMs and POS) this can be very helpful to mitigate such attacks.


"Easy Maintenance" By Design

2015/10/27 by F. Rienhardt

Customers often ask us how to centrally maintain our solutions, because there seems to be no central management application nor any configuration management or deployment tool. Well, while designing our drivers we thought that you shall not be bothered with yet another fancy-looking management and deployment tool, or with complicated server architectures. Our overall design goal was that you can just use your favorite software distribution tool to deploy and manage machines running our solutions. All you need to do is specify an ini file that can be deployed using your favorite software distribution system. Yes! It is just that simple: no tricks and no gimmicks. There is no dedicated management tool, no complicated configuration system, no weird data structures, and no database management system (e.g. SQL Server) needed. Just focus on specifying tight and secure rules, then push them using your favorite deployment method; that is it. We think that our customers shall not have to adapt to our software; rather, we shall design to match your workflows. This is why we have chosen a simple way of configuration which is nevertheless powerful enough to let you set things up in an understandable and comprehensible way, thus saving time: faster deployment and a timely return on investment (ROI) in contrast to AV and other solutions.

As a short summary and quick guide:

  • specify an ini file on your golden image machine, or use the [#LETHAL] training mode on several trusted machines and build a combined ini file out of the results.
  • build an installation script that copies the new ini to C:\Windows\ and then restarts the driver.
  • build an MSI (or other package) out of the ini and the script and deploy this package to the endpoints.
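The combined ini from the first step can be produced by a small script. The following Python is an added example, not an Excubits tool; it assumes the training-mode logs use the line format shown in the Beta Camp post above (date_time > parent > child), merges the logs of several trusted machines into one deduplicated [WHITELIST] section, and sets aside executables seen under user-writable folders for manual review instead of whitelisting them blindly. The machine names, log lines and user-folder patterns are constructed:

```python
"""Build one combined [WHITELIST] from training-mode logs of several trusted
machines. Added example, not an Excubits tool. Assumes the log line format
shown in the Beta Camp post: "<date>_<time> > <parent> > <child>".
"""
import re
from typing import Dict, List, Tuple

LOG_LINE = re.compile(r"^(\S+) > (.+?) > (.+)$")

# Assumption: locations a default user can write to. Executables seen there
# are listed for manual review rather than whitelisted automatically, because
# a whitelist entry under a user-writable path is exactly what a dropped
# malicious executable would need.
USER_WRITABLE = [r"C:\Users\*", r"*\Temp\*"]


def glob_match(pattern: str, value: str) -> bool:
    """Case-insensitive match where "*" is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, parent, child) tuples; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries


def merge_whitelist(logs: Dict[str, str]) -> Tuple[List[str], Dict[str, List[str]]]:
    """logs maps machine name -> log text.

    Returns (whitelist entries, review), where review maps each executable
    found under a user-writable path to the machines it was seen on.
    """
    # lower-cased path -> (first spelling seen, machines it was seen on)
    seen: Dict[str, Tuple[str, set]] = {}
    for machine, text in logs.items():
        for _ts, _parent, child in parse_log(text):
            _spelling, machines = seen.setdefault(child.lower(), (child, set()))
            machines.add(machine)
    whitelist: List[str] = []
    review: Dict[str, List[str]] = {}
    for spelling, machines in seen.values():
        if any(glob_match(p, spelling) for p in USER_WRITABLE):
            review[spelling] = sorted(machines)
        else:
            whitelist.append(spelling)
    return sorted(whitelist, key=str.lower), review


def render_ini(whitelist: List[str]) -> str:
    """Emit the section in the plain line-per-rule form Bouncer uses."""
    return "[WHITELIST]\n" + "\n".join(whitelist) + "\n"


# Constructed training logs from two trusted machines.
SAMPLE_LOGS = {
    "machine-a": r"""
2016/01/02_09:15:01 > C:\Windows\explorer.exe > C:\Program Files\Vendor\Tool.exe
2016/01/02_09:15:07 > C:\Windows\explorer.exe > C:\Windows\System32\notepad.exe
2016/01/02_09:16:30 > C:\Program Files\Vendor\Tool.exe > C:\Users\alice\AppData\Local\Temp\setup_tmp.exe
""",
    "machine-b": r"""
2016/01/02_10:02:44 > C:\Windows\explorer.exe > C:\Windows\System32\Notepad.exe
2016/01/02_10:03:10 > C:\Windows\explorer.exe > C:\Program Files\Vendor\Updater.exe
""",
}

if __name__ == "__main__":
    entries, review = merge_whitelist(SAMPLE_LOGS)
    print(render_ini(entries))
    for path, machines in review.items():
        print("REVIEW:", path, "seen on", ", ".join(machines))
```

Two details matter in practice: paths are deduplicated case-insensitively (notepad.exe and Notepad.exe become one entry), and anything under a user profile or Temp folder is reported instead of written into the ini, so the final whitelist is still a conscious decision.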

If you need help or have any questions on central configuration management and deployment, please do not hesitate to contact us.


New version of Bouncer

protect against cyber threats

2015/10/25 by F. Rienhardt

A new version of Excubits Bouncer has just been released. Our fully kernel-based and truly user-mode independent driver is now even better than before. You can protect against more attack vectors; as a highlight we now feature true SHA256-based hashing in the whitelist and a powerful parent-based control system. With the latter you can specify exactly what a parent application is allowed to start or not, and this also includes libraries and drivers. For example, it is now very easy to limit what your web browser is able to start and thus to mitigate a lot of nasty browser (and browser-plugin) exploits.

In IT security, code size matters like nowhere else. The driver core of Bouncer is just ~700 lines of heavily commented and optimized code. We believe that it would also be possible to formally audit it. In contrast to other heavyweight solutions this is an absolute novelty. We think that there is no whitelisting system on the market right now that is so transparently integrated, so fast, so simple to understand, and so easy to install and maintain altogether. Curious? Try the demo version.


We are close to our next release

2015/08/31 by F. Rienhardt

We have implemented a lot of new features in Bouncer and MZWriteScanner. After a long internal beta testing journey we started the public beta last weekend. Our supporters can test the drivers for the next few weeks. We are also happy to announce that MemProtect works really well on our internal systems and on the machines of our early bird beta testers. Thank you very much, guys, for your constant support and great ideas. You are awesome and we really appreciate your beneficial feedback. So we are looking forward to releasing MemProtect together with Bouncer and MZWriteScanner.


Mitigating against in-memory attacks

2015/08/02 by F. Rienhardt

Having an in-depth look into one of our clients' malware analysis reports, we stumbled across many malware binaries tending to inject their code into legitimate Windows processes. Well, the reason attackers go this way is simple:

  1. Most malware binaries are still just executables (or scripts) located in the user's folder or one of the well-known temp directories. So even ordinary users are able to spot such a malicious script/process in the task manager or the system service overview. To avoid getting caught by quick forensics it is hence common practice to inject the evil executable into a legitimate process like a hidden notepad.exe, cmd.exe etc.
  2. If some initial malware gets started through an exploit, the targeted application usually crashes at some point: not good for the bad guys, as they want their code running to spy on you, steal your passwords and credit card numbers, etc. So again, injecting malicious code/software into another process is the only option to survive if the attackers do not want to drop and execute malware directly, but then see (1) again.

So this is why attackers love to use in-memory attacks nowadays. They inject code into another process or, even better, they manage to load a dynamic link library into another process, or they overwrite a suspended executable with their own executable and resume the process. To avoid getting caught by anti-executable tools, attackers often implement some kind of reflective loading technique, avoiding the Windows built-in executable loader.

Detecting such attacks is very difficult and costly in terms of performance. Well, we thought about this problem for a while and came across some in-memory attack protection approaches that are used for self-defense or as application protection tools. The problem is that they only protect individual processes that must be specified by the user. Every application that is not registered will not be protected.

We think it shall be turned around: every running process should be protected from potentially dangerous applications injecting something into its memory. Hence, exclude potentially insecure, i.e. often exploited, applications from this list and ensure that they cannot harm all the other processes. We have implemented a kernel driver that is able to encage such potentially dangerous applications. A potentially dangerous application is, for example, a web browser, audio/video player, PDF viewer, MS Office etc. Because such applications are often targeted by exploits and (mis)used as a vehicle to start malicious code, it seems to be a good idea to encage them and to block any attempt from their binary to inject code into another process.

What the driver actually does is ensure that an encaged process is not able to operate on memory locations registered to another process. Hence it is not possible to inject code or an executable/library. It even works if the source application was fully exploited, achieved system-level privileges etc. What we have currently implemented is a PoC, but we look forward to turning it into some kind of convenient product. We think that together with other mitigation techniques like anti-executable, shell and integrity scanners it helps a lot to mitigate the sophisticated attacks we currently see.

If you have any questions, want to see a demo or want more information, please do not hesitate to contact us.


Zero-days in Adobe Flash Player

0-day exploit

2015/07/13 by F. Rienhardt

The hack of the ]Hacking Team[ results in more and more in-depth analysis of the company's leaked information. Adobe just announced that there are more security vulnerabilities that can be exploited in Flash Player. Since Adobe is still working on patches and some of the vulnerabilities have already found their way into exploit kits, it is highly recommended to disable Adobe Flash Player. You shall also blacklist all of Adobe Flash Player's DLLs and application files. We also recommend blacklisting *Shockwave Flash* and *flash*. If you need to use it anyway, our drivers might help to mitigate successful exploitation. We suggest that you carefully specify your rules, and especially avoid whitelisting any user paths that could be used by the exploits to drop executables and start code from there.

Update (2015/07/15): Flash Player fixed

Adobe Flash Player is fixed. In addition, other vulnerabilities in Windows and Java relating to the ]Hacking Team[ breach are also fixed; users shall update Windows, Java and Flash.


How malware hits your system

2015/07/12 by F. Rienhardt

In the last couple of weeks we have analyzed many current threats and tried to summarize the most obvious attack vectors cyber criminals use today in order to infect Windows-driven devices. We used a sample base of about 250 current threats reported to common frameworks like VirusTotal or URLQuery etc. The results are:

  1. EXE, COM, SCR, CPL, or PIF files packed into ZIP, RAR and 7Z archives.
  2. Executable files pretending to be PDF, DOC, XLS, PPT or ZIP files.
  3. Malicious JAR, PS, PDF, DOC, XLS, PPT files exploiting unpatched applications in order to drop and execute malicious code.
  4. Malicious macros/scripts in well-known document formats (DOC, XLS, PDF) that drop and execute malicious code.

The attackers use these files to initiate the attack and to proceed with the overall plan to infect a machine persistently. To achieve this, the attackers often download executable code from the internet and execute it (in most cases from %TEMP% or other user-specific folders not restricted by policies). In this context we have seen the following Windows built-in tools misused as helpers:

  • *aspnet_compiler.exe
  • *csc.exe
  • *vbc.exe
  • *jsc.exe
  • *ilasm.exe
  • *msbuild.exe
  • *script.exe
  • *msiexec.exe
  • *bitsadmin*
  • *iexpress.exe
  • *mshta.exe
  • *systemreset.exe
  • *bcdedit.exe
  • *mstsc.exe
  • *hh.exe
  • *powershell*.exe
  • *reg.exe
  • *set.exe
  • *setx.exe
  • *vssadmin.exe

The list may not be complete, but it gives an impression. And it should give you a first idea of what you should blacklist or watch using Bouncer or CommandLineScanner. There are still good reasons to use some of the listed applications, so you may have to whitelist some of them if you cannot do your daily work without them. But what we have seen on many SOHO systems is that these applications need not be active all the time, and having them on the blacklist does not bother most users. So give it a try and put them on a blacklist.
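Watching for the tools above in Bouncer's log takes only a few lines. The following Python is an added example, not an Excubits tool; it assumes the log line format shown in the Beta Camp post above (date_time > parent > child) and uses the patterns from this post as its watchlist. The user-folder patterns and the sample log lines are constructed; the script reports a start when the child is a watched tool, when it was started from a user-writable folder, or when its parent is a watched tool:

```python
"""Watch Bouncer log lines for starts of watched tools.

Added example, not an Excubits tool. Assumes the log line format
"<date>_<time> > <parent> > <child>" from the Beta Camp post.
"""
import re
from typing import List, Tuple

# Patterns from the post above ("*" is the only wildcard).
WATCHLIST = [
    "*aspnet_compiler.exe", "*csc.exe", "*vbc.exe", "*jsc.exe", "*ilasm.exe",
    "*msbuild.exe", "*script.exe", "*msiexec.exe", "*bitsadmin*", "*iexpress.exe",
    "*mshta.exe", "*systemreset.exe", "*bcdedit.exe", "*mstsc.exe", "*hh.exe",
    "*powershell*.exe", "*reg.exe", "*set.exe", "*setx.exe", "*vssadmin.exe",
]

# Assumption: folders a default user can write to (%TEMP% and the profile).
USER_FOLDERS = [r"C:\Users\*", r"*\Temp\*"]

LOG_LINE = re.compile(r"^(\S+) > (.+?) > (.+)$")


def glob_match(pattern: str, value: str) -> bool:
    """Case-insensitive match where "*" is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def classify(parent: str, child: str) -> List[str]:
    """Reasons why a parent -> child start deserves attention (empty if none)."""
    reasons = []
    hit = next((p for p in WATCHLIST if glob_match(p, child)), None)
    if hit:
        reasons.append("watchlist " + hit)
    if any(glob_match(p, child) for p in USER_FOLDERS):
        reasons.append("started from user-writable folder")
    if any(glob_match(p, parent) for p in WATCHLIST):
        reasons.append("parent is a watched tool")
    return reasons


def scan(log_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (timestamp, parent, child, reasons) for every line worth a look."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # blank or unrelated line
        ts, parent, child = m.groups()
        reasons = classify(parent, child)
        if reasons:
            alerts.append((ts, parent, child, reasons))
    return alerts


# Constructed sample log in the Bouncer format.
SAMPLE_LOG = r"""
2015/07/12_14:03:21 > C:\Windows\explorer.exe > C:\Windows\System32\notepad.exe
2015/07/12_14:05:02 > C:\Program Files\Reader\Reader.exe > C:\Windows\System32\mshta.exe
2015/07/12_14:05:03 > C:\Windows\System32\mshta.exe > C:\Users\bob\AppData\Local\Temp\update.exe
2015/07/12_14:07:44 > C:\Windows\System32\cmd.exe > C:\Windows\System32\reg.exe
"""

if __name__ == "__main__":
    for ts, parent, child, reasons in scan(SAMPLE_LOG):
        print(ts, parent, "->", child, "|", "; ".join(reasons))
```

Keeping the parent in the alert is what makes the log useful: a document viewer starting mshta.exe, which then starts something from a Temp folder, is a far stronger signal than either line on its own, and it is exactly the chain that a blacklist or parent rule in Bouncer can cut.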


Ransomware continues to spread

2015/07/06 by F. Rienhardt

The FBI's Internet Crime Complaint Center (IC3) press release shows that ransomware continues to spread and is infecting devices around the globe. In this context CryptoWall was identified as the most current and significant ransomware threat targeting the U.S. It is often delivered via e-mails containing a link which directs unsuspecting users to malicious web pages, or an attachment with fake pdf.exe files. If the user clicks the malicious link or opens such an attachment, the computer gets infected and owned by the ransomware.

Due to the fact that the attackers update their evil code daily, there is a good chance that an ordinary antivirus will fail to detect such attacks within a daily time frame of about 24h. If you are lucky your AV's definitions get updated in time, but if not you are in danger. Using Bouncer can reduce the risk of an infection and will help to mitigate it.


Two brand new drivers in the family

2015/06/21 by F. Rienhardt

Two new drivers are now online at Excubits: MZWriteScanner and CommandLineScanner. The two drivers are very useful for general forensic analysis, but are also perfect for any kind of permanent monitoring.

MZWriteScanner registers any executable program file that is written to the hard drive and thus transforms any standard Windows PC into some kind of active honeypot, which is supposed to identify many of today's attacks, where attackers try to gain persistence on the system. If you permanently monitor and analyze the driver's log, you can identify possible attacks at an early stage.

With CommandLineScanner you can explore the execution of program files with their command-line parameters; the driver also allows you to enable lethal mode, where you can block attempts to start executables from untrusted locations or with literally any command line option you would like to allow or not. This driver, again, is very well suited for forensic investigations and can help to identify attacks early, even if you just use it in non-lethal mode.

Both drivers can be used in malware analysis environments as an additional forensics source. Due to their transparent nature they will not attract attention and will seamlessly integrate into existing systems. You can also install them on normal Windows-based PCs and hence turn any ordinary working machine into a valuable forensics honeypot that can help to identify and measure attacks.

If you have any questions, need assistance or consultation, please do not hesitate to contact us.


Short Video on how Bouncer prevents against fake invoice ZIP/PDF

2015/06/11 by F. Rienhardt

[GIF video: Bouncer prevents the fake invoice ZIP/PDF attack]


Admin Tool and manual updated

2015/05/31 by F. Rienhardt

We have updated the Admin Tool and the manual for Bouncer. The Admin Tool now supports multi-select for folders and files, as requested by our users. We have also fixed a bug in the file select dialog for *.dll; now you shall be able to select DLL files more easily. The manual now contains some FAQs for your convenience.


Four simple strategies to mitigate 85% of the threats

2015/05/18 by F. Rienhardt

The Australian Signals Directorate published a top 35 list of mitigation strategies to avoid digital intrusion. You can mitigate 85% of threats by following only the top four strategies:

  1. Enforce application whitelisting (EXE, DLL, SYS, etc.).
  2. Patch your applications (Java, PDF reader, Flash, browser, MS Office etc.).
  3. Patch your operating system.
  4. Restrict administrative privileges to the operating system.

Good to know that whitelisting is so simple with Excubits Bouncer. You can install and use Bouncer in minutes and secure your system and infrastructure, regardless of whether it is a Windows server, a business Windows PC, your private Windows PC, an industry machine running Windows or a POS.

