Newsblog



Silent Rules (+ + + Update + + +)

2016/08/14 by F. Rienhardt

We are currently working on so-called "Silent Rules" for the decision engines in our drivers. This feature allows you to block events without having them show up in the logs. With Silent Rules you can silence pesky alerts you cannot get rid of, for example because the operating system's core triggers them and there is no way to prevent the attempts themselves. For example: if you are using Pumpernickel and block a folder, Windows Explorer or an anti-virus product might still try to access the protected folder and thus cause "harmless" alerts in the log. There is no way to avoid such attempts, but with Silent Rules you can silence them. Just put the $ character in front of a blacklist rule and its matches will not show up in the logs.

We have integrated Silent Rules into all drivers, tested them, and are happy to release them in the Beta Camp for public testing. This again brings our tools to another level and extends how you can use and configure our drivers. We are looking forward to hearing from you.


Pumpernickel: News from the Lab

2016/07/24 by F. Rienhardt

A new signed version of Pumpernickel is now available at the Beta Camp. Enjoy!


Pumpernickel: News from the Lab

2016/07/17 by F. Rienhardt

We are happy to announce that we have an internal build of Pumpernickel which is now able to block read and info requests, too. You can check it out at our Beta Camp. With this new feature, Pumpernickel not only blocks write, copy, rename and move attempts on files and folders, our driver will also be able to block any read access from unintended executables like cryptolockers, spyware or trojans. This brings Pumpernickel to another level and can help to enhance your PC's security dramatically. We all know that typical anti-virus solutions fail to detect brand new threats. It is no news that if you are accidentally caught by a brand new virus, trojan, or cryptolocker, the ordinary anti-virus solution will fail and can do little, because its malware definition database does not know each and every brand new malware sample. This can be critical, and even if you use 2 or 3 anti-virus products in parallel there is still a high risk of getting infected. The cyber crime economy develops its evil programs faster and faster, so there is a need for another barrier. Our drivers are such a barrier, and Pumpernickel brings it to another level.

We are happy about any feedback and also success stories. Tell us where Pumpernickel (or our other drivers) has helped keep you and your IT systems from getting infected. Also give us feedback on functionality and features you'd like to see in the next versions. Thanks!


Official Launch: New version of Bouncer

2016/05/24 by F. Rienhardt

The beta phase is finally closed, and we are happy to release the new version of Bouncer. With this release Bouncer supports so-called priority rules and command line scanning.

Priority rules are rules that can override any other classic Bouncer rule, whether it is on the white- or blacklist. Although Bouncer already has a very powerful rules engine, we think that priority rules will provide more flexibility and result in better protection rules.

A priority rule can be set by adding "!" at the beginning of a rule's line, e.g.:

[WHITELIST]
!C:\Windows\Temp\AVUpdaterXy0001.exe
C:\Windows\*
C:\Program Files\*
C:\ProgramData\Microsoft\*
...
[BLACKLIST]
C:\Windows\Temp\*
...

In the example above we declared C:\Windows\Temp\* to be on the blacklist. For good reasons you should limit access to this folder, but it often happens that legitimate applications need to write to and execute from C:\Windows\Temp\, hence you cannot block the folder without running into issues afterwards. With priority rules you can define rules that override other rules, so in our example the whitelist rule

!C:\Windows\Temp\AVUpdaterXy0001.exe

will override the blacklist rule

C:\Windows\Temp\*

Hence in this example the AVUpdater can execute from C:\Windows\Temp\, but other applications started from C:\Windows\Temp\ will still be blocked. Additional note: if you have set priority rules in both the [WHITELIST] and [BLACKLIST] sections, then a priority rule from [BLACKLIST] will always override the priority rules from the [WHITELIST].

Please note that the order of rules matters. If you have a whitelist rule C:\Windows\*, you must place the priority rule !C:\Windows\Temp\SomeUpdater.exe before C:\Windows\*; otherwise the rules engine will find C:\Windows\* first, and because that rule is not a priority rule, the executable will then be blocked by the blacklist rule C:\Windows\Temp\*.
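To make the precedence described here (and the $ Silent Rules from the newer post above) concrete, the following added example models it in Python. It is not Bouncer's code: it parses a constructed rule listing in the post's .ini style, takes the first matching rule per section in file order, and applies the stated precedence (blacklist priority beats whitelist priority, priority beats plain rules, plain blacklist beats plain whitelist); the assumption that a path matching no whitelist rule is blocked is ours.

```python
import fnmatch

# Constructed sample rules, modelled on the listing in the post (not an
# Excubits configuration file). "!" marks a priority rule, "$" a silent one.
SAMPLE_INI = r"""
[WHITELIST]
!C:\Windows\Temp\AVUpdaterXy0001.exe
C:\Windows\*
C:\Program Files\*
[BLACKLIST]
$C:\Windows\Temp\Noisy*.exe
C:\Windows\Temp\*
"""

def parse_rules(text):
    """Return {'WHITELIST': [(pattern, priority, silent), ...], 'BLACKLIST': [...]}."""
    rules, section = {"WHITELIST": [], "BLACKLIST": []}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "...":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            continue
        if section in rules:
            pattern = line.lstrip("!$")
            rules[section].append((pattern, line.startswith("!"), line.startswith("$")))
    return rules

def first_match(rule_list, path):
    """First rule in file order whose wildcard pattern matches path (case-insensitive)."""
    for rule in rule_list:
        if fnmatch.fnmatchcase(path.lower(), rule[0].lower()):
            return rule
    return None

def decide(rules, path):
    """Model of the documented precedence; returns (allowed, silent, reason). Assumed: no whitelist match means blocked."""
    wl = first_match(rules["WHITELIST"], path)
    bl = first_match(rules["BLACKLIST"], path)
    if bl and bl[1]:                 # blacklist priority beats any whitelist rule
        return False, bl[2], "blacklist priority " + bl[0]
    if wl and wl[1]:                 # whitelist priority beats a plain blacklist rule
        return True, False, "whitelist priority " + wl[0]
    if bl:                           # plain blacklist beats a plain whitelist rule
        return False, bl[2], "blacklist " + bl[0]
    if wl:
        return True, False, "whitelist " + wl[0]
    return False, False, "no whitelist match"
```

Feeding the ordering example from the note above (C:\Windows\* placed before the ! rule) into parse_rules and decide reproduces the block the note warns about.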

Bouncer now supports command line scanning, so you can white- and blacklist command line parameters: executables can be allowed or blocked depending on the options they are called with. This feature can be very beneficial for locking down interpreters and virtual machine executables (e.g. .NET or Java), which are often misused by intruders and by malware's first- and second-stage infection mechanisms.

Enable Command Line Scanning by setting

[CMDCHECK]

in the init part of Bouncer's .ini file. Then specify

[CMDWHITELIST]
...
[CMDBLACKLIST]

for your command line white- and blacklist. Please start Bouncer in [#LETHAL] mode to experiment with this feature. Setting up rules is not an easy task, so beware. But it is great fun to see what happens behind the scenes and to learn about all the command line options Windows and other applications make use of. With this new feature Bouncer is now close to a silver bullet and can dramatically enhance your system's overall security, especially when it comes to hardening your interpreters and virtual machine executables like .NET or Java.

Bouncer is not just a cool tool for professional (end-)users; it is also a very handy tool for security experts and malware analysts.


New versions of Bouncer and MemProtect

2016/04/18 by F. Rienhardt

We have updated Bouncer and MemProtect in the Beta Camp. The Tuersteher driver package now also contains the Bouncer-named drivers. MemProtect now supports [DEFAULTALLOW] rules, as requested by some users. Our web page was also enhanced and should perform better on mobile devices: we decided to support responsive design behavior for small (mobile) displays.


Analysis of a High Speed Cryptolocker

2016/03/28 by F. Rienhardt


We stumbled upon a new cryptolocker variant that encrypts your data extremely fast by simply scanning your local drives and encrypting only the very first 2KB of every harvested document file. This makes this kind of ransomware very efficient. The cryptolocker was distributed through typical spam e-mail claiming to be from a parcel logistics center; the attachment claims to be a tracking confirmation document in a .zip file. The document in the .zip is a typical .doc.js file which, when opened, downloads some executables and starts them. The script also writes a .cmd file and a ransom how-to text file into the %temp% folder. The batch script gets started and walks through all your local drives (c: - z:), passing any interesting document file (like .doc, .xls, .pdf, .jpg, .ind, .mp4, etc.) to the downloaded executable, which in turn encrypts only the first 2KB of the file. So not all of your data is encrypted, but in most cases enough information is bricked that the file can no longer be opened by its dedicated application, hence you cannot use such files anymore. The cyber crooks also add some registry keys to survive the next reboot and to show the ransom message telling you how to pay to get your files back. Our analysis showed that the malware executables are served through hijacked "Joomla! CMS" web pages. Well, a lot of people think they need a CMS but never keep such systems up to date. Unfortunately such CMS pages often get hijacked and end up as malware distribution sites, as in this case.
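Because this locker overwrites only the first 2KB, a damaged file has a missing magic header and a high-entropy head in front of an untouched, low-entropy tail. The following added triage script (ours, not part of the original post or of Excubits' tools) flags files with that signature; the magic table and the two sample byte strings are constructed for the example.

```python
import math
import os
from collections import Counter

HEADER_LEN = 2048  # the post: only the first 2KB of each document were encrypted

# Expected leading bytes per extension (constructed table, extend as needed).
MAGIC = {
    ".pdf": (b"%PDF",), ".jpg": (b"\xff\xd8\xff",), ".png": (b"\x89PNG",),
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",),
}

def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(data, ext):
    """Classify one file: 'intact', 'header-encrypted', 'bad-magic' or 'unknown-type'."""
    magics = MAGIC.get(ext.lower())
    if magics is None:
        return "unknown-type"
    head, tail = data[:HEADER_LEN], data[HEADER_LEN:]
    if any(head.startswith(m) for m in magics):
        return "intact"
    # Ciphertext is close to 8 bits/byte; after a header-only encryption the
    # untouched tail keeps its original, usually much lower, entropy.
    if entropy(head) > 7.0 and (not tail or entropy(tail) < entropy(head)):
        return "header-encrypted"
    return "bad-magic"

def scan_tree(root):
    """Paths under root whose header looks encrypted (reads 4KB per file)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path, ext = os.path.join(dirpath, name), os.path.splitext(name)[1]
            if ext.lower() in MAGIC:
                with open(path, "rb") as fh:
                    if triage(fh.read(HEADER_LEN * 2), ext) == "header-encrypted":
                        hits.append(path)
    return hits

# Constructed samples: a plausible plain PDF and the same bytes with the
# first 2KB replaced by byte-uniform "ciphertext", as the locker would leave it.
INTACT_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" * 80
LOCKED_PDF = bytes(range(256)) * (HEADER_LEN // 256) + INTACT_PDF[HEADER_LEN:]
```

Run scan_tree over a document share to get the list of candidates for restore-from-backup; the tail of such a file is unencrypted, so the detection also explains why partial recovery of text-heavy formats is sometimes possible.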

We have also observed another brand new cryptolocker ransomware that is distributed through MS Word documents containing a malicious macro. This macro downloads a malicious PowerShell script and starts it. The remarkable thing is that this cryptolocker does not start any executable; everything was implemented for the MS PowerShell interpreter. As such it is difficult to track down and to mitigate. Using Bouncer can mitigate it, because you can simply block any attempt by winword.exe to start cmd.exe or powershell.exe using parent checking. Additionally, with the Command Line Scanner you can limit access to your scripting hosts and interpreters like wscript.exe and powershell.exe by allowing only well-known and trusted command line options for these interpreters. For example, you can block any attempt to call PowerShell with a script file located in the user or temporary folders. In fact our drivers can help enormously to mitigate these new threats out of the box; it is all just a matter of seconds to adapt new rules for Bouncer and our other drivers.

If you have any questions about configuration, please do not hesitate and contact us.


Short Introduction into Pumpernickel

2016/03/05 by F. Rienhardt

Hey guys! There was some confusion about Pumpernickel, especially how to configure and use this little driver. Well, we decided to make a short introduction video that shows you what this driver is all about. In a nutshell: Pumpernickel is something people know from SELinux, where you can limit access to files depending on the process that tries to access directories and their files. Thus you can e.g. restrict your browser so that the browser's process can only write to files in its cache. What is it good for? Security: assume your browser gets hit by a zero-day; most attackers then try to drop a malicious executable onto your system and start it. If you lock down your browser, the attacker cannot drop the malicious executable to %temp% and thus cannot infect your machine. Another scenario might be: you restrict access to typical document files to the well-known applications normally used to edit them. For example MS Word is the only application that can alter .doc and .docx, notepad.exe is the only process that can alter .txt, and Adobe Photoshop the only application that can alter .bmp, .jpg, .png. Hence if you start a cryptolocker it cannot encrypt your files, because access is denied. To learn how to use Pumpernickel when you install it for the first time, check out this video. Have fun!


New Demo and Beta Versions

2016/02/29 by F. Rienhardt

We have just updated CommandLineScanner and MZWriteScanner. Both forensic tools now support date and time stamping and are a bit faster. In the Beta Camp we have updated Türsteher, MemProtect and Pumpernickel. We fixed some minor bugs and issues and made the drivers work faster. On top, we digitally signed all drivers for your convenience.


Video: Reveal an evil JS attachment.

2016/02/10 by F. Rienhardt

In this video we show how cryptolockers can find their way onto your computer through an e-mail attachment. We analyze such an evil e-mail and show what is behind the weird-looking JS attachment (we decode it live).


Updates in the Beta Camp

2016/01/31 by F. Rienhardt

We have just updated Bouncer, MZWriteScanner, MemProtect and Pumpernickel in the Beta Camp. All drivers have gone through some minor bug fixes (none was critical) and performance optimizations.

But we also have some great news about Bouncer: Bouncer now supports command line scanning, so you can white- and blacklist command line parameters: executables can be allowed or blocked depending on the options they are called with. This feature can be very beneficial for locking down interpreters and virtual machine executables (e.g. .NET or Java), which are often misused by intruders and by malware's first- and second-stage infection mechanisms.

Enable Command Line Scanning by setting

[CMDCHECK]

in the init part of Bouncer's .ini file. Then specify

[CMDWHITELIST]
...
[CMDBLACKLIST]

for your command line white- and blacklist. Please start Bouncer in [#LETHAL] mode to experiment with this feature. Setting up rules is not an easy task, so beware. But it is great fun to see what happens behind the scenes and to learn about all the command line options Windows and other applications make use of. With this new feature Bouncer is now close to a silver bullet and can dramatically enhance your system's overall security, especially when it comes to hardening your interpreters and virtual machine executables like .NET or Java.

We are currently heavily testing this new feature to lock down rundll32.exe, regsvr32.exe, and wscript.exe. On the one hand it is very interesting to see all the native (Windows/OS) calls to such executables; on the other hand it also lets you track down malicious files, which often make use of these executables. There is a lot of information to gain, and for malware analysis systems this new feature can be very, very helpful. So Bouncer is not just a cool tool for professional (end-)users, it is also a very handy tool for security experts and malware analysts.

We are happy to hear from you guys, feedback is welcome and appreciated.


Pumpernickel updated in Beta Camp

2016/01/10 by F. Rienhardt

We have just updated Pumpernickel in the Beta Camp. We were asked to support black- and whitelisting including priority rules in this Project Driver. We are always happy about any feedback and love our supporters. You asked for it, we did it :-) There is now a [WHITELIST] and a [BLACKLIST] section so you can specify more granular rules in the .ini file. Pumpernickel also supports the priority tag !, so you can tell the driver that a rule in the black- or whitelist section can override others. Please note that any priority rule in the blacklist section will always override any (priority) rule in the whitelist section.

This is it for now, enjoy the new version of Pumpernickel in the Beta Camp.

Update 2015/01/11: There was an issue on reboot with Pumpernickel installed. We have fixed the bug and released a new version of Pumpernickel. If you have already installed it we ask you to update the driver, thank you.

Update 2015/01/17: We've updated Pumpernickel again. Now the driver also supports rename, delete and special create options and can block these, too. We have also fixed a minor bug in the Boolean decision function.

