Newsblog

News about Excubits and IT-Security
Stay up to date and subscribe to our newsletter.

Updated blacklist

2017/03/19 by F. Rienhardt

We have updated the blacklist for Bouncer. A minor typo regarding auditpol.exe has been corrected, and we have added utilman.exe, syskey.exe, and scrcons.exe. We would like to greet and thank Dave, Sean and Flo for their comments and contributions. By the way, check out Florian Roth's Sigma rules, which you can easily rewrite for use with Bouncer, CmdScanner and MemProtect.


Cloudflare Bug and Impact

2017/02/25 by F. Rienhardt

Some of you might have noticed that we are a Cloudflare customer, so we would like to comment on the discussions regarding the bug and its impact. At no time were our data or our customers affected. Due to our strong data protection concept we do not store any customer data on servers exposed to the internet; all data sent via forms is always end-to-end encrypted using NaCl encryption and is never decrypted on servers connected to the internet.

Cloudflare has confirmed to us:

Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches

If you still have any concerns or questions, please do not hesitate and contact us.


Fileless attacks

Make use of Command Line Scanning to track and fight such threats

2017/02/19 by F. Rienhardt

Kaspersky Lab recently posted about fileless attacks against enterprise networks and analyzed the attack in detail in their blog post. In my opinion the attack was, in the end, not as fileless as it seemed to be. The attackers still needed to achieve persistence and stored their malicious code in the Windows Registry, which in fact resides on disk, so it is not completely fileless. The interesting thing about this fileless attempt was that the attackers did not need an executable of their own to start up. They had executables in place, but the fileless part was registered as a Windows service that was not backed by a typical Windows (MZ-PE) executable. Instead they managed to start a PowerShell script as the service application, which is a very smart way to push malware:

sc \\target_name create ATITscUA binpath= "C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -e [base64 encoded script…]" start= manual

This is a new level of sophistication, but no reason to give up. It is not even “the end” for AVs or whitelisting in general. You cannot rely on just one layer, and you must keep up with the bad guys: follow security and hacking news and ask yourself whether such an attack would have succeeded in your environment.

With regard to the case recently reported by Kaspersky, things are not as dramatic as they might look. For example, with Command Line Scanner, or with Bouncer and its Command Line Scanning Engine, such attacks could have been detected, depending on your rule set. You should monitor as much as possible; even if you do not enforce any blocking rules, having a comprehensive log file can help a lot to identify and track attacks of this kind.

If you have not already used Command Line Scanning as a mitigation technique, it is now time to take a look at this methodology, as we see more and more attacks using the command line and interpreter shells as a vehicle to drop and execute malicious code on your machines. The attack reported by Kaspersky is definitely not the first one, it is just a striking example. We have seen current ransomware and cryptolockers that also make use of such "persistence" tricks without the need to drop and execute real executables. There are cryptolockers out there which do not have any real executable; they just make use of WScript and PowerShell, so get ready and prepared. We have always suggested blocking any scripting host if you do not need it for your daily business, and if you do need it, please use Command Line Scanning to limit who is able to call the interpreter with which parameters.


Update your Bouncer’s blacklist now

Attacks via EVENTVWR.EXE

2017/02/12 by F. Rienhardt

Today we would like to publish an updated list of recommended blacklist values for Bouncer. The current list can be loaded here; use the values to enhance your configuration’s security.

Additionally we would like to focus on EVENTVWR.EXE. This program has recently been abused by cyber crooks to install malware by forcing a privilege escalation. EVENTVWR.EXE is part of the Windows operating system and is installed on your system automatically. The attackers rely on a security flaw described by enigma0x3. In short, it is a misbehavior of EVENTVWR.EXE, which reads parts of its configuration from the user-accessible parts of the Windows Registry. That is, cyber criminals can change the behavior of EVENTVWR.EXE just by manipulating a setting in the user's registry hive. Crooks use this to instruct macros placed in Microsoft Excel and Word files to execute malicious code with higher (admin) privileges and can thus manipulate vital parts of your system. In effect, an attacker can gain total control over the computer just by calling EVENTVWR.EXE.

EVENTVWR.EXE is therefore dangerous and should be deactivated. Normally you do not need this EXE every day, so you should put it on Bouncer’s blacklist as soon as possible to protect your PCs effectively against this security hole. Hopefully Microsoft will publish a patch soon. Also disable Office macros if you do not need them.
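As an added illustration of what a Command Line Scanning rule set combined with an executable blacklist can catch, here is a small log scanner written for this post. It is not Excubits code and does not use Bouncer's or CmdScanner's rule syntax. It takes the executable names the two posts above recommend blacklisting, adds command-line patterns for the service registration quoted from the Kaspersky report and for hidden or encoded PowerShell, and runs them over a constructed process-start log. It only reports findings, in line with the advice to log first and block later. The log format, the regular expressions, the Office parent-process check and all sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Executables the two posts above recommend blacklisting in Bouncer
# (auditpol.exe, utilman.exe, syskey.exe, scrcons.exe from the blacklist update,
# EVENTVWR.EXE from the privilege-escalation post). Compared case-insensitively.
BLACKLIST = {"auditpol.exe", "utilman.exe", "syskey.exe", "scrcons.exe", "eventvwr.exe"}

# Interpreter shells the fileless post names as common attack vehicles.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}

# Office applications whose macros the EVENTVWR post describes as the launcher.
OFFICE_APPS = {"winword.exe", "excel.exe"}

# Command-line patterns (assumed detection logic for this example, not the
# Bouncer/CmdScanner rule syntax): a service whose binpath is an interpreter,
# and a hidden or encoded PowerShell invocation as in the quoted sc command.
CMDLINE_RULES = [
    ("service binpath runs an interpreter",
     re.compile(r"\bsc(\.exe)?\s.*\bcreate\b.*\bbinpath=.*\b(powershell|cmd|wscript|cscript)(\.exe)?\b", re.I)),
    ("hidden or encoded PowerShell",
     re.compile(r"powershell(\.exe)?\b.*?(-w(indowstyle)?\s+hidden|-nop\b|-e(nc|ncodedcommand)?\s)", re.I)),
]


@dataclass
class ProcessEvent:
    parent: str    # full path of the parent image, lower-cased
    image: str     # full path of the started image, lower-cased
    cmdline: str   # command line as logged


def parse_line(line: str) -> ProcessEvent:
    """Parse one constructed log line of the form 'parent|image|command line'."""
    parent, image, cmdline = line.split("|", 2)
    return ProcessEvent(parent.strip().lower(), image.strip().lower(), cmdline.strip())


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def scan(event: ProcessEvent) -> List[str]:
    """Return the findings for one process start (empty list means clean).

    The checks are log-only: nothing is blocked, matching the post's advice to
    monitor even where you do not yet enforce blocking rules."""
    findings = []
    name = _basename(event.image)
    parent = _basename(event.parent)
    if name in BLACKLIST:
        findings.append(f"blacklisted executable: {name}")
    if parent in OFFICE_APPS and (name in SCRIPT_HOSTS or name in BLACKLIST):
        findings.append(f"{name} started by Office application {parent} (macro?)")
    for label, pattern in CMDLINE_RULES:
        if pattern.search(event.cmdline):
            findings.append(label)
    return findings


def scan_log(lines: List[str]) -> Dict[int, List[str]]:
    """Scan a whole log; map line index -> findings for every flagged line."""
    flagged = {}
    for idx, line in enumerate(lines):
        findings = scan(parse_line(line))
        if findings:
            flagged[idx] = findings
    return flagged


# Constructed sample log (not real telemetry): line 0 mirrors the service
# registration quoted in the post, line 3 uses a Nemucod-style attachment name.
SAMPLE_LOG = [
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|"
    r'sc \\target_name create ATITscUA binpath= "C:\Windows\system32\cmd.exe /b /c start /b /min '
    r'powershell.exe -nop -w hidden -e QUFBQQ==" start= manual',
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\eventvwr.exe|eventvwr.exe",
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt",
    r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\System32\wscript.exe|"
    r"wscript.exe C:\Users\alice\AppData\Local\Temp\Delivery_Notification_0000807198.doc.wsf",
]

if __name__ == "__main__":
    for idx, findings in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: " + "; ".join(findings))
```

Running it flags lines 0, 1 and 3 and leaves the notepad launch alone. The Office parent check is what turns a plain eventvwr.exe or wscript.exe start into a macro indicator; the executable blacklist catches it even without that context, which is why the post recommends the blacklist entry in the first place.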


Additional notes on Pumpernickel

2017/01/22 by F. Rienhardt

Since we published Pumpernickel in late 2016 it has been downloaded and used by many people. We are happy about the feedback and got beneficial responses from all over the world. Thank you guys! In this little blog post we would like to provide some additional notes on Pumpernickel which address some of the common misunderstandings and questions we received in the last couple of weeks.

Installation

First of all, Pumpernickel is a raw kernel driver. We would only recommend it to users with advanced knowledge of the Windows operating system. Before you download and use it, you should know how to install and use a driver via its .inf file, and also how to start, stop and uninstall such a driver from the cmd.exe console.

As a quick start guide: download the Pumpernickel program package and uncompress it. Then install the appropriate driver for your version of Windows. Copy a basic configuration to C:\Windows\pumpernickel.ini. Then open an admin console (cmd.exe) and type

net start pumpernickel

The driver should now be running. You can then use Tray.exe to control the driver more comfortably. You can also use the admin console, with

net stop pumpernickel

or

sc delete pumpernickel

to stop or uninstall the driver easily.

As we always recommend, we say it again: please start using our drivers in [#LETHAL] mode first and check the log file while adjusting your basic configuration file (C:\Windows\pumpernickel.ini). Once you feel comfortable with the configuration and the log file does not show alerts for files you legitimately need to access, you can turn Pumpernickel into lethal mode [LETHAL]. Only turn Pumpernickel into [LETHAL] mode if you are absolutely sure it works and the log file does not show many entries while testing it in [#LETHAL] mode.

Raw Disk Access and Kernel Modules

Pumpernickel is not able to protect against bootkit and rootkit malware which runs in the Windows kernel. Pumpernickel is also not able to block raw access to your disk, i.e. malware which directly manipulates the sectors and buffers on your disk. We do not consider this a bug, nor a security issue. To run something that is able to load code into the kernel, admin permissions are normally required, so either you as a user have to run it, or some exploit triggers it while the system is running in admin mode (which is not a good idea from a security point of view). We highly recommend using an anti-exe solution, or at least Software Restriction Policies, to protect against unintended execution of programs and to mitigate such attacks. Pumpernickel is not an anti-exe solution, so do not assume it will stop malware from getting started on your machine. And once a kernel driver with access to your disk is installed, there is little Pumpernickel (or any other security software) can do. It is also you, the user, who is responsible for what is happening on your PC. If you wilfully start malware and install malicious kernel drivers, Pumpernickel cannot help you, and it is not Pumpernickel's fault! You should still have an anti-virus, exploit mitigation or anti-exe solution in place. For example, check out our awesome Bouncer.

Pumpernickel and Network Drives

Also note that Pumpernickel cannot protect network drives, as they are not physically attached to your computer and thus are not part of the file system stack managed by your Windows machine. The Windows kernel is not responsible for managing that disk, so Pumpernickel will not see it (and cannot protect it), as it is not a disk of the computer. You should protect network drives using appropriate access privileges on the network storage machine. We also recommend that you back up your (vital) data to some cold backup site; both your local and your network data should be backed up once a day, regardless of whether you use any protection system. Having no backups is reckless negligence. So CREATE BACKUPS every day!

8.3 naming scheme

Please note that in some situations Windows might turn the filename representation from the long filename format into the old 8.3 format, meaning that a filename like

this_is_a_log_file_name.doc

can internally turn into

this_i~1.doc

Keep in mind that a file with a long name can also be referenced by its 8.3 name, and your rules must account for that! Especially long file extensions like .journal, .docx, .kbdx etc. can turn into something like .jou, .doc or .kbd. If you have specified a generic rule like:

*keepass.exe>*.kbdx

you should also define the rule

*keepass.exe>*~*.kbd

If you want to protect special file types, we always recommend defining a locked folder in which you operate on them. It is often much easier to define a rule on a folder (location) than to define rules for the file types themselves.
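To make the 8.3 issue concrete, here is an added Python example (not part of Pumpernickel and not its rule matcher) that derives the short alias of a file name with a simplified version of Windows' 8.3 scheme and then checks which of the two rules above still apply to the file under that alias. The rule strings are taken from this post; the globbing-based matcher, the simplified short-name generation and the sample KeePass paths are assumptions made for the example.

```python
import fnmatch
import re
from typing import List, Tuple

# Characters allowed in an 8.3 short name; everything else (spaces, extra dots,
# most punctuation) is dropped when Windows builds the short alias.
_NOT_SHORT_OK = re.compile(r"[^A-Z0-9$%'\-_@~`!(){}^#&]")


def short_name(long_name: str, index: int = 1) -> str:
    """Derive the 8.3 alias Windows would typically generate for long_name.

    Simplified re-implementation (an assumption, not Windows' exact code):
    uppercase, drop disallowed characters, keep the first 6 characters of the
    base name plus '~index', keep the first 3 characters of the extension.
    A name that already is a valid 8.3 name keeps its own (uppercased) form.
    Real Windows may pick other indexes or hash-based names on collisions."""
    base, dot, ext = long_name.rpartition(".")
    if not dot or not base:          # no extension, or a leading-dot name
        base, ext = long_name, ""
    base_clean = _NOT_SHORT_OK.sub("", base.upper())
    ext_clean = _NOT_SHORT_OK.sub("", ext.upper())
    already_83 = (len(base_clean) <= 8 and len(ext_clean) <= 3
                  and base_clean == base.upper() and ext_clean == ext.upper())
    if already_83:
        return long_name.upper()
    short = f"{base_clean[:6]}~{index}"
    return f"{short}.{ext_clean[:3]}" if ext_clean else short


def rule_matches(rule: str, process: str, path: str) -> bool:
    """Match a 'process>path' rule, the form shown in the post, case-insensitively.

    Assumption: wildcard semantics are approximated with shell globbing here;
    this is not Pumpernickel's own matcher."""
    proc_pat, _, path_pat = rule.partition(">")
    return (fnmatch.fnmatchcase(process.lower(), proc_pat.lower())
            and fnmatch.fnmatchcase(path.lower(), path_pat.lower()))


def coverage(rules: List[str], process: str, long_path: str) -> Tuple[bool, bool]:
    """Return (long_covered, short_covered): does any rule apply to the file
    under its long name, and does any rule apply under its 8.3 alias?"""
    folder, sep, name = long_path.rpartition("\\")
    short_path = folder + sep + short_name(name)
    long_hit = any(rule_matches(r, process, long_path) for r in rules)
    short_hit = any(rule_matches(r, process, short_path) for r in rules)
    return long_hit, short_hit


# Constructed sample: the post's KeePass rule, with and without the 8.3 companion.
KEEPASS = r"C:\Program Files\KeePass\KeePass.exe"
DATABASE = r"C:\Users\alice\Documents\MyPasswords.kbdx"
LONG_ONLY = ["*keepass.exe>*.kbdx"]
WITH_83 = ["*keepass.exe>*.kbdx", "*keepass.exe>*~*.kbd"]

if __name__ == "__main__":
    print(short_name("this_is_a_log_file_name.doc"))   # THIS_I~1.DOC
    print(coverage(LONG_ONLY, KEEPASS, DATABASE))     # (True, False): the alias slips through
    print(coverage(WITH_83, KEEPASS, DATABASE))       # (True, True)
```

The companion rule is deliberately broader than the long-name rule: the alias has lost the fourth character of the extension, so `*~*.kbd` is the only pattern that can address it, which also means any other file whose alias ends in .kbd falls under that rule. A rule on a locked folder avoids this trade-off, because the folder part of the path survives the 8.3 conversion of the file name.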

If you need help, contact us

As one of our goals is customer satisfaction, we would like to encourage you to contact us if you have any questions or problems. We are happy to help. Please provide enough information for us to help; it does not make any sense to just write "It does not work, please help!". We need at least basic information about your system, the configuration file and what you would like to achieve with Pumpernickel. Save your time and ours and provide comprehensive information we can use to answer your questions right away. This makes us happy, and you, too.


Merry X-Mas and Happy New Year

2016/12/25 by F. Rienhardt

Dear customers and supporters, the Excubits team wishes you and your families joy and peace for the holidays and throughout the new year! Kind regards from Bonn, Germany!


MemProtect now supports larger configuration files

2016/11/21 by F. Rienhardt

Some of our users asked for support for larger configuration files, so we recompiled the driver, and MemProtect now supports .ini files containing up to one megabyte of configuration data. Please note that the demo version was not changed, as we did not add any functionality to the driver's core.


Driver Update

2016/11/05 by F. Rienhardt

We are happy to announce that all of our drivers have now been updated to support Silent and Priority Rules. Additionally, all drivers are now Windows 10 Anniversary Update ready, as they are signed with an EV Code Signing Certificate, so you can also install them on machines with Secure Boot enabled. Enjoy 🎉


New version of Bouncer online

2016/10/30 by F. Rienhardt

We have been implementing and testing a lot in the last couple of weeks and are now happy to publish the new version of Bouncer. Bouncer is now signed with an EV certificate and has also been cross-signed by Microsoft, so it is fully compliant with the Windows 10 Anniversary Update and can also be used on machines with Secure Boot turned on. We would like to thank all the beta testers, and in particular Dave for his great support and additional hints.

Additionally, Bouncer now comes with the Silent Rules feature, and we were again able to do more housekeeping within the source code, so the driver should now perform even better than before. You might not notice it, because we were only able to optimize some minor parts, but the code is more "beautified". The Tray Application also got a new feature requested by our users: Fast Configuration Exchange. You are now able to change the ini file directly from the Tray Application. No copy, paste and restart of the driver; just select the ini file you would like to use and the Tray Application will do the rest. We think this feature can be very beneficial for users who like to have different ini file configurations depending on how they use the computer in certain situations. E.g. you can now define a very strict ini file for web surfing and a more "relaxed" one for using your well-known internal applications like games etc. We hope you like this feature and would be happy to receive some feedback. Please note: keep copies of your ini files, because on change the ini file in C:\Windows\ will be overwritten.

Before we close this post we would like to announce that there will be more releases this week. We are also close to the final release of the other drivers from Beta Camp, so stay tuned. We are also happy to tell you that we recently did research on the AtomBombing exploits mentioned in IT security press releases. We took a sneak peek at the published PoC on GitHub and can confirm that MemProtect would be able to block such an attack. MemProtect will not "heal" the underlying atoms problem, but the fact that an attacker still needs to call OpenProcess on the target is enough for MemProtect to do its job. Nice to know, folks 😊


Nemucod Revealed

2016/08/22 by F. Rienhardt

We have been bothered by Nemucod ransomware mails for a little while now, so we decided to do a more in-depth analysis of these pesky spam mails and their attachments. The e-mails always claim to be from DHL or FedEx, and attached to every e-mail there is a ZIP file containing JScript with a typical .pdf.xxx or .js.xxx filename extension, where xxx is a scripting host extension. Typical filenames look like

  • Delivery_Notification_0000807198.doc.wsf
  • Delivery_Notification_0000807198.doc.jse
  • Delivery_Notification_0000807198.pdf.wsf
  • Delivery_Notification_0000807198.rtf.jse

The JScript is scrambled, so you cannot see much if you open it in a text editor. Uncovering the final code is not too hard if you understand a bit of JavaScript, so we revealed it and analyzed plenty of these JScript files.

It seems that the cyber crooks hijacked typical Joomla! and WordPress based web pages and placed their malicious code and parts of the payment infrastructure on the hacked CMS. The servers and CMS are owned by small companies, universities, schools and private persons. It is the same story on all of them: they seem to have installed a CMS once and never kept up with the latest updates and patches, so it is quite easy to do a simple crawl of these domains, checking HTTP server versions and the information the CMS provides. Checking for vulnerable server, CMS and plug-in versions is all these crooks have to do. Equipped with a list of vulnerable systems, it is a piece of cake to compromise them using one of the handy exploitation tools. Just click and fire at such a system and you control it. In most cases they place some malware binaries on the server and some additional scripts handling the requests once you have paid the ransom to receive the decrypter tool.

A typical malware bundle you receive when clicking (opening) an attachment usually contains several executable files, namely EXEs and DLLs, and also scripts (js, bat, cmd, php). The initial JScript often registers some of the dropped EXE and BAT files for autostart and runs a PHP interpreter, which finally runs a PHP script. All scripts are highly obfuscated, but with human intelligence you can quickly reveal them.

Obfuscating and changing only some bits of the code is clever and helps the crooks stay under the radar of anti-virus solutions. Additionally, we tried to download the executables served by the hacked CMS about 4 times a day, and it seems that crimeware crews are compiling their malware binaries several times a day. They change the icons, the executable’s general description and also huge parts of the binary itself by modifying most of the code. We have seen such modifications in MS Office macros for years now, where the attacker’s code was just around 1-2% of the whole macro’s code and the rest was copy-and-pasted macros one can find on web pages and in books on macro programming. It seems that malware authors, especially ransomware authors, use the same trick. We have found several ransomware samples from different crews that seem to use public domain Visual Basic programs to hide their ransomware code inside. This public domain code is only there to trick the AV’s heuristic scanners and to make the code look like sweet Dorothy, who cannot do any harm.

But this is not the whole story. We analyzed how such malware finally infects the PC and were fascinated by how many steps the attackers take to infect the machine and to cover the tracks of code execution. The samples we analyzed made use of classic autostart options to start a .bat/.cmd file, which in turn starts Windows’ built-in JScript interpreter, which reads and executes a JScript from the registry rather than from a file. This JScript then starts up a PowerShell and sends keystrokes to it, which in turn performs an in-memory code injection into a regsvr.exe started beforehand. Besides that they also make use of the PHP script noted above. A lot of steps and work just to call some ransomware. But they are successful and can trick the ordinary AV; even if the AV industry updates, the crooks also update their code several times a day, so it is like playing cat and mouse.

It is a lot of smart code just for running the persistence part of simple ransomware, while the encryption algorithm of the malware samples was implemented weakly and could be revealed by a simple known-plaintext attack. As it turns out, they claim to use RSA-1024, but in the end they just use a simple XOR encryption scheme to encrypt the initial 1024 bytes of each document file they search for and encrypt (.jpg, doc, xls, pdf, zip, ...).

Well, as long as you have one unencrypted (backup) copy of any encrypted file, you can simply reveal the XOR key used. All you have to do is XOR the first 1024 bytes of the encrypted file with the first 1024 bytes of the unencrypted (backup) copy of this file. If you have backups you might not need to reveal the encryption key, but even then there can still be files that were encrypted by Nemucod and were not yet part of your backup, so revealing the key can be beneficial.

We have also written a tool to reveal the key to help you guys. Just contact us in case of a Nemucod infection. You can simply check by opening an encrypted file in a hex editor: if the first 1024 bytes of typical well-known structured document files like .jpg or .pdf look like a digital scrambled egg and the succeeding bytes are well-known structured, the chances are good that you can decrypt the files without paying any ransom to the crooks.
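The known-plaintext recovery described above, as an added Python example (written for this page, not the Excubits tool): it XORs the first 1024 bytes of an encrypted file with the same bytes of its clean backup to obtain the keystream, checks whether that keystream repeats, and applies it to a second file for which no backup exists. The toy encryptor and the 16-byte repeating key are constructed stand-ins; the post states only that the scheme is XOR over the first 1024 bytes, not the key length or layout, so the period check is what tells you whether one recovered header is enough for files of which you only hold the encrypted copy.

```python
HEADER_LEN = 1024   # per the post, only the first 1024 bytes of each document are XOR-encrypted

# Magic bytes of file types the post mentions; used for the hex-editor sanity check.
MAGIC = {"jpg": b"\xff\xd8\xff", "pdf": b"%PDF-", "zip": b"PK\x03\x04"}


def recover_keystream(encrypted: bytes, backup: bytes, n: int = HEADER_LEN) -> bytes:
    """Known-plaintext recovery: XOR the encrypted header with the clean copy's header.
    Returns as many keystream bytes as both inputs provide (up to n)."""
    n = min(n, len(encrypted), len(backup))
    return bytes(c ^ p for c, p in zip(encrypted[:n], backup[:n]))


def shortest_period(keystream: bytes) -> int:
    """Smallest p such that keystream[i] == keystream[i + p] for every i.
    A short repeating key shows up as a small period; a period equal to
    len(keystream) means no repetition was observed in the recovered bytes."""
    for p in range(1, len(keystream) + 1):
        if keystream[p:] == keystream[:len(keystream) - p]:
            return p
    return len(keystream)


def decrypt(encrypted: bytes, keystream: bytes, n: int = HEADER_LEN) -> bytes:
    """Undo the header XOR with a recovered keystream; bytes beyond the header
    are left untouched, exactly as the post describes the scheme."""
    period = shortest_period(keystream)
    if period < len(keystream):          # repeating key observed: extend it freely
        key, usable = keystream[:period], n
    else:                                # no repetition seen: only these bytes are known
        key, usable = keystream, min(n, len(keystream))
    head = bytes(c ^ key[i % len(key)] for i, c in enumerate(encrypted[:usable]))
    return head + encrypted[usable:]


def header_scrambled(data: bytes, kind: str) -> bool:
    """The post's hex-editor check: the well-known magic bytes are gone from the start."""
    return not data.startswith(MAGIC[kind])


# ---- constructed stand-in for the malware (NOT Nemucod's real code) ----------------
SIM_KEY = bytes([0x5a, 0x13, 0xc7, 0x88, 0x2e, 0x71, 0x9d, 0x04,
                 0xb6, 0x3f, 0xe2, 0x47, 0xa9, 0x10, 0xd5, 0x6c])   # 16 distinct bytes


def simulate_encrypt(data: bytes, key: bytes = SIM_KEY, n: int = HEADER_LEN) -> bytes:
    """XOR the first n bytes with a repeating key and leave the rest alone."""
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:n]))
    return head + data[n:]


# Constructed sample files: a JPEG we still have a backup of, and a PDF we do not.
PHOTO = MAGIC["jpg"] + b"\xe0\x00\x10JFIF" + bytes(range(256)) * 8
REPORT = MAGIC["pdf"] + b"1.4\n%\xe2\xe3\xcf\xd3\n" + bytes(range(255, -1, -1)) * 8
PHOTO_ENC = simulate_encrypt(PHOTO)
REPORT_ENC = simulate_encrypt(REPORT)


def demo() -> bytes:
    """Recover the key from the backed-up photo and use it on the report without a backup."""
    ks = recover_keystream(PHOTO_ENC, PHOTO)
    return decrypt(REPORT_ENC, ks)


if __name__ == "__main__":
    ks = recover_keystream(PHOTO_ENC, PHOTO)
    print("key period:", shortest_period(ks))                        # 16
    print("report scrambled:", header_scrambled(REPORT_ENC, "pdf"))  # True
    print("report recovered:", demo() == REPORT)                     # True
```

If the recovered keystream shows no period, it is still usable, but only for as many leading bytes as the backup provided; in that case pick the longest file you have a clean copy of, so that the full 1024-byte header keystream is known.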

