News about Excubits and IT-Security
Keep being updated and subscribe to our newsletter.
2017/05/17 by F. Rienhardt
On Friday, May 12, 2017 a massive ransomware #WannaCry attack hit Windows computers all over the world. The attack utilized the EternalBlue exploit to rapidly spread itself over networks. The EternalBlue exploit was originally published through the Shadow Brokers dump of the NSA hacking tools. The exploit makes use of a vulnerability in the Microsoft Server Message Block (SMB) protocol on TCP port 445. The malware scans for vulnerable devices and spreads throughout this.
Well, normally ransomware is not worth to highlight, but the huge amount of infected machines in such a short time frame is. With over 200.000 infected machines in 150 countries this attack had an huge impact and shows how fragile IT still is. It was reported that the British health care system was knocked out, in Germany destination boards of rail services was disturbed, and in Japan ATMs were out of services etc. PCs are everywhere, even if we use a lot of mobile devices and IoT, there is still a huge number of systems in the back to help us managing our life in a convenience way. So it is important that we can rely on them. But can we?!
As reported by proofpoint, beside WannaCry there seems to be another huge attack named Adylkuzz, but the attackers operated a bit more under the hood. They still used the same exploit to distribute their vicious executable: a Monero crypto curreny miner. But the cyber crooks did not encrypt or delete just files for a ransom. They were clever enough to use the computing power of the infected machines to mine for digital money.
Again, the attacks behind the EternalBlue exploit is not that sophisticated. Either WannaCry nor Adylkuzz and their technical properties are sensational. The news is, that these attacks spread in such an amount and speed. If you analyze the malware samples you will encounter that it is again just a bunch of executables dropped onto your system. There are also a lot of command line shell calls to system tools which helped the attackers to install a service, adjust permissions, or to delete backups. Well, from this perspective nothing really new.
If you had enrolled any application whitelisting, patches and created backups, things should not have gone crazy last Friday. We have analyzed WannaCry using one of our honeypot machines and were able to perfectly trace down what this "beast" does, by just having our drivers in [#LETHAL] and [LOGGING] mode. You do not need to debug or disassembly to get a basic understanding of what WannaCry did. Just collecting the right data on your endpoints is enough to spot such attacks at an early stage, and then deploy the right counter measures. Having blocking enabled not just provides information at an early stage, it also mitigates at an early stage.
Well, this was said by us and others several times:
If you'd like to go more profound, we would recommend to use command line scanning as featured in Bouncer or CommandLineScanner. We also recommend to deploy memory protection as we did with MemProtect. Just logging dropped executables onto your system by using MZWriteScanner can also help a lot to identify attacks at an early stage.
You do not need huge and expensive solutions to fight current malware attacks. You can just use Sysinternal's ProcessExplorer or SysMon, the only thing you need to do is: START DOING IT!
2017/05/07 by F. Rienhardt
Recently we have updated our blacklist with regards to applications you should block for daily Windows use. You might have encountered that we had included some directories onto the blacklist, but there are many more you should consider about. The problem is, that Windows allows standard users to write-access some folders below C:\Windows\, hence you and malware could place executables into such a folder. If you have specified a whitelist rule like C:\Windows\* such injected code thus could be started. This is not what we want to have as a final result if we use application whitelistig, right?! So it is time to create some blacklist rules for the well known paths below C:\Windows\* that could be write-accessed. You can download the latest blacklist and take it as an inspiration for your own blacklist.
Well, but there is more to do. It might be possible that your specific configuration of Windows allows some other paths below C:\Windows\ to be written by the standard/default user, so you should check their names and also put them on the blacklist. If there are executables inside such folders that shall be executed, you can whitelist them by the full qualified path, including the executable's filename using a priority rule (i.e. starting with !).
Enumerating such paths is quite simple: You can write a script that runs through all directories and tries to read out the access permissions, or that tries to copy a file into the folder. Unfortunately we tried this and one result was that this method seems not to be suitable. We found a much simpler way to achieve the same thing and no code has to be written. Just do a
dir /B /S /A:D C:\Windows >dummy.txt
on a cmd.exe shell with standard user permissions. Then open up the dummy.txt file and replace any C:\Windows\ with
xcopy 4cdfa0c8-9c1f-4b14-8eb5-a5b6405284d3.exe C:\Windows\
where 4cdfa0c8-9c1f-4b14-8eb5-a5b6405284d3.exe can be any executable. Just name it with a weird name, we used a randomly generated UUID, then copied the whole content of dummy.txt into the clipboard and pasted this into a cmd.exe shell. Do not worry, it takes a certain time to run. If all commands are processed you can search for the executable in explorer down in C:\Windows\, and voila, after little while of searching you will have a list of paths were you as a standard user could place executables into. After updating your blacklist do not forget to delete the copied files; and also restart Bouncer or your other Application Whitelisting Solution to ensure that the new rules are enforced.
Well, this method is a bit cheesy, but it works and most important, using this method got us much better results than any tool we tried to achieve the same. It seems that the console in some situations has more rights than tools that do the same. As we see a lot of malware campaigns making use of stacked calls of “cmd.exe /c”-commands it seems to be a good idea to use a cmd.exe shell to obtain such a list, as this is what can be executed by cyber crooks easily.
If you have any questions, comments or suggestions, please do not hesitate and share with us, so we can update this post and also the blacklist. Thanks.
2017/04/19 by F. Rienhardt
We have updated our blacklist as there are again clever ways to install malicious executables persistently onto your system. Casey Smith a.k.a. subTee has written some great articles about this, but unfortunately removed them from his blog. You can also find some helpful information regarding this issue here. Referring to this you should consider to blacklist *odbcconf.exe and *sdbinst.exe, too. We added these two executables onto the Blacklist.
2017/04/18 by F. Rienhardt
As you might already know there is an Office Remote Code Execution Vulnerability (CVE-2017-0199) that is actively exploited. After a quick analysis we can confirm that Bouncer and CommandLineScanner can mitigate against this vulnerability.
If you look at the incident from a more formal perspective there is nothing really new. Well, yet another security hole which leads to code execution by first downloading and then starting an executable. This again confirms that any application whitelisting strategy proactive helps to mitigate against a bunch of attacks out there. Sure, there are still ways to bypass application whitelisting solutions, but in most cases it dramatically helps to avoid getting infected by most common malware and exploits we see in the wild. If you deploy application whitelisting you do not have to mess around with all these ordinary junk, you can seek and prepare for the more sophisticated attacks. For example you can use our drivers MZWriteScanner, MemProtect, and Pumpernickel to monitor for suspicious behavior and track down sophisticated exploits and attacks more easily: See what executables are dropped onto your machines, see what application attempts to access what folders, monitor the command line parameters of started applications. All of this helps to identify an incident at an early stage and to start countermeasures early.
Application whitelisting in in combination with consistent monitoring can help a lot to counter threats we see. As noted above, not just the ordinary malware droppers coming in fake pdf.exe or as JS or VBS scripting files, also the more sophisticated ones. We are currently seeing a lot of malware campaigns featuring malware executables that are changed so quickly that most anti virus solutions will fail to detect. On Virus Total we often see recognition rates of around 4-6 out of 56 scanners. That is a horribly rate at all. So relying on a anti-virus, even if it includes cloud based checks, heuristics and relies on deep learning strategies is not enough. Having application whitelisting in place brings a significant added value. If you fine-tune it with blacklisting, parent and command line scanning rules you are well prepared. You can make use of dedicated tools but you can also just use Applocker, GPOs and the Eventlog. Well, the most important thing here is not what to use or to start a battle on who or what solution is better. Just get up and start doing it.
2017/04/02 by F. Rienhardt
We have updated all driver packages now. All drivers again went through extensive review and we have also written manuals for MemProtect and Pumpernickel/FIDES. MZWriteScanner went through an extra review and was optimized a lot. We were able to squeeze the driver's source code and also were able to fix a bug (shout outs and thanks to Dave for his report). We also would like to thank Froggie and Peter for beneficial feedback on MZWriteScanner which helped to optimize this tool.
2017/03/31 by F. Rienhardt
We are currently preparing a new batch of demo packages. In addition we will also update the full versions in the next days. Stay tuned.