Tag Archives: Antivirus products

Policies are an effective means for dealing with malware

5 March 2016

This week I was flooded with spear phishing emails in the office. Most of them dealt with late payment of invoices. In any case the attackers requested to study an attached file and to take immediate action to avoid the accrual of penalties.

Fortunately, the anti-virus scanner on the email gateway removed the payload from the attached zip files and filed the emails in the junk folder:

--------Begin Virus scanner message-----------------------------------------------
The company security policies do not allow to transfer file attachments of the specified type.
Removed attachment(s): B56d48d430000.000000000001.0004.mml; invoice_kOUEsX.js
--------End Virus scanner message-------------------------------------------------

It is important to note that the virus scanner removed the attachments because the company policy does not allow the transfer of such files with email. For the exchange of JavaScript files with a partner other secure communication channels must be used.

With this, the inherent risk of classic anti-malware systems is reduced. Unwanted attachments are removed even if they have not yet been identified by the anti-malware system.

Sending the payload in nested zip files is an often used technology to outsmart antivirus systems. Therefore, it is very important to let the antivirus system do in-depth scans on all attachments, even though many users will complain about this because in-depth scans delay the delivery of emails by some seconds. In the case an antivirus system cannot deal with nested archives just remove any content from the outer archive. Some more false positives are better than rebuilding hundreds of computers in the company network.

The malicious JavaScript attachment invoice_kOUEsX.js is identified by 33 of 55 antivirus systems on VirusTotal.com. Microsoft Defender identifies the file as TrojanDownloader:JS/Nemucod. And as always, the few relevant lines of code are hided in a mess of statements.

Have a good weekend.

Marco viruses on the rise – The Sleeping Beauty slumber is over

28 February 2015

For some month reports about macro viruses are constantly appearing in the IT press. Although the latest report, ‘Macro viruses reemerge in Word, Excel files’, published by Michael Heller on the TechTarget platform SearchSecurity at 24 February 2015, could make us feel somewhat insecure, there is in my opinion no reason to panic.

From the statistics created by security firm Kaspersky, we see that attackers used Microsoft Office in 1% of all cases for the distribution of exploits in 2014. In total Kaspersky products detected and neutralized 6.167,233,068 cyber-attacks in 2014. This means that Word or Excel were used in 61,763,330 cyber-attacks, 2.3 times more than in 2013.

Sounds anything but dangerous. Moreover, we are better prepared than 15 years ago, when macro viruses were most popular. Many protection measures are common sense, but sometimes it’s good to recap.

With that, I suggest:

  1. Please make sure that your anti-malware program is always up-to-date.
  2. Configure Macro Settings in Microsoft Office Trust Center. Choose ‘Disable all macros with notification’ as default:

    Disable Macros With Warnings Settings in Trust Center

    ‘Disable all Macros With Notifications’ in Trust Center

  3. Use Windows Update to keep Microsoft Office and Windows up-to-date with the latest patches.
  4. On 64 bit Windows please activate ‘enhanced Protection Mode’ in Internet Explorer. This will force Windows to run Internet Explorer in Container Mode at low integrity level. In addition, please download all files to the default download location.
  5. Enable SmartScreen Technology in Internet Explorer. Malicious files are downloaded from malicious sites. SmartScreen Technology supports you by blocking downloads from known malicious sites.
  6. Try working with standard user rights. This limits the impact of an attack to the operating system
  7. The last and perhaps the most important rule: Think twice before you click on a word or excel file stored in an untrusted site. As a rule of thumb the entire Internet is an untrusted site, and of course all email attachments.

There’s really no need to panic. Macro viruses are no rocket science. The available protection measures are enough to deal with this old stuff.

Have a good weekend!

Poweliks it is still stuck in my mind

17 August 2014

It may sound funny, but Poweliks is still stuck in my mind. The bad news for me is: Poweliks resides only in Windows registry.

The good news is: To start at every login the malware uses the Windows registry, namely the outdated method of using the [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] key.

And this is exactly the vulnerability of Poweliks we can use for taking counter measures!

The Windows policy ‘Do not process the legacy run list’ could be used to block Poweliks. If enabled this policy blocks the programs listed in the run key from getting executed during login. That’s it!

Do Not Process Legacy Run List Policy

Do Not Process Legacy Run List Policy

To enable the ‘Do not process the run once list’ policy start the local group policy editor gpedit.msc and navigate to section User Configuration\Administrative Templates\System\Logon. Double click the policy, select option ‘Enabled’, enter a comment and click ‘Apply’.

Use policy ‘Run these programs at user logon’ to whitelist the programs which you want to start at login. To prevent unwanted programs from getting started during system boot, enable the ‘Do not process the run once list’ in Computer Configuration as well.

Sounds somewhat strange, like fighting fire with fire. A much better solution would be to isolate all applications in AppContainers like Internet Explorer and run them at integrity level “Low” when connected to whatever network.

Microsoft, please do us this favour in Windows 10 the latest!

Review – ‘Poweliks’ malware variant employs new antivirus evasion techniques

9 August 2014

On 4 August 2014 Brandan Blevins talks in his post ‘‘Poweliks’ malware variant employs new antivirus evasion techniques‘ about a new malware which uses new infection routes.

My first thought was: Oh no, not another new malware that could not be detected by state-of-the-art Anti Virus systems!

My second thought was: Hold on for a moment. The Poweliks malware appears to jump into our computers like a deus ex machina! Sounds like magic, doesn’t it?

If you dig somewhat deeper, you find, that to implant the malware, attackers must exploit a vulnerability of the system and, the good faith of the users. In this case the media was a Word attachment of an email and a flaw in the MSCOMCTL.OCX described in CVE-2012-0158.

In section ‘What might an attacker use the vulnerability to do?’ Microsoft describes the impact:

Bacteriophage P2. Source: Mostafa Fatehi

Bacteriophage P2. Source: Mostafa Fatehi

‘An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights…’.

And this is exactly what the Poweliks malware does.

What countermeasures could we take?

(a) Do not open attachment and files from untrusted sources like email. Common sense can prevent lots of malware attacks.

(b) Do not work with permanent administrative rights.

(c) Change the User Account Control (UAC) Settings to the highest level ‘Always notify’. The malware installs Powershell, if not already installed. In this case UAC will notify you.

(d) Check whether the latest updates and patches are installed. CVE-2012-0158 was fixed in 2012 and can not be used for an attack, if Windows Update is configured to automatically install updates.

(e) Review the Trust Center Settings in Microsoft Office.

Activate ‘ Disable all macros with notification’ in section ‘Macro Settings’,

Activate ‘Prompt me before enabling all controls with minimal restrictions’ in section ‘ActiveX Settings’.

Activate ‘File Block Settings’ except for Office 2007 or later formats in section ‘File Block Settings’.

(f) Check your AV providers Homepage for the latest updates or utilities. I bet you will find some Information or tool which could support you in an emergency.

(g) Don’t Panic!

Have a good Weekend

BadUSB – Don’t fall into a doomsday mood!

2 August 2014

When Karsten Nohl published his research on 21 July 2014, BadUSB spread throughout the media within hours. One had the feeling that the end of the world arrives at the door. Millions of  potentially compromised USB sticks could take over control of all other USB devices.

But the worst is yet to come: We are utterly powerless! Antivirus products of whatever vendor could not block this kind of attack.  As if we did not know, that Antivirus products are of limited value today.

My first reaction was: Keep cool! It’s just a proof of concept. It’s not in the wild! And the best is: It’s a very complex task, and therefore not lucrative for normal attackers.

Vulnerabilities in the handling of USB devices are not new. A search in the U.S. National Vulnerabilty Database (NVD) shows 4 high severity flaws in the past 18 month. Moreover, it is well-known that viruses are very often spread through USB devices. We all know the risk!

And even the vulnerabilities in onboard controllers are not new. Mathieu Stephan reports in his post ‘Hacking SD Card & Flash Memory Controllers’ from 29 December 2013 that the Firmware of SD Card’s was compromised. Take a look at the Video in his post.

Marshall Honorof’s post ‘Don’t Panic Over the Latest USB Flaw’ from 1 August 2014 saved my day.

At the end of his post Marshall sums it up: ‘Make no mistake: BadUSB is a fantastic proof-of-concept, and lays bare some serious problems with USB stick security. But, like anything else in the world of computing, you can avoid trouble using a little common sense.

To be honest, I expect a technical solution to the BadUSB trouble within the next month. Otherwise the USB stick market will collapse.

But in the meantime: Don’t Panic!